Here’s what Uber and GTA hacks have in common

The Lapsus$ gang seems to be behind both the Uber and Rockstar Games breaches. Both hacks show that social engineering works, and that threat actors do not need to go to much trouble when readily available automated attack tools do the heavy lifting.

"The attacks on Uber and Rockstar Games feel like we are reliving the Lapsus$ attacks of late 2021 and early 2022," said Chester Wisniewski, principal research scientist at Sophos.

The Lapsus$ group, infamous for targeting Microsoft, Cisco, Samsung, Nvidia, and Okta, focuses on compromising user identities to gain initial access to an organization.

In the Uber case, an attacker purchased an Uber contractor's password on the dark web and then bombarded the victim with two-factor authentication requests (a technique known as multi-factor authentication fatigue) until they accidentally accepted one. From there, the attacker accessed several other employee accounts, G-Suite, and Slack, among other tools.

In the Rockstar Games case, the culprit claims to have accessed the company's Slack servers via a social engineering attack similar to the one used against Uber.

"This is unsurprising as it is an incredibly effective technique for initial compromise and takes advantage of the trust placed in privileged insiders," Wisniewski said.

MFA flaws

“Weak multi-factor authentication deployments are leaving large organizations that are attractive targets vulnerable to major attacks,” Tessian CISO Josh Yavor said.

Attackers benefit from the increasing availability of free, easily accessible tools that automate phishing and bypass weaker MFA factors.

“This is not to say that MFA doesn’t work,” Yavor added. However, some MFA factors are safer than others. Factors such as push notifications, one-time passcodes (OTPs), and voice calls are more vulnerable and easier to bypass via social engineering.

“Security key technology based on modern MFA protocols like FIDO2 has resiliency built into its design, and we need to increase the adoption and use of these phishing-resistant factors globally,” Yavor said.

He added that strategies to guard against MFA bypass are necessary even with the best technology deployed.

“Various types of attackers (“sophisticated” hacking groups to individual teenagers) are using these techniques. This further reinforces that attackers will reliably use techniques that work and are low-cost. [...] Adversaries know that people can be tricked into giving up their passwords, weak MFA is prevalent, and the tools to exploit this are free and relatively easy to use,” Yavor added.

Cyber pundits on Twitter suggest simply turning off push notifications to reduce the risk of MFA fatigue attacks.
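The MFA fatigue pattern described above (a burst of push challenges to one account, followed by an approval) leaves a distinctive trace in authentication logs, so it can be detected even where push cannot be switched off. The following Python script is an added example and is not code from the article, Uber, Rockstar Games, or any vendor quoted here; the log line format (`timestamp user=... event=... result=... src=...`), the user names, the IP addresses, and the threshold of five challenges in ten minutes are all constructed assumptions for the illustration.

```python
"""Detect MFA push-fatigue bursts in authentication logs (added example).

An alert is raised for a user who receives PUSH_THRESHOLD or more push
challenges inside WINDOW. If one of those challenges is approved, the alert
is marked 'approved_after_burst', which is the case worth paging on: the
account holder likely gave in to the flood, as in the Uber incident.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_THRESHOLD = 5               # assumed tuning value: challenges per WINDOW
WINDOW = timedelta(minutes=10)    # assumed tuning value

# Assumed (constructed) log format; real IdP logs differ and need their own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 'alice' is flooded with six pushes in three minutes and
# finally approves one; 'bob' is a normal single-push login.
SAMPLE_LOG = """
2022-09-15T21:00:05Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T21:00:40Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T21:01:15Z user=alice event=mfa_push result=timeout src=203.0.113.7
2022-09-15T21:01:50Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T21:02:25Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T21:03:00Z user=alice event=mfa_push result=approved src=203.0.113.7
2022-09-15T21:05:00Z user=bob event=mfa_push result=approved src=198.51.100.2
2022-09-15T21:06:00Z user=bob event=password_login result=success src=198.51.100.2
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_push_fatigue(lines, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert dict per user whose push challenges form a burst."""
    recent = defaultdict(deque)   # user -> timestamps of pushes inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "mfa_push":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        # Slide the window: drop challenges older than `window` from the left.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(ev["user"], {
                "user": ev["user"],
                "first_seen": q[0],
                "challenges": 0,
                "approved_after_burst": False,
                "approval_src": None,
            })
            alert["challenges"] = max(alert["challenges"], len(q))
            alert["last_seen"] = ev["ts"]
            if ev["result"] == "approved":
                alert["approved_after_burst"] = True
                alert["approval_src"] = ev["src"]
    return list(alerts.values())


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_push_fatigue(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running the script reports a single alert for `alice` with six challenges and `approved_after_burst` set, while `bob` produces nothing. In a real deployment the window and threshold would be tuned against the organization's normal push volume, and the alert would be joined with source-IP and device data so that an approval from an unfamiliar location after a burst is escalated first.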

Spotlight on Slack

Office messaging platform Slack's name pops up in the analysis of both breaches.

"Tools like Okta and Slack expose enterprise organizations large and small to social engineering attacks that are entirely undetectable by traditional network and device-based security solutions," Matt Caulfield, founder and CEO of cybersecurity company Oort, said.

The threat actor boasted about hacking into Uber on the company's Slack channel. The culprit who leaked multiple videos of the upcoming Grand Theft Auto 6 video game claims to have accessed Rockstar Games' Slack server. Even the 2021 Electronic Arts breach began with stolen cookies used to infiltrate the company's Slack channel.

"It would be safe to assume that whoever has access to your Slack account pretty much knows whatever happens in the company you're working at," Bitdefender said in 2015, after an unauthorized party accessed Slack infrastructure, among it a database that stored user profile information such as usernames and hashed passwords.

"All companies need to adopt a combination of phishing-resistant authentication factors and rigorous identity threat detection monitoring to subvert would-be attackers. Uber is not the first and will not be the last breach. The Rockstar GTA breach is already hitting the news as yet another example of this pattern, only days later," Caulfield added.

This August, Slack disclosed that it had been leaking hashed passwords for five years.