Defend against phishing attacks with more than user training. Measure users' suspicion levels along with cognitive and behavioral factors, then build a risk index and use the information to better protect those who are most vulnerable.

Our approach to security awareness is flawed. And we must change it.

As Russian tanks creaked into Ukraine, CEOs and IT managers throughout the United States and much of the free world started sending out emails warning their employees about impending spear-phishing attacks.

It made sense: Spear-phishing was what Russians had used on Ukrainians many times in the past half of a decade, such as when they shut down the country's electrical grid on one of its coldest winter nights. It was also what the Russians had used against the Democratic National Committee and targets across the US.

At one end, the email missives from CEOs were refreshing. People were serious about the threat of phishing, which wasn't the case in 2014 when I started warning about its dangers on CNN.

At the other end, it was sobering. There wasn't much else organizations had figured out to do.

Sending messages to warn people was what AOL's CEO resorted to back in 1997, when spear-phishing first emerged and got its name. Budding hackers of the time were impersonating AOL administrators and fishing for subscribers' personal information. That was almost three decades ago, many lifetimes in Internet years.

In the interim, organizations have spent billions on security technologies and countless hours in security training. For context, a decade ago, Bank of America (BoA) was spending $400 million on cybersecurity. It now spends $1 billion per year on it. Yet thousands of its customer accounts in California were hacked last year.

And BoA isn't alone. This year, Microsoft, Nvidia, Samsung, LG, and T-Mobile — which recently paid out a $350 million settlement to customers because of a breach in 2021 — were hacked. All fell victim to spear-phishing attacks. No question that the employees in these companies are experienced and well-trained in detecting such attacks.

**Flawed Approach**

Clearly, something is fundamentally flawed in our approach, when you consider that after all this, email-based compromises increased by 35% in 2021, and American businesses lost over $2.4 billion due to it.

A big part of the problem is the current paradigm of user training. It primarily revolves around some form of cyber-safety instruction, usually following a mock phishing email test. The tests are sent periodically, and user failures are tracked — serving as an indicator of user vulnerability and forming the backbone of cyber-risk computations used by insurers and policymakers.

There is limited scientific support for this form of training. Most point to short-term value, with its effects wearing off within hours, according to a 2013 study. This has been ignored since the very inception of awareness as a solution.

There is another problem. Security awareness isn't a solution; it's a product with an ecosystem of deep-pocketed vendors pushing for it. There is legislation and federal policy mandating it, some stemming from lobbying by training organizations, making it necessary for every organization to implement it and users to endure it.

Finally, there is no valid measurement of security awareness. Who needs it? What type? And how much is enough? There are no answers to these questions.

Instead, the focus is on whether users fail a phishing test without a diagnosis of the why — the reason behind the failures. Because of this, phishing attacks continue, and organizations have no idea why. Which is why our best defense has been to send out email warnings to users.

**Defend With Fundamentals**

The only way to defend against phishing is to start at the fundamentals. Begin with the key question: What makes users vulnerable to phishing?

The science of security already provides the answers. It has identified specific mind-level or cognitive factors and behavioral habits that cause user vulnerability. Cognitive factors include _cyber-risk beliefs —_ ideas we hold in our minds about online risk, such as how safe it might be to open a PDF document versus a Word document, or how a certain mobile OS might offer better protection for opening emails. Many such beliefs, some flawed and others accurate, govern how much mental attention we pay to details online.

Many of us also acquire _media habits,_ from opening every incoming message to rituals such as checking emails and feeds the moment we awake. Some of these are conditioned by apps; others by organizational IT policy. They lead to mindless reactions to emails that increase phishing vulnerability.

There is another, largely ignored, factor: _suspicion_. It is that unease when encountering something; that sense that something is off. It almost always leads to information seeking and, armed with the right types of knowledge or experience, leads to deception-detection and correction.

It did for the former head of the FBI. Robert Muller, after entering his banking information in response to an email request, stopped before hitting Send. Something didn't seem right. In the momentary return to reason caused by suspicion, he realized he was being phished, and changed his banking passwords.

By measuring suspicion along with the cognitive and behavioral factors leading to phishing vulnerability, organizations can diagnose what makes users vulnerable. This information can be quantified and converted into a risk index, with which they can identify those most at risk, the weakest links, and protect them better.

Doing this will help us defend users based on a diagnosis of what they need, rather than a training approach that's being sold as a solution — a paradigm that we know doesn't work.

After billions spent, our best approach remains sending out email warnings about incoming attacks. Surely, we can do better. By applying the science of security, we can. And we must — because spear-phishing presents a clear and present danger to the Internet.

Time to Change Our Flawed Approach to Security Awareness

The internet infrastructure company has an alternative tool to check whether you’re human—and it doesn’t force you to pick out buses in tiny boxes.

There's a uniquely bitter rage that comes from being asked to click every box that contains a parking meter only to then be told that you missed one because of a tiny sliver of gray that barely floated into the periphery of an otherwise empty, adjacent square. It's a familiar fury, and one that captchas have been provoking across the web for years, but these maddening tools are important for blocking bots from conducting fraud and other abuse. Google's reCaptcha, the dominant tool around the world for implementing these checks, came out with a version in 2018 that uses machine learning to silently check humanness behind the scenes and phase out the garbled, blurry strings of letters and grids full of traffic lights. This week, the internet infrastructure company Cloudflare is releasing a competitor.

Like reCaptcha, Cloudflare's new alternative, dubbed Turnstile, is free, and you don't have to be a Cloudflare customer to put it on your site. Turnstile is based on a tool called Cloudflare Managed Challenge that the company released for its own services in April. When you do a captcha, you are completing a “challenge” of your humanness. Managed Challenge, on the other hand, runs quick and silent checks of your browser's technical behavior and other telemetry in an attempt to determine that you are human without asking you to do anything. Only when the tool lacks adequate confidence will it show you a “harder challenge” or a puzzle to solve. And Managed Challenge, which is an enterprise product for Cloudflare customers, is constantly testing different types of puzzles to find the options that are less frustrating for users. 

Anyone can now implement Turnstile for free through an application programming interface. You can set it up to only run invisible challenges that don't appear to the user at all or elect to have the system show a button for users to click as an additional humanness check. Unlike Managed Challenge, Turnstile never shows harder challenges or Captchas.

“If a person were walking down the street next to a robot, even without asking the person or robot any questions, you’d be able to observe differences between them just by watching them walk past,” says Cloudflare's chief technology officer, John Graham-Cumming. “Turnstile can do that for the signals your computer sends to the website you’re accessing, which include what web browser you are using or what device this is coming from. In the case of a machine trying to impersonate a human user, they often don’t get all these details right—there’s usually something ‘off’ about the request.”

Invisible challenges include tests like complex equations that devices are asked to solve. Turnstile has data about how long it takes different devices—say, a Macbook Air or a Samsung Galaxy—to solve the challenge. If a device claims to be a Samsung Galaxy S22, but solves the challenge much more quickly than that device should be able to, it may indicate that the request is really coming from an automated system run out of a data center. 

Courtesy of Cloudfare

Captchas are an important security defense across the web, but Cloudflare is billing Turnstile as particularly privacy-protective as well. The tool will look at some browser session data, like browser characteristics and data from website rendering mechanisms, but the service doesn't check advertising cookies or login cookies. And the company plans to outsource as much data review as possible to minimize how much Cloudflare ever sees. For example, Turnstile will check for Apple's "Private Access Tokens," launched this year as a tool for attesting that a user is human and reducing the need for captchas. 

Researchers have found in recent years that Google's reCaptcha checks to see whether a user has a Google login cookie as one of the factors in determining whether they are human. Google denies that reCaptcha data is used for anything other than challenges, but some have pointed out that the data could be used in targeted advertising campaigns.

Cloudflare says that since launching Managed Challenge, it has dramatically reduced the number of captchas it serves.

“Before we introduced Cloudflare Managed Challenge, if we believed a visitor was a bot but our customer wanted us to confirm that, then we would serve a Captcha 100 percent of the time,” Graham-Cumming says. “After introducing Cloudflare Managed Challenge, that number was reduced down to 9 percent. Today, that number is further reduced down to 3 percent.”

The company adds that users previously spent an average of 32 seconds doing captchas on its own sites. Since implementing Managed Challenge, the average wait time is one second because of the new feature's silent, behind-the-scenes challenges. In the Cloudflare dashboard, the captcha option is now called “Legacy Captcha." The company says that, “this more accurately describes what CAPTCHA is: an outdated tool that we don’t think people should use."

Turnstile is part of a broader industry effort to rework captchas and make them less frustrating for users. But reCaptcha's ubiquity and familiarity may hinder adoption of new alternatives. As the field shifts, though, it may be ripe for a new player—especially one that doesn't make you want to chuck your laptop into the sea.

_Updated 9-28-2022, 6:20 pm ET: Included additional details about Turnstile and comment from Cloudflare. We also clarified the types of “challenges” Turnstile will present users._

Cloudflare Takes a Stab at a Captcha That Doesn’t Suck

The fun-loving cybercriminals blamed for breaches of Uber and Rockstar are exposing weaknesses in ways others aren't.

After suffering a breach earlier this month, the ride-share platform Uber said last week that it believes the infamous hacking group Lapsus$ was behind the attack. The incident was in line with the group's track record of using phishing to gain access to corporate accounts that can then be parlayed into broader access. Then on September 23, police in the United Kingdom said they had arrested an unnamed 17-year-old in Oxfordshire who seems to be one of the individuals previously arrested in connection to Lapsus$ in March.

Lapsus$, which may also have breached the _Grand Theft Auto_ developer Rockstar in this latest hacking spree, has established itself in the pantheon of memorable hacking groups for breaching a slew of massive tech companies, including Microsoft, Nvidia, Okta, Samsung, and Ubisoft. They did so to make money, sure, but they also apparently wanted to take the digital-teen joyride of a lifetime. Researchers say that this wild and unpredictable streak is an important key to the group's success that should not be overlooked.

“Lapsus$ probably aren’t causing as much destruction as other actors with different motivations could, and I think that's the answer—they aren’t entirely motivated by money,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “They, therefore, attempt things that purely financially motivated cybercriminals wouldn’t. They are more likely to be adventurous and to try things—that may not have a payoff—just for the fun of it.”

This creative enthusiasm and flair for the dramatic is an important case study. While Lapsus$ seems to perpetrate crimes of opportunity rather than working under a mandate to target certain entities or achieve specific results, the way nation-state actors often do, their seemingly boundless success reveals just how many weaknesses are lurking in organizations around the world that have gone unexposed only because they weren't immediately useful to state-backed actors or cybercriminals. 

“I find the Lapsus$ group significant, because they have highlighted systemic problems in real-world implementations of single sign-on and multifactor authentication,” says independent security researcher Bill Demirkapi. “The techniques that they've used in their attacks are nothing new, but what we're seeing is the widespread abuse of these weaknesses and a wakeup call to organizations.”

Lapsus$ breached Uber by targeting an individual contractor whose username and password had been compromised by another entity through a malware infection and was sold on the dark web, the company said. Lapsus$ repeatedly sent the victim multifactor authentication login notifications until they mistakenly approved access. In a previous, unrelated attack, Lapsus$ breached a contractor working with the authentication company Okta in an attempt to compromise organizations through the identity management provider. The tactics in both instances show that there are weaknesses in some multifactor authentication strategies and they highlight a downside to “single sign-on” schemes in which one carefully protected authentication process grants access to a slew of services. The benefit to organizations is that there's only one account to protect and manage instead of many, and this cuts down on weaknesses like password reuse. The drawback, though, is that if an attacker compromises a single-sign-on account, they gain access to multiple internal services within an organization at once.

“At the end of the day, the flexibility of how you can abuse corporate accounts to move laterally and pivot over to other applications in the cloud—there are just so many different ways that attackers can use enterprise credentials,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI. “That's why phishing is so extremely popular with cybercriminals, because of that return on investment.”

There are stronger ways to implement two-factor authentication, and the new generation of “password-less” login schemes or “Passkeys” from the industry FIDO2 standard promise a much less phishable future. But organizations need to actually start implementing these more robust protections so they're in place when a ransomware actor (or restless teen) starts poking around.

“Phishing is obviously a huge problem, and most of the things that we normally think of as multifactor authentication, like using a code generator app, are at least somewhat phishable, because you can trick someone into revealing the code,” says Jim Fenton, an independent identity privacy and security consultant. “But with push notifications, it’s just too easy to get people to click ‘accept.’ If you have to plug something directly into your computer to authenticate or use something integrated with your endpoint, like a biometric sensor, those are phishing-resistant technologies."

Keeping attackers from clawing their way into an organization through phishing isn't the only problem, though. As the Uber incident showed, once Lapsus$ had compromised one account to gain access, they were able to burrow deeper into Uber's systems, because they found credentials for internal tools lying around unprotected. Security is all about raising the barrier to entry, not eliminating all threats, so strong authentication on external-facing accounts would certainly have gone a long way toward stopping a group like Lapsus$. But organizations must still implement multiple lines of defense so there's a fallback in case one is breached. 

In recent weeks, former Twitter security chief Peiter “Mudge” Zatko has publicly come out as a whistleblower against Twitter, testifying before a US Senate committee that the social media giant is woefully insecure. Zatko's claims—which Twitter denies—illuminate how high the cost could be when a company's internal defenses are lacking.

For its part, Lapsus$ may have a reputation as an outlandish and oddball actor, but researchers say that the extent of its success in compromising massive companies is not just remarkable but also disturbing.

“Lapsus$ has highlighted that the industry must take action against these weaknesses in common authentication implementations,” Demirkapi says. “In the short term we need to start by securing what we currently have, while in the longer term we must move toward forms of authentication that are secure by design.”

No wakeup call ever seems sufficiently dire to produce massive investment and quick, ubiquitous implementation of cybersecurity defenses, but with Lapsus$ organizations may have an additional motivation now that the group has shown the world just how much is possible if you're talented and have some time on your hands. 

“Cybercriminal enterprises are exactly the same as legitimate businesses in the sense that they look at what other people are doing and emulate the strategies that prove successful,” Emsisoft's Callow says. “So the ransomware gangs and other operations will absolutely be looking at what Lapsus$ has done to see what they can learn.”

The Dire Warnings in the Lapsus$ Hacker Joyride

Company unnecessarily collected consumers' personal data and failed to safeguard it, suit alleges, leading to two back-to-back data breaches.

OAKLAND, Calif., Sept. 23, 2022 /PRNewswire — Earlier this month, two Samsung users, Shelby Holtzclaw and Naeem Seirafi, fired a class action lawsuit at Samsung Electronics of America, accusing the company of unnecessarily collecting consumers' personal data and failing to safeguard it.

Represented by powerhouse public interest firm, Clarkson Law Firm, the Plaintiffs further allege that Samsung failed to take appropriate protective measures leading to two back-to-back data breaches. Samsung then exacerbated the problem, according to the lawsuit, by neglecting to inform consumers whose data may have been compromised. The 43-page complaint asserts that Samsung violated consumer protection laws in all 50 states.

According to the lawsuit, Samsung disabled functions and features of its electronics like TVs and printers unless consumers submitted personal identification data like their home address and date of birth. Samsung then stored, monitored, and sold that data without adequately securing it, despite having assured its customers that "security and privacy are at the core of what we do and what we think about every day." Samsung allegedly touted that it was "protecting users' security and privacy at all times" via "holistic" and "industry-leading security." However, the lawsuit claims the tech giant's deficient security measures led to two data breaches and distribution of consumers' private, personal information.

The first breach allegedly occurred in April 2022 when confidential data was accessed, stolen, and published online. Samsung reassured customers that the leak only included "some source code relating to the operation of Galaxy devices" which the Plaintiffs assert "minimized entirely the impact of this first data breach." A preventable second attack then occurred when personal identification data was allegedly stolen by an "unauthorized third party." According to the complaint, "It is believed that greater than half of Samsung's U.S. consumers had their \[personal identifiable information\] compromised in the breach."

The plaintiffs allege that Samsung consumers have been left vulnerable to phishing scams, identity theft, and dual-authentication scams, requiring them to spend time, energy, and money on extra security protocols like credit monitoring.

Holtzclaw and Seirafi are demanding that Samsung notify all consumers whose data was stolen, improve their security systems, and compensate victims for the financial harm they've sustained.

The case is pending in the United States Federal District Court for the Northern District of California, Case Number 3:22-cv-05176. Visit clarksonlawfirm.com for updates.

SOURCE: Clarkson Law Firm, PC

Samsung Fails Consumers in Preventable Back-to-Back Data Breaches, According to Federal Lawsuit

For white hats who play by the rules, here are several ethical tenets to consider.

Earlier this year when international cyber-gang Lapsus$ attacked major tech brands including Samsung, Microsoft, Nvidia and password manager Okta, an ethical line seemed to have been crossed for many cybercriminals.

Even by their murky standards, the extent of the breach, the disruption caused, and the profile of the businesses involved was just too much. So, the cybercrime community came together to punish Lapsus$ by leaking information on the group, a move that ultimately led to their arrest and breakup.

So maybe there's honor amongst thieves after all? Now, don't get me wrong; this isn't a pat on the back for cybercriminals, but it does indicate that at least some professional code is being followed.

Which raises a question for the wider law-abiding hacking community: Should we have our own ethical code of conduct? And if so, what might that look like?

**What Is Ethical Hacking?**

 First let's define ethical hacking. It is the process of assessing a computer system, network, infrastructure, or application with good intentions, to find vulnerabilities and security flaws that developers might have overlooked. Essentially, it's finding the weak spots before the bad guys do and alerting the organization, so it can avoid any big reputational or financial loss.

Ethical hacking requires, at a bare minimum, the knowledge and permission of the business or organization which is the subject of your attempted infiltration.

Here are five other guiding principles for activity to be considered ethical hacking.

**Hack To Secure**

An ethical and white-hat hacker coming to assess the security of any company will look for vulnerabilities, not only in the system but also in the reporting and information handling processes. The goal these hackers is to discover vulnerabilities, provide detailed insights, and make recommendations for building a secure environment. Ultimately, they're looking to make the organization more secure.

**Hack Responsibly**

Hackers must ensure they have permission, outlining clearly the extent of access the company is giving, as well as the scope of the work they are doing. This is very important. Target knowledge, and a clear scope, help prevent any accidental compromises and establish solid lines of communication if the hacker uncovers anything alarming. Responsibility, timely communication, and openness are vital ethical principles to abide by, and clearly distinguish a hacker from a cybercriminal and from the rest of the security team.

**Document Everything**

All good hackers keep detailed notes of everything they do during an assessment and log all command and tool output. First and foremost, this is to protect themselves. For example, if an issue occurs during a penetration test, the employer will look to the hacker first. Having a timestamped log of the activities performed, be it exploiting a system or scanning for malware, gives piece of mind to organizations by reminding them that hackers work with them, not against them.

Good notes uphold the ethical and legal side of things; they are also the basis of the report hackers will produce, even when there are no major findings. The notes will allow them to highlight the issues they have identified, the steps needed to reproduce the issues, and detailed suggestions on how to fix them.

**Keep Communications Active**

Open and timely communications should be clearly defined in the contract. Staying in communication throughout an assessment is key. Good practice is to always notify when assessments are running; a daily email with the assessment run times is vital.

While the hacker might not need to report all the vulnerabilities they find immediately to their client contact, they still should flag any critical, show-stopping flaw during an external penetration test. This could be an exploitable unauthenticated RCE or SQLi, a malicious code execution, or sensitive data disclosure vulnerability. When encountering these, hackers stop testing, issue a written vulnerability notification via email, and follow up with a phone call. This gives teams on the business side the chance to pause and fix the issue immediately if they choose. It's irresponsible to let a flaw of this magnitude go unflagged until the report is issued weeks later.

Hackers should keep their main points of contact aware of their progress and any major issues they discover as they proceed. This ensures everyone is aware of any issues ahead of the final report.

**Have a Hacker Mindset**

The term hacking was used even before information security grew in importance. It just means to use things in unintended ways. For this, hackers first seek to understand all the intended use cases of a system and take into consideration all its components.

Hackers must keep developing this mindset and never stop learning. This allows them to think both from a defensive and an offensive perspective and is useful when looking at something you have never experienced before. By creating best practices, understanding the target, and creating attack paths, a hacker can deliver amazing results.

Should Hacking Have a Code of Conduct?

By Deeba Ahmed
The teen was arrested from Oxfordshire and is still in police custody but his involvement in Uber and GTA hacks is unconfirmed.
This is a post from HackRead.com Read the original post: UK Teen Arrested Amid Uber and GTA 6 Hacking Saga

The City of London Police has arrested a seventeen-year-old teenager over suspicion of hacking amid the recent security breaches at Uber and Rockstar Games’ GTA 6. It is worth noting that the teen’s role in these hacks is still not confirmed.

**Arrest Details**

The teen was arrested from Oxfordshire and is still in police custody. However, the officials haven’t yet shared more details on the arrest and declined to confirm if the teen was arrested for the recent high-profile hacking incidents including Uber and Rockstar Games’ GTA 6.

According to the department’s tweet, the arrest was part of an ongoing investigation carried out in collaboration with the cybercrime unit of the National Crime Agency, UK. The police shared no other detail.

For your information, a couple of months ago, London police arrested and released 7 teens in connection with an investigation into the LAPSUS$ hacking gang.

Lapsus$ is a notorious group of teen hackers that mainly hunts for the source code of high-profile and large tech firms. Some of its previous and successful attacks include Samsung, Microsoft, Nvidia, Okta, and Ubisoft.

The Uber and GTA 6 hacker had also claimed to have access to the source code of both companies.

**Uber and Rockstar Games Hacking**

Uber hacking resulted in the halting of the company’s internal systems for some time. In contrast, Rockstar Games suffered a network intrusion that caused the leaking of unreleased footage of Grand Theft Auto 6.

The two hacks are believed to be committed by the same hacker, who’s identified as Tea Pot or “teapotuberhacker.”

Uber, on the other hand, has blamed the LAPSUS$ hackers for the breach, alleging that the attacker(s) are linked with the LAPSUS$ extortion gang that has remained active over the past year.

It must be noted that the Rockstar Games hacker also claimed responsibility for the Uber hack on his Telegram and fan-run GTA forum. It is assumed that “teapotuberhacker” is a LAPSUS$ ringleader.

1.  Microsoft and Okta Confirm Data Breach Claims by LAPSUS$
2.  Popular YouTuber Scuba Jake’s channel hacked to run crypto scam
3.  Ex-Uber CSO Joseph Sullivan charged over 2016 data breach cover up
4.  Russian Hacker Exploits GTA 5 PC Mod to Install Cryptocurrency Miner
5.  Grand Theft Auto (GTA) Fan Forum Hacked; Thousands of Accounts Stolen

UK Teen Arrested Amid Uber and GTA 6 Hacking Saga

Uber on Monday disclosed more details related to the security incident that happened last week, pinning the attack on a threat actor it believes is affiliated to the notorious LAPSUS$ hacking group.
"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based

Uber on Monday disclosed more details related to the security incident that happened last week, pinning the attack on a threat actor it believes is affiliated to the notorious LAPSUS$ hacking group.

"This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, NVIDIA, and Okta, among others," the San Francisco-based company said in an update.

The financially-motivated extortionist gang was dealt a huge blow in March 2022 when the City of London Police moved to arrest seven suspected LAPSUS$ gang members aged between 16 and 21. Weeks later, two of them were charged for their actions.

The hacker behind the Uber breach, an 18-year-old teenager who goes by the moniker Tea Pot, has also claimed responsibility for breaking into video game maker Rockstar Games over the weekend.

Uber said it's working with "several leading digital forensics firms" as the company's investigation into the incident continues, in addition to coordinating with the U.S. Federal Bureau of Investigation (FBI) and the Justice Department on the matter.

As for how the attack unfolded, the ridesharing firm said an "EXT contractor" had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, corroborating an earlier report from Group-IB.

The Singapore-headquartered company, the previous week, noted that at least two of Uber's employees located in Brazil and Indonesia were infected with Raccoon and Vidar information stealers.

"The attacker then repeatedly tried to log in to the contractor's Uber account," the company said. "Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in."

Upon gaining a foothold, the miscreant is said to have accessed other employee accounts, thereby equipping the malicious party with elevated permissions to "several internal systems" such as Google Workspace and Slack.

The company further said it took a number of steps as part of its incident response measures, including disabling impacted tools, rotating keys to the services, locking down codebase, and also blocking compromised employee accounts from accessing Uber systems or alternatively issuing a password reset for those accounts.

Uber didn't disclose how many employee accounts were potentially compromised, but it reiterated that no unauthorized code changes were made and that there was no evidence the hacker had access to production systems that support its customer-facing apps.

That said, the alleged teen hacker is said to have downloaded some unspecified number of internal Slack messages and information from an in-house tool used by its finance team to manage certain invoices.

Uber also confirmed that the attacker accessed HackerOne bug reports, but noted that "any bug reports the attacker was able to access have been remediated."

"There is only one solution to making push-based \[multi-factor authentication\] more resilient and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur," Roger Grimes, data-driven defense evangelist at KnowBe4, said in a statement.

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said it's crucial for organizations to realize that MFA is not a "silver bullet" and that not all factors are created equal.

While there has been a shift from SMS-based authentication to an app-based approach to mitigate risks associated with SIM swapping attacks, the attack against Uber and Cisco highlights that security controls once considered infallible are being bypassed by other means.

The fact that threat actors are banking on attack paths such as adversary-in-the-middle (AiTM) proxy toolkits and MFA fatigue (aka prompt bombing) to trick an unsuspecting employee into inadvertently handing over MFA codes or authorizing an access request signals the need to adopt phishing-resistant methods.

"To prevent similar attacks, organizations should move to more secure versions of MFA approval such as number matching that minimize the risk of a user blindly approving an authentication verification prompt," Clements said.

"The reality is that if an attacker only needs to compromise a single user to cause significant damage, sooner or later you are going to have significant damage," Clements added, underscoring strong authentication mechanisms "should be one of many in-depth defensive controls to prevent compromise."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Uber Blames LAPSUS$ Hacking Group for Recent Security Breach

The ride-sharing giant says a member of the notorious Lapsus$ hacking group started the attack by compromising an external contractor's credentials, as researchers parse the incident for takeaways.

Uber has attributed last week's massive breach at Uber to the notorious Lapsus$ hacking group and released additional details on the attack. Researchers say the incident has highlighted the risks that can come from trusting too much in multifactor authentication (MFA), as well as unmanaged risk around cloud-service adoption.

In an update on Monday, Uber laid out the attribution: "We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so." Uber's announcement pointed to other companies that had been targeted by the notorious gang via similar techniques, including Cisco, Microsoft, Nvidia, Okta, and Samsung,

Lapsus$ has attracted considerable attention in recent months for its brazen attacks on some of the world's largest and well-known companies. One well-known tactic that the group has been known to use is co-opt MFA-circumventing tools into its attack chain.

And indeed, Uber on Monday said the attacker who breached its network last week had first obtained the VPN credentials of an external contractor, likely by purchasing them on the Dark Web. The attacker then repeatedly tried to log in to the Uber account using the illegally obtained credentials, prompting a two-factor login approval request each time. 

After the contractor initially blocked those requests, the attacker contacted the target on WhatsApp posing as tech support, telling the person to accept the MFA prompt — thus allowing the attacker to log in.

"The Uber breach appears to be a result of an MFA fatigue attack, also referred to as an MFA bombing attack," says Duncan Greenwood, CEO of Xage. "It’s a technique in which hackers send multiple authentication approval requests to a secondary device like a mobile phone, in hopes that a user unintentionally provides access, or grows so frustrated that they eventually approve a request." 

**Remediation Process Begins**

Once in, the attacker breached multiple internal systems, and Uber is currently in the process of doing an impact analysis, the company said: "The attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack."

The company said the attacker does not appear to have made any changes to its codebase, nor does he appear to have access to any customer or user data stored by cloud providers. The attacker did appear to have downloaded some internal Slack messages and accessed or downloaded an internal tool that Uber's finance team uses to manage invoices. Though the attacker also accessed a database of vulnerability disclosures in its platform submitted via external researchers through the HackerOne bug-bounty program, all the bugs have been remediated, Uber said.  

**Breach Shows MFA's Weaknesses**

Greenwood describes MFA fatigue attacks as being a very effective tactic for breaching target organizations. He says his company has observed attackers typically sending frequent MFA requests in the middle of the night or sending less frequent requests over a few days. 

"Either way, in traditional MFA architectures, all it takes is just one approved request for a hacker to access internal systems, from which they can further infiltrate the target organization," he says.

Uber's security practices are sure to come under scrutiny because of the breach. But the reality is that the company was the victim of practices that are common to many organizations, researchers note.

Patrick Tiquet, vice president of security and architecture at Keeper Security, says the Uber attack highlights a fundamental misconception around MFA's strength as a method to secure access. 

"Although MFA adds a critical second layer of security to your accounts, the biggest misconception about MFA is that all forms are equally secure," he says.

One example of how MFA can fail is SIM card porting, aka SIM-swapping, Tiquet notes. This is where attackers port a mobile number to a SIM card or device that they control to receive SMS messages or phone calls for the target number. 

"Use of SMS text messages as MFA should be discouraged and never used as MFA for high-value assets," Tiquet says. "The use of an authenticator app, security key, or biometrics are stronger and more effective methods to protect your accounts." 

Security researcher Bill Demirkapi explains that another very common misconception is that standard forms of MFA — such as push, touch, and mobile — protect against social engineering. The reality is that MFA remains vulnerable to man-in-the-middle (MitM) attacks, he says.  

He notes that best practices include using phishing- and MiTM-resistant forms of MFA rather than time-based one-time passwords (TOTP), not centralizing access keys, and rotating keys regularly. On the latter point, organizations also often do not limit access keys to the minimum privileges required for the key's intended purpose.   

"Uber may not have followed best practices, but many other companies don't either," he says. "The main point I'd like to drive home is the importance of not only investing into security for your organization, but specifically investing into these best practices as well."

It should be noted that the Uber breach is not the only high-profile hit in the last few days; the same Lapsus$ hacker who claimed responsibility in that incident (or at least someone using the same "Teapot" alias that the Uber hacker used) now appears to have also breached Take-Two Interactive's Rockstar Games, posting videos of an early development copy of the Grand Theft Auto 6 video game. In a message, the company acknowledged the breach and said it was "extremely disappointed" to have details of the game leaked in advance of its release.

**Cloud Service Adoption Increases Risk **

MFA is not the only weak link for many companies. At a higher level, breaches like the one at Uber show the impact that rapid cloud services adoption and distributed work models are having on enterprise security strategies, says Russell Spitler, co-founder and CEO of Nudge Security. 

The move to a more distributed model has increased enterprise reliance on asynchronous communications tools such as Slack and WhatsApp in business-critical environments, he says. The rapid adoption of SaaS has created an unmanaged risk in the form of complex integrations between poorly managed services.

"The recent breach at Uber points to the fact that security orgs are outpaced by the sprawling complexity of modern, distributed IT environments and sprawling digital supply chains," Spitler notes. "This complexity creates opportunities for even the most novice of threat actors to gain access using compromised credentials and \[finding\] their way to critical assets."

Uber: Lapsus$ Targeted External Contractor With MFA Bombing Attack

A Buffer Access with Incorrect Length Value vulnerablity in the TEE_MACComputeFinal function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_MACComputeFinal with an excessive size value of messageLen.

CVE-2022-40757: mTower/tee_api_operations.c at efd36709306a9afcca5b4782499d01be0c7a02a5 · Samsung/mTower

A Buffer Access with Incorrect Length Value vulnerablity in the TEE_CipherUpdate function in Samsung mTower through 0.3.0 allows a trusted application to trigger a Denial of Service (DoS) by invoking the function TEE_CipherUpdate with an excessive size value of srcLen.

Tag

#samsung