Security News

Today, the Brazilian Federal Police arrested a Brazilian suspect in Feira de Santana, Bahia, believed to be part of the Lapsus$ extortion gang. The suspect was detained following an investigation started in December 2021 after last year's breach of the Brazilian Ministry of Health.

As we mentioned back in March lapsus is as good a modern Latin word as any for "Data breach", and the trailing dollar sign signifies both financial value and programming, being the traditional way of denoting that BASIC variable is a text string, not a number. Okta, a 2FA service provider, was another high-profile victim, where the hackers acquired RDP access to an support techie's computer, and were therefore able to access a wide range of Okta's internal systems as if they were logged in directly to Okta's own network.

Uber exposes Lapsus$ extortion group for security breach. Uber has laid the blame for its recent security breach at the feet of Lapsus$, a cybercrime group that uses social engineering to target technology firms and other organizations.

Uber on Monday disclosed more details related to the security incident that happened last week, pinning the attack on a threat actor it believes is affiliated to the notorious LAPSUS$ hacking group. As for how the attack unfolded, the ridesharing firm said an "EXT contractor" had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, corroborating an earlier report from Group-IB. The Singapore-headquartered company, the previous week, noted that at least two of Uber's employees located in Brazil and Indonesia were infected with Raccoon and Vidar information stealers.

Uber has confirmed that the recent breach of its systems started with a compromised account belonging to a contractor."It is likely that the attacker purchased the contractor's Uber corporate password on the dark web, after the contractor's personal device had been infected with malware, exposing those credentials," the company said.

Uber, four days after suffering a substantial cybersecurity breach, has admitted its attacker accessed "Several internal systems" including the corporation's G Suite account, and downloaded internal Slack messages and a tool used by its finance department to manage "Some" invoices. The investigation is still ongoing, we're told, though according to Uber it also doesn't appear the intruder accessed "The production systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history."

Uber believes the hacker behind last week's breach is affiliated with the Lapsus$ extortion group, known for breaching other high-profile tech companies such as Microsoft, Cisco, NVIDIA, Samsung, and Okta. The company added that the attacker used the stolen credentials of an Uber EXT contractor in an MFA fatigue attack where the contractor was flooded with two-factor authentication login requests until one of them was accepted.

Cisco disclosed on Wednesday that its corporate network was accessed by cyber-criminals in May after an employee's personal Google account was compromised - an act a ransomware gang named "Yanluowang" has now claimed as its work.A Cisco statement asserts the company "Did not identify any impact to [its] business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations."

Okta has completed its analysis of the March 2022 incident that saw The Lapsus$ extortion crew get a glimpse at some customer information, and concluded that its implementation of zero trust techniques foiled the attack - and that its outsourced customer service provider Sitel was largely to blame for the confusion surrounding the incident. Winterford explained that the incident started in January when an Okta analyst observed a Sitel support engineer attempting to reset a password - but did so from outside the expected network range, did not attempt to fulfil a multifactor authentication challenge, and requested the new login details be sent to a Sitel email address managed under Microsoft 365 rather than the expected Okta address managed under Google Workspaces.

Some of these passwords were common words, which are extremely susceptible to dictionary attacks. Setting up a password policy that requires lengthy and complex passwords is a good start, but there is more that companies should be doing.