Several days ago, Uber suffered a breach of their internal systems, allegedly by a threat actor associated with the Lapsus$ Group.
This compromise included access to Uber’s internal systems, reportedly including Slack, email, cloud storage, and code repositories.
“They pretty much have full access to Uber. This is a total compromise, from what it looks like,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach.
According to “TeaPot”, the person claiming to be responsible for the attack, this hack was made possible by a malicious text message sent to an Uber employee, claiming to be from IT and requesting the user’s password.
That’s right, Uber, a $50 billion+ company, suffered a total system compromise because a teenager asked a user for their password and the user complied.
So, what can we learn?
First, social engineering training is a must for any organization. Employees should all be aware of social engineering tactics, and what they should do if something doesn’t seem quite right.
Second, clear company policies should discourage, if not forbid, the sharing of user passwords.
There is almost no good reason a remote IT technician should ever need an employee to provide their password. In the rare case that an employee’s password is required, a temporary password should be set up and used, without the need for the user to provide any information.
If this is not possible for whatever reason, employees should have a very clear process to follow for this scenario. A random number reaching out to you via text should not be part of that process. Ideally, a direct, trusted method of communication should be used.