Intro
This is the third installment in a series that delves into hacks spotlighted in CSA’s renowned paper on the Top Threats to Cloud Computing. Focusing on the threat actors behind the Uber hack, this article aims to provide a user-friendly guide complemented by illustrative details. Furthermore, we will provide detection guidelines.
What happened?
LAPSUS$, alternatively recognized as DEV-0537, represents a threat actor group that has remained active over recent years. They have directed their efforts towards big technology companies including Microsoft, Uber, Nvidia, and Samsung.
Within this article, we will delve into the documented hacks orchestrated by LAPSUS$ targeting Microsoft 365 and Microsoft Azure cloud platforms. Furthermore, we will examine the detection strategies derived from these incidents.
Understanding the Uber hack
The threat actor is notorious for purchasing credentials from disgruntled insiders (1). These credentials are then used to infiltrate the corporate network (2), move laterally within it, and ultimately identify the global administrator account (3) needed for complete access to the corporation’s cloud resources.
The accompanying screenshot depicts a text found in a Telegram channel where the threat actor actively solicits credentials from potential insiders.
In the past, attackers were known to move laterally from one machine to another within the on-premise network. However, it has become increasingly common for attackers to pivot laterally from the on-premise environment to the organization’s cloud.
These attackers were observed using NordVPN (4) to obfuscate their originating IP addresses.
Once inside the Azure portal, the attackers were observed creating a new global administrator account (5), a super administrator equivalent in Azure, as a backup, along with a virtual machine (6) to serve as a tooling server to advance their attack.
To hinder the organization’s recovery efforts, the attackers established an organization-wide email transport rule to redirect (7) all emails to another email account under the attackers’ control. They also removed all other global administrator accounts (8) to impede the organization’s recovery from the attack.
Mapping Uber hack techniques: A focus on MITRE’s TTPs
We can map the cloud-related attacks to the following Tactics, Techniques, and Procedures (TTPs) in MITRE.
Detection strategies: Identifying and mitigating threats
There are multiple opportunities to notice if something is wrong. Let’s go through the steps in the timeline and find out how we can catch these problems.
In the fourth stage of the attack, we can find signs of suspicious logins into Azure AD by checking the Azure AD sign-in log or the audit management log for logins coming from:
- Unusual country, when the user logs in from a country unusual for the account.
- Impossible travel, when the user hops from one country to another within an impossible period.
- Login from a known VPN provider (e.g., NordVPN).
In the next stage of the attack, the attacker created a new global administrator account (5) and VM (6). We can detect these actions by monitoring the Audit Log or User Activity Log for such privileged activities.
In the final phase of the attack, the attacker created an organization-wide email transport rule (7) and removed the global administrator accounts (8). We can also detect these actions by monitoring the Audit Management Log for such privileged activities.
Below is a summary table outlining the threats demonstrated by the threat actor on the cloud and corresponding detection strategies:
Threats | Detection strategies | Stage in illustration |
Threat actor logins with stolen account | Login from a known VPN; login from one country to another within a short span of time; login from an unusual country | 4 |
Creation of VM | VM creation from an unusual account; VM creation in an uncommon zone | 5 |
Creation of a global administrator account | Suspicious account creation; assignment of a privileged role | 6 |
Forwarding all emails to an external email address | Suspicious creation of an email transport rule | 7 |
Removal of administrator accounts | Suspicious account removal | 8 |
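The following is an added example (not part of the original article or any InsiderSecurity product) showing how the detection strategies above could be applied to sign-in and audit events. The log records and field names are constructed simplifications of Azure AD sign-in and audit entries, the VPN address range is a placeholder, and the per-account country baseline is assumed rather than learned from history.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (not real Uber or Azure logs); field names are a
# simplification of Azure AD sign-in and audit log entries, assumed for this example.
SIGNINS = [
    {"user": "admin@example.com", "ip": "198.51.100.7", "country": "SG", "time": "2023-01-10T08:00:00"},
    {"user": "admin@example.com", "ip": "203.0.113.45", "country": "US", "time": "2023-01-10T08:40:00"},
]
AUDIT = [
    {"actor": "admin@example.com", "activity": "Add member to role", "target": "Global Administrator"},
    {"actor": "admin@example.com", "activity": "Microsoft.Compute/virtualMachines/write", "target": "tool-vm"},
    {"actor": "admin@example.com", "activity": "New-TransportRule", "target": "RedirectAllMail"},
    {"actor": "admin@example.com", "activity": "Remove member from role", "target": "Global Administrator"},
    {"actor": "admin@example.com", "activity": "Update user", "target": "bob@example.com"},
]
# Placeholder range standing in for a commercial VPN provider's egress addresses.
KNOWN_VPN_RANGES = [ip_network("203.0.113.0/24")]
# Countries each account is normally seen from (assumed here; would be learned from history).
BASELINE_COUNTRIES = {"admin@example.com": {"SG"}}
# Activities matching stages 5-8: role grants/removals, VM creation, mail redirection.
PRIVILEGED_ACTIVITIES = {"Add member to role", "Remove member from role",
                         "Microsoft.Compute/virtualMachines/write", "New-TransportRule"}

def detect_signins(events, baseline=BASELINE_COUNTRIES, vpn_ranges=KNOWN_VPN_RANGES,
                   travel_window=timedelta(hours=2)):
    """Flag unusual-country, known-VPN and impossible-travel sign-ins (stage 4)."""
    alerts, last_seen = [], {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        user, country, when = e["user"], e["country"], datetime.fromisoformat(e["time"])
        if country not in baseline.get(user, set()):
            alerts.append(("unusual_country", user, country))
        if any(ip_address(e["ip"]) in net for net in vpn_ranges):
            alerts.append(("known_vpn", user, e["ip"]))
        if user in last_seen:
            prev_when, prev_country = last_seen[user]
            # Two different countries inside the window: impossible travel for a human user.
            if prev_country != country and when - prev_when <= travel_window:
                alerts.append(("impossible_travel", user, f"{prev_country}->{country}"))
        last_seen[user] = (when, country)
    return alerts

def detect_privileged_actions(events, watchlist=PRIVILEGED_ACTIVITIES):
    """Flag audit events for the privileged actions seen in stages 5-8."""
    return [(e["activity"], e["actor"], e["target"]) for e in events if e["activity"] in watchlist]

if __name__ == "__main__":
    for alert in detect_signins(SIGNINS) + detect_privileged_actions(AUDIT):
        print(alert)
```

In a real deployment the baseline, VPN ranges and travel window would come from historical data and threat intelligence feeds rather than hard-coded values.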
Staying ahead of cyber threats
Innovative solutions by InsiderSecurity
Looking for ways to stay ahead of any cyber threats? InsiderSecurity provides advanced cybersecurity behavior analytics products that help your company uncover cyber threats before there is any serious data loss. We offer a range of solutions, including Automated UEBA for securing on-premise and cloud IT infrastructure, as well as the CSX for ensuring cloud data security.
CSX is designed to detect sophisticated attacks described in this article, making it an essential subscription for any organization serious about its cybersecurity posture. Beyond detecting threats, CSX offers recommendations and a user-friendly avenue for executing remedial actions and implementing mitigation strategies.