Uber Hack – A Deeper Dive

Table of Contents

Table of Contents


This is the third installment in a series that delves into hacks spotlighted in CSA’s renowned paper on the Top Threats to Cloud Computing. Focusing on the threat actors behind the UBER hack, this article aims to provide a user-friendly guide complemented by illustrative details. Furthermore, we will provide detection guidelines.

What happened?

LAPSUS$, alternatively recognized as DEV-0537, represents a threat actor group that has remained active over recent years. They have directed their efforts towards big technology companies including Microsoft, Uber, Nvidia, and Samsung.

Within this article, we will delve into the documented hacks orchestrated by LAPSUS$ targeting Microsoft 365 and Microsoft Azure cloud platforms. Furthermore, we will examine the detection strategies derived from these incidents.

Understanding the Uber hack

The threat actor is notorious for purchasing credentials from disgruntled insiders (1). These credentials are then utilized by the threat actor to infiltrate the corporate network (2), moving laterally internally within the corporate network, and ultimately identify the global administrator account (3) necessary for complete access to the corporation’s cloud resources.

The accompanying screenshot depicts a text found in a Telegram channel where the threat actor actively solicits credentials from potential insiders.

In the past, attackers were known to move laterally from one machine to another within the on-premise network. However, it has become increasingly common for attackers to pivot laterally from the on-premise environment to the organization’s cloud.

These attackers were observed using NordVPN (4) to obfuscate their originating IP addresses.

Once inside the Azure portal, the attackers were observed creating a new global administrator account (5) —a super administrator equivalent in Azure—as a backup, along with a virtual machine (6) to serve as a tooling server to advance their attack.

To hinder the organization’s recovery efforts, the attackers established an organization-wide email transport rule to redirect (7) all emails to another email account under the attackers’ control. They also removed all other global administrator accounts (8) to impede the organization’s recovery from the attack.

Mapping Uber hack techniques: A focus on MITRE’s TTPs

We can map the cloud-related attacks to the following Tactics, Techniques, and Procedures (TTPs) in MITRE.

Detection strategies: Identifying and mitigating threats

There are multiple opportunities to notice if something is wrong. Let’s go through the steps in the timeline and find out how we can catch these problems.

In the fourth stage of the attack, we can find signs of suspicious logins into Azure AD by checking the Azure AD or Audit management log for logins coming from:

  • Unusual country, when the user logs in from a country unusual for the account.
  • Impossible travel, when the user hops from one country to another within an impossible period.
  • Login from a known VPN (i.e. – NordVPN) 

In the next stage of the attack, the attacker created a new global administrator account (5) and VM (6). We can detect these actions by monitoring the Audit Log or User Activity Log for such privileged activities.

In the final phase of the attack, the attacker created an organization-wide email transport rule (7) and removed the global administrator accounts (8). We can also detect these actions by monitoring the Audit Management Log for such privileged activities.

Below is a summary table outlining the threats demonstrated by the threat actor on the cloud and corresponding detection strategies:

ThreatsDetection strategiesStage in illustration
Threat actor logins with stolen accountLogin from known VPNLogin from one country to another within short span of timeLogin from an unusual country4
Creation for VMVM creation from an unusual accountVM creation in an uncommon zone5
Creation of a global administrator accountSuspicious account creationAssignation of privileged role6
Forwarding all emails to an external email addressSuspicious creation of email transport rule7
Removal of administrator accountsSuspicious account removal8

Staying ahead of cyber threats

Innovative solutions by InsiderSecurity

Looking for ways to stay ahead of any cyber threats? InsiderSecurity provides advanced cybersecurity behavior analytics products that help your company uncover cyber threats before there is any serious data loss. We offer a range of solutions, including Automated UEBA for securing on-premise and cloud IT infrastructure, as well as the CSX for ensuring cloud data security.

CSX is designed to detect sophisticated attacks described in this article, making it an essential subscription for any organization serious about its cybersecurity posture. Beyond detecting threats, CSX offers recommendations and a user-friendly avenue for executing remedial actions and implementing mitigation strategies.

CSX provides an easy way to perform mitigation and remediation

APT29 in the cloud: A deeper dive

Dive into our detailed exploration of APT29’s cloud-based attacks. Discover how this sophisticated cyber threat operates and learn practical detection strategies to protect your organization’s cloud infrastructure.

Read More »