What We Know
In the third quarter of 2022, information indicating potential data breaches at both Uber and Rockstar began circulating. The hacker initially targeted Uber, and then claimed fame and notoriety for the Rockstar leaks of the much-anticipated ‘GTA VI’. The adversary has since been arrested and is being held in a youth detention center.
Within this paper we explore what happened, how it happened (including the vectors of entry), the risks, and the methods of mitigation.
On the 15th of September 2022, the attacker responsible for the Rockstar hack, “teapotuberhacker”, compromised an Uber external contractor's account, allowing the adversary to access internal servers over the company's VPN. A statement issued by Uber said the contractor's password had been obtained after a personal device became infected with malware, and was then sold on the dark web.
The vector used to gain an initial foothold on the system goes by the name 'Multi-Factor Authentication Fatigue': the adversary repeatedly spammed the contractor's device with two-factor approval requests in the hope that one would eventually be accepted. Eventually the contractor approved one of the requests, giving the hacker a foothold. Once in, the attacker claims to have located a network share storing PowerShell scripts which contained credentials for a system administrator.
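As an added illustration, not part of the original paper, the following Python detection logic flags the MFA fatigue pattern described above in a push-notification audit log: a burst of denied or unanswered prompts for one user within a short window, and an approval that follows such a burst. The log lines and their field names are constructed assumptions, not Uber's logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push audit log (not Uber's data); the field names
# are an assumption modelled on a generic push-notification audit trail.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=contractor01 event=mfa_push result=timeout
2022-09-15T22:01:40Z user=contractor01 event=mfa_push result=denied
2022-09-15T22:02:15Z user=contractor01 event=mfa_push result=timeout
2022-09-15T22:02:50Z user=contractor01 event=mfa_push result=denied
2022-09-15T22:03:30Z user=contractor01 event=mfa_push result=timeout
2022-09-15T22:04:05Z user=contractor01 event=mfa_push result=approved
2022-09-15T22:04:10Z user=engineer07 event=mfa_push result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\w+)$")

def parse(lines):
    """Yield (timestamp, user, result) for each well-formed mfa_push line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["user"], m["result"]

def detect_mfa_fatigue(lines, window=timedelta(minutes=10), threshold=3):
    """Return alerts for (a) a burst of non-approved pushes reaching the
    threshold within the window and (b) an approval that follows such a burst,
    which is the moment an MFA fatigue attack succeeds."""
    recent = defaultdict(deque)  # user -> timestamps of denied/timed-out pushes
    alerts = []
    for ts, user, result in parse(lines):
        q = recent[user]
        while q and ts - q[0] > window:  # drop pushes older than the window
            q.popleft()
        if result == "approved":
            if len(q) >= threshold:
                alerts.append({"kind": "approval_after_burst", "user": user,
                               "at": ts.isoformat(), "prior_rejections": len(q)})
            q.clear()  # an approval ends the current burst
        else:
            q.append(ts)
            if len(q) == threshold:  # fire once, when the burst first qualifies
                alerts.append({"kind": "push_burst", "user": user,
                               "at": ts.isoformat(), "prior_rejections": len(q)})
    return alerts
```

An "approval_after_burst" alert is the one worth paging on; the "push_burst" alert on its own is the early warning that a user is being targeted.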
The attacker then accessed several other employee accounts with elevated permissions, gaining access to tools such as Google Workspace, Slack, Uber’s AWS and OneLogin, amongst others. The adversary posted messages on a company-wide Slack channel and reconfigured Uber's OpenDNS to display a graphic image to employees on internal infrastructure.
Uber claims the adversary did not gain access to production systems; however, the attacker posted images of Uber's SentinelOne EDR console, Uber Eats and Uber itself. Uber's statement also clarified that the hacker's actions did not result in the extraction of personal customer information, nor did they alter any program codebases. Whilst personal information was not disclosed, the adversary did post several screenshots of SentinelOne and financial dashboards.
Additionally, the hacker managed to access Uber’s HackerOne account, which the company uses to coordinate responsible disclosure with bug bounty hunters. Since the hack, Uber has confirmed that the vulnerabilities exploited in the database have since been remediated.
As with Rockstar, the implementation of physical security keys could have prevented the adversary from gaining access to important systems.
So, what do we know about the recent attack against Rockstar? The attack was discovered on the 19th of September 2022, when a user by the name of “teapotuberhacker” posted ninety (90) clips of GTA VI development footage on the fan site GTAForums. The user went on to state “It’s possible I could leak more data soon”.
The leak was confirmed by Rockstar in a statement via Twitter, which raises the question of how the user achieved such an attack against a multi-billion dollar company.
A network intrusion allowed the adversary to breach Rockstar Games' Slack server and Confluence wiki; once inside, the user was able to download and extract debugging footage from early game development. The individual behind these attacks is allegedly connected to the infamous group “Lapsus$”, widely known for other high-profile digital intrusions at large companies such as Microsoft, Cisco and Nvidia.
How the adversary gained privileged access to Rockstar's internal systems remains unclear; however, it is claimed that the attacker obtained employee login credentials, presumably via phishing and other social engineering techniques. Social engineering, deemed to have been a heavy contributor, relies on manipulation and deception and underlines the idea that humans remain the weakest link in cyber-security.
So, what could have been done to prevent this? An example can be seen at Cloudflare, who have mitigated many social engineering tactics by using hardware-based security keys. This method is extremely effective against social engineering attempts, particularly in comparison to multi-factor authentication methods such as text messages and one-time passwords.
Another example demonstrating the effectiveness of hardware-based security keys is an observation made at Google in 2018, where 85,000 employees had been targeted in a phishing attack but no data breaches resulted, the company having mandated the use of physical security keys the year before.
Avoid hard-coding credentials within code. Hard-coded passwords and secrets provide hackers with a trivial entry point. Incorporating secret management mechanisms such as PAM (privileged access management) solutions and password management tools can be an effective remedy.
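As an added example, not code from the paper or from Uber, this Python scanner looks for the kind of hard-coded credentials that the PowerShell scripts on the network share reportedly contained. The sample script and the rule patterns are assumptions constructed for illustration, and every reported line is redacted so the scan output does not itself become a credential leak.

```python
import re

# Constructed sample script (not Uber's): three kinds of hard-coded secret a
# scanner should flag, and two safe lines it should leave alone.
SAMPLE_PS1 = r'''
$server = "fileserver01"
$adminUser = "CORP\svc_admin"
$adminPass = "Winter2022!"
$secure = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($adminUser, $secure)
net use \\$server\share /user:CORP\svc_admin Winter2022!
$cred2 = Get-Credential   # prompts interactively: nothing stored in the script
$token = $env:API_TOKEN   # read from the environment at run time: fine
'''

# Each rule is (name, regex); the named group "secret" is the literal to redact.
# The patterns are assumptions covering common PowerShell idioms, not a full list.
RULES = [
    ("plaintext-securestring", re.compile(
        r"ConvertTo-SecureString\s+(?P<secret>[\"'][^\"']+[\"'])\s+-AsPlainText", re.I)),
    ("assigned-secret-literal", re.compile(
        r"\$\w*(?:pass(?:word)?|pwd|secret|token|key)\w*\s*=\s*(?P<secret>[\"'][^\"']+[\"'])", re.I)),
    ("net-use-password", re.compile(
        r"\bnet\s+use\b.*?/user:\S+\s+(?P<secret>\S+)", re.I)),
]

def scan_powershell(text):
    """Return (line_no, rule_name, redacted_line) for each line matching a rule.
    The matched secret is replaced before reporting so that the scan report
    can be shared without itself becoming a credential leak."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                redacted = line[:m.start("secret")] + "<REDACTED>" + line[m.end("secret"):]
                findings.append((no, name, redacted.strip()))
                break  # report each line once, under the first matching rule
    return findings
```

Running the same rules over a network share as part of a scheduled job, or as a pre-commit hook, turns the "trivial entry point" above into something that is caught before an intruder finds it.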
Use FIDO2 passkeys and hardware tokens as a second authentication factor to secure critical internal accounts. FIDO2 enables users to authenticate to online services, password-free, across both mobile and desktop platforms; YubiKey is one example of such a token. The standard is based on cryptographic key pairs which are generated and stored on the user's device, of which only the public half is shared with the server the user authenticates to.
Encourage employees to participate in cyber-security classes designed to raise awareness of social engineering tactics and to provide instruction on how to respond appropriately to real-life situations. Within any company it is ESSENTIAL to have a clear, concise Security Education, Training and Awareness (SETA) programme. This greatly helps employees identify potential malicious actors.
Whilst not much information has been released by Rockstar Games, social engineering was prominent in the malicious actor's vector of entry. Likewise with Uber, a clear, concise Security Education, Training and Awareness programme can help employees identify social engineering attacks.
A Fallback Communication Channel
In a security emergency, having a line of communication which can be relied upon also helps keep the business operating efficiently. In the case of an intrusion, employees can continue to work whilst the IT department works to prevent further damage to systems.