Credential theft
Primary Source: Dark Reading / UpGuard / InfoQ
Incident Details
18-year-old Lapsus$-affiliated attacker purchased stolen contractor VPN credentials from dark web. Bypassed Duo MFA by bombing target with push notifications for >1 hour then impersonating Uber IT support via WhatsApp to get approval. Discovered plaintext Thycotic PAM admin credentials in a PowerShell script post-VPN. Accessed G-Suite, Slack, HackerOne reports, financial invoicing tool. No customer data confirmed stolen. Attacker publicly posted in Uber’s Slack.
Technical Details
- Initial Attack Vector
- CWE-1390: Weak Authentication (MFA push notification fatigue / bombing combined with social engineering via WhatsApp)
- Vendor / Product
- Uber corporate network / Thycotic PAM
Timeline
- 2022-09-15 Breach occurred
- 2022-09-19 Publicly disclosed
- 2022-09-19 Customers notified