The security breach that hit Uber last week is believed by Uber to be the work of Lapsus$. The South American hacking group has attacked a number of technology giants in the past year, including Microsoft, Samsung, and Okta.
Uber said it is in close coordination with the FBI and US Justice Department on the matter.
An Uber EXT contractor had their account compromised by an attacker. The attacker most likely purchased the contractor’s Uber corporate password on the dark web after malware on the contractor’s personal device had harvested it.
The attacker then repeatedly tried to log in to the contractor’s Uber account. Each attempt sent the contractor a two-factor push approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in. This technique, known as MFA fatigue or push bombing, works against any push-based second factor that lets a user approve a login with a single tap; number matching, or phishing-resistant factors such as FIDO2 security keys, removes that one-tap approval path.
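The login pattern described above leaves a clear trail in identity-provider logs: a run of denied or timed-out push prompts for one account, then a single approval. The following detector is an added example written for this page, not Uber's code or any vendor's tooling. The key=value log format, the field names (ts, user, event, result, ip) and the sample lines are constructed for illustration; map your own IdP's MFA events onto them before use.

```python
"""Detect MFA push fatigue (push bombing) in authentication logs.

Added example; not Uber's code. The log format and field names
(ts, user, event, result, ip) are constructed, not a real IdP schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. contractor01 shows the Uber-style pattern: repeated
# prompts that are denied or ignored, then one approval. alice is a normal
# login, bob is below threshold, carol is a burst that nobody has approved.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=contractor01 event=mfa_push result=denied ip=203.0.113.7
2022-09-15T22:01:40Z user=contractor01 event=mfa_push result=timeout ip=203.0.113.7
2022-09-15T22:02:15Z user=contractor01 event=mfa_push result=denied ip=203.0.113.7
2022-09-15T22:04:50Z user=contractor01 event=mfa_push result=timeout ip=203.0.113.7
2022-09-15T22:06:31Z user=contractor01 event=mfa_push result=denied ip=203.0.113.7
2022-09-15T22:09:12Z user=contractor01 event=mfa_push result=approved ip=203.0.113.7
2022-09-15T22:09:13Z user=contractor01 event=login result=success ip=203.0.113.7
2022-09-15T22:03:00Z user=alice event=mfa_push result=approved ip=198.51.100.4
2022-09-15T22:10:00Z user=bob event=mfa_push result=denied ip=198.51.100.9
2022-09-15T22:12:30Z user=bob event=mfa_push result=denied ip=198.51.100.9
2022-09-15T23:30:00Z user=carol event=mfa_push result=denied ip=203.0.113.44
2022-09-15T23:31:00Z user=carol event=mfa_push result=timeout ip=203.0.113.44
2022-09-15T23:32:00Z user=carol event=mfa_push result=denied ip=203.0.113.44
2022-09-15T23:40:00Z user=carol event=mfa_push result=denied ip=203.0.113.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=15)  # how far back to look for unanswered pushes
THRESHOLD = 3                   # unanswered pushes that count as a burst


def parse_log(text):
    """Parse the constructed key=value lines; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        events.append(rec)
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return at most one alert per user.

    high:   an approved push was preceded by >= threshold denied/timed-out
            pushes inside `window` (the Uber pattern: the victim gave in).
    medium: a burst of >= threshold unanswered pushes with no approval yet
            (the attacker is still hammering; worth a call to the user).
    Only mfa_push events are considered; other events such as login are ignored.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)

    alerts = []
    for user, pushes in sorted(by_user.items()):
        pushes.sort(key=lambda e: e["ts"])
        peak, peak_ips, alert = 0, set(), None
        for i, p in enumerate(pushes):
            start = p["ts"] - window
            unanswered = [q for q in pushes[:i]
                          if q["ts"] >= start and q["result"] != "approved"]
            if p["result"] != "approved":
                unanswered.append(p)
            if p["result"] == "approved" and len(unanswered) >= threshold:
                alert = {
                    "user": user, "severity": "high",
                    "unanswered": len(unanswered),
                    "approved_at": p["ts"].isoformat(),
                    "ips": sorted({q["ip"] for q in unanswered} | {p["ip"]}),
                }
                break
            if len(unanswered) > peak:
                peak, peak_ips = len(unanswered), {q["ip"] for q in unanswered}
        if alert is None and peak >= threshold:
            alert = {"user": user, "severity": "medium", "unanswered": peak,
                     "approved_at": None, "ips": sorted(peak_ips)}
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(a)
```

Run against the sample, the detector raises a high-severity alert for contractor01 (five unanswered prompts before the approval) and a medium one for carol (a burst still in progress), and stays quiet for alice and bob. The medium rule is the one worth acting on in real time: a phone call to the user during the burst is cheaper than the incident that follows the approval.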
From there, the attacker accessed several other employee accounts, which ultimately gave them elevated permissions to a number of tools, including G-Suite and Slack.
The attacker then posted a message to a company-wide Slack channel, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.
What Was The Impact?
The attacker accessed several internal systems, and Uber’s investigation has focused on determining whether there was any material impact.
Uber has not seen evidence that the attacker accessed the production (i.e. public-facing) systems that power Uber apps; any user accounts; or the databases used to store sensitive user information, like credit card numbers, user bank account info, or trip history.
Credit card information and personal health data are encrypted, offering a further layer of protection for that information.
Uber reviewed its codebase and has not found that the attacker made any changes, nor that the attacker accessed any customer or user data stored by its cloud providers (e.g. AWS S3).
Uber said in their blog post, “It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analyzing those downloads.”
“The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated.”
Uber was able to keep all of its public-facing Uber, Uber Eats, and Uber Freight services operational and running smoothly. Because Uber took down some internal tools, customer support operations were minimally impacted and are now back to normal.
Who Is Responsible?
This attack appears to be affiliated with a hacking group Lapsus$, which has been increasingly active over the last year or so.
Uber says it is “likely” that the attacker obtained the contractor’s Uber corporate password by purchasing it on the dark web, after the contractor’s personal device had been infected with malware.
This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others.
There are also reports over the weekend that this same actor breached video game maker Rockstar Games.
How Did Uber Respond?
Uber’s existing security monitoring processes allowed its teams to quickly identify the issue and move to respond.
Uber stated, “Our top priorities were to make sure the attacker no longer had access to our systems; to ensure user data was secure and that Uber services were not affected; and then to investigate the scope and impact of the incident.”
Here are some of the key actions Uber took, and continue to take:
- Identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
- Disabled many affected or potentially affected internal tools.
- Rotated keys (effectively resetting access) to many internal services.
- Locked down the codebase, preventing any new code changes.
- When restoring access to internal tools, required employees to re-authenticate.
- Further strengthened multi-factor authentication (MFA) policies.
- Added additional monitoring of the internal environment to keep an even closer eye on any further suspicious activity.
Uber is working with several leading digital forensics firms as part of the investigation.
They are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts.
They are using this experience as an opportunity to strengthen their policies, practices, and technology to further protect Uber against future attacks.
Good thing Uber has strong IT systems and an incident response plan in place!
Consider us your technical ninjas, your trusted partner to maximize your information technology and long-term success. We work hard to keep personal and business information safe from current and future threats.
Our custom IT services and solutions help businesses modernize processes, accelerate efficient workflows, strengthen security, defend data, and increase profitability.
Without proper information technology operations and contingency plans in place, you could be left to deal with catastrophic consequences.
Take control over your IT before something bad happens. Schedule a FREE Technical Assessment with us today!
We’ll come onsite to assess your current technology environment to find any issues that are costing your business in order to provide you with the best technical solutions customized for you.