The security breach that hit Uber last week was the work of Lapsus$.Uber said it is in close coordination with the FBI and US Justice Department on the matter.
An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials.
The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.
From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack.
The attacker then posted a message to a company-wide Slack channel, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.
What Was The Impact?
The attacker accessed several internal systems, and their investigation has focused on determining whether there was any material impact.
The attacker accessed the production (i.e. public-facing) systems that power Uber apps; any user accounts; or the databases used to store sensitive user information, like credit card numbers, user bank account info, or trip history.
Credit card information and personal health data, were encrypted offering a further layer that kept that information protected.
Uber reviewed their codebase and have not found that the attacker made any changes or accessed any customer or user data stored by their cloud providers (e.g. AWS S3).
Uber said in their blog post, “It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analyzing those downloads.”
“The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated.”
They were able to keep all of their public-facing Uber, Uber Eats, and Uber Freight services operational and running smoothly. Uber took down some internal tools, customer support operations were minimally impacted and are now back to normal.
Who Is Responsible?
This attack appears to be affiliated with a hacking group Lapsus$, which has been increasingly active over the last year or so.
It’s “likely” that the Lapsus$ hacker obtained the contractor’s Uber corporate password by purchasing it on the dark web, after the contractor’s personal device had been infected with malware.
This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others.
There are also reports over the weekend that this same actor breached video game maker Rockstar Games.
How Did Uber Respond?
Their existing security monitoring processes allowed their teams to quickly identify the issue and move to respond.
Uber stated, “Our top priorities were to make sure the attacker no longer had access to our systems; to ensure user data was secure and that Uber services were not affected; and then to investigate the scope and impact of the incident.”
Here are some of the key actions Uber took, and continue to take:
- They identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
- Disabled many affected or potentially affected internal tools.
- Rotated keys (effectively resetting access) to many internal services.
- Locked down our codebase, preventing any new code changes.
- When restoring access to internal tools, Uber required employees to re-authenticate.
- Further strengthening their multi-factor authentication (MFA) policies.
- We added additional monitoring of our internal environment to keep an even closer eye on any further suspicious activity.
Uber is working with several leading digital forensics firms as part of the investigation.
They are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts.
They are using this experience as an opportunity to strengthen their policies, practices, and technology to further protect Uber against future attacks.
Good thing Uber has strong IT systems and an incident response plan in place!
Maintaining an updated cyber security incident response plan within your company is the first step toward dealing with a cyber attack.
Being prepared is crucial in order to successfully respond to a potential cyber incident, and the way to do that is having a documented cyber security incident response plan.
Your business needs access to the proper resources and support in order to create a successful cyber security incident response plan.