Lapsus$ is probably behind Uber-Hack

Lapsus$ is probably behind Uber-Hack

Share post

A few days ago, there was news that Uber was the victim of a major hack. There are even suspicions that the attackers have captured a vulnerability list from a bug bounty program. Uber, the travel service provider, has now confirmed that the attacker is the Lapsus$ group.

In the first Report on the Uber hack, much was still unclear. According to the driving service provider Uber, the processes can now be described and precisely defined which data was stolen. Here's what happened, according to Uber: “An Uber EXT contractor's account was compromised by an attacker using malware and their credentials were stolen. It is likely that the attacker bought the contractor's Uber company password on the dark web. The attacker then tried repeatedly to log into the contractor's Uber account. Each time, the contractor received a two-factor login permission request, which initially blocked access. Eventually, however, the contractor accepted one and the attacker successfully logged in." This is called classic MFA bombing.

Once logged in, the attacker accessed several other employee accounts, which eventually gave the attacker elevated privileges to a range of tools, including G-Suite and Slack. The attacker then sent a message to a company-wide Slack channel and reconfigured Uber's OpenDNS to show employees a graphical image on some internal websites.

How did Uber react?

Uber says, “Our existing security monitoring processes enabled our teams to quickly identify and respond to the issue. Our top priority was to ensure that the attacker no longer had access to our systems; to ensure that user data is secure and Uber services are not compromised; and then to investigate the scope and impact of the incident."

Here are the key actions Uber claims it has taken:

  • It identified all employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
  • Many affected or potentially affected internal tools have been disabled.
  • Keys for many of the internal services have been rotated (effectively resetting access).
  • Codebase has been locked down to prevent new code changes.
  • Reestablishing access to internal tools required employees to re-authenticate. In addition, the guidelines for multi-factor authentication (MFA) have been strengthened.
  • Added additional monitoring of the internal environment to keep an even closer eye on other suspicious activity.

What was the impact?

Uber says it has everything under control: “The attacker accessed multiple internal systems and our investigation focused on determining whether there was a material impact. While the investigation is still ongoing, we have some details of our current findings to share. First of all, we did not see that the attacker accessed the production systems running our apps. All user accounts; or the databases we use to store sensitive user information, such as credit card numbers, user bank account information, or travel history. We also encrypt credit card information and personal health information, providing another layer of protection.

We checked our code base and found no changes made by the attacker. We also did not determine that the attacker accessed customer or user data stored at our cloud providers (e.g. AWS S3). It appears that the attacker downloaded some internal Slack messages and retrieved or downloaded information from an internal tool that our finance team uses to manage some invoices. We are currently analyzing these downloads.”

Were the vulnerability reports stolen?

According to Uber, this danger should be banned “The attacker was able to access our dashboard at HackerOne, where security researchers report errors and vulnerabilities. However, all bug reports that the attacker could access have been fixed. Throughout that time, we've been able to keep all of our public-facing Uber, Uber Eats, and Uber Freight services up and running smoothly. As we shut down some internal tools, customer service operations were minimally impacted and are now back to normal.”

Uber thinks it's a Lapsus$ attack

While there is no definitive evidence yet, Uber believes the attack was a Lapsus$ attack. “We believe this attacker (or attackers) is connected to a hacking group called Lapsus$, which has become increasingly active over the past year or so. This group typically uses similar techniques to attack tech companies and has breached Microsoft, Cisco, Samsung, Nvidia, and Okta, among others, in 2022 alone. There have also been reports over the weekend that the same actor has attacked video game maker Rockstar Games. We are in close coordination with the FBI and the U.S. Department of Justice on this matter and will continue to support their efforts."

What is Uber doing now?

Uber wants to continue evaluating the forensic data and uses a lot of expertise to do so. In addition, Uber wants to learn from the attack and work on policies, practices and technologies to strengthen defenses and protect against future attacks.

More at


Matching articles on the topic

Cybersecurity platform with protection for 5G environments

Cybersecurity specialist Trend Micro unveils its platform-based approach to protecting organizations' ever-expanding attack surface, including securing ➡ Read more

Data manipulation, the underestimated danger

Every year, World Backup Day on March 31st serves as a reminder of the importance of up-to-date and easily accessible backups ➡ Read more

Printers as a security risk

Corporate printer fleets are increasingly becoming a blind spot and pose enormous problems for their efficiency and security. ➡ Read more

The AI ​​Act and its consequences for data protection

With the AI ​​Act, the first law for AI has been approved and gives manufacturers of AI applications between six months and ➡ Read more

Windows operating systems: Almost two million computers at risk

There are no longer any updates for the Windows 7 and 8 operating systems. This means open security gaps and therefore worthwhile and ➡ Read more

AI on Enterprise Storage fights ransomware in real time

NetApp is one of the first to integrate artificial intelligence (AI) and machine learning (ML) directly into primary storage to combat ransomware ➡ Read more

DSPM product suite for Zero Trust Data Security

Data Security Posture Management – ​​DSPM for short – is crucial for companies to ensure cyber resilience against the multitude ➡ Read more

Data encryption: More security on cloud platforms

Online platforms are often the target of cyberattacks, such as Trello recently. 5 tips ensure more effective data encryption in the cloud ➡ Read more