Lapsus$ is probably behind Uber-Hack

A few days ago, there was news that Uber was the victim of a major hack. There are even suspicions that the attackers obtained a list of vulnerabilities from a bug bounty program. Uber, the ride-hailing company, has now confirmed that the attacker is the Lapsus$ group.

In the first report on the Uber hack, much was still unclear. According to the ride-hailing provider Uber, the sequence of events can now be described, and it can be stated precisely which data was stolen. Here's what happened, according to Uber: “An Uber EXT contractor's account was compromised by an attacker using malware, and their credentials were stolen. It is likely that the attacker bought the contractor's Uber company password on the dark web. The attacker then tried repeatedly to log into the contractor's Uber account. Each time, the contractor received a two-factor login permission request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.” This is a classic case of MFA bombing (also called MFA fatigue): the attacker keeps triggering push prompts with a valid password until the user approves one.
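The repeated-prompt pattern Uber describes leaves a clear trace in push-authentication logs: a burst of prompts for one user in a short window, possibly ending in an approval. The following detection logic is an added example, not code from Uber or from this article; the log format, field names, thresholds and sample lines are constructed assumptions.

```python
"""Flag MFA push-bombing bursts in push-authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one push prompt per line: "timestamp user result source_ip".
# The format and the values are assumptions for this illustration.
SAMPLE_LOG = """\
2022-09-15T21:02:11Z contractor01 denied 203.0.113.7
2022-09-15T21:03:40Z contractor01 timeout 203.0.113.7
2022-09-15T21:05:02Z contractor01 denied 203.0.113.7
2022-09-15T21:06:55Z contractor01 denied 203.0.113.7
2022-09-15T21:08:30Z contractor01 approved 203.0.113.7
2022-09-15T21:10:00Z alice approved 198.51.100.5
2022-09-15T22:30:00Z bob denied 198.51.100.9
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, user, result, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def find_push_bombing(events, min_prompts=3, window=timedelta(minutes=15)):
    """Return one finding per user who received at least min_prompts push prompts
    inside any sliding window of the given length. 'approved' marks the
    high-priority case: a prompt in the burst was accepted, as in Uber's account."""
    by_user = defaultdict(list)
    for ev in sorted(events):  # chronological order, then by user
        by_user[ev[1]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        recent = []  # prompts for this user inside the current window
        for ts, _, result, ip in evs:
            recent.append((ts, result, ip))
            recent = [r for r in recent if ts - r[0] <= window]
            if len(recent) >= min_prompts:
                f = findings.setdefault(
                    user, {"user": user, "prompts": 0, "approved": False, "sources": set()}
                )
                f["prompts"] = max(f["prompts"], len(recent))
                f["approved"] = f["approved"] or any(r[1] == "approved" for r in recent)
                f["sources"].update(r[2] for r in recent)
    return list(findings.values())
```

A single source IP across the whole burst, as in the sample, is a second signal worth correlating: the prompts all originate from the attacker's login attempts, not from the user's own devices.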

Once logged in, the attacker accessed several other employee accounts, which eventually gave the attacker elevated privileges to a range of tools, including G-Suite and Slack. The attacker then sent a message to a company-wide Slack channel and reconfigured Uber's OpenDNS to show employees a graphical image on some internal websites.

How did Uber react?

Uber says, “Our existing security monitoring processes enabled our teams to quickly identify and respond to the issue. Our top priority was to ensure that the attacker no longer had access to our systems; to ensure that user data is secure and Uber services are not compromised; and then to investigate the scope and impact of the incident."

Here are the key actions Uber claims it has taken:

  • It identified all employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
  • Many affected or potentially affected internal tools were disabled.
  • Keys for many internal services were rotated, effectively resetting access.
  • The codebase was locked down to prevent new code changes.
  • Employees had to re-authenticate to regain access to internal tools. In addition, the multi-factor authentication (MFA) policies were strengthened.
  • Additional monitoring of the internal environment was added to keep an even closer eye on further suspicious activity.

What was the impact?

Uber says it has everything under control: “The attacker accessed multiple internal systems, and our investigation focused on determining whether there was a material impact. While the investigation is still ongoing, we have some details of our current findings to share. First of all, we did not see that the attacker accessed the production systems running our apps, any user accounts, or the databases we use to store sensitive user information, such as credit card numbers, user bank account information, or travel history. We also encrypt credit card information and personal health information, providing another layer of protection.

We checked our code base and found no changes made by the attacker. We also did not determine that the attacker accessed customer or user data stored at our cloud providers (e.g. AWS S3). It appears that the attacker downloaded some internal Slack messages and retrieved or downloaded information from an internal tool that our finance team uses to manage some invoices. We are currently analyzing these downloads.”

Were the vulnerability reports stolen?

According to Uber, this risk has been averted: “The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, all bug reports that the attacker could access have been fixed. Throughout that time, we've been able to keep all of our public-facing Uber, Uber Eats, and Uber Freight services up and running smoothly. As we shut down some internal tools, customer service operations were minimally impacted and are now back to normal.”

Uber thinks it's a Lapsus$ attack

While there is no definitive evidence yet, Uber believes the attack was carried out by Lapsus$. “We believe this attacker (or attackers) is connected to a hacking group called Lapsus$, which has become increasingly active over the past year or so. This group typically uses similar techniques to attack tech companies and has breached Microsoft, Cisco, Samsung, Nvidia, and Okta, among others, in 2022 alone. There have also been reports over the weekend that the same actor has attacked video game maker Rockstar Games. We are in close coordination with the FBI and the U.S. Department of Justice on this matter and will continue to support their efforts.”

What is Uber doing now?

Uber wants to continue evaluating the forensic data and is drawing on extensive expertise to do so. In addition, Uber wants to learn from the attack and work on policies, practices and technologies to strengthen its defenses and protect against future attacks.

More at Uber.com
