A few days ago, news broke that Uber had been the victim of a major hack. There were even suspicions that the attackers had captured a list of vulnerabilities from Uber's bug bounty program. Uber, the ride-hailing provider, has now attributed the attack to the Lapsus$ group.
In the first reports on the Uber hack, much was still unclear. Uber now says it can describe the sequence of events and state precisely which data was stolen. Here is what happened, according to Uber: “An Uber EXT contractor's account was compromised by an attacker using malware and their credentials were stolen. It is likely that the attacker bought the contractor's Uber company password on the dark web. The attacker then tried repeatedly to log into the contractor's Uber account. Each time, the contractor received a two-factor login permission request, which initially blocked access. Eventually, however, the contractor accepted one and the attacker successfully logged in.” This technique is known as MFA bombing (also called MFA fatigue): the attacker already holds the password and simply floods the victim with push prompts until one is approved.
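The approve-after-many-denials sequence described above is exactly what a defender can look for in MFA logs. As an added example (not from the article or from Uber), this Python snippet scans constructed push-notification log lines (the field layout is an assumption) and flags accounts where a burst of rejected prompts precedes an approval within a short window:

```python
# Added example: flag the MFA-bombing pattern (many denied/ignored push prompts
# for one account, then an approval) over constructed log records.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log: "<timestamp> <user> <result>". Field layout assumed.
SAMPLE_LOG = """
2022-09-15T22:01:05Z contractor1 denied
2022-09-15T22:01:40Z contractor1 denied
2022-09-15T22:02:12Z contractor1 timeout
2022-09-15T22:03:30Z contractor1 denied
2022-09-15T22:05:10Z contractor1 approved
2022-09-15T22:02:00Z alice denied
2022-09-15T22:02:50Z alice approved
2022-09-15T09:00:00Z bob approved
""".strip()


def parse_log(text):
    """Group (timestamp, result) pairs per user, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, user, result = line.split()
        events[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result))
    for user in events:
        events[user].sort()
    return events


def find_mfa_fatigue(text, min_rejections=3, window=timedelta(minutes=10)):
    """Return {user: (rejections_before_approval, approval_time)} for accounts whose
    approval was preceded by >= min_rejections denied/timed-out prompts within window.
    A single denial followed by an approval (alice) is normal user behaviour and is
    not flagged; the threshold and window are tunable per environment."""
    hits = {}
    for user, evs in parse_log(text).items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            rejected = sum(1 for t, r in evs[:i]
                           if r in ("denied", "timeout") and ts - t <= window)
            if rejected >= min_rejections:
                hits[user] = (rejected, ts)
    return hits


if __name__ == "__main__":
    for user, (n, ts) in find_mfa_fatigue(SAMPLE_LOG).items():
        print(f"ALERT {user}: {n} rejected MFA prompts before approval at {ts:%H:%M:%S}Z")
```

An alert like this is most useful when it also triggers a forced re-authentication or a number-matching prompt, since the approval itself is the moment the account is lost.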
Once logged in, the attacker accessed several other employee accounts, which eventually gave the attacker elevated privileges to a range of tools, including G-Suite and Slack. The attacker then sent a message to a company-wide Slack channel and reconfigured Uber's OpenDNS to show employees a graphical image on some internal websites.
How did Uber react?
Uber says, “Our existing security monitoring processes enabled our teams to quickly identify and respond to the issue. Our top priority was to ensure that the attacker no longer had access to our systems; to ensure that user data is secure and Uber services are not compromised; and then to investigate the scope and impact of the incident."
Here are the key actions Uber claims it has taken:
- It identified all employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
- Many affected or potentially affected internal tools have been disabled.
- Keys for many of the internal services have been rotated (effectively resetting access).
- Codebase has been locked down to prevent new code changes.
- Reestablishing access to internal tools required employees to re-authenticate. In addition, the guidelines for multi-factor authentication (MFA) have been strengthened.
- Added additional monitoring of the internal environment to keep an even closer eye on other suspicious activity.
What was the impact?
Uber says it has everything under control: “The attacker accessed multiple internal systems and our investigation focused on determining whether there was a material impact. While the investigation is still ongoing, we have some details of our current findings to share. First of all, we did not see that the attacker accessed the production systems running our apps; any user accounts; or the databases we use to store sensitive user information, such as credit card numbers, user bank account information, or travel history. We also encrypt credit card information and personal health information, providing another layer of protection.
We checked our code base and found no changes made by the attacker. We also did not determine that the attacker accessed customer or user data stored at our cloud providers (e.g. AWS S3). It appears that the attacker downloaded some internal Slack messages and retrieved or downloaded information from an internal tool that our finance team uses to manage some invoices. We are currently analyzing these downloads.”
Were the vulnerability reports stolen?
According to Uber, this danger has been averted: “The attacker was able to access our dashboard at HackerOne, where security researchers report errors and vulnerabilities. However, all bug reports that the attacker could access have been fixed. Throughout that time, we've been able to keep all of our public-facing Uber, Uber Eats, and Uber Freight services up and running smoothly. As we shut down some internal tools, customer service operations were minimally impacted and are now back to normal.”
Uber thinks it's a Lapsus$ attack
While there is no definitive evidence yet, Uber believes the attack was a Lapsus$ attack. “We believe this attacker (or attackers) is connected to a hacking group called Lapsus$, which has become increasingly active over the past year or so. This group typically uses similar techniques to attack tech companies and has breached Microsoft, Cisco, Samsung, Nvidia, and Okta, among others, in 2022 alone. There have also been reports over the weekend that the same actor has attacked video game maker Rockstar Games. We are in close coordination with the FBI and the U.S. Department of Justice on this matter and will continue to support their efforts."
What is Uber doing now?
Uber wants to continue evaluating the forensic data and is bringing in extensive expertise to do so. In addition, Uber wants to learn from the attack and work on policies, practices and technologies to strengthen its defenses and protect against future attacks.
More at Uber.com