Uber links breach to Lapsus$ group, blames contractor for hack

By Sergiu Gatlan
September 19, 2022 02:26 PM

Uber believes the hacker behind last week's breach is affiliated with the Lapsus$ extortion group, known for breaching other high-profile tech companies such as Microsoft, Cisco, NVIDIA, Samsung, and Okta.

The company added that the attacker used the stolen credentials of an Uber EXT contractor account in an MFA fatigue attack: after logging in with the password, the attacker repeatedly triggered two-factor authentication (2FA) push prompts to the contractor's device until one of them was approved.


This social engineering tactic has become increasingly common and has been used in recent attacks against well-known companies worldwide, including Twitter, Robinhood, MailChimp, and Okta.

"From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack," Uber explained in an update to the original statement.


"The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber's OpenDNS to display a graphic image to employees on some internal sites."

The company added that it found no evidence that the threat actor could access production systems that store sensitive user information, including personal and financial data (e.g., credit card numbers, user bank account info, personal health data, or trip history).

At the moment, the company is investigating the incident with help from the FBI and the US Department of Justice.

"We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts," Uber added.

Uber says it took some measures to prevent future breaches using such tactics, including:

We identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
We disabled many affected or potentially affected internal tools.
We rotated keys (effectively resetting access) to many of our internal services.
We locked down our codebase, preventing any new code changes.
When restoring access to internal tools, we required employees to re-authenticate. We are also further strengthening our multi-factor authentication (MFA) policies.
We added additional monitoring of our internal environment to keep an even closer eye on any further suspicious activity.
Throughout, we were able to keep all of our public-facing Uber, Uber Eats, and Uber Freight services operational and running smoothly. Because we took down some internal tools, customer support operations were minimally impacted and are now back to normal. — Uber

Access to vulnerability reports confirmed
Uber added that it has so far found no evidence that the attacker accessed its codebase or injected any malicious code into it.


"First and foremost, we've not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection," Uber said.


"We reviewed our codebase and have not found that the attacker made any changes. We also have not found that the attacker accessed any customer or user data stored by our cloud providers (e.g. AWS S3)."

Unfortunately, the intrusion resulted in some confidential information being accessed, including some of Uber's invoices from an internal tool used by the company's finance team and HackerOne vulnerability reports (as BleepingComputer reported on Friday).

"However, any bug reports the attacker was able to access have been remediated," the company said. HackerOne has since disabled the Uber bug bounty program, cutting off the attacker's access to the vulnerability reports.

BleepingComputer was also told by a source that the threat actor was able to exfiltrate all vulnerability reports before losing access to Uber's bug bounty program, including reports that were waiting for a fix, presenting a severe security risk to the company.

It would not be surprising if the threat actor has already put these vulnerability reports up for sale, or if other threat actors use them in future attacks against any of the reported bugs that have not yet been (fully) patched.

The attacker (known as 'teapots2022') also claimed the breach of video game studio Rockstar Games (under the 'teapotuberhacker' moniker) over the weekend after leaking in-game videos and screenshots of source code from both Grand Theft Auto V and Grand Theft Auto VI as proof.