Uber has linked its recent cyberattack to an actor (or actors) affiliated with the notorious LAPSUS$ threat group, responsible for breaching the likes of Microsoft, Cisco, Samsung, Nvidia and Okta this year. The announcement came as the ride-hailing giant continues to investigate a network data breach that occurred on Thursday, September 15.
Attacker gained elevated permissions to tools including G-Suite and Slack
In a security update published on Monday, September 19, Uber wrote, “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account.” Each time, the contractor received a two-factor login approval request, which initially blocked access, it added.
“Eventually, however, the contractor accepted one, and the attacker successfully logged in.” From there, the attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.
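As an added example (not part of Uber's statement or this article), the following Python snippet flags the push-approval pattern described above: repeated MFA prompts that are declined or left to expire, followed by one that is accepted. The log format, account names and thresholds are assumptions, and the log lines are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample log (not real Uber data), JSON lines with ts/user/event:
# a burst of push prompts to one account, denied or ignored, then one approved.
SAMPLE_LOG = """\
{"ts": "2022-09-15T22:01:05Z", "user": "contractor-a", "event": "push_sent"}
{"ts": "2022-09-15T22:01:40Z", "user": "contractor-a", "event": "push_denied"}
{"ts": "2022-09-15T22:02:10Z", "user": "contractor-a", "event": "push_sent"}
{"ts": "2022-09-15T22:03:11Z", "user": "contractor-a", "event": "push_expired"}
{"ts": "2022-09-15T22:03:30Z", "user": "contractor-a", "event": "push_sent"}
{"ts": "2022-09-15T22:04:31Z", "user": "contractor-a", "event": "push_expired"}
{"ts": "2022-09-15T22:05:00Z", "user": "contractor-a", "event": "push_sent"}
{"ts": "2022-09-15T22:05:20Z", "user": "contractor-a", "event": "push_approved"}
{"ts": "2022-09-15T22:06:00Z", "user": "employee-b", "event": "push_sent"}
{"ts": "2022-09-15T22:06:15Z", "user": "employee-b", "event": "push_approved"}
"""

def parse_events(text):
    """Parse JSON lines and return records sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def detect_push_fatigue(text, min_unanswered=3, window=timedelta(minutes=30)):
    """Return (user, unanswered_count, approval_time) for each approval that
    follows >= min_unanswered denied/expired pushes within the window."""
    alerts = []
    failed_by_user = {}  # user -> timestamps of recent denied/expired pushes
    for rec in parse_events(text):
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        bucket = failed_by_user.setdefault(user, [])
        bucket[:] = [t for t in bucket if ts - t <= window]  # age out old ones
        if event in ("push_denied", "push_expired"):
            bucket.append(ts)
        elif event == "push_approved":
            if len(bucket) >= min_unanswered:
                alerts.append((user, len(bucket), ts))
            bucket.clear()
    return alerts

if __name__ == "__main__":
    for user, n, when in detect_push_fatigue(SAMPLE_LOG):
        print(f"ALERT {user}: approved after {n} unanswered prompts at {when}")
```

An alert of this kind is a trigger to verify the session with the account owner and review what the approved login touched next, which is the kind of monitoring Uber says it has added.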
Uber’s response includes key rotating and re-authentication
Outlining its response, Uber said its security monitoring processes allowed its teams to quickly identify the issue. “Our top priorities were to make sure the attacker no longer had access to our systems, to ensure user data was secure and that Uber services were not affected, and then to investigate the scope and impact of the incident,” it wrote. According to the firm, its actions included:
- Identify employee accounts that were compromised or potentially compromised, either blocking their access to Uber systems or requiring a password reset.
- Disable affected or potentially affected internal tools.
- Rotate keys (effectively resetting access) to internal services.
- Require employees to re-authenticate and further strengthen multi-factor authentication (MFA) policies.
- Add more monitoring of the internal environment.
Sensitive user data, accounts appear to remain protected
Uber assured users that, while the attacker accessed several of its internal systems, its investigations have (so far) not revealed unauthorized access to the production (i.e., public-facing) systems that power its apps, any user accounts, or the databases it uses to store sensitive user information such as credit card numbers, user bank account info, or trip history. “We also encrypt credit card information and personal health data, offering a further layer of protection,” it stated.
Uber also said that it reviewed its codebase and has not found that the attacker made any changes, nor has the attacker accessed any customer or user data stored by its cloud providers. “It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analyzing those downloads,” it wrote. “The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated.”
Uber said it is working alongside several leading digital forensics firms as part of the investigation and is in close coordination with the FBI and US Department of Justice on this matter.