searchtwitterarrow rightmail strokearrow leftmail solidfacebooklinkedinplusangle upmagazine plus
Help Net Security - Daily information security news with a focus on enterprise security.
Help Net Security - Daily information security news with a focus on enterprise security.
  • News
  • Features
  • Expert analysis
  • Videos
  • Reviews
  • Events
  • Whitepapers
  • Industry news
  • Product showcase
  • Newsletters
Zeljka Zorz
Zeljka Zorz, Editor-in-Chief, Help Net Security
September 20, 2022
Share

Uber says Lapsus$ gang is behind the recent breach

Uber has confirmed that the recent breach of its systems started with a compromised account belonging to a contractor.

“It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials,” the company said.

Who’s behind the Uber breach?

The breach happened last Thursday (September 15) and has been claimed by a hacker who claims to be 18 years old.

Uber did not explain why, but said that they believe that this attacker (or attackers) are affiliated with the Lapsus$ hacking group.

“This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others. There are also reports over the weekend that this same actor breached video game maker Rockstar Games.”

The techniques they are talking about include bombarding employees with a high volume of two-factor login approval requests and relying on “MFA fatigue” for one finally being accepted.

What was and was not accessed

When the Uber contractor finally accepted the request, the attacker logged into their account and, from there,” the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack.”

The attacker also posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites, Uber added.

The company delineated a number of actions they took to boot the intruder out and keep them out, including strenghtening MFA policies.

Uber says that they have so far found no evidence that the attacker accessed public-facing systems powering their apps, user accounts, or their databases (on-prem or in the public cloud); nor that the attacker made changes to their codebase.

“It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices,” they admitted, and added that, while the attacker had access to their dashboard at HackerOne, “any bug reports the attacker was able to access have been remediated.”

More about
  • account hijacking
  • data breach
  • hack
  • MFA
  • social engineering
  • Uber
Share this

Featured news

  • CISA releases free tool for detecting malicious activity in Microsoft cloud environments
  • Top ways attackers are targeting your endpoints
  • Why organizations shouldn’t fold to cybercriminal requests
How to protect online privacy in the age of pixel trackers

Sponsored

Webinar: Tips from MSSPs to MSSPs – starting a vCISO practice

Security in the cloud with more automation

CISOs struggle with stress and limited resources

How to scale cybersecurity for your business

Don't miss

CISA releases free tool for detecting malicious activity in Microsoft cloud environments

Top ways attackers are targeting your endpoints

Why organizations shouldn’t fold to cybercriminal requests

Fake ChatGPT for Google extension hijacks Facebook accounts

A common user mistake can lead to compromised Okta login credentials

Cybersecurity news
Help Net Security - Daily information security news with a focus on enterprise security.
© Copyright 1998-2023 by Help Net Security
Read our privacy policy | About us | Advertise
Follow us