Uber has confirmed that the recent breach of its systems started with a compromised account belonging to a contractor.
“It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials,” the company said.
Who’s behind the Uber breach?
The breach happened last Thursday (September 15) and has been claimed by a hacker who claims to be 18 years old.
Uber did not explain why, but said that they believe that this attacker (or attackers) are affiliated with the Lapsus$ hacking group.
“This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others. There are also reports over the weekend that this same actor breached video game maker Rockstar Games.”
The techniques they are talking about include bombarding employees with a high volume of two-factor login approval requests and relying on “MFA fatigue” for one finally being accepted.
What was and was not accessed
When the Uber contractor finally accepted the request, the attacker logged into their account and, from there,” the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack.”
The attacker also posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites, Uber added.
The company delineated a number of actions they took to boot the intruder out and keep them out, including strenghtening MFA policies.
Uber says that they have so far found no evidence that the attacker accessed public-facing systems powering their apps, user accounts, or their databases (on-prem or in the public cloud); nor that the attacker made changes to their codebase.
“It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices,” they admitted, and added that, while the attacker had access to their dashboard at HackerOne, “any bug reports the attacker was able to access have been remediated.”