On Thursday, September 15th, rideshare platform Uber released a short brief claiming to be “responding to a cybersecurity incident.” However, according to the media outlets that first covered the news, we quickly realized that this was no small incident but a hack that struck the company to their core.
Across multiple updates and days of investigation, Uber announced that on September 15th, their internal system had been hacked and employee-facing software tools were taken down “as a precaution.” The attacker gained access to the system through an Uber EXT contractor by purchasing their credentials on the dark web after one of their personal device’s was infected with malware. In an MFA Fatigue attack, multiple attempts were made to log into the account, with two-factor authentication requests going to the contractor themselves each time. While most of those requests were denied and access was initially blocked, the contractor finally accepted one request, allowing the attacker to log-in and successfully gain access.
The Uber hack included access to their intranet, security software, Windows domain, many other systems, and Slack where the message notifying of the hack was originally posted. For companies of all industries, this incident stresses the importance of having a security awareness training program for employees and contractors. When dealing with the MFA Fatigue Attack tactic, it’s especially important to bring the issue up with the security team to notify them, in addition to having the individual change their password as it was likely compromised.
Originally confirmed by the New York Times, information about the Uber breach has gradually surfaced, with Uber revealing on Monday that they believed the hacker belongs to Lapsus$ and is the alleged group behind the attack. The same group also claims to have breached video game company, Rockstar Games, within just days of the attack on the popular rideshare platform, leaking 90 videos of footage of the upcoming Grand Theft Auto VI.
Lapsus$, often stylized as LAPSUS$, is an English group of hackers with a history of targeting other large companies like Microsoft, Nvidia, Okta, Samsung, and Cisco, with similar techniques as those used in the Uber breach. The group gained worldwide attention in March of this year after an attack on T-Mobile, among other brands, resulting in the arrest of seven teenagers by London police. In the Uber hack, a person who claimed to be only 18-years old going by the moniker “Tea Pot” allegedly took to the Uber Slack channels to complain about drivers being underpaid and alerted the company to the hack, something many employees initially took as a joke.
From Security Week, researcher Corben Leo reported that after obtaining the employee’s credentials, the hacker allegedly logged into the company’s VPN and scanned its intranet, where he found a network share containing PowerShell scripts. One of these scripts contained admin user credentials for a privilege access management service that the hacker claimed enabled him to obtain “secrets for all services,” including cloud and identity services.
While it’s currently unclear if personally identifiable information connected to companies and individuals have been compromised, we will see the reach of the hack in the coming weeks; however, the rideshare platform told Reuters that sensitive user data was not accessed during the breach. Uber will continue to work with “several leading digital forensics firms” to investigate the incident, in conjunction with the U.S. Federal Bureau of Investigation (FBI) and Department of Justice. For now, we are left to wait to hear more from Uber and Lapsus$ to see how it will affect both the company and the individuals whose information may have been compromised.
There is some concern that the threat actor had downloaded Uber’s vulnerability report from HackerOne, which could raise concerns for unpatched and undisclosed vulnerabilities that have not yet been fixed. At this time, HackerOne has disabled the Uber program. While the company has a bug bounty program that was also accessed, this does not mean that such programs pose a security risk or are unimportant. Instead, bug bounty programs should be encouraged because they are a great way to find often overlooked issues and greatly increase the security posture of an organization.
For now, the ridesharing company has noted that their existing security processes “allowed [their] teams to quickly identify the issue and move to respond.” Additional monitoring was quickly implemented, and many users were required to update their passwords and re-authenticate, with some having their access temporarily blocked to ensure the attacker lost their own access. Uber plans on strengthening their MFA (multi-factor authentication) policies moving forward, a task that many companies should now strongly consider visiting in the wake of Uber’s breach.