Uber links cyber attack to LAPSUS$, says sensitive user data remains protected

Attacker likely bought employee account credentials on the dark web and then escalated privileges to access internal tools.

Uber has linked its recent cyber attack to an actor (or actors) affiliated with the notorious LAPSUS$ threat group, responsible for breaching the likes of Microsoft, Cisco, Samsung, Nvidia and Okta this year. The announcement came as the ride-hailing giant continues to investigate a network data breach that occurred on Thursday, September 15.

Attacker gained elevated permissions to tools including G-Suite and Slack

In a security update published on Monday, September 19, Uber wrote, “An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials.

“The attacker then repeatedly tried to log in to the contractor’s Uber account.” Each time, the contractor received a two-factor login approval request, which initially blocked access, it added.

“Eventually, however, the contractor accepted one, and the attacker successfully logged in.” From there, the attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to tools, including G-Suite and Slack.

“The attacker then posted a message to a company-wide Slack channel and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.”
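
As an added example (not from Uber's statement or from this article), the login pattern described above, repeated unapproved two-factor prompts followed by one approval, can be flagged in identity-provider logs. The log format, event names, user names and thresholds below are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Assumed format per line:
# <UTC timestamp> <user> <push_denied | push_timeout | push_approved>
SAMPLE_LOG = """\
2024-01-01T18:01:10Z contractor-a push_denied
2024-01-01T18:02:05Z contractor-a push_timeout
2024-01-01T18:02:40Z employee-b push_approved
2024-01-01T18:03:30Z contractor-a push_denied
2024-01-01T18:05:02Z contractor-a push_denied
2024-01-01T18:09:47Z contractor-a push_approved
2024-01-01T21:15:00Z employee-c push_denied
2024-01-01T23:40:00Z employee-c push_approved
"""

def parse_line(line):
    """Split one log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def find_push_fatigue(log_text, min_rejections=3, window=timedelta(minutes=15)):
    """Return (user, approval_time, rejection_count) for every approval that
    follows at least min_rejections unapproved pushes inside the window."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes
    alerts = []
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, user, result in events:
        pending = recent[user]
        # Forget unapproved pushes that are older than the window.
        while pending and ts - pending[0] > window:
            pending.popleft()
        if result == "push_approved":
            if len(pending) >= min_rejections:
                alerts.append((user, ts, len(pending)))
            pending.clear()
        else:
            pending.append(ts)
    return alerts

if __name__ == "__main__":
    for user, ts, count in find_push_fatigue(SAMPLE_LOG):
        print(f"ALERT {user}: approval at {ts} after {count} unapproved pushes")
```

An approval flagged this way is a candidate for session revocation and a call to the user, since the approval itself looks like a normal successful login in most dashboards.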

Uber’s response includes key rotation and re-authentication

Outlining its response, Uber said its security monitoring processes allowed its teams to quickly identify the issue. 

“Our top priorities were to make sure the attacker no longer had access to our systems, to ensure user data was secure and that Uber services were not affected, and then to investigate the scope and impact of the incident,” it wrote. According to the firm, its actions included:

  • Identify employee accounts that were compromised or potentially compromised, either blocking their access to Uber systems or requiring a password reset.
  • Disable affected or potentially affected internal tools.
  • Rotate keys (effectively resetting access) to internal services.
  • Require employees to re-authenticate and further strengthen multi-factor authentication (MFA) policies.
  • Add more monitoring of the internal environment.

Sensitive user data, accounts appear to remain protected

Uber assured users that, while the attacker accessed several of its internal systems, its investigations have (so far) not revealed unauthorised access to the production (i.e., public-facing) systems that power its apps, any user accounts, or the databases it uses to store sensitive user information such as credit card numbers, user bank account info, or trip history.

“We also encrypt credit card information and personal health data, offering a further layer of protection,” it stated.

Uber also said that it reviewed its codebase and has not found that the attacker made any changes, nor have they accessed any customer or user data stored by its cloud providers.

“It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analysing those downloads,” it wrote.

“The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated.”

Uber said it is working alongside several leading digital forensics firms as part of the investigation and is in close coordination with the FBI and US Department of Justice on this matter.

