EXECUTIVE SUMMARY:

Last week, Uber Technologies Inc. experienced a high-impact cyber attack. “They pretty much have full access to Uber,” said Sam Curry, a security engineer who managed to correspond with the party responsible for the attack.

The group behind the breach is affiliated with the Lapsus$ extortion group, which recently compromised systems belonging to Okta, a leading identity management service, along with those of four other high-profile technology brands.

How it happened

According to Uber representatives, the attacker weaponized an Uber contractor’s credentials. The credentials were stolen, after which point attackers delivered an ‘MFA fatigue attack’ to the contractor’s phone. Overwhelmed with multi-factor authentication verification requests, one of them was eventually accepted.

This social engineering methodology is popular among hackers. In recent months it has been used to target MailChimp, Robinhood, Twitter and Okta, among other major corporations.

After obtaining corporate login credentials, the Uber attacker then accessed a series of other employee accounts, which ultimately granted the attacker elevated permissions to a number of tools, including G-Suite and Slack.

Slack channel usage

The hackers co-opted Uber’s Slack channel. In the Slack message that announced the breach, the attacker stated that he/she had broken into Uber’s systems due to the fact that the company had weak security. The message also advocated for drivers to receive higher pay.

Shortly after the attacker message appeared on the Slack channel, employees were instructed to temporarily cease usage of the messaging service.

In explaining the attack to employees, Uber wrote, “…the attacker then posted a message to a company-wide Slack channel, which many of you saw and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites”.

Production systems access

Uber noted that it found no evidence showing that the threat actor could not access production systems that hold sensitive user information, including personal and financial data (e.g., credit card numbers, bank account information, personal health data or trip history).

Uber’s preventative measures

To prevent future breaches, the company has shared a sampling of its tactics:

• The company identified compromised or potentially compromised employee accounts and either blocked access to Uber systems or required a password reset.
• Uber disabled a series of affected and potentially affected internal tools.
• The company rotated keys (effectively resetting access) to many internal services.
• IT personnel locked down the codebase, which will prevent any unexpected code changes.
• When restoring access to internal tools, Uber asked employees to re-authenticate. Further, Uber is strengthening its multi-factor authentication (MFA) policies.
• Security staff have added additional monitoring for internal environments, which will help the company keep an even closer eye on suspicious activity.

Intrusion details

Uber reported that it has yet to discover proof that an attacker accessed and injected malicious code within its codebase. However, the attack did appear to result in access of some confidential information.

Stolen information included details pertaining to the Uber bug bounty program and associated bug reports. Nonetheless, HackerOne has disabled the bug bounty program, limiting the potential impact of the information theft.

The same attacker claimed the breach of video game studio Rockstar Games over the weekend, allegedly leaking screenshots of source code from both Grand Theft Auto V and Grand Theft Auto VI as proof.

Uber cyber attacks

This breach is not the first instance where an attacker has accessed Uber’s systems. In 2016, hackers stole information from 57 million Uber driver and rider accounts, and then approached Uber demanding $100,000 in exchange for the hackers’ destruction of the files that they had obtained. According to the New York Times, Uber arranged the payment and kept silent about the breach for over a year.

Lapsus$ attacker information

• Lapsus$ group strikes Globant, publishing startling client data
• High-profile Lapsus$ group operated by teens in London?
• Lapsus$ group hits Okta with breach

For more on this story, visit The New York Times. Lastly, to receive cutting-edge cyber security news, exclusive interviews, high-minded expert analyses and leading security resources, please sign up for the CyberTalk.org newsletter.