Uber Blames Lapsus$ for Breach

The threat actor responsible for hacking Uber last week is likely connected to the prolific Lapsus$ group, the firm has claimed.

The ride-hailing giant admitted last Thursday that it was investigating a security incident after reports revealed a malicious actor claiming to be 18 years old had managed to access email and cloud systems, code repositories, an internal Slack account and HackerOne tickets.

In an update yesterday, Uber explained that the attacker targeted an Uber EXT contractor, most likely obtaining their corporate password on the dark web after the credential had been stolen via malware installed on their personal device.

“The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in,” it continued.

“From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.”
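
The login pattern Uber describes, a run of two-factor approval requests that go unaccepted until one is finally approved, can be flagged in authentication logs. The following is an added example, not code from Uber or from the original article; the event format, account names, thresholds and sample events are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events: (ISO timestamp, account, outcome).
# Outcomes "denied"/"timeout" mean the prompt was not accepted.
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:00", "employee03", "denied"),
    ("2024-01-10T08:05:00", "employee03", "denied"),
    ("2024-01-10T08:10:00", "employee03", "denied"),
    ("2024-01-10T09:00:00", "employee02", "denied"),
    ("2024-01-10T09:00:45", "employee02", "approved"),   # single mistap, then retry
    ("2024-01-10T14:00:00", "employee03", "approved"),   # hours later, outside window
    ("2024-01-10T22:01:10", "contractor01", "denied"),
    ("2024-01-10T22:02:05", "contractor01", "timeout"),
    ("2024-01-10T22:03:40", "contractor01", "denied"),
    ("2024-01-10T22:05:00", "contractor01", "denied"),
    ("2024-01-10T22:06:30", "contractor01", "approved"), # approval after a burst
]

def find_push_fatigue(events, window=timedelta(minutes=30), min_rejected=3):
    """Return (account, approval_time, rejected_count) for every approval that
    follows at least `min_rejected` unaccepted prompts inside `window`."""
    recent = defaultdict(deque)  # account -> times of recent unaccepted prompts
    alerts = []
    for ts, account, outcome in sorted(events):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        rejected = recent[account]
        # Forget prompts that are older than the sliding window.
        while rejected and when - rejected[0] > window:
            rejected.popleft()
        if outcome in ("denied", "timeout"):
            rejected.append(when)
        elif outcome == "approved":
            if len(rejected) >= min_rejected:
                alerts.append((account, ts, len(rejected)))
            rejected.clear()  # a successful login starts a fresh sequence
    return alerts

if __name__ == "__main__":
    for account, ts, count in find_push_fatigue(SAMPLE_EVENTS):
        print(f"{ts} {account}: approved after {count} unaccepted prompts")
```

The window and threshold are tuning parameters; an alert of this kind is a prompt to verify the login with the account owner and review the session that followed.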

As it stands, Uber said the threat actor didn’t access any user accounts, databases storing personal info, or production systems for its app. The firm also encrypts credit card and health information, it said.

Although Slack messages and an internal invoice management tool were accessed, there are no signs that customer or user data stored in the cloud was compromised, Uber claimed. It added that any HackerOne tickets accessed by the threat actor related to bugs that had already been remediated.

If it is Lapsus$, the breach will be one of many by the group targeting technology companies over recent months. Microsoft, Cisco, Samsung, Nvidia and Okta have all been compromised by Lapsus$. There are reports that the same actor may have breached Rockstar Games over the weekend.
