Uber Says Lapsus$ Hacker Breached Its Internal Systems
Lapsus$ Previously Breached Okta, Microsoft, Nvidia, Samsung and UbisoftA member of teenage extortion gang Lapsus$ used social engineering to break into the internal systems of Uber, the ride-hailing app says.
See Also: The Expert Guide to Mitigating Ransomware & Extortion Attacks
Investigators from the FBI and Department of Justice are probing the event, which began when a self-proclaimed 18-year-old last week spammed the company's Slack channel with vulgar messages, reconfigured the company's DNS settings to redirect intranet websites to a picture of a penis and shared online screenshots of the company's cloud storage and code repositories. The hacker boasted of the disruption to The New York Times, saying that Uber has weak security. Customer-facing operations "were minimally impacted and are now back to normal," the company says.
In an update on the incident, Uber says the hacker likely purchased an external contractor's password on the dark web after the contractor's personal device was infected with malware. As detailed by the company, the hacker badgered the contractor's account with login requests but was foiled by multifactor authentication - until eventually the contractor approved a logon request, opening the door to the company's systems.
"From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack," Uber says.
An actor using the same "Teapot" alias used in the Uber hack may have stolen early development footage of the next Grand Theft Auto video game from developer Rockstar Games.
The teenager-dominated Lapsus$ hacking group has previously claimed responsibility for data breaches involving Okta, Microsoft, Nvidia, Samsung, Ubisoft and others (see: UK Police Arrest 7 Allegedly Tied to Lapsus$ Hacking Group).
Impact on Uber
Uber says that the attacker was unable to access the production systems containing user accounts or the databases that the company uses to store sensitive user information such as payments cards or trip history.
As part of its investigation, Uber reviewed its codebase and found that the attacker did not make any changes. "It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analyzing those downloads," the company says.
In addition, the hacker accessed Uber's dashboard at HackerOne, where security researchers report exploitable bugs. Those vulnerabilities have since been fixed, the company says.
Uber says it took the following key actions:
- Identified compromised employee accounts or potentially compromised accounts and either blocked their access to Uber systems or required a password reset;
- Disabled affected or potentially affected internal tools;
- Rotated keys, effectively resetting access, to many of its internal services;
- Locked down the codebase, preventing any new code changes;
- Added services to monitor the internal environment to keep a closer eye on any further suspicious activity.