Uber has added more detail to the narrative of its latest breach of security controls, saying the compromise of an external contractor’s credentials was the starting point for the attack. It also believes the attacker was linked to the Lapsu$ extortion gang.
“It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials,” the company said Monday.
The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.
“From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you [reporters] saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.”
Uber believes the attacker or attackers are affiliated with the Lapsus$ gang, which was thought to have been seriously damaged in March when U.K. police arrested seven people between the ages of 16 and 21. Ultimately two teens who allegedly hacked for the gang were charged.
Lapsus$ has gained notoriety for claiming attacks on graphics card maker Nvidia, Samsung, Cisco Systems and online games developer Ubisoft. Microsoft acknowledged in March it was hit by the gang.
In an analysis of the gang’s tactics, Microsoft said it is known for purchasing credentials and session tokens from criminal underground forums and searching public code repositories for exposed credentials. If an organization uses multifactor authentication as an extra step to protect logins, the gang has been known to use session token replay and stolen passwords to trigger simple-approval MFA prompts, hoping that the legitimate user of the compromised account eventually consents to the prompts and grants the necessary approval. if an employee’s personal email or smartphone is hacked, they use that access to reset passwords and complete account recovery actions.
Uber acknowledged the attacker downloaded some internal Slack messages, as well as accessing or downloading information from an internal tool its finance team uses to manage some invoices. Those downloads are being analyzed.
It also admits the attacker was able to access Uber’s dashboard at HackerOne, where security researchers report bugs and vulnerabilities for cash. However, Uber said, any bug reports the attacker was able to access have been remediated.
So far, Uber says, it has no evidence the attacker accessed its production (i.e. public-facing) systems, or the databases it uses to store sensitive user information, like credit card numbers, user bank account info, or trip history. Uber noted the company encrypts credit card information and personal health data.
Nor is there evidence the attacker made any changes to application code bases. It also has not found that the attacker accessed any customer or user data stored by Uber’s cloud providers (e.g. AWS S3).
Uber, Uber Eats, and Uber Freight services are still operational and running smoothly, the company said. “Because we took down some internal tools, customer support operations were minimally impacted and are now back to normal,” it added.
Among the actions Uber says it has taken as a result of this breach
- any employee accounts that were compromised or potentially compromised have either been blocked or had to have a password reset;
- credential keys have been rotated, effectively resetting access to many Uber internal services.
- application codebases have been locked down to prevent any new code changes;
- employees accessing development tools have to re-authenticate. Uber said it is also “further strengthening our multi-factor authentication (MFA) policies;”
- additional monitoring of Uber’s internal environment has been added to keep an even closer eye on any further suspicious activity.