Uber discloses more details on the breach of its internal system last week, blaming the attack on notorious hacking group Lapsus$.
The company reported that the attacker used the stolen credentials of an Uber EXT contractor in an MFA fatigue attack, flooding the contractor with two-factor authentication (2FA) login requests until one of them was accepted.
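The MFA fatigue pattern described above leaves a recognisable trace in identity-provider logs: a burst of denied or expired push prompts for one account, followed by an approval. The following detection logic is an added example, not Uber's code or any vendor's; the log records are constructed, and the field layout and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of MFA push-prompt events (timestamp, user, prompt result).
# Not taken from Uber or from any real identity-provider log.
SAMPLE_EVENTS = [
    ("2022-09-15T02:10:05", "contractor01", "denied"),
    ("2022-09-15T02:10:41", "contractor01", "denied"),
    ("2022-09-15T02:11:20", "contractor01", "timeout"),
    ("2022-09-15T02:12:02", "contractor01", "denied"),
    ("2022-09-15T02:12:55", "contractor01", "denied"),
    ("2022-09-15T02:14:30", "contractor01", "approved"),  # user gives in
    ("2022-09-15T09:00:00", "employee02", "approved"),    # normal login
    ("2022-09-15T09:30:00", "employee02", "denied"),      # one mistap
    ("2022-09-15T09:31:00", "employee02", "approved"),
]


def detect_mfa_fatigue(events, window_minutes=10, min_failures=3):
    """Flag approvals preceded by a burst of non-approved prompts.

    Returns a list of (user, approval_time, failure_count) tuples for every
    'approved' prompt that had at least `min_failures` denied/timed-out
    prompts for the same user in the `window_minutes` before it.  Thresholds
    are assumed values; tune them to the environment's normal mistap rate.
    """
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for ts, user, result in sorted(events):  # ISO-8601 strings sort by time
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), result))

    alerts = []
    for user, prompts in by_user.items():
        for approved_at, result in prompts:
            if result != "approved":
                continue
            # Count only failures strictly before the approval, inside the window.
            failures = [
                r for (t, r) in prompts
                if r != "approved" and approved_at - window <= t < approved_at
            ]
            if len(failures) >= min_failures:
                alerts.append((user, approved_at.isoformat(), len(failures)))
    return alerts


if __name__ == "__main__":
    for user, when, count in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f"ALERT {user}: approval at {when} after {count} failed prompts")
```

The single mistap by employee02 stays below the threshold, while contractor01's five rejections followed by an approval are reported; a matching alert should trigger a session revocation and a call to the user rather than a silent log entry.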
Uber explained that the attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to several tools, including G-Suite and Slack.
The attacker then posted a message to a company-wide Slack channel and reconfigured Uber's OpenDNS to display a graphic image to employees on some internal sites.
This hacking group typically uses similar tactics to target technology companies, and in 2022 alone, it has breached Cisco, Microsoft, Okta, Nvidia and Samsung, among others.
The company also added that it found no evidence of threat actors having access to production systems that hold sensitive user data, including personal and financial data (e.g., credit card numbers, personal health data, user bank account info, or trip history).
The company stated that the attacker purchased an Uber contractor's corporate password on the dark web after the contractor's device had been infected with malware, exposing those credentials.
Uber says it has taken some measures to prevent future breaches using such tactics, including:
- We identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
- We disabled many impacted or potentially impacted internal tools.
- We rotated keys (effectively resetting access) to many of our internal services.
- We locked down our codebase, preventing any new code changes.
- When restoring access to internal tools, we required employees to re-authenticate. We are also further strengthening our multi-factor authentication policies.
- We added additional monitoring of our internal environment to keep an eye on any further suspicious activity.
The hack, which was uncovered last Thursday, forced the company to take several of its internal systems offline, including Amazon Web Services, Slack, and Google Cloud Platform.
It happened a few days before video game maker Rockstar Games was also breached by a hacker who claimed to be the same person who attacked Uber.