Uber has added more detail to its account of the recent breach of its security controls, stating that the compromise of an outside contractor’s credentials was the starting point for the attack. It also believes the attacker was connected to the Lapsus$ extortion gang.
“It is likely that the attacker purchased the contractor’s Uber company password on the dark web after the contractor’s personal device was infected with malware and disclosed those credentials,” the company said Monday.
The attacker then tried repeatedly to log into the contractor’s Uber account. Each time, the contractor received a two-factor login permission request, which initially blocked access. Eventually, however, the contractor accepted one and the attacker successfully logged in.
This tactic was successfully used by an attacker against a Cisco Systems employee earlier this year.
“From there, the attacker accessed several other employee accounts, which ultimately gave the attacker elevated privileges across a range of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you [reporters] saw and reconfigured Uber’s OpenDNS to show employees a graphical image on some internal websites.”
Uber believes the attacker or attackers are linked to the Lapsus$ gang, which was thought to have been badly damaged in March when British police arrested seven people between the ages of 16 and 21. Two teenagers who allegedly hacked for the gang were ultimately charged.
Lapsus$ gained notoriety for claiming attacks on graphics card maker Nvidia, Samsung, Cisco Systems, and online game developer Ubisoft. Microsoft admitted in March that it was attacked by the gang.
In an analysis of the gang’s tactics, Microsoft said it has been known to buy credentials and session tokens from underground criminal forums and to search public code repositories for leaked credentials. When an organization uses multifactor authentication as an additional step to protect logins, the gang has been known to use session token replay and stolen passwords to trigger a stream of MFA approval prompts, hoping that the legitimate user of the compromised account eventually approves one and grants the required consent. If an employee’s personal email address or smartphone is hacked, the gang uses that access to reset passwords and complete account recovery actions.
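The repeated-prompt pattern described above (and in the account of the contractor’s login) leaves a distinctive trace in identity-provider logs: a burst of push prompts for one account, most of them denied or expired, followed by an approval. The following is an added example, not code from Uber, Microsoft or this article, of a simple detection over such logs. The log format, field names and sample events are constructed for illustration; a real deployment would map them to the fields of its own MFA provider.

```python
"""Detect MFA push-fatigue ("push bombing") patterns in authentication logs.

Heuristic: many push prompts for one account inside a short window, with
denied or expired prompts finally followed by an approval.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not real data).
# Fields: timestamp | user | result | source_ip
SAMPLE_LOG = """\
2022-09-15T02:01:05Z contractor1 push_sent 203.0.113.7
2022-09-15T02:01:35Z contractor1 push_denied 203.0.113.7
2022-09-15T02:02:10Z contractor1 push_sent 203.0.113.7
2022-09-15T02:02:40Z contractor1 push_expired 203.0.113.7
2022-09-15T02:03:12Z contractor1 push_sent 203.0.113.7
2022-09-15T02:03:42Z contractor1 push_denied 203.0.113.7
2022-09-15T02:04:30Z contractor1 push_sent 203.0.113.7
2022-09-15T02:05:00Z contractor1 push_denied 203.0.113.7
2022-09-15T02:06:15Z contractor1 push_sent 203.0.113.7
2022-09-15T02:06:40Z contractor1 push_approved 203.0.113.7
2022-09-15T08:30:00Z alice push_sent 198.51.100.20
2022-09-15T08:30:20Z alice push_approved 198.51.100.20
"""

REJECTED = ("push_denied", "push_expired")


@dataclass
class MfaEvent:
    ts: datetime
    user: str
    result: str
    source_ip: str


def parse_log(text: str) -> list[MfaEvent]:
    """Parse the constructed whitespace-separated log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append(MfaEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def detect_push_fatigue(events: list[MfaEvent], window: timedelta = timedelta(minutes=10),
                        prompt_threshold: int = 4) -> list[dict]:
    """Return one alert per user whose prompt count in any window meets the threshold."""
    by_user: dict[str, list[MfaEvent]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        prompts = [e for e in evs if e.result == "push_sent"]

        # Sliding window over prompt timestamps; keep the densest window found.
        best = None
        start = 0
        for end in range(len(prompts)):
            while prompts[end].ts - prompts[start].ts > window:
                start += 1
            count = end - start + 1
            if count >= prompt_threshold and (best is None or count > best[1]):
                best = (start, count)
        if best is None:
            continue

        w_start = prompts[best[0]].ts
        in_window = [e for e in evs if w_start <= e.ts <= w_start + window]
        rejections = [e for e in in_window if e.result in REJECTED]
        approvals = [e for e in in_window if e.result == "push_approved"]
        # The worrying case: the user rejected prompts, then approved one later.
        approved_after = bool(rejections and approvals
                              and approvals[-1].ts > rejections[0].ts)
        alerts.append({
            "user": user,
            "prompts": best[1],
            "rejected": len(rejections),
            "approved_after_rejections": approved_after,
            "source_ips": sorted({e.source_ip for e in in_window}),
            "window_start": w_start.isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample data, contractor1 receives five prompts in about five minutes, rejects four and then approves the fifth, which the function flags; alice’s single approved prompt stays below the threshold. Thresholds and the window length are tuning parameters, and an alert of this kind is a trigger for investigating the session (source address, device, what the account did next), not proof of compromise on its own.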
Uber acknowledged that the attacker downloaded some internal Slack messages and accessed or downloaded information from an internal tool its finance team uses to manage some invoices. Those downloads are still being analyzed.
It also admits the attacker was able to access Uber’s dashboard at HackerOne, where security researchers report bugs and vulnerabilities for bounties. However, according to Uber, all bug reports the attacker could access have already been fixed.
So far, Uber says it has no evidence that the attacker accessed its production systems (i.e., publicly-facing systems) or the databases it uses to store sensitive user information, such as credit card numbers, bank account information, or trip history. Uber noted that it encrypts credit card information and personal health information.
There is also no evidence that the attacker made any changes to the application code bases. The attacker was also not found to have accessed customer or user data stored at Uber’s cloud providers (e.g. AWS S3).
Uber, Uber Eats and Uber Freight services are still operational and running smoothly, the company said. “As we shut down some internal tools, customer support operations were minimally impacted and are now back to normal,” it added.
Among the actions taken by Uber as a result of the breach:
- all compromised or potentially compromised employee accounts were either locked or required a password reset;
- login keys were rotated, effectively resetting access to many of Uber’s internal services;
- application code bases have been locked down to prevent new code changes;
- employees accessing development tools will need to re-authenticate, and Uber said it is also working on “a further strengthening of our multi-factor authentication (MFA) policies”;
- additional monitoring of Uber’s internal environment was added to keep an even closer eye on other suspicious activity.