Uber provided new details regarding a cybersecurity incident that resulted in a data breach of its network systems.
The ride-sharing company explained in a post online that the attack stemmed from an Uber contractor who had their account compromised by an attacker allegedly linked to the Lapsus$ hacking group.
Uber tweeted on September 15 that it was responding to a cybersecurity incident.
Sam Curry, a security engineer at Yuga Labs, tweeted the same day that an attacker claimed “to have completely compromised Uber showing screenshots where they’re full admin on AWS and GCP.”
As the New York Times reported, Uber then shut down internal employee access to its communications and engineering systems while it investigated the breach.
Uber incident update
The Uber team posted an update online on September 19, 2022 with more details regarding the incident:
“An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”
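The sequence Uber describes above (repeated login attempts, each generating a push approval prompt, until the target finally accepts one) is commonly called MFA fatigue or push bombing, and it leaves a distinctive trail in identity-provider logs: a burst of denied or expired pushes for one account, followed by a single approval. The following detection is an added example written for this article, not code from Uber or from any vendor; it runs over constructed sample log lines, and the event names (`push_denied`, `push_timeout`, `push_approved`), the 15-minute window and the threshold of three unanswered pushes are assumptions you would adjust to your own IdP's event schema and baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines for this example (not real Uber telemetry).
# Format: ISO-8601 timestamp, account, MFA push outcome. The event names are
# hypothetical; map them to your IdP's actual event types.
SAMPLE_LOG = """\
2022-09-15T01:02:11Z alice push_approved
2022-09-15T01:10:03Z ext_contractor push_denied
2022-09-15T01:10:41Z ext_contractor push_denied
2022-09-15T01:11:20Z ext_contractor push_timeout
2022-09-15T01:12:05Z ext_contractor push_denied
2022-09-15T01:13:30Z ext_contractor push_timeout
2022-09-15T01:15:12Z ext_contractor push_denied
2022-09-15T01:16:48Z ext_contractor push_approved
2022-09-15T02:30:00Z bob push_denied
2022-09-15T03:45:00Z bob push_approved
"""

# Outcomes that mean the user did not accept the push.
UNANSWERED = {"push_denied", "push_timeout"}


def parse_line(line):
    """Split one log line into (timestamp, account, event)."""
    ts, user, event = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, event


def detect_push_fatigue(lines, window_seconds=900, threshold=3):
    """Return a list of (account, timestamp, kind) alerts.

    kind == "burst": the account reached `threshold` unanswered pushes inside
    a sliding window of `window_seconds` (an attack in progress; one alert per burst).
    kind == "approved_after_fatigue": a push was approved while the account was
    still inside such a burst (the pattern described in the Uber write-up).
    """
    recent = defaultdict(deque)   # account -> timestamps of unanswered pushes in window
    burst_alerted = set()         # accounts whose current burst has already been reported
    alerts = []

    for line in lines:
        if not line.strip():
            continue
        when, user, event = parse_line(line)
        window = recent[user]

        # Expire pushes that fell out of the sliding window.
        while window and (when - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if not window:
            burst_alerted.discard(user)   # the previous burst is over

        if event in UNANSWERED:
            window.append(when)
            if len(window) >= threshold and user not in burst_alerted:
                alerts.append((user, when, "burst"))
                burst_alerted.add(user)
        elif event == "push_approved":
            # An approval during a burst is the high-signal event: the user most
            # likely accepted a push they did not initiate.
            if len(window) >= threshold:
                alerts.append((user, when, "approved_after_fatigue"))
            window.clear()
            burst_alerted.discard(user)

    return alerts


if __name__ == "__main__":
    for account, when, kind in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{when.isoformat()} {account} {kind}")
```

On the sample data this raises two alerts, both for `ext_contractor`: a "burst" once the third unanswered push arrives, and an "approved_after_fatigue" when the later approval lands inside the same window; `bob`'s single denial followed by an approval over an hour later does not trigger, because the denial has aged out of the window. The "approved_after_fatigue" alert is the one worth paging on, since at that point the attacker already holds a session and the response is to revoke it and reset the credential, not merely to watch.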
After the initial compromise, the attacker accessed several other employee accounts, which ultimately gave the attacker elevated permissions to a number of internal tools, including G-Suite and Slack.
“The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites,” Uber added.
Uber also said it had so far found no evidence that the attacker accessed the public-facing production systems that power its apps, any user accounts, or the databases used to store sensitive user information.
Moreover, Uber believes the attacker(s) may be affiliated with a hacking group called Lapsus$, most recently linked to attacks against Okta and others.