Uber says compromised credentials of a contractor led to data breach

Share post:

Uber has added more detail to the narrative of its latest breach of security controls, saying  the compromise of an external contractor’s credentials was the starting point for the attack. It also believes the attacker was linked to the Lapsu$ extortion gang.

“It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials,” the company said Monday.

The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.

This tactic was successfully used by an attacker earlier this year against a Cisco Systems employee.

“From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you [reporters] saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.”

Uber believes the attacker or attackers are affiliated with the Lapsus$ gang, which was thought to have been seriously damaged in March when U.K. police arrested seven people between the ages of 16 and 21. Ultimately two teens who allegedly hacked for the gang were charged.

Lapsus$ has gained notoriety for claiming attacks on graphics card maker Nvidia, Samsung, Cisco Systems and online games developer Ubisoft. Microsoft acknowledged in March it was hit by the gang.

In an analysis of the gang’s tactics, Microsoft said it is known for purchasing credentials and session tokens from criminal underground forums and searching public code repositories for exposed credentials. If an organization uses multifactor authentication as an extra step to protect logins, the gang has been known to use session token replay and stolen passwords to trigger simple-approval MFA prompts, hoping that the legitimate user of the compromised account eventually consents to the prompts and grants the necessary approval. if an employee’s personal email or smartphone is hacked, they use that access to reset passwords and complete account recovery actions.

Uber acknowledged the attacker downloaded some internal Slack messages, as well as accessing or downloading information from an internal tool its finance team uses to manage some invoices. Those downloads are being analyzed.

It also admits the attacker was able to access Uber’s dashboard at HackerOne, where security researchers report bugs and vulnerabilities for cash. However, Uber said, any bug reports the attacker was able to access have been remediated.

So far, Uber says, it has no evidence the attacker accessed its production (i.e. public-facing) systems, or the databases it uses to store sensitive user information, like credit card numbers, user bank account info, or trip history. Uber noted the company encrypts credit card information and personal health data.

Nor is there evidence the attacker made any changes to application code bases. It also has not found that the attacker accessed any customer or user data stored by Uber’s cloud providers (e.g. AWS S3).

Uber, Uber Eats, and Uber Freight services are still operational and running smoothly, the company said. “Because we took down some internal tools, customer support operations were minimally impacted and are now back to normal,” it added.

Among the actions Uber says it has taken as a result of this breach

  • any employee accounts that were compromised or potentially compromised have either  been blocked or had to have a password reset;
  • credential keys have been rotated, effectively resetting access to many Uber internal services.
  • application codebases have been locked down to prevent any new code changes;
  • employees accessing development tools have to re-authenticate. Uber said it is also “further strengthening our multi-factor authentication (MFA) policies;”
  • additional monitoring of Uber’s internal environment has been added to keep an even closer eye on any further suspicious activity.

The post Uber says compromised credentials of a contractor led to data breach first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Cyber Security Today, March 27, 2024 – A botnet exploits old routers, a new malware loader discovered, and more warnings about downloading code from...

This episode reports on a new network of 40,000 infected small and home office routers and other devices that are part of a criminal botnet

Cyber Security Today, March 25, 2024 – A suspected China threat actor going after unpatched F5 and ScreenConnet installations

This episode reports on a new campaign stealing email passwords ,the latest data breaches

A hacker’s view of the civic infrastructure: Hashtag Trending, the Weekend Edition for March 23rd, 2024

What does the civic infrastructure look like through the eyes of a hacker? The legendary general Sun Tzu in the Art of War said that in order to defeat your enemy, you must first understand your enemy. How do you do this? He said, “to know your enemy, you must become your enemy.” If we

Cyber Security Today, Week in Review for week ending Friday, March 22, 2024

This episode features discussion on lessons learned from the ransomware attack on the British Library, advice for managing expectations of IT/security teams, why firms are leaving Google Firebase unprotecte

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways