Tue | Sep 20, 2022 | 3:49 PM PDT

Last week, Uber announced it was responding to a cybersecurity incident, which led to the ride-sharing giant taking internal communications and engineering systems offline.

The individual who claimed to be responsible for the breach said that he or she is 18 years old and had been working on cybersecurity skills for years. The hacker said the motivation for breaching Uber was that the company had weak security in place and that drivers should receive higher pay.

Uber has now provided additional information regarding the incident, saying it believes the threat actor is affiliated with the infamous Lapsus$ hacking collective.

Lapsus$ responsible for Uber hack

Lapsus$ has had quite the fascinating year when it comes to cybercrime. The group has executed successful attacks against huge tech companies such as Nvidia, Microsoft, Cisco, Samsung, and Okta. Following these attacks, London police arrested seven individuals associated with Lapsus$, but the story gets even better.

Remarkably, all seven who were arrested were teenagers, with the mastermind behind the cyber gang reportedly being only 16 years old.

The culprit behind the Uber hack claimed to be 18 years old, aligning with Lapsus$' typical age range. Along with the similar age, Uber says the threat actor used techniques similar to those the group has used throughout its attacks on tech companies this year.

The same individual also took credit for breaching Rockstar Games this week, leaking early game footage of the highly anticipated Grand Theft Auto 6, as well as attempting to sell the game's stolen source code.

Technical details of Uber hack and company response

While Uber's investigation into the incident is still ongoing, the company has provided additional information about the hack, as well as how it responded.

Uber says the threat actor was able to compromise an Uber EXT contractor's account with credentials likely purchased on the Dark Web, after the contractor's personal device had been infected with malware. Uber continues:

"The attacker then repeatedly tried to log in to the contractor's Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.

From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber's OpenDNS to display a graphic image to employees on some internal sites."
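Detecting the push-approval pattern Uber describes, as an added example (not Uber's code and not part of the original article): the script below flags a user who approves an MFA push after a burst of denied or expired prompts within a short window. The JSON log format and field names are assumed, and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (one JSON object per line); field names are
# assumed, not those of any real identity provider. contractor01 shows the pattern.
SAMPLE_LOG = """\
{"ts": "2022-09-15T20:01:05Z", "user": "contractor01", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T20:01:40Z", "user": "contractor01", "result": "timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T20:02:00Z", "user": "alice", "result": "approved", "src_ip": "198.51.100.5"}
{"ts": "2022-09-15T20:03:10Z", "user": "contractor01", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T20:05:55Z", "user": "contractor01", "result": "timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T20:09:12Z", "user": "contractor01", "result": "approved", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T20:30:00Z", "user": "bob", "result": "denied", "src_ip": "198.51.100.9"}
{"ts": "2022-09-15T20:31:00Z", "user": "bob", "result": "approved", "src_ip": "198.51.100.9"}
"""

FAILED = {"denied", "timeout"}  # prompts the user rejected or let expire


def parse_events(text):
    """Parse JSON-lines push events, converting the timestamp field to datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return events


def detect_push_fatigue(events, min_failures=3, window=timedelta(minutes=15)):
    """Alert on an approved push preceded by >= min_failures failed pushes within `window`."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: e["ts"])
        for i, event in enumerate(user_events):
            if event["result"] != "approved":
                continue
            # Failed prompts for this user that fall inside the window before the approval
            prior = [p for p in user_events[:i]
                     if p["result"] in FAILED and event["ts"] - p["ts"] <= window]
            if len(prior) >= min_failures:
                alerts.append({"user": user, "approved_at": event["ts"].isoformat(),
                               "prior_failures": len(prior),
                               "src_ips": sorted({p["src_ip"] for p in prior} | {event["src_ip"]})})
    return alerts
```

A single denied prompt is ordinary user behaviour; a burst of them followed by an approval is the signal worth reviewing, and the source IPs in the alert help distinguish the user's own retries from an outside party.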

While the threat actor was able to access several internal systems, they did not access any production systems, user accounts, or databases where sensitive user information is stored. The attacker did not make any changes to Uber's codebase, and all user data stored by Uber's cloud providers was untouched.

Uber did not escape the situation completely unscathed, though:

"It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analyzing those downloads.

The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated."

Uber also provided some key actions it took upon learning of the incident:

  • We identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
  • We disabled many affected or potentially affected internal tools.
  • We rotated keys (effectively resetting access) to many of our internal services.
  • We locked down our codebase, preventing any new code changes.
  • When restoring access to internal tools, we required employees to re-authenticate. We are also further strengthening our multi-factor authentication (MFA) policies.
  • We added additional monitoring of our internal environment to keep an even closer eye on any further suspicious activity.

Follow SecureWorld News for more cybersecurity coverage.
