Lapsus$ Hacking Group Allegedly Behind the Uber Security Breach
Hackers Gained Access after Buying Credentials on the Dark Web.
Last updated on September 20, 2022
On Monday, September 19, Uber posted on its blog updates about the security breach that happened on September 15 and affected several internal systems.
Uber named the Lapsus$ hacking group as the likely author of the attack, but the investigation is still ongoing. The company is collaborating with the FBI and the US Justice Department on the matter.
Lapsus$ is a South American hacking group responsible for a series of attacks on technology giants such as Microsoft, Samsung, and Okta.
What Data Was Affected by the Breach
The cybercriminals reached several internal systems; however, Uber says that no sensitive data was stolen:
“First and foremost, we’ve not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection.”
Lapsus$ managed to exfiltrate some internal messages and financial information, and access several internal tools, including G-Suite and Slack.
A big red flag was that the attackers infiltrated Uber’s dashboard at HackerOne and accessed reports about bugs and vulnerabilities that cybersecurity researchers had discovered in Uber’s apps. The company has since stated that those bugs have been fixed.
“On Thursday, news of the breach spread after a hacker posted a message to a company-wide Slack channel. The hacker then reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites”, according to ZDNet.
How Was the Attack Possible
Initially, The New York Times reported that the hackers gained access through social engineering: an employee was tricked into giving up their credentials to someone posing as a corporate IT staffer.
Uber, however, says that the Lapsus$ hackers used the credentials of a third-party contractor. These credentials were most probably purchased on the Dark Web after malware had infected the contractor’s personal device.
The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.
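The login pattern described above, a burst of two-factor push prompts to one account followed by a single approval, is commonly called MFA push fatigue, and it leaves a recognisable trace in authentication logs. The following detector is an added example written for this article; it is not Uber's or Heimdal's code, and it assumes a simple constructed log format (one event per line with a timestamp, a user name and an event type) rather than any real identity provider's schema. It flags any account that received at least a threshold number of push prompts inside a short window and then approved one.

```python
"""MFA push-fatigue detector over constructed authentication log lines.

Added example, not code from the article's subject. Assumed log format:
    <ISO-8601 timestamp> user=<name> event=<type>
where event is one of mfa_push_sent, mfa_push_denied,
mfa_push_approved or login_success.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PROMPT_THRESHOLD = 4            # prompts inside the window that count as suspicious
WINDOW = timedelta(minutes=10)  # sliding window over push prompts per user

# Constructed sample log: contractor01 receives a burst of prompts and finally
# approves one; alice approves her first and only prompt (normal behaviour).
SAMPLE_LOG = """\
2022-09-15T02:01:10Z user=contractor01 event=mfa_push_sent
2022-09-15T02:01:40Z user=contractor01 event=mfa_push_denied
2022-09-15T02:02:05Z user=contractor01 event=mfa_push_sent
2022-09-15T02:02:30Z user=alice event=mfa_push_sent
2022-09-15T02:02:45Z user=alice event=mfa_push_approved
2022-09-15T02:03:15Z user=contractor01 event=mfa_push_sent
2022-09-15T02:04:20Z user=contractor01 event=mfa_push_sent
2022-09-15T02:05:02Z user=contractor01 event=mfa_push_sent
2022-09-15T02:05:40Z user=contractor01 event=mfa_push_approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["event"]


def detect_push_fatigue(log_text, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return (user, prompt_count, approval_time) for every suspicious approval.

    A prompt is counted per user and expires once it is older than `window`.
    An approval that lands while `threshold` or more prompts are still live
    is reported; the per-user counter is reset after any approval.
    """
    recent = defaultdict(deque)  # user -> timestamps of live push prompts
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        live = recent[user]
        # Expire prompts that have fallen out of the sliding window.
        while live and ts - live[0] > window:
            live.popleft()
        if event == "mfa_push_sent":
            live.append(ts)
        elif event == "mfa_push_approved":
            if len(live) >= threshold:
                alerts.append((user, len(live), ts))
            live.clear()
    return alerts


if __name__ == "__main__":
    for user, count, when in detect_push_fatigue(SAMPLE_LOG):
        print(f"possible MFA push fatigue: {user} approved after {count} prompts at {when:%H:%M:%S}")
```

Run against the sample, the detector reports only contractor01 (five prompts in under five minutes, then an approval) and stays quiet for alice. The threshold and window are tunable; the complementary control, which removes the failure mode rather than merely detecting it, is number-matching or a similar challenge in the authenticator so that a prompt cannot be approved blindly.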
Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her NGO, cultural, and media background to this job.