The Lapsus$ group gets linked to the recent Uber breach

September 21, 2022
Lapsus$ Threat Group Uber Data Breach Compromised Accounts

In an update on its recent data breach, Uber has attributed the attack on its systems to the notorious Lapsus$ threat group. The company believes the intrusion began with an external contractor whose account was not adequately secured, which allowed the attackers to carry out an MFA fatigue attack: repeatedly sending multi-factor push prompts to the contractor's device until one of them was approved.
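The MFA fatigue technique described above leaves a recognisable trace in identity-provider logs: a burst of push prompts for a single account that are denied or expire, often followed by a single approval. The following detection routine is an added example for this article, not Uber's code or anything published by the company; the log format, the field names (user, result, src_ip) and the sample lines are constructed for illustration.

```python
"""Detect MFA push-bombing ("MFA fatigue") in a push-authentication audit log.

Added example. The line format below is an assumption modelled on a generic
identity-provider audit log; it is not any real vendor's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: "contractor1" receives a burst of pushes that are
# denied or time out, then finally approves one; "alice" authenticates normally.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=alice result=approved src_ip=203.0.113.7
2022-09-15T22:10:11Z user=contractor1 result=denied src_ip=198.51.100.9
2022-09-15T22:10:40Z user=contractor1 result=timeout src_ip=198.51.100.9
2022-09-15T22:11:05Z user=contractor1 result=denied src_ip=198.51.100.9
2022-09-15T22:11:39Z user=contractor1 result=timeout src_ip=198.51.100.9
2022-09-15T22:12:02Z user=contractor1 result=denied src_ip=198.51.100.9
2022-09-15T22:12:30Z user=contractor1 result=timeout src_ip=198.51.100.9
2022-09-15T22:14:55Z user=contractor1 result=approved src_ip=198.51.100.9
2022-09-15T23:00:00Z user=alice result=denied src_ip=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)\s+src_ip=(?P<ip>\S+)$"
)

# Push outcomes that mean the user did NOT approve the prompt.
UNAPPROVED = {"denied", "timeout"}


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "result": m["result"], "ip": m["ip"]}


def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {user: alert} for every user who received at least `threshold`
    unapproved pushes inside a sliding `window`.  The alert records the burst
    and whether an approval followed within `window` of the last failure, which
    is the signature of a fatigue attack that succeeded."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes in window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines we cannot parse rather than crashing the detector
        user, ts = ev["user"], ev["ts"]
        q = recent[user]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if ev["result"] in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold:
                if user not in alerts:
                    alerts[user] = {
                        "first": q[0],
                        "last_failure": ts,
                        "count": len(q),
                        "ips": {ev["ip"]},
                        "approved_after": False,
                    }
                else:
                    a = alerts[user]
                    a["count"] += 1
                    a["last_failure"] = ts
                    a["ips"].add(ev["ip"])
        elif ev["result"] == "approved":
            a = alerts.get(user)
            # An approval shortly after a burst of refusals is the high-severity case.
            if a is not None and ts - a["last_failure"] <= window:
                a["approved_after"] = True
                a["approval_ts"] = ts
    return alerts


if __name__ == "__main__":
    for user, a in detect_mfa_fatigue(SAMPLE_LOG).items():
        sev = "CRITICAL (approved after burst)" if a["approved_after"] else "WARNING"
        print(f"{sev}: {user} {a['count']} unapproved pushes from {sorted(a['ips'])} "
              f"between {a['first'].isoformat()} and {a['last_failure'].isoformat()}")
```

The threshold and window are tuning knobs: a handful of expired prompts spread across a day is normal user behaviour, while five or more within ten minutes from the same source almost never is. On the preventive side, the same attack is blunted by number matching or other push-verification features that make an accidental tap on "Approve" insufficient, and by rate-limiting push prompts per account.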

According to Uber's statement, the Lapsus$ group used social engineering to gain access to several employee accounts, which gave the attackers elevated permissions to internal corporate tools such as Slack and G-Suite. Once inside, the attackers posted graphic messages in the company's Slack channels, alarming the employees who saw them.

Uber has taken several steps to contain the incident:

- identifying compromised employee accounts and either blocking their access or resetting their passwords;
- disabling the affected internal tools;
- locking down the codebase to prevent new changes;
- rotating keys and resetting access to many internal services;
- requiring employees to re-authenticate to internal tools; and
- increasing monitoring of the internal environment for suspicious activity.

Uber stressed that the attackers did not gain access to its production systems.

Uber's production systems hold customers' sensitive data, such as personal and payment information. The company has verified that those systems were not compromised by the Lapsus$ group, so critical customer data remains protected; customers' credit card details are also stored encrypted as an additional safeguard.

Despite these assurances, the company said the attackers were still able to exfiltrate confidential corporate data, including invoices from its finance department and vulnerability reports from its HackerOne bug bounty program.

Although initial reports suggested that the attackers could weaponise the stolen vulnerability reports, Uber said that every vulnerability described in the compromised reports had already been remediated, so the reports cannot be abused for further attacks.

Initial reports also claimed that the attackers had offered the stolen vulnerability reports for sale on underground forums, though that claim has not been confirmed.

In attributing the breach to Lapsus$, Uber also pointed to the group's earlier attacks on other large technology companies, including Okta, Samsung, Nvidia, Microsoft, and Cisco. Customers affected by the Uber breach are advised to watch for suspicious activity that could indicate misuse of any compromised data.
