Uber has laid the blame for its recent security breach at the feet of Lapsus$, a cybercrime group that uses social engineering to target technology firms and other organizations. In an update about the security incident that Uber posted on Monday, the ride-hailing company expressed its belief that the attacker or attackers are affiliated with Lapsus$, which has been active over the past year and has hit such tech giants as Microsoft, Cisco, Samsung, NVIDIA and Okta.
How did Lapsus$ carry out the attack on Uber?
In the security attack against Uber, the culprit took advantage of social engineering to trick an Uber contractor into approving a two-factor login request. In this chain of events, the external contractor’s personal device had likely been infected with malware, thereby exposing the person’s account credentials. Those credentials were then sold on the dark web where the attacker purchased them, Uber explained.
SEE: Protect your business from cybercrime with this dark web monitoring service (TechRepublic Academy)
Armed with the necessary account information, the culprit then tried to log in to the contractor’s Uber account. Each attempt triggered a two-factor authentication request sent to the actual user. Though initially denying those requests, the contractor eventually accepted one, allowing the attacker to successfully sign in, according to Uber.
After signing in using the contractor’s credentials, the attacker was able to access other employee accounts, thereby giving them elevated privileges to various internal tools, including G-Suite and Slack. Boasting of their achievement, the attacker posted a message on the company’s Slack channel that said: “I announce I am a hacker and Uber has suffered a data breach.” The culprit also modified Uber’s OpenDNS system to display a graphic image to employees on certain internal sites.
What data or information was affected by the breach?
Analyzing the extent of the damage, Uber said that the attacker downloaded some internal Slack messages and accessed or downloaded data from an internal tool used by the finance staff to manage invoices. The attacker also accessed Uber’s dashboard at HackerOne, a tool used by security researchers to report bugs. But the accessed bug reports have since been resolved, the company added.
The attacker did not access any production or public-facing systems, any user accounts, or any sensitive databases with credit card and financial data or trip information, according to Uber. Nor did they make any modifications to Uber’s codebase or access data stored by the company’s cloud providers, Uber added.
What did Uber do after the attack?
In response to the breach, Uber took several actions.
The company said it identified any employee accounts that were compromised or possibly compromised and blocked their access to Uber systems or forced a password reset. It disabled certain affected internal tools, reset access to many internal services, locked down its codebase to prevent any changes and forced employees to re-authenticate access to internal tools. The company added that it’s enhancing its multi-factor authentication policies and set up additional monitoring of its internal environment for any suspicious activity.
Though the attack could have been more severe, and Uber has taken steps to clean up the damage, the breach points to an unfortunate truth about cybersecurity. Even with the proper security tools in place, such as MFA, an organization can fall victim to a cyberattack due to the carelessness of a single employee or contractor.
“There is only one solution to making push-based MFA more resilient, and that is to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur,” said Roger Grimes, data-driven defense evangelist at KnowBe4. “If you’re going to rely on push-based MFA, and really any easily phished MFA to protect your organization, you need to aggressively educate employees. Expecting them to handle every security situation appropriately without the appropriate education is wishing and hoping, and wishing and hoping does not stop malicious hackers.”