An Uber contractor's credentials were stolen and used to access multiple accounts and internal company files in a targeted attack. Uber initially published a short security update stating that it was responding to a cybersecurity incident, and has since updated that post with details of the attack and the follow-up investigation. No sensitive user data such as trip history was exposed: the attackers did not target that data, but instead went after the company's internal systems and files. So far there is also no evidence that any malicious code was introduced into Uber's codebase.
The threat actor behind this attack is believed to be Lapsus$, the group also responsible for high-profile attacks on Okta and T-Mobile, among other large technology companies. The initial access method matches their previous attacks: the group buys a user's corporate password on the dark web, where it was listed after malware on the target user's device had harvested it. With the credentials in hand, the attackers attempted to log in to the account repeatedly. Each attempt triggered a two-factor authentication (2FA) push prompt, and for a while the user denied every one of them. This technique, often called MFA fatigue or push bombing, relies on the victim eventually accepting a prompt out of habit or simply to make them stop; in Uber's case the contractor did accept one, and the attackers logged in successfully.
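The pattern described above, a burst of denied push prompts followed by an approval, is what a detection engineer would alert on. The following detector is an added example written for this page; it is not Uber's tooling and not anything attributed to Lapsus$. It assumes a constructed, simplified authentication log of the form `<ISO timestamp> <user> <event>` with the hypothetical event names `mfa_push_sent`, `mfa_push_denied` and `mfa_push_approved`; real identity-provider logs (Okta, Duo, Azure AD) carry different field names and would need their own parser.

```python
"""MFA push-fatigue detector (added example, not code from the original page).

Flags any user who approves an MFA push after a run of denied pushes within a
short window, which is the signature of the push-bombing technique described in
the text. Log format and event names are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Uber data). "c.jones" denies three pushes and
# then approves the fourth; "a.smith" shows normal single-prompt behaviour.
SAMPLE_LOG = """\
2022-09-15T02:10:05Z a.smith mfa_push_sent
2022-09-15T02:10:09Z a.smith mfa_push_approved
2022-09-15T02:31:00Z c.jones mfa_push_sent
2022-09-15T02:31:12Z c.jones mfa_push_denied
2022-09-15T02:31:40Z c.jones mfa_push_sent
2022-09-15T02:31:51Z c.jones mfa_push_denied
2022-09-15T02:32:20Z c.jones mfa_push_sent
2022-09-15T02:32:33Z c.jones mfa_push_denied
2022-09-15T02:33:05Z c.jones mfa_push_sent
2022-09-15T02:33:44Z c.jones mfa_push_approved
"""


def parse_log(text):
    """Parse the assumed '<timestamp> <user> <event>' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def detect_push_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Return {user: (denial_count, approval_time)} for every user who approved
    a push after at least `min_denials` denials inside `window` before it.

    A denial burst that never ends in an approval is a failed push-bombing
    attempt and is not returned here, but is still worth a lower-severity alert.
    """
    denials = defaultdict(list)
    hits = {}
    for ts, user, event in sorted(events):
        if event == "mfa_push_denied":
            denials[user].append(ts)
        elif event == "mfa_push_approved":
            recent = [d for d in denials[user] if ts - d <= window]
            if len(recent) >= min_denials:
                hits[user] = (len(recent), ts)
            # An approval closes the burst either way; start counting afresh.
            denials[user].clear()
    return hits


if __name__ == "__main__":
    for user, (count, when) in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT push fatigue: {user} approved after {count} denials at {when:%H:%M:%S}Z")
```

The threshold and window are tuning knobs: three denials in ten minutes catches the sample burst without flagging a user who mis-taps one prompt. The same query is easy to express in a SIEM against the identity provider's real push events; the point is to correlate the denials with the eventual approval rather than alert on either alone.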
Once inside the contractor's account, the attackers moved on to other employee accounts and, by doing so, obtained elevated permissions in several tools used by Uber employees, including Slack and Google Workspace (G Suite). They posted messages to a company-wide Slack channel and reconfigured Uber's OpenDNS so that some internal sites displayed an image of their choosing. Although no customer data is thought to have been accessed, some confidential financial information, including invoices, is believed to have been compromised. The attackers also reached Uber's HackerOne vulnerability reports, where the company stores submissions to its bug bounty programme. That access has since been disabled, so the attackers can no longer reach the programme; however, the vulnerability reports that were stored there at the time were exfiltrated as part of the attack.
The attack did not appear to affect the functionality of Uber, Uber Eats, Uber Freight or the Uber Driver app; however, because Uber took some internal tools offline as part of its incident response, some customer support operations were impacted. Lapsus$ appears to remain very active despite the arrest earlier this year of seven teenagers believed to be members. The group is also credited with this week's Rockstar breach, in which test videos and game design material for Grand Theft Auto 6 were leaked online. The user who released these videos and source code goes by the names 'teapotuberhacker' and 'teapots2022' and claims to be responsible for both the Rockstar and Uber attacks.