Uber on Monday disclosed more details related to the security incident that happened last week, pinning the attack on a threat actor it believes is affiliated to the notorious LAPSUS$ hacking group. This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others. There are also reports over the weekend that this same actor breached video game maker Rockstar Games.
According to Hacker News, The financially motivated extortionist gang was dealt a huge blow in March 2022 when the City of London Police moved to arrest seven individuals aged between 16 and 21 for their alleged connections to the group. Two of those juvenile defendants are facing fraud charges.
The hacker behind the Uber breach, an 18-year-old teenager who goes by the moniker Tea Pot, has also claimed responsibility for breaking into video game maker Rockstar Games over the weekend.
Uber said in a press release that “We’re working with several leading digital forensics firms as part of the investigation. We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks.”
How the Attack Unfolded
Uber said that a contractor had their personal device compromised with malware and their corporate account credentials stolen and sold on the dark web, corroborating an earlier report from Group-IB.
“The attacker then repeatedly tried to log in to the contractor’s Uber account,” the company said. “Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”
Upon gaining a foothold, the miscreant is said to have accessed other employee accounts, thereby equipping the malicious party with elevated permissions to “several internal systems” such as Google Workspace and Slack.
Uber didn’t disclose how many employee accounts were potentially compromised, but it reiterated that no unauthorized code changes were made and that there was no evidence the hacker had access to production systems that support its customer-facing apps.
The company further said that Uber reviewed our codebase and have not found that the attacker made any changes.
We also have not found that the attacker accessed any customer or user data stored by our cloud providers (AWS S3). It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analyzing those downloads.
According to the Hacker News, the alleged teen hacker is said to have downloaded some unspecified number of internal Slack messages and information from an in-house tool used by its finance team to manage certain invoices.0