The American mobility provider Uber blamed the Lapsus$ ransomware gang for the recent attacks on the company's systems. The gang is a well-known threat actor (TA) behind high-profile breaches of Microsoft, Cisco, NVIDIA, Samsung, and Okta.
The perpetrator allegedly carried out an MFA fatigue attack using stolen credentials belonging to an Uber EXT contractor. The attackers bombarded the contractor with two-factor authentication (2FA) login requests until one of them was accepted.
Uber explains the recent attack
On September 19, 2022, Uber released an official statement sharing details about the attack and who was possibly behind it. In the report, the company explained that after flooding the contractor's account with two-factor authentication (2FA) login requests, the attacker moved on to other employees' accounts and took control of several internal tools, including G-Suite and Slack, as reported earlier.
The hacker then posted a message to the company's Slack channel and reconfigured Uber's OpenDNS to display a graphic image to employees on internal channels and websites. However, despite the depth of access the hacker obtained, the company could not find evidence that the threat actor reached production systems, employees' financial data, credit card numbers, bank details, or other sensitive information.
Uber blames Lapsus$ ransomware gang
Uber stated that the attacker (or attackers) were "affiliated with a hacking group called Lapsus$," which was behind recent attacks on similar companies. Among tech giants, the group has allegedly breached Microsoft, Cisco, Samsung, Nvidia, and Okta in the last few months. The same group was also responsible for the breach of video game developer Rockstar Games, where it released clips and source files from an early version of the highly anticipated Grand Theft Auto VI.
Uber is working closely with the FBI and the US Department of Justice to track down the perpetrators behind the attack and is putting preventive measures in place to protect itself from similar attacks in the future. The company also released a list of steps it is taking to prevent such incidents from happening again.
- Uber will disable access to Uber systems for compromised accounts affected by the breach.
- A password reset would be required to re-enter the account.
- It will disable internal tools affected by the attack.
- Uber will change the keys to internal services, effectively resetting access.
- It will secure its codebase and stop any further code additions.
- The company will require users to re-authenticate to regain access to internal tools.
- Uber will increase monitoring of its internal environment to closely check any new suspicious behavior.
- It will enhance multi-factor authentication (MFA) guidelines.
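The MFA push flooding described above leaves a clear trace in authentication logs: a burst of denied or unanswered prompts for one account, sometimes ending in an approval. The following detector is an added example, not Uber's own monitoring code; the log format, user names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real Uber data): one contractor is
# bombarded with push prompts and eventually approves one; another user
# has a normal single-prompt login.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z ext-contractor push denied
2022-09-15T22:01:40Z ext-contractor push timeout
2022-09-15T22:02:15Z ext-contractor push denied
2022-09-15T22:02:50Z ext-contractor push timeout
2022-09-15T22:03:25Z ext-contractor push denied
2022-09-15T22:04:00Z ext-contractor push approved
2022-09-15T22:10:00Z alice push approved
"""

def parse_log(text):
    """Parse 'timestamp user method result' lines into (datetime, user, result)."""
    events = []
    for line in text.splitlines():
        ts, user, _method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who received >= threshold rejected/unanswered pushes within
    `window`, and record whether the burst ended in an approval (the case
    that should trigger an immediate session reset and investigation)."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of non-approved prompts
    for ts, user, result in sorted(events):
        # Keep only prompts that fall inside the sliding window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if result == "approved":
            if len(recent[user]) >= threshold:
                alerts.append({"user": user, "prompts": len(recent[user]),
                               "approved": True, "at": ts})
            recent[user] = []  # an approval closes the current burst
        else:
            recent[user].append(ts)
            if len(recent[user]) == threshold:
                alerts.append({"user": user, "prompts": threshold,
                               "approved": False, "at": ts})
    return alerts
```

Feeding the sample log through `detect_mfa_fatigue(parse_log(SAMPLE_LOG))` raises one early warning after the third rejected prompt and a second, higher-severity alert when the flooded account finally approves a push.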