On Thursday, 15 September 2022, Uber discovered and acknowledged that its internal network had been breached. In response, the company took several engineering and internal communications systems offline. The incident was first reported by The New York Times. Uber confirmed the security incident in a Twitter post, stating that it was investigating and responding to it, was in touch with law enforcement, and would provide further updates as they became available.
Uber suspects that the attacker is affiliated with the hacking group Lapsus$, which has become increasingly active over the past year. Earlier this year, Lapsus$ targeted several technology companies and released a data dump of roughly 70 GB of source code taken from a number of organizations, including code belonging to Apple and Facebook.
An 18-year-old claimed responsibility for the hack and shared images of emails and screenshots of cloud storage and code repositories with The New York Times. He said the company's security was weak and that he had used social engineering: posing as an IT worker, he asked an Uber employee for their password, which gave him access to that employee's Slack account and a foothold in the internal network. The attacker is also believed to have obtained administrative access to Uber's AWS and GCP accounts, where the company stores its data, as well as access to its source code.
It is speculated that the attacker purchased a contractor's corporate credentials on the dark web after malware on the contractor's personal device had exposed them. The attacker then repeatedly attempted to log in to the contractor's Uber account. Each attempt triggered a two-factor authentication push request to the contractor, who initially denied them; when the contractor eventually approved one of the requests, the attacker was logged in.
Once logged in, the attacker was able to access several other employee accounts, which in turn granted elevated permissions to a number of tools, including G Suite and Slack. The attacker then posted a message to a company-wide Slack channel and reconfigured Uber's OpenDNS to display a graphic image on internal sites.
It was initially unclear how the attacker bypassed two-factor authentication (2FA). The attacker later told a security researcher that he had used an MFA fatigue attack while pretending to be from Uber's IT support team. In an MFA fatigue attack the attacker already holds a valid password and triggers login attempt after login attempt, so the victim receives a stream of back-to-back push approval requests; the attacker then contacts the victim (here, posing as IT support) and persuades them that approving the request will make the prompts stop. A single tap on "Approve" is enough, and that is how the attacker gained access to confidential data.
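The pattern described above leaves a recognizable trace in authentication logs: a burst of denied push prompts for one account, followed by an approval from the same source. The following is an added example, not Uber's tooling or anything from Uber's write-up; the log format, the field names (`user`, `event`, `src`), the ten-minute window and the three-denial threshold are all assumptions, and the log lines are constructed for illustration.

```python
"""Flag MFA push approvals that follow a burst of denials (MFA fatigue).

Added example, not Uber's detection logic. The log format below is an
assumption: one line per push outcome, fields as key=value pairs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format:
# <ISO-8601 UTC timestamp> user=<name> event=<push_denied|push_approved> src=<ip>
SAMPLE_LOG = """\
2022-09-15T22:01:05Z user=contractor1 event=push_denied src=203.0.113.7
2022-09-15T22:01:40Z user=contractor1 event=push_denied src=203.0.113.7
2022-09-15T22:02:15Z user=contractor1 event=push_denied src=203.0.113.7
2022-09-15T22:03:02Z user=contractor1 event=push_denied src=203.0.113.7
2022-09-15T22:05:30Z user=contractor1 event=push_approved src=203.0.113.7
2022-09-15T22:06:10Z user=alice event=push_approved src=198.51.100.4
2022-09-15T22:07:00Z user=bob event=push_denied src=198.51.100.9
2022-09-15T22:20:00Z user=bob event=push_approved src=198.51.100.9
"""

WINDOW = timedelta(minutes=10)   # assumed lookback for "recent" denials
DENIAL_THRESHOLD = 3             # assumed: this many denials before an approval is suspicious


def parse_line(line):
    """Split one log line into (timestamp, user, event, src)."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields["event"], fields["src"]


def find_fatigue_approvals(log_text, window=WINDOW, threshold=DENIAL_THRESHOLD):
    """Return (user, approval_time, recent_denials, src) for each approval that
    was preceded by at least `threshold` denials within `window`.

    Lines are assumed to be in chronological order per user.
    """
    denials = defaultdict(list)  # user -> timestamps of denials not yet followed by an approval
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, src = parse_line(raw)
        if event == "push_denied":
            denials[user].append(ts)
        elif event == "push_approved":
            recent = [t for t in denials[user] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append((user, ts, len(recent), src))
            # An approval ends the sequence either way; start counting afresh.
            denials[user].clear()
    return hits


if __name__ == "__main__":
    for user, ts, n, src in find_fatigue_approvals(SAMPLE_LOG):
        print(f"ALERT: {user} approved a push at {ts:%Y-%m-%dT%H:%M:%SZ} "
              f"after {n} denials in the last {WINDOW} (src={src})")
```

On the sample log this flags only `contractor1` (four denials in under five minutes, then an approval); `bob`'s single denial followed by an approval thirteen minutes later is normal noise. In practice the alert should also be correlated with the source address and with the user's usual working hours, and the more durable fix is to remove the one-tap approval the attack depends on: push MFA with number matching, or phishing-resistant factors such as FIDO2 security keys.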
Uber employees also received a Slack message reading "I announce I am a hacker and Uber has suffered a data breach." The company then instructed employees to stop using Slack for internal communication until the problem was resolved.
Groups like Lapsus$ rely on social engineering to carry out their intrusions. The breach of Uber's internal network is yet another reminder of the importance of running information security awareness programs across the whole organization, contractors included. Even if a product has no exploitable vulnerabilities, an organization whose staff are not trained to recognize social engineering, such as unexpected MFA prompts or unsolicited requests for passwords, remains exposed to attack.