Uber suffers a hack: the company places the responsibility on Lapsus$

On September 15th Uber confirmed the cybersecurity breach and said they are investigating the incident. They have assured everyone that they are in touch with law enforcement and that we will provide updates as they become available.

What happened?

A hacker gained access to Uber’s internal systems after compromising an employee’s Slack account. Many businesses in the technology industry rely on the instant messaging service Slack for their regular communications. This attack caused a 5% drop in Uber stock value on Friday. 

What has actually happened in this attack?

In this case, the attackers first launched a social engineering campaign against Uber employees, which allowed them to gain access to the company’s VPN and, eventually, Uber’s internal network (*.corp.uber.com).

After the hacker/attacker gained access to the network, the attacker got some PowerShell scripts in the network share. One of the scripts had hard-coded credentials for a domain administrator account for Thycotic Uber’s Privileged Access Management (PAM) solution.

Using admin access, the attacker logged in and took multiple services and tools used at Uber. 

After this incident, Uber blamed the Lapsus$a cybercrime group that uses social engineering to target technology firms and other organizations. In an update, Uber said, “We believe that this attacker (or attackers) is affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so.” Researchers are saying that the incident has highlighted risks that can come from relying too much on Multi-Factor Authentication (MFA). 

Uber’s investigation revealed that the attacker gained access to internal Slack messages and then gained access to or downloaded data from a finance department tool used to manage invoices. The attacker also accessed Uber’s dashboard on the bug tracking platform HackerOne. However, the company added that the accessed bug reports have since been resolved.