Uber believes that the LAPSUS$ gang is behind the recent attack

Uber disclosed additional details about the security breach, the company blames a threat actor allegedly affiliated with the LAPSUS$ hacking group.

Uber revealed additional details about the recent security breach, the company believes that the threat actor behind the intrusion is affiliated with the LAPSUS$ hacking group.

Over the last months, the Lapsus$ gang compromised many high-profile companies such as NVIDIA, Samsung, Ubisoft, Mercado Libre, Vodafone, Microsoft, Okta, and Globant.

“We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so. This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others.” reads a new update provided by the company early this week.

This week the leak of GTA6 gameplay videos made the headlines, it is the result of the data breach of the video game maker Rockstar Games. The 18-year-old hacker behind this attack, who goes online by the moniker Tea Pot, claims to have also hacked Uber.

On April 2022, the City of London Police charged two of the seven teenagers arrested in March by the UK police for their alleged membership in the Lapsus$ extortion gang.

UK police suspect that a 16-year-old from Oxford is one of the leaders of the popular Lapsus$ group.

Uber added that it is investigating the security breach with the help of several leading digital forensics firms.

“We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks.” continues the update.

The company explained that threat actors compromised the account of a Uber EXT contractor, they likely purchased the contractor’s credentials on the dark web. The attacker attempted to log in to the contractor’s Uber account multiple times. Each time, the contractor received a two-factor login approval request, and evidently, he finally accepted one of them, allowing the attacker successfully log in to the account.

“From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.” concludes the update.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, LAPSUS$)

[adrotate banner=”5″]

[adrotate banner=”13″]