Uber pins security breach on Lapsus$ ransomware group

A traveller waits for an Uber rider at Midway International Airport on May 9, 2022, in Chicago. (Photo by Scott Olson/Getty Images)

Ride-sharing firm Uber released a statement late Monday saying that although its investigation is ongoing, the company blames last week’s breach of its systems on the same hacking group responsible for a number of ransomware attacks.

“We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so. This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others,” said the security update posted to the Uber website. The statement said the company is working closely with the FBI and the Justice Department.

The company said it believes a contractor’s corporate password was purchased on the dark web, and that repeated attempts to log into the contractor’s Uber account were blocked by two-factor authentication before one was eventually accepted. After successfully logging in, the attacker accessed several other employee accounts and was able to elevate permissions to a number of tools, including G-Suite and Slack.
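Detection logic for the pattern described above (repeated two-factor prompts denied, then one accepted for the same account shortly after), as an added example that is not from Uber’s statement or this article; the log format, field names and sample entries are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): one account receives
# several MFA denials and then an approval within a few minutes; another account
# has a single denial followed by an approval well outside the window.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z user=contractor.a mfa=DENIED src=198.51.100.7
2022-09-15T22:01:40Z user=contractor.a mfa=DENIED src=198.51.100.7
2022-09-15T22:02:12Z user=contractor.a mfa=DENIED src=198.51.100.7
2022-09-15T22:03:01Z user=contractor.a mfa=DENIED src=198.51.100.7
2022-09-15T22:05:30Z user=contractor.a mfa=APPROVED src=198.51.100.7
2022-09-15T22:06:00Z user=employee.b mfa=APPROVED src=203.0.113.9
2022-09-15T22:07:10Z user=employee.c mfa=DENIED src=203.0.113.10
2022-09-15T22:20:00Z user=employee.c mfa=APPROVED src=203.0.113.10
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into (datetime, user, mfa result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["mfa"]


def find_mfa_fatigue(log_text, min_denials=3, window=timedelta(minutes=10)):
    """Return (user, denial_count, approval_time) for every MFA approval that was
    preceded by at least `min_denials` denials for the same user within `window`.
    The denial history for a user is cleared after each approval."""
    denials = {}  # user -> timestamps of recent denials
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = parse_line(line)
        recent = [t for t in denials.get(user, []) if ts - t <= window]
        if result == "DENIED":
            recent.append(ts)
            denials[user] = recent
        elif result == "APPROVED":
            if len(recent) >= min_denials:
                hits.append((user, len(recent), ts))
            denials[user] = []
    return hits
```

Running `find_mfa_fatigue(SAMPLE_LOG)` flags only `contractor.a`, whose approval followed four denials in under five minutes; the lone denial on `employee.c` falls outside the window and is not flagged.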

The statement said Uber’s security teams quickly identified the issue and responded accordingly, including:

  • identifying compromised employee accounts and either blocking their access or resetting their passwords;
  • disabling affected internal tools;
  • rotating keys to many of its internal services;
  • locking down its codebase;
  • requiring employees to re-authenticate and strengthening its multi-factor authentication policies;
  • adding additional monitoring of its environment.

Uber said that it didn’t appear that the attacker accessed production systems that run its apps, user accounts or databases containing sensitive information such as credit cards, banking information or trip history. However, it said the attacker downloaded internal Slack messages and accessed or downloaded information from an internal invoicing tool. 

Uber also said its HackerOne dashboard, where security researchers report bugs and vulnerabilities, was accessed, but that the issue has since been remediated. Uber confirmed the breach Sept. 16 after the New York Times reported on Sept. 15 that it was investigating a compromise.

Lapsus$ has been incredibly active this year, which has led to warnings and calls for assistance from U.S. government agencies. The FBI in March asked the public for help identifying individuals tied to the group that claimed responsibility for breaches at Nvidia and Samsung, among others. The Department of Health and Human Services also warned the healthcare sector about the group in an April alert.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
