Uber launches infosec hiring spree after attributing breach to LAPSUS$
The company also hinted that it believes LAPSUS$ was behind the attack on Rockstar Games over the weekend, in a revealing update detailing the inner workings of the attack


Uber has embarked on a hiring spree for security personnel in the wake of its data breach last week and has also revealed new details about who was behind the attack.
On Friday last week, several open positions appeared on LinkedIn just one day after the ride-hailing tech giant confirmed the breach to the public.
Roles that are still open for applications include senior security incident commander to lead incident response, security engineer and security engineering manager at the company's threat detection division, and senior security engineers across applications security, enterprise security, and investigations.
The positions opened for applicants the day after the attack was confirmed and show Uber’s commitment to tightening its security following the breach.
In an update to customers on Monday, Uber also confirmed several other details about who was behind the attack and how the cyber criminals were able to successfully breach the company.
Uber attributed the attack to the LAPSUS$ hacking group, which came to prominence in early 2022, claiming successful attacks on major companies such as Microsoft, Okta, Nvidia, Samsung, and T-Mobile.
The group has been described as both “competent and incompetent at the same time” by experts and is believed to be run by young cyber criminals in Portugal, Brazil, and the UK whose ages range between 16 and 21.
Unlike many emerging cyber criminal organisations, LAPSUS$ does not operate on a ransomware model. In the case of the Uber hack, the company said the group managed to gain access to a contractor’s account by spamming multi-factor authentication (MFA) prompts.
Uber believed the contractor’s device had been infected with malware, allowing hackers to steal credentials and sell them to LAPSUS$ on the dark web.
From there, the attackers repeatedly tried to gain access to the contractor’s account using the stolen credentials, and the repeated attempts would have delivered a frustrating number of prompts to the contractor’s phone.
The contractor eventually accepted one of the prompts, allowing the attackers full access to their account.
This is a known attack method in the industry and relies on sending so many prompts that the target becomes annoyed with all the notifications and accepts one to make them stop.
LAPSUS$ is also known for having deployed such tactics in the past, saying they prefer to carry them out while the target sleeps to maximise effectiveness.
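A detection rule for the prompt-spamming pattern described above, as an added example that is not part of the original article or Uber's own tooling: it flags an MFA approval that follows a burst of denied or unanswered push prompts. The event format, thresholds and account names are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events, not from any real log: (local ISO time, user, push result)
SAMPLE_EVENTS = [
    ("2022-09-15T02:01:00", "contractor-a", "denied"),
    ("2022-09-15T02:03:00", "contractor-a", "timeout"),
    ("2022-09-15T02:04:00", "contractor-a", "denied"),
    ("2022-09-15T02:06:00", "contractor-a", "denied"),
    ("2022-09-15T02:09:00", "contractor-a", "timeout"),
    ("2022-09-15T02:12:00", "contractor-a", "denied"),
    ("2022-09-15T02:14:00", "contractor-a", "approved"),  # gives in after six prompts
    ("2022-09-15T09:00:00", "employee-b", "timeout"),     # one missed prompt, normal login
    ("2022-09-15T09:01:00", "employee-b", "approved"),
    ("2022-09-15T08:00:00", "employee-c", "denied"),      # denials spread out, no burst
    ("2022-09-15T10:00:00", "employee-c", "denied"),
    ("2022-09-15T12:00:00", "employee-c", "denied"),
    ("2022-09-15T14:00:00", "employee-c", "denied"),
    ("2022-09-15T16:00:00", "employee-c", "denied"),
    ("2022-09-15T16:05:00", "employee-c", "approved"),
]

def detect_push_fatigue(events, window=timedelta(minutes=30), threshold=5):
    """Alert when an approval follows >= threshold unapproved prompts inside the window."""
    pending = {}  # user -> timestamps of recent denied or timed-out prompts
    alerts = []
    for ts_raw, user, result in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_raw)
        # Keep only the unapproved prompts that are still inside the sliding window.
        recent = [t for t in pending.get(user, []) if ts - t <= window]
        if result in ("denied", "timeout"):
            recent.append(ts)
            pending[user] = recent
        elif result == "approved":
            if len(recent) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ts_raw,
                    "prior_prompts": len(recent),
                    # Assumed night hours; prompts sent while the target sleeps rank higher.
                    "off_hours": ts.hour < 6 or ts.hour >= 22,
                })
            pending[user] = []  # an approval closes the current burst
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert from this rule is a reason to revoke the session that the approval created and to reset the account's credentials, since the password is already in the attacker's hands by the time the prompts start.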
“From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G Suite and Slack,” said Uber.
“The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.”
Uber said the attackers were able to access and download Slack messages - the content of which was not specified - and download data from its finance team’s invoice management tool.
LAPSUS$ also accessed Uber’s HackerOne dashboard. HackerOne is a security bug and vulnerability reporting platform, though the only reports available to the hackers were regarding vulnerabilities that had already been remediated, Uber said.
The company confirmed nothing else was affected, including its code base or any of its public-facing apps or technologies.
Uber also confirmed that LAPSUS$ was unable to access any customer data stored by its cloud providers, including AWS’ S3.
“We’re working with several leading digital forensics firms as part of the investigation,” said Uber, which also said the investigation is still ongoing.
“We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks.”
The Rockstar link
Uber also revealed that it believed LAPSUS$ was the hacking group behind the recent breach of Rockstar Games - the developers of popular video game franchises such as Grand Theft Auto and Red Dead Redemption.
The studio announced over the weekend that it had fallen victim to a significant data breach which involved the leaking of footage from the company's pre-alpha version of the upcoming Grand Theft Auto VI game.
“We recently suffered a network intrusion in which an unauthorised third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto [game],” said Rockstar Games.
Uber said it is working with the FBI and US Justice Department to investigate the incident further. It’s unclear if the authorities are also investigating the incident at Rockstar Games.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.