Uber asserts the threat actor behind last week’s cyberattack did not access the company’s production environment, any user accounts or databases it uses to store sensitive information.
The rideshare and food delivery company, in a Monday security update, said it found no evidence that its codebase was altered or that any customer or user data stored by its cloud providers was accessed.
The attacker did, however, gain access to and exfiltrate Slack messages, data from a tool Uber’s finance team uses to manage invoices, and the company’s dashboard at HackerOne, where it stores vulnerability reports.
“Any bug reports the attacker was able to access have been remediated,” the company said in the update.
Uber, following an initial investigation, said the threat actor compromised a contractor’s account. The company said the attacker likely purchased the individual’s corporate password on the dark web after their personal device was infected with malware, exposing their credentials.
The threat actor initiated a multifactor authentication fatigue attack, wherein they repeatedly tried to log in to the contractor’s Uber account, which prompted two-factor authentication requests.
The contractor eventually accepted one of those requests, which allowed the threat actor to log in successfully, according to Uber.
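The push-fatigue pattern described above (repeated sign-in attempts that each trigger a push prompt, until the user approves one) leaves a recognisable trace in identity-provider logs: a burst of prompts for one account in a short window, followed by an approval. The detector below is an added example written for this article, not code from Uber or from any identity provider; the JSON log format, the field names, the `contractor01` account and the timestamps are all constructed for illustration.

```python
"""Detect MFA push-fatigue bursts in identity-provider sign-in logs.

Added example. Log format and field names (ts, user, event, source_ip) are
an assumption; the events below are constructed, not real Uber logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import json

# Constructed sample: one JSON object per line, already time-ordered.
SAMPLE_LOG = """\
{"ts": "2022-09-15T23:02:10Z", "user": "contractor01", "event": "mfa_push_sent", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:02:40Z", "user": "contractor01", "event": "mfa_push_timeout", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:03:05Z", "user": "contractor01", "event": "mfa_push_sent", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:03:35Z", "user": "contractor01", "event": "mfa_push_denied", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:04:00Z", "user": "contractor01", "event": "mfa_push_sent", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:04:30Z", "user": "contractor01", "event": "mfa_push_timeout", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:05:12Z", "user": "contractor01", "event": "mfa_push_sent", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:05:42Z", "user": "contractor01", "event": "mfa_push_timeout", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:06:01Z", "user": "contractor01", "event": "mfa_push_sent", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:06:31Z", "user": "contractor01", "event": "mfa_push_timeout", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:07:15Z", "user": "contractor01", "event": "mfa_push_sent", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:07:30Z", "user": "contractor01", "event": "mfa_push_approved", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:07:45Z", "user": "contractor01", "event": "login_success", "source_ip": "198.51.100.7"}
{"ts": "2022-09-15T23:10:00Z", "user": "analyst02", "event": "mfa_push_sent", "source_ip": "203.0.113.9"}
{"ts": "2022-09-15T23:10:20Z", "user": "analyst02", "event": "mfa_push_approved", "source_ip": "203.0.113.9"}
{"ts": "2022-09-15T23:10:25Z", "user": "analyst02", "event": "login_success", "source_ip": "203.0.113.9"}
"""

PUSH_THRESHOLD = 5              # prompts within WINDOW that count as a burst
WINDOW = timedelta(minutes=15)  # sliding window per user


def parse_events(text):
    """Parse one JSON object per line; 'ts' becomes an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_mfa_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return alerts: 'push_burst' when a user's prompt count within the window
    reaches the threshold, and a higher-severity 'approval_after_burst' when such
    a user then approves a prompt. One burst alert per burst, not per prompt."""
    recent = defaultdict(deque)  # user -> timestamps of prompts inside the window
    in_burst = set()             # users whose prompt count is at/above threshold
    alerts = []
    for ev in events:
        user, ts, kind = ev["user"], ev["ts"], ev["event"]
        q = recent[user]
        # Slide the window: drop prompts older than `window` before this event.
        while q and ts - q[0] > window:
            q.popleft()
        if not q:
            in_burst.discard(user)
        if kind == "mfa_push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append({"user": user, "severity": "medium",
                               "reason": "push_burst", "pushes": len(q),
                               "source_ip": ev.get("source_ip"),
                               "ts": ts.isoformat()})
        elif kind == "mfa_push_approved" and user in in_burst:
            # The pattern from the article: approval only after a run of prompts.
            alerts.append({"user": user, "severity": "high",
                           "reason": "approval_after_burst", "pushes": len(q),
                           "source_ip": ev.get("source_ip"),
                           "ts": ts.isoformat()})
            q.clear()
            in_burst.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed sample the detector raises a medium alert for `contractor01` at the fifth prompt and a high alert when the sixth prompt is approved, while `analyst02`, who receives a single prompt and approves it, produces nothing. The threshold and window are the knobs to tune against your own baseline; the higher-severity alert is the one worth paging on, because it marks the moment a fatigue run succeeds rather than merely being attempted.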
“From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including Google Workspace and Slack,” the company said in the update.
The threat actor posted a message on a companywide Slack channel and reconfigured Uber’s OpenDNS to “display a graphic image to employees on some internal sites,” the company said.
Uber did not explain how the threat actor accessed other employee accounts after the contractor’s account was compromised.
Uber pinned the blame for last week’s cyberattack on a threat actor affiliated with Lapsus$, the extortion group responsible for attacks this year on Cisco, Nvidia, Microsoft, Okta, Samsung and, reportedly, Rockstar Games over the weekend.
Uber said it’s closely coordinating recovery and response efforts with the FBI and Department of Justice. The company also pledged to strengthen its cyber policies, practices and technology to improve its defenses.
Uber’s services were not impacted by the attack and remain operational. The company has not yet responded to requests for comment.
The company said it took multiple protective measures in response to the attack:
- Compromised or potentially compromised accounts were identified and blocked or required password resets to regain access.
- Many internal tools were disabled.
- Access parameters were reset on many of Uber’s internal services via key rotations.
- The company’s codebase was locked down, preventing any new code changes.
- When Uber restored access to internal tools, it required employees to reauthenticate their credentials.