Uber and Rockstar incidents reportedly the work of the same attacker
Two high-impact cyberattacks against ride-sharing service Uber and video game developer Rockstar Games that took place over the course of three days are tentatively being linked after a threat actor going by the handle teapotuberhacker claimed to be behind both incidents.
Details of the Uber incident first emerged on Thursday 15 and Friday 16 September, while the attack on Rockstar – developer of some of the most high-profile and influential franchises in modern gaming – took place on September 18 and 19.
Rockstar is still fighting to contain the leak, which has seen about 50 minutes of early video footage from the upcoming Grand Theft Auto 6 shared on the GTAForums fan page, from where it has since spread widely.
The leaker also claimed to have stolen additional data, including a test build of Grand Theft Auto 6 and source code for Grand Theft Auto 6 and Grand Theft Auto 5. They appear to be demanding an unspecified payout from the organization, saying, “I’m looking to negotiate a deal.”
A Rockstar spokesperson said: “We recently suffered a network intrusion where an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto.
“At this time, we do not expect any disruption to our live gaming services or any long-term effect on the development of our ongoing projects.
“We are extremely disappointed to have shared any details about our next game with you all in this way. Our work on the next Grand Theft Auto will continue as planned and we are as committed as ever to delivering an experience to you, our players, that truly exceeds your expectations,” they said.
“We will update everyone again soon and of course will introduce you to this next game when it is ready. We want to thank everyone for their continued support throughout this situation.”
Rockstar’s attackers reportedly further claimed they gained access to the company’s systems after getting into its Slack channel via social engineering, although this is unconfirmed. If accurate, however, it provides more evidence of a connection between the two events.
Erfan Shadabi, a cybersecurity expert at comforte AG, commented: “Given that 2013’s GTA 5 is considered one of the most successful video games of all time, and there is a growing demand for the new game, it is no surprise that it became a target for hackers.
“What comes to mind when we think of security breaches is usually the theft and sale of personal user or employee data, but this attack is a little different. The hacker stole, through the Slack messaging platform, many new game-related assets that could be very valuable on the dark web and/or highly sought after by fans on social media. When stolen data like this is published on social media, it can be nearly impossible to limit the damage and reach of the data.”
Sophos principal researcher Chester Wisniewski said the attacks felt like “reliving” the Lapsus$ cyberattacks of late 2021 and early 2022, and over the weekend Uber actually attributed the breach to Lapsus$, a gang that specialises in exploiting weaknesses in multifactor authentication (MFA) to trick employees into giving up their credentials.
An Uber spokesperson said: “We believe this attacker or attackers are associated with a hacker group called Lapsus$, which has been increasingly active over the past year or so. This group typically uses similar techniques to target technology companies, and in 2022 alone breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others.
“We are in close coordination with the FBI and the US Department of Justice on this matter and will continue to support their efforts.”
Sophos’ Wisniewski said social engineering was an “incredibly effective technique for initial compromise and exploiting the trust of privileged insiders”.
“Security is a system, and it needs redundancy no different than an airplane or spaceship. You have to design it to be fault tolerant. In all these cases, it seems that gaining access as a trusted insider was enough to make it possible for a cunning criminal to go through a number of systems.
“Networks must be designed to challenge a person’s identity and credentials every time a new or privileged asset is accessed,” he added.
Additionally, Uber provided more information gleaned from its ongoing investigation, saying the incident originated with an external vendor whose account was compromised after the attacker bought the vendor’s corporate password, stolen in an earlier malware attack, on the dark web.
The attacker then repeatedly attempted to log into the contractor’s Uber account, generating multiple MFA challenges, one of which was unfortunately accepted. This gave the attacker access to other employee accounts and, from there, to tools including G-Suite, Slack and more.
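The pattern Uber describes, a burst of MFA push prompts for one account followed by a single approval, is something an identity-log monitor can flag. The following is an added example written for this article, not code from Uber or any vendor named here; the log format and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA event log (not real Uber data).
# Format per line: ISO-8601 timestamp, username, event type, result.
SAMPLE_LOG = """\
2022-09-15T23:01:05Z contractor01 mfa_push denied
2022-09-15T23:01:40Z contractor01 mfa_push denied
2022-09-15T23:02:12Z contractor01 mfa_push timeout
2022-09-15T23:03:30Z contractor01 mfa_push denied
2022-09-15T23:05:02Z contractor01 mfa_push approved
2022-09-15T23:06:00Z alice mfa_push approved
2022-09-15T23:20:00Z bob mfa_push denied
2022-09-15T23:50:00Z bob mfa_push approved
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result


def detect_push_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Return alerts for MFA push-bombing behaviour.

    'push_burst'       : a user receives `threshold` unapproved pushes within `window`.
    'fatigue_success'  : a user approves a push after >= threshold unapproved pushes
                         within `window` (the outcome Uber reported).
    """
    recent = defaultdict(list)  # user -> timestamps of denied/timed-out pushes
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, event, result = parse_line(line)
        if event != "mfa_push":
            continue
        # Keep only pushes that fall inside the sliding window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if result == "approved":
            if len(recent[user]) >= threshold:
                alerts.append({"user": user, "kind": "fatigue_success",
                               "at": ts, "pushes": len(recent[user])})
            recent[user].clear()  # approval ends the sequence
        else:
            recent[user].append(ts)
            if len(recent[user]) == threshold:  # fire once per burst
                alerts.append({"user": user, "kind": "push_burst",
                               "at": ts, "pushes": threshold})
    return alerts
```

Tune `window` and `threshold` to the normal prompt rate in your own identity provider; a `fatigue_success` hit is the one that warrants immediate session revocation and a credential reset for that account.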
“Our existing security monitoring processes allowed our teams to quickly identify the issue and move to respond,” Uber said.
“The attacker gained access to multiple internal systems and our investigation has focused on determining whether there was any significant impact. While the investigation is still ongoing, we have some details about our current findings to share.
“First of all, we have not seen that the attacker gained access to the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, such as credit card numbers, user bank account information or travel history. We also encrypt credit card information and personal health data, offering an additional layer of protection.
“We have reviewed our code base and have not found that the attacker has made any changes. We also did not find that the attacker gained access to any customer or user data stored by our cloud providers,” the company said.
It also revealed that all bug reports seen by the attacker through the HackerOne bug bounty program had already been patched and therefore posed no further threat.
Uber said it has already identified all compromised or potentially compromised accounts and either blocked them or forced a credential reset; disabled affected and potentially affected internal tools; rotated keys for internal services; locked its code base; re-authenticated employees accessing said tools and services; strengthened its policies; and added additional internal threat monitoring.
Although no customer data appears to have been compromised, Kaspersky’s chief security researcher David Emm said users of the service may want to take precautions, as there is still a chance the attack could lead to Uber being co-opted into further malicious campaigns, such as a phishing lure.
“Our recommendation is first and foremost to delete your Uber account and create a new one with immediate effect. It may sound drastic, but if you care about your personal information, it’s a small price to pay and can be done quickly,” Emm said.
“Then, as always, we recommend setting passwords that are unique and difficult for anyone to guess. In the case of Uber accounts, we advise people to change passwords that have been used elsewhere to avoid a domino effect. Also, use this as an opportunity to set up two-factor authentication, which is mandatory on some sites but optional on others.
“And finally, when setting up an online account, consider using fake security questions – these providers don’t need to know your mother’s actual maiden name or your real-life favorite car, and the same goes for personal information like your date of birth. Unless this is for an official purpose such as renewing your driver’s license, it is perfectly reasonable to do so to prevent data leaks.”