IOTW: Hacker allegedly hits both Uber and Rockstar

It has been alleged that the hacker who gained unauthorized access to rideshare service Uber’s servers was also responsible for a similar hack into the systems of Rockstar Games, developer of the Grand Theft Auto (GTA) game series.

The hack into Rockstar Games was discovered on September 19, 2022 after a user called teapotuberhacker posted on Grand Theft Auto game series fan site GTAForums:

“Here are 90 footage/clips from GTA 6. It’s possible I could leak more data soon, GTA 5 and 6 source code and assets, GTA 6 testing build.”

In the post’s comments, the hacker claimed they had “downloaded [the gameplay videos] from Slack” via hacking into channel used for communicating about the game.

Teapotuberhacker also alleged tried to “negotiate an agreement” with Rockstar Games regarding the return of the source code and assets. After Rockstar Games did not communicate with them, however, they announced that they would be selling the GTA 6 source code and documents they had downloaded.

Bloomberg journalist Jason Schreier initially confirmed the hack in a tweet, saying he had “confirmed with Rockstar sources that this weekend’s massive Grand Theft Auto VI leak is indeed real”. Rockstar Games later made a statement via Twitter.

It said that Rockstar had suffered a “network intrusion” which had allowed an unauthorized third party to "illegally access and download confidential information form [its] systems”, including the leaked GTA 6 footage.  

Rockstar confirmed that they will continue to work on the game and GTA’s publisher Take Two has been issuing takedown notices to get clips of the game removed from social media.

What happened in the Uber hack?

The hack into Uber’s database took place on September 15, 2022 and involved a compromised Uber EXT account that led to internal servers being accessed. 

In a statement, the rideshare service company said the contractor’s password was accessed as their personal device became infected with malware and sold on the dark web.  

When attempting to log in using the stolen credentials, the hacker employed a technique called Multi-Factor Authentication (MFA) fatigue, wherein they spammed the contractor with two-factor approval requests. While this initially blocked access, the contractor eventually accepted one of the requests, allowing the hacker access to Uber’s systems.

According to Uber, the hacker then “accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack”, then “posted a message to a company-wide Slack channel...and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites”.

Uber responded to the hack by identifying the accounts that were compromised and blocking their access to Uber’s internal network. It then disabled and reset access to affected internal tools, locked down its code database to prevent any changes and added additional monitoring to its internal environment.

An investigation into the hack is still ongoing, however, Uber noted that it had not seen any evidence that the hacker had “accessed the production...systems that power [its] apps”. This means the hacker most likely did not retrieved any customer personal information or made any changes to its codebase.  

Additionally, while the hacker was able to access Uber’s HackerOne database, which the company uses to report any vulnerabilities, “any bug reports the attacker was able to access have been remediated”. 

The hack was linked to the Lapsus$ hacking group by Uber, it “typically uses similar techniques to target technology companies”. The group has been responsible for a number of hacks against technology companies in 2022 including Samsung, Microsoft, RobinHood, MailChimp and Okta. Uber also suggested that Lapsus$ was responsible for the hack into Rockstar Games.

What are Lapsus$?

Lapsus$ are a malicious hacking group that has been classified as DEV-0537 by Microsoft. The group is known for using social engineering attacks to gain access to employee credentials at the companies they target.  

According to Microsoft, Lapsus$ frequently “announc[e] their attacks on social media or advertis[e] their intent to buy credentials from employees of target organizations”.

Lapsus$ have been linked to a number of high-profile hacking cases, including one in March of this year where the group hacked both Okta and Microsoft within a week. In both cases, a single employee’s account was compromised, leading to access to both companies’ internal servers.