Uber says compromised credentials of a contractor led to data breach | Mob Tech
Uber has added additional ingredient to the narrative of its latest breach of security controls, saying the compromise of a third-party contractor’s credentials was the beginning line of the assault. He moreover believes the attacker was linked to the Lapsu$ extortion ring.
“The attacker seemingly purchased the contractor’s Uber firm password on the darkish web, after the contractor’s personal machine was contaminated with malware, exposing these credentials,” the company talked about Monday.
The attacker then repeatedly tried to log into the contractor’s Uber account. Each time, the contractor acquired a two-factor login approval request, which initially blocked entry. Lastly, however, the contractor accepted one and the attacker effectively logged on.
This tactic was effectively utilized by an attacker earlier this yr in direction of a Cisco Packages employee.
“From there, the attacker accessed a lot of completely different employee accounts that ultimately gave the attacker elevated permissions to numerous devices, along with G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which a lot of you [reporters] observed and reconfigured Uber’s OpenDNS to point out a graphical image to staff on some interior web sites.”
Uber believes the attacker or attackers are affiliated with the Lapsus$ gang, which is believed to have suffered extreme damage in March when UK police arrested seven of us between the ages of 16 and 21. Ultimately, two children who allegedly hacked for the gang have been charged.
Lapsus$ has gained notoriety for exposing assaults in direction of graphics card maker Nvidia, Samsung, Cisco Packages, and on-line sport developer Ubisoft. Microsoft acknowledged in March that it was attacked by the gang.
In an analysis of the gang’s methods, Microsoft talked about it’s acknowledged to buy credentials and session tokens from underground jail boards and search for uncovered credentials in public code repositories. If an organization makes use of multi-factor authentication as a further step to protected logins, the gang has been acknowledged to utilize session token replay and stolen passwords to set off simple approval MFA requests, hoping that the individual The genuine individual of the compromised account finally accepts the requests and grants the necessary approval. if an employee’s personal e mail or smartphone is hacked, they use that entry to reset passwords and full account restoration actions.
Uber acknowledged that the attacker downloaded some interior messages from Slack, along with accessed or downloaded information from an interior software program that its finance group makes use of to deal with some invoices. These downloads are being analyzed.
He moreover admits that the attacker was ready to entry Uber’s dashboard on HackerOne, the place security researchers report bugs and vulnerabilities for cash. Nonetheless, Uber talked about, any bug evaluations the attacker was ready to entry have been remediated.
Up to now, Uber says, it has no proof that the attacker has accessed its manufacturing (ie, public-facing) applications, or the databases it makes use of to retailer delicate individual information, harking back to financial institution card numbers. , individual checking account information or journey historic previous. Uber well-known that the company encrypts financial institution card information and personal nicely being information.
There could also be moreover no proof that the attacker made any changes to the equipment’s code bases. It has moreover not found that the attacker has accessed any purchaser or individual information saved by Uber’s cloud suppliers (for example, AWS S3).
Uber, Uber Eats and Uber Freight suppliers are nonetheless operational and working simply, the company talked about. “On account of we eradicated some interior devices, purchaser assist operations have been minimally affected and for the time being are once more to common,” he added.
Among the many many actions Uber says it has taken due to this violation
- any employee account that was compromised or doubtlessly compromised was locked out or wanted to have its password reset;
- Credential keys have been rotated, efficiently restoring entry to many interior Uber suppliers.
- utility code bases have been locked to cease extra code changes;
- staff accessing the occasion devices ought to re-authenticate. Uber talked about it’s often “extra strengthening our multi-factor authentication (MFA) insurance coverage insurance policies”;
- Additional monitoring of Uber’s interior ambiance has been added to keep up a good nearer eye on any suspicious train.
