Wednesday, September 28, 2022
Home Tech News Uber says compromised credentials of a contractor led to data breach

Uber says compromised credentials of a contractor led to data breach

Uber has added more detail to the narrative of its latest breach of security controls, saying  the compromise of an external contractor’s credentials was the starting point for the attack. It also believes the attacker was linked to the Lapsu$ extortion gang.

“It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials,” the company said Monday.

The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.

This tactic was successfully used by an attacker earlier this year against a Cisco Systems employee.

“From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you [reporters] saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.”

Uber believes the attacker or attackers are affiliated with the Lapsus$ gang, which was thought to have been seriously damaged in March when U.K. police arrested seven people between the ages of 16 and 21. Ultimately two teens who allegedly hacked for the gang were charged.

Lapsus$ has gained notoriety for claiming attacks on graphics card maker Nvidia, Samsung, Cisco Systems and online games developer Ubisoft. Microsoft acknowledged in March it was hit by the gang.

In an analysis of the gang’s tactics, Microsoft said it is known for purchasing credentials and session tokens from criminal underground forums and searching public code repositories for exposed credentials. If an organization uses multifactor authentication as an extra step to protect logins, the gang has been known to use session token replay and stolen passwords to trigger simple-approval MFA prompts, hoping that the legitimate user of the compromised account eventually consents to the prompts and grants the necessary approval. if an employee’s personal email or smartphone is hacked, they use that access to reset passwords and complete account recovery actions.

Uber acknowledged the attacker downloaded some internal Slack messages, as well as accessing or downloading information from an internal tool its finance team uses to manage some invoices. Those downloads are being analyzed.

It also admits the attacker was able to access Uber’s dashboard at HackerOne, where security researchers report bugs and vulnerabilities for cash. However, Uber said, any bug reports the attacker was able to access have been remediated.

So far, Uber says, it has no evidence the attacker accessed its production (i.e. public-facing) systems, or the databases it uses to store sensitive user information, like credit card numbers, user bank account info, or trip history. Uber noted the company encrypts credit card information and personal health data.

Nor is there evidence the attacker made any changes to application code bases. It also has not found that the attacker accessed any customer or user data stored by Uber’s cloud providers (e.g. AWS S3).

Uber, Uber Eats, and Uber Freight services are still operational and running smoothly, the company said. “Because we took down some internal tools, customer support operations were minimally impacted and are now back to normal,” it added.

Among the actions Uber says it has taken as a result of this breach

  • any employee accounts that were compromised or potentially compromised have either  been blocked or had to have a password reset;
  • credential keys have been rotated, effectively resetting access to many Uber internal services.
  • application codebases have been locked down to prevent any new code changes;
  • employees accessing development tools have to re-authenticate. Uber said it is also “further strengthening our multi-factor authentication (MFA) policies;”
  • additional monitoring of Uber’s internal environment has been added to keep an even closer eye on any further suspicious activity.
- Advertisment -

Most Popular

Former Calgary Dino now a rookie with NFL’s Los Angeles Chargers

Canadian Deane Leonard has certainly taken the path less travelled to the NFL’s Los Angeles Chargers. The 22-year-old cornerback is in his rookie season with...

‘Impact success!’ Nasa spacecraft smashes asteroid in first ever ‘planetary defence test’

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video Nasa has successfully crashed a spacecraft into a small asteroid...

TikTok could face £27m fine for failing to protect children’s privacy

TikTok could face £27m fine for failing to protect children’s privacyInvestigation finds video-sharing app may have breached UK data protection law between 2018 and...

Eight states sue crypto lender Nexo over security sales and misleading marketing

/ New York’s attorney general alleges that the company’s Earn Interest Product was a security, one that the company wasn’t registered to sell,...