Uber has added more detail to the narrative of its latest breach of security controls, saying the compromise of a third-party contractor's credentials was the starting point of the attack. It also believes the attacker was linked to the Lapsus$ extortion ring.
"The attacker likely purchased the contractor's Uber corporate password on the dark web, after the contractor's personal device had been infected with malware, exposing those credentials," the company said Monday.
The attacker then repeatedly tried to log in to the contractor's Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one and the attacker successfully logged in.
This tactic, often called MFA fatigue or push bombing, was used successfully by an attacker earlier this year against a Cisco Systems employee.
"From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you [reporters] saw, and reconfigured Uber's OpenDNS to display a graphic image to employees on some internal sites."
Uber believes the attacker or attackers are affiliated with the Lapsus$ gang, which is believed to have suffered serious damage in March when UK police arrested seven people between the ages of 16 and 21. Ultimately, two teenagers who allegedly hacked for the gang were charged.
Lapsus$ has gained notoriety for publicizing its attacks against graphics card maker Nvidia, Samsung, Cisco Systems and online game developer Ubisoft. Microsoft acknowledged in March that it was attacked by the gang.
In an analysis of the gang's tactics, Microsoft said it is known to buy credentials and session tokens from underground criminal forums and to search for exposed credentials in public code repositories. Where an organization uses multi-factor authentication as an extra step to secure logins, the gang has been known to use session token replay and stolen passwords to trigger simple-approval MFA requests, hoping that the legitimate user of the compromised account eventually accepts the requests and grants the necessary approval. If an employee's personal email or smartphone is compromised, the gang uses that access to reset passwords and complete account recovery actions.
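The push-approval abuse described above (repeated login attempts, each triggering an MFA prompt, until the user finally approves one) leaves a recognizable trace in identity-provider logs: a burst of denied or timed-out pushes for one account followed shortly by an approval. The following Python detector is an added example, not code from the original article or from Uber's or Microsoft's own tooling. It runs over constructed sample log lines; the log format, field names (`user=`, `result=`, `src=`) and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Uber, Lapsus$ or Cisco data). One line per
# MFA push decision, in an assumed identity-provider log format: the contractor
# rejects or ignores four pushes within a few minutes, then approves the fifth.
SAMPLE_EVENTS = """\
2022-09-15T21:01:02Z user=contractor01 result=denied   src=203.0.113.7
2022-09-15T21:01:40Z user=contractor01 result=timeout  src=203.0.113.7
2022-09-15T21:02:15Z user=contractor01 result=denied   src=203.0.113.7
2022-09-15T21:03:05Z user=contractor01 result=denied   src=203.0.113.7
2022-09-15T21:04:50Z user=contractor01 result=approved src=203.0.113.7
2022-09-15T21:05:00Z user=alice        result=approved src=198.51.100.4
2022-09-15T21:06:00Z user=bob          result=denied   src=198.51.100.9
2022-09-15T21:30:00Z user=bob          result=approved src=198.51.100.9
"""

REJECTIONS = ("denied", "timeout")


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        events.append({
            "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "user": kv["user"],
            "result": kv["result"],
            "src": kv.get("src"),
        })
    return sorted(events, key=lambda e: e["ts"])


def find_mfa_fatigue(events, min_rejections=3, window=timedelta(minutes=10)):
    """Flag approvals preceded by >= min_rejections rejected/timed-out pushes
    for the same user within the look-back window.

    Returns a list of (user, approval_ts, rejections_before_approval, src).
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        for i, event in enumerate(user_events):
            if event["result"] != "approved":
                continue
            window_start = event["ts"] - window
            prior_rejections = [
                p for p in user_events[:i]
                if p["ts"] >= window_start and p["result"] in REJECTIONS
            ]
            if len(prior_rejections) >= min_rejections:
                alerts.append((user, event["ts"], len(prior_rejections), event["src"]))
    return alerts


if __name__ == "__main__":
    for user, ts, count, src in find_mfa_fatigue(parse_events(SAMPLE_EVENTS)):
        print(f"possible MFA fatigue: user={user} approved at {ts:%H:%M:%SZ} "
              f"after {count} rejected pushes (login source {src})")
```

In the sample data only `contractor01` is flagged; `bob` rejects a single push and approves one 24 minutes later, which is ordinary behaviour. The approval itself is the security-relevant event: a sequence of denials is just noise until one is accepted, so the alert should fire on the approval, carry the login source, and ideally trigger a session revocation and a call to the user rather than a ticket. Number matching or phishing-resistant factors remove the class of attack; the detector is for environments that have not yet moved off simple push approval.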
Uber acknowledged that the attacker downloaded some internal Slack messages, and accessed or downloaded information from an internal tool its finance team uses to manage some invoices. Those downloads are being analyzed.
It also admits that the attacker was able to access Uber's dashboard on HackerOne, where security researchers report bugs and vulnerabilities for cash. However, Uber said, any bug reports the attacker was able to access have since been remediated.
So far, Uber says, it has no evidence that the attacker accessed its production (i.e., public-facing) systems, or the databases it uses to store sensitive user information such as credit card numbers, user bank account information or trip history. Uber noted that it encrypts credit card information and personal health data.
There is also no evidence that the attacker made any changes to the applications' code bases. Nor has it found that the attacker accessed any customer or user data stored by Uber's cloud providers (for example, in AWS S3).
Uber, Uber Eats and Uber Freight services remain operational and running smoothly, the company said. "Because we took down some internal tools, customer support operations were minimally impacted and are now back to normal," it added.
Among the actions Uber says it has taken as a result of this breach:
- any employee account that was compromised or potentially compromised was locked out or had its password reset;
- credential keys were rotated, effectively resetting access to many internal Uber services;
- application code bases were locked to prevent further code changes;
- employees accessing the development tools must re-authenticate. Uber said it is also "further strengthening our multi-factor authentication (MFA) policies";
- additional monitoring of Uber's internal environment has been added to keep an even closer eye on any suspicious activity.
– Uber says compromised credentials of a contractor led to data breach