In last week's security breach against Uber, the attackers downloaded internal messages from Slack as well as data from a tool used to manage invoices.
Uber has laid the blame for its recent security breach at the feet of Lapsus$, a cybercrime group that uses social engineering to target technology companies and other organizations. In an update about the security incident that Uber posted on Monday, the ride-hailing company expressed its belief that the attacker or attackers are affiliated with Lapsus$, which has been active over the past year and has hit such tech giants as Microsoft, Cisco, Samsung, NVIDIA and Okta.
How did Lapsus$ carry out the attack on Uber?
In the security attack against Uber, the perpetrator took advantage of social engineering to trick an Uber contractor into approving a two-factor login request. In this chain of events, the external contractor's personal device had likely been infected with malware, thereby exposing the person's account credentials. These credentials were then sold on the dark web, where the attacker purchased them, Uber explained.
Armed with the necessary account information, the perpetrator then tried repeatedly to log in to the contractor's Uber account. Each attempt triggered a two-factor authentication request sent to the actual user. Though initially denying these requests, the contractor eventually accepted one, allowing the attacker to successfully sign in, according to Uber.
After signing in using the contractor's credentials, the attacker was able to access other employee accounts, thereby gaining elevated privileges to several internal tools, including G-Suite and Slack. Boasting of their achievement, the attacker posted a message on the company's Slack channel that said: "I announce I'm a hacker and Uber has suffered a data breach." The perpetrator also modified Uber's OpenDNS system to display a graphic image to employees on certain internal sites.
What data or information was affected by the breach?
Analyzing the extent of the damage, Uber said that the attacker downloaded some internal Slack messages and accessed or downloaded information from an internal tool used by the finance team to manage invoices. The attacker also accessed Uber's dashboard at HackerOne, a tool used by security researchers to report bugs. But the accessed bug reports have since been resolved, the company added.
The attacker did not access any production or public-facing systems, any user accounts, or any sensitive databases with credit card and financial data or trip information, according to Uber. Nor did they make any changes to Uber's codebase or access data stored by the company's cloud providers, Uber added.
What did Uber do after the attack?
In response to the breach, Uber took several actions.
The company said it identified any employee accounts that were compromised or possibly compromised and blocked their access to Uber systems or forced a password reset. It disabled certain affected internal tools, reset access to many internal services, locked down its codebase to prevent any changes and forced employees to re-authenticate access to internal tools. The company added that it is strengthening its multi-factor authentication policies and has set up additional monitoring of its internal environment for any suspicious activity.
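The login pattern described above (a burst of denied push prompts followed by a single approval) is exactly the kind of "suspicious activity" that the additional monitoring Uber mentions can catch. The following is an added example, not code from Uber or from this article: it runs a simple push-fatigue detector over a constructed MFA log in a hypothetical `timestamp,user,result` format, flagging any user who approves a push after denying several within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (hypothetical format: timestamp,user,result).
# contractor01 shows the fatigue pattern; engineer07 is normal behaviour.
SAMPLE_LOG = """\
2022-09-15T02:10:05Z,contractor01,push_denied
2022-09-15T02:10:41Z,contractor01,push_denied
2022-09-15T02:11:20Z,contractor01,push_denied
2022-09-15T02:12:03Z,contractor01,push_denied
2022-09-15T02:13:47Z,contractor01,push_approved
2022-09-15T09:00:02Z,engineer07,push_approved
2022-09-15T09:30:11Z,engineer07,push_denied
2022-09-15T09:31:00Z,engineer07,push_approved
"""


def parse_events(text):
    """Parse log lines into (datetime, user, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    events.sort()
    return events


def find_push_fatigue(events, min_denials=3, window=timedelta(minutes=15)):
    """Return {user: approval_time} for each user who approved a push after
    denying at least `min_denials` pushes within the preceding `window`."""
    recent_denials = defaultdict(list)  # user -> timestamps of recent denials
    hits = {}
    for ts, user, result in events:
        # Drop denials that have aged out of the sliding window.
        recent = [d for d in recent_denials[user] if ts - d <= window]
        recent_denials[user] = recent
        if result == "push_denied":
            recent_denials[user].append(ts)
        elif result == "push_approved" and len(recent) >= min_denials:
            hits[user] = ts          # approval following a burst of denials
            recent_denials[user] = []
    return hits


if __name__ == "__main__":
    for user, when in find_push_fatigue(parse_events(SAMPLE_LOG)).items():
        print(f"possible MFA push fatigue: {user} approved at {when.isoformat()}")
```

In a real deployment the same logic would run against the identity provider's authentication events, and a hit should trigger a session review rather than being trusted as a legitimate sign-in.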
Though the attack could have been more severe, and Uber has taken steps to clean up the damage, the breach points to an unfortunate truth about cybersecurity. Even with the right security tools in place, such as MFA, an organization can fall victim to a cyberattack because of the carelessness of a single employee or contractor.
"There is only one solution to making push-based MFA more resilient, and that's to train your employees, who use push-based MFA, about the common types of attacks against it, how to detect those attacks, and how to mitigate and report them if they occur," said Roger Grimes, data-driven defense evangelist at KnowBe4. "If you're going to rely on push-based MFA, and really any easily phished MFA to protect your organization, you need to aggressively educate employees. Expecting them to handle every security scenario appropriately without the right education is wishing and hoping, and wishing and hoping doesn't stop malicious hackers."