
Uber exposes Lapsus$ extortion group for safety breach

In last week’s security breach against Uber, the attackers downloaded internal messages from Slack as well as data from a tool used to manage invoices.

Image: close-up of the Uber sign at the company’s headquarters in San Francisco’s SOMA district (Sundry Images/Adobe Stock).

Uber has laid the blame for its recent security breach at the feet of Lapsus$, a cybercrime group that uses social engineering to target technology companies and other organizations. In an update about the security incident that Uber posted on Monday, the ride-hailing company said it believes the attacker or attackers are affiliated with Lapsus$, which has been active over the past year and has hit such tech giants as Microsoft, Cisco, Samsung, NVIDIA and Okta.

How did Lapsus$ carry out the attack on Uber?

In the attack against Uber, the perpetrator used social engineering to trick an Uber contractor into approving a two-factor login request. In this chain of events, the external contractor’s personal device had likely been infected with malware, exposing the person’s account credentials. Those credentials were then sold on the dark web, where the attacker purchased them, Uber explained.


Armed with the required account information, the perpetrator then tried to log in to the contractor’s Uber account. Each attempt triggered a two-factor authentication request sent to the real user. Though initially denying these requests, the contractor eventually accepted one, allowing the attacker to sign in successfully, according to Uber.
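The pattern described above, a burst of MFA push prompts for one account that are mostly denied and then finally approved, is something an identity team can flag from its own authentication logs. The following is an added detection example, not code from the article or from Uber; the log format and the `push_denied`/`push_approved` event names are constructed for illustration.

```python
# Added example (not from the article or from Uber): flag the MFA push-fatigue
# signature, i.e. an approval preceded by a burst of denied push prompts for
# the same account within a short window. Log format below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <push result>". Not real data.
SAMPLE_LOG = """\
2022-09-15T22:01:04Z alice push_denied
2022-09-15T22:01:40Z alice push_denied
2022-09-15T22:02:11Z alice push_denied
2022-09-15T22:02:55Z alice push_denied
2022-09-15T22:03:30Z alice push_approved
2022-09-15T22:05:00Z bob push_approved
2022-09-15T23:10:00Z carol push_denied
2022-09-15T23:40:00Z carol push_approved
"""

def parse_log(text):
    """Parse each line into (timestamp, user, result)."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def find_push_fatigue(events, min_prompts=4, window=timedelta(minutes=10)):
    """Return {user: prompt_count} for accounts whose approval was preceded by
    enough denied pushes inside `window` to reach `min_prompts` total prompts.
    Thresholds are assumptions; tune them to your own prompt volume."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (ts, result) in enumerate(evs):
            if result != "push_approved":
                continue
            # Denied prompts for this user in the window before the approval.
            denied = sum(1 for t, r in evs[:i]
                         if r == "push_denied" and ts - t <= window)
            if denied + 1 >= min_prompts:
                hits[user] = denied + 1
    return hits

if __name__ == "__main__":
    print(find_push_fatigue(parse_log(SAMPLE_LOG)))  # alice: 5 prompts flagged
```

Carol’s two prompts half an hour apart and Bob’s single approval fall below the threshold, so only Alice’s burst is reported.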

After signing in with the contractor’s credentials, the attacker was able to access other employee accounts, which gave them elevated privileges to various internal tools, including G-Suite and Slack. Boasting of their achievement, the attacker posted a message on the company’s Slack channel that said: “I announce I am a hacker and Uber has suffered a data breach.” The perpetrator also reconfigured Uber’s OpenDNS system to display a graphic image to employees on certain internal sites.

What data or information was affected by the breach?

Analyzing the extent of the damage, Uber said that the attacker downloaded some internal Slack messages and accessed or downloaded data from an internal tool used by the finance team to manage invoices. The attacker also accessed Uber’s dashboard at HackerOne, a tool used by security researchers to report bugs. But the bug reports that were accessed have since been resolved, the company added.

The attacker did not access any production or public-facing systems, any user accounts, or any sensitive databases holding credit card and financial data or trip information, according to Uber. Nor did they make any changes to Uber’s codebase or access data stored by the company’s cloud providers, Uber added.

What did Uber do after the attack?

In response to the breach, Uber took several actions.

The company said it identified any employee accounts that were compromised or possibly compromised and either blocked their access to Uber systems or forced a password reset. It disabled certain affected internal tools, reset access to many internal services, locked down its codebase to prevent any changes and required employees to re-authenticate to internal tools. The company added that it is strengthening its multi-factor authentication policies and has set up additional monitoring of its internal environment for suspicious activity.

Although the assault may have been extra extreme, and Uber has taken steps to wash up the harm, the breach factors to an unlucky reality about cybersecurity. Even with the correct safety instruments in place, resembling MFA, a company can fall sufferer to a cyberattack as a result of carelessness of a single worker or contractor.

“There is only one solution to making push-based MFA more resilient, and that is to educate your employees, who use push-based MFA, about the common types of attacks against it, how to detect these attacks, and how to mitigate and report them if they occur,” said Roger Grimes, data-driven defense evangelist at KnowBe4. “If you’re going to rely on push-based MFA, and really any easily phished MFA to protect your organization, you need to aggressively educate employees. Expecting them to handle every security scenario correctly without the proper education is wishing and hoping, and wishing and hoping doesn’t stop malicious hackers.”
