
Uber says data breach occurred after contractor’s credentials were compromised

Uber added more detail to its description of its latest breach of security controls, saying that the compromise of an outside contractor’s credentials was the starting point of the attack. The company also believes the attacker has ties to the Lapsus$ extortion gang.

“The attackers likely bought the contractor’s Uber corporate password on the dark web after the contractor’s personal device was infected with malware and those credentials were exposed,” the company said Monday.

The attackers then made repeated attempts to log into the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. However, the contractor eventually accepted one, and the attacker successfully logged in.

This tactic was successfully used by attackers against Cisco Systems employees earlier this year.

“From there, the attackers accessed several other employee accounts, and eventually the attackers gained elevated privileges to a number of tools, including G-Suite and Slack. The attackers then posted a message on the Slack channel, which many of you [reporters] saw, and reconfigured Uber’s OpenDNS to display graphic images to employees on some internal sites.”

Uber believes one or more of the attackers are associated with the Lapsus$ gang. The Lapsus$ gang was believed to have been seriously damaged when British police arrested seven people, aged 16 to 21, in March.

Lapsus$ is infamous for alleged attacks against graphics card maker Nvidia, Samsung, Cisco Systems and online game developer Ubisoft. Microsoft admitted it was attacked by the gang in March.

Microsoft, which analyzed the gang’s tactics, said the gang is known to purchase credentials and session tokens from criminal underground forums and to search public code repositories for exposed credentials. If an organization uses multi-factor authentication as an additional step to secure its logins, the gang uses session token replay and stolen passwords to trigger simple-approval MFA prompts for compromised accounts, counting on the legitimate user eventually agreeing to a prompt and giving the required authorization. If an employee’s personal email or smartphone is hacked, the gang uses that access to reset passwords and complete account recovery actions.
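The repeated-prompt pattern described above (several push requests denied or ignored, then one approved) can be detected in MFA logs. The following is an added example, not code from Uber, Microsoft or the original article; the log format, the result labels, the 30-minute window and the threshold of three are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events, sorted by time: timestamp user source_ip result
SAMPLE_LOG = """\
2022-09-15T18:00:00Z employee3 192.0.2.9 TIMEOUT
2022-09-15T18:01:00Z employee3 192.0.2.9 TIMEOUT
2022-09-15T18:02:00Z employee3 192.0.2.9 TIMEOUT
2022-09-15T21:00:05Z contractor1 203.0.113.7 DENIED
2022-09-15T21:01:40Z contractor1 203.0.113.7 TIMEOUT
2022-09-15T21:03:02Z employee2 198.51.100.20 DENIED
2022-09-15T21:03:30Z employee2 198.51.100.20 APPROVED
2022-09-15T21:04:15Z contractor1 203.0.113.7 DENIED
2022-09-15T21:09:12Z contractor1 203.0.113.7 APPROVED
2022-09-15T21:10:00Z employee3 192.0.2.9 APPROVED
"""

WINDOW = timedelta(minutes=30)  # assumed look-back window
THRESHOLD = 3                   # assumed: unapproved prompts that make an approval suspicious

def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Flag an APPROVED push that follows >= threshold DENIED/TIMEOUT pushes
    for the same user inside the window. Input must be in time order."""
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved prompts
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        stamp, user, ip, result = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        prompts = recent[user]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()            # forget prompts older than the window
        if result in ("DENIED", "TIMEOUT"):
            prompts.append(ts)
        elif result == "APPROVED":
            if len(prompts) >= threshold:
                alerts.append({"user": user, "approved_at": ts, "source_ip": ip,
                               "unapproved_prompts": len(prompts)})
            prompts.clear()              # a new streak starts after any approval
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

A single mistaken denial followed by an approval (employee2) and old timeouts outside the window (employee3) do not alert; only the burst against contractor1 does.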

Uber admitted that the attackers downloaded internal Slack messages and accessed or downloaded information from internal tools used by its finance team to manage some of its bills. These downloads are under analysis.

It also acknowledges that the attackers gained access to Uber’s dashboard on HackerOne, where security researchers report bugs and vulnerabilities for cash. However, Uber says it has fixed all bug reports the attackers had access to.

So far, according to Uber, there is no proof that the attackers accessed either its production (i.e. public) systems or the databases used to store sensitive user information such as credit card numbers, user bank account information and travel history. Uber says it encrypts credit card information and personal health data.

Also, there is no evidence that the attacker made any changes to the application code base. Nor is the attacker known to have accessed any customer or user data stored by Uber’s cloud provider (such as AWS S3).

Uber, Uber Eats and Uber Freight services are still up and running, the company said. “We’ve stopped some internal tools, so the impact on our customer support operations has been minimal and things are back to normal now,” it added.

Among the actions taken by Uber as a result of this breach:

  • Compromised or potentially compromised employee accounts were either blocked or had to have their passwords reset.
  • Credential keys have been rotated, effectively resetting access to many Uber internal services.
  • The application’s codebase was locked down to prevent new code changes.
  • Employees accessing development tools must re-authenticate. Uber also said it will “further strengthen its multi-factor authentication (MFA) policy.”
  • Additional monitoring of Uber’s internal environment has been added to watch more closely for further suspicious activity.
