{"id":28679,"date":"2022-09-19T22:28:18","date_gmt":"2022-09-20T02:28:18","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=503802"},"modified":"2022-09-20T12:00:11","modified_gmt":"2022-09-20T16:00:11","slug":"uber-says-compromised-credentials-of-a-contractor-led-to-data-breach","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/uber-says-compromised-credentials-of-a-contractor-led-to-data-breach\/","title":{"rendered":"Uber says compromised credentials of a contractor led to data breach"},"content":{"rendered":"<p data-ar-index=\"0\">Uber has added more detail to the narrative of its latest breach of security controls, saying\u00a0 the compromise of an external contractor\u2019s credentials was the starting point for the attack. It also believes the attacker was linked to the Lapsu$ extortion gang.<\/p>\n<p data-ar-index=\"1\">\u201cIt is likely that the attacker purchased the contractor\u2019s Uber corporate password on the dark web, after the contractor\u2019s personal device had been infected with malware, exposing those credentials,\u201d <a href=\"https:\/\/www.uber.com\/newsroom\/security-update\/\" rel=\"noopener\">the company said Monday<\/a>.<\/p>\n<p data-ar-index=\"2\">The attacker then repeatedly tried to log in to the contractor\u2019s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.<\/p>\n<p data-ar-index=\"3\"><a href=\"https:\/\/www.itworldcanada.com\/article\/cisco-report-on-mfa-hack-backs-up-black-hat-conference-presentation\/497585\" rel=\"noopener\">This tactic was successfully used by an attacker earlier this year against a Cisco Systems employee.<\/a><\/p>\n<p data-ar-index=\"4\">\u201cFrom there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you [reporters] saw, and reconfigured Uber\u2019s OpenDNS to display a graphic image to employees on some internal sites.\u201d<\/p>\n<p data-ar-index=\"5\">Uber believes the attacker or attackers are affiliated with the Lapsus$ gang, which was thought to have been seriously damaged in March <a href=\"https:\/\/www.itworldcanada.com\/article\/seven-in-uk-arrested-allegedly-linked-to-lapsus-news-reports\/477647\" rel=\"noopener\">when U.K. police arrested seven people between the ages of 16 and 21.<\/a> Ultimately two teens who allegedly hacked for the gang were charged.<\/p>\n<p data-ar-index=\"6\">Lapsus$ has gained notoriety for claiming attacks on graphics card maker Nvidia, Samsung, Cisco Systems and online games developer Ubisoft. Microsoft acknowledged in March it was hit by the gang.<\/p>\n<p data-ar-index=\"7\">In an analysis of the gang\u2019s tactics, <a href=\"https:\/\/www.itworldcanada.com\/article\/microsoft-admits-lapsus-hacked-an-employees-account-provides-analysis-of-groups-tactics\/477489\" rel=\"noopener\">Microsoft said<\/a> it is known for purchasing credentials and session tokens from criminal underground forums and searching public code repositories for exposed credentials. If an organization uses multifactor authentication as an extra step to protect logins, the gang has been known to use session token replay and stolen passwords to trigger simple-approval MFA prompts, hoping that the legitimate user of the compromised account eventually consents to the prompts and grants the necessary approval. if an employee\u2019s personal email or smartphone is hacked, they use that access to reset passwords and complete account recovery actions.<\/p>\n<p data-ar-index=\"8\">Uber acknowledged the attacker downloaded some internal Slack messages, as well as accessing or downloading information from an internal tool its finance team uses to manage some invoices. Those downloads are being analyzed.<\/p>\n<p data-ar-index=\"9\">It also admits the attacker was able to access Uber\u2019s dashboard at HackerOne, where security researchers report bugs and vulnerabilities for cash. However, Uber said, any bug reports the attacker was able to access have been remediated.<\/p>\n<p data-ar-index=\"10\">So far, Uber says, it has no evidence the attacker accessed its production (i.e. public-facing) systems, or the databases it uses to store sensitive user information, like credit card numbers, user bank account info, or trip history. Uber noted the company encrypts credit card information and personal health data.<\/p>\n<p data-ar-index=\"11\">Nor is there evidence the attacker made any changes to application code bases. It also has not found that the attacker accessed any customer or user data stored by Uber\u2019s cloud providers (e.g. AWS S3).<\/p>\n<p data-ar-index=\"12\">Uber, Uber Eats, and Uber Freight services are still operational and running smoothly, the company said. \u201cBecause we took down some internal tools, customer support operations were minimally impacted and are now back to normal,\u201d it added.<\/p>\n<p data-ar-index=\"13\">Among the actions Uber says it has taken as a result of this breach<\/p>\n<ul>\n<li aria-level=\"1\">any employee accounts that were compromised or potentially compromised have either\u00a0 been blocked or had to have a password reset;<\/li>\n<li aria-level=\"1\">credential keys have been rotated, effectively resetting access to many Uber internal services.<\/li>\n<li aria-level=\"1\">application codebases have been locked down to prevent any new code changes;<\/li>\n<li aria-level=\"1\">employees accessing development tools have to re-authenticate. Uber said it is also \u201cfurther strengthening our multi-factor authentication (MFA) policies;\u201d<\/li>\n<li aria-level=\"1\">additional monitoring of Uber\u2019s internal environment has been added to keep an even closer eye on any further suspicious activity.<\/li>\n<\/ul>\n<p data-ar-index=\"14\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/uber-says-compromised-credentials-of-a-contractor-led-to-data-breach\/503802\">Uber says compromised credentials of a contractor led to data breach<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Company also alleges those behind the attack are linked to t<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[361,16],"tags":[425,391,396,393,275,95],"class_list":["post-28679","post","type-post","status-publish","format-standard","hentry","category-privacy","category-security","tag-data-breach","tag-di","tag-postmedia","tag-security-strategies","tag-top-story","tag-uber"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/28679","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=28679"}],"version-history":[{"count":2,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/28679\/revisions"}],"predecessor-version":[{"id":28720,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/28679\/revisions\/28720"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=28679"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=28679"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=28679"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}