Uber Claims No Sensitive Data Exposed in Latest Breach… But There’s More to This

Written by admin

Uber, in an update, said there is “no evidence” that users’ private information was compromised in a breach of its internal computer systems that was discovered late Thursday.

“We have no evidence that the incident involved access to sensitive user data (like trip history),” the company said. “All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.”

The ride-hailing company also said it has brought back online all the internal software tools it took down previously as a precaution, reiterating that it has notified law enforcement of the matter.

It is not immediately clear if the incident resulted in the theft of any other information or how long the intruder was inside Uber’s network.

Uber has not provided more specifics of how the incident played out beyond saying its investigation and response efforts are ongoing. But independent security researcher Bill Demirkapi characterized Uber’s “no evidence” stance as “sketchy.”

“‘No evidence’ could mean the attacker did have access, Uber just hasn’t found evidence that the attacker *used* that access for ‘sensitive’ user data,” Demirkapi said. “Explicitly saying ‘sensitive’ user data rather than user data overall is also weird.”


The breach allegedly involved a lone hacker, an 18-year-old teenager, tricking an Uber employee into providing account access by social engineering the victim into accepting a multi-factor authentication (MFA) prompt that allowed the attacker to register their own device.

Upon gaining an initial foothold, the attacker found an internal network share that contained PowerShell scripts with privileged admin credentials, granting carte blanche access to other critical systems, including AWS, Google Cloud Platform, OneLogin, the SentinelOne incident response portal, and Slack.

Worryingly, as revealed by security researcher Sam Curry, the teen hacker is also said to have gotten hold of privately disclosed vulnerability reports submitted via HackerOne as part of Uber’s bug bounty program.

HackerOne has since moved to disable Uber’s account, but the unauthorized access to unpatched security flaws in the platform could pose a huge security risk to the San Francisco-based firm should the hacker choose to sell the information to other threat actors for a quick profit.


So far, the attacker’s motivations behind the breach are unclear, although a message posted by the hacker announcing the breach on Slack included a call for higher pay for Uber’s drivers.

A separate report from The Washington Post noted that the attacker broke into the company’s networks for fun and might leak the company’s source code in a matter of months, while describing Uber’s security as “awful.”

“Many times we only talk about APTs, like nation states, and we forget about other threat actors including disgruntled employees, insiders, and like in this case, hacktivists,” Ismael Valenzuela Espejo, vice president of threat research and intelligence at BlackBerry, said.

“Organizations should include these as part of their threat modeling exercises to determine who may have a motivation to attack the company, their skill level and capabilities, and what the impact could be according to that assessment.”

The attack targeting Uber, as well as the recent string of incidents against Twilio, Cloudflare, Cisco, and LastPass, illustrates how social engineering continues to be a persistent thorn in the flesh for organizations.


It also shows that all it takes for a breach to occur is an employee sharing their login credentials, proving that password-based authentication is a weak link in account security.

“Once again, we see that a company’s security is only as good as their most vulnerable employees,” Masha Sedova, co-founder and president of Elevate Security, said in a statement.

“We need to think beyond generic training, instead let’s pair our riskiest employees with more specific protective controls. As long as we continue to treat cybersecurity as only a technical problem, we’ll continue to lose this battle,” Sedova added.

Incidents like these are also proof that Time-based One-Time Password (TOTP) codes – often generated via authenticator apps or sent as SMS messages – are inadequate at securing 2FA roadblocks.

One way to counter such threats is the use of phishing-resistant FIDO2-compliant physical security keys, which drop passwords in favor of an external hardware device that handles the authentication.

“MFA providers should *by default* automatically lock accounts out temporarily when too many prompts are sent in a short period of time,” Demirkapi said, urging organizations to restrict privileged access.
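The control Demirkapi describes, a temporary lockout once too many push prompts hit one account in a short window, is easy to express as a sliding-window counter in front of the push sender. The following is an added example written for this article; it is not Uber's code nor any MFA vendor's. It assumes a hypothetical provider that calls `PromptGuard.allow_prompt()` before each push, and the log lines fed to `replay()` are constructed for the demonstration.

```python
"""Sliding-window rate limit on MFA push prompts with a temporary lockout.

Added example (hypothetical provider integration, not vendor code).
A burst of push prompts against one account is the signature of
MFA prompt bombing; after `max_prompts` prompts within `window_s`
seconds the account is locked for `lockout_s` seconds and no further
push is sent, so the user cannot be worn down into approving one.
"""
from collections import defaultdict, deque


class PromptGuard:
    def __init__(self, max_prompts=5, window_s=300, lockout_s=900):
        self.max_prompts = max_prompts      # prompts allowed per window
        self.window_s = window_s            # sliding window length (seconds)
        self.lockout_s = lockout_s          # how long a triggered lockout lasts
        self._prompts = defaultdict(deque)  # user -> timestamps of recent prompts
        self._locked_until = {}             # user -> epoch time the lockout ends

    def allow_prompt(self, user, now):
        """Decide whether a push may be sent to `user` at epoch time `now`.

        Returns (allowed, reason). The prompt is recorded only when allowed.
        """
        if self._locked_until.get(user, 0) > now:
            return False, "locked"
        recent = self._prompts[user]
        # Drop prompts that have aged out of the window.
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) >= self.max_prompts:
            # Threshold reached: start the lockout and reset the window.
            self._locked_until[user] = now + self.lockout_s
            recent.clear()
            return False, "lockout_triggered"
        recent.append(now)
        return True, "ok"

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now


# Constructed log: "<epoch> <user> <event>", one push request per line.
# alice receives seven prompts in two minutes, then one more after the lockout.
SAMPLE_LOG = """\
1663200000 alice push_requested
1663200020 alice push_requested
1663200040 alice push_requested
1663200060 alice push_requested
1663200080 alice push_requested
1663200100 alice push_requested
1663200120 alice push_requested
1663200130 bob push_requested
1663201005 alice push_requested
"""


def replay(log_text, guard=None):
    """Run each push request through the guard; return (ts, user, reason) per line."""
    guard = guard or PromptGuard()
    decisions = []
    for line in log_text.splitlines():
        ts, user, event = line.split()
        if event != "push_requested":
            continue
        _, reason = guard.allow_prompt(user, int(ts))
        decisions.append((int(ts), user, reason))
    return decisions


if __name__ == "__main__":
    for ts, user, reason in replay(SAMPLE_LOG):
        print(ts, user, reason)
```

In the replay, alice's sixth prompt within the window triggers the lockout, the seventh is suppressed outright, bob is unaffected, and alice's prompt after the lockout expires goes through again. The thresholds are illustrative; a provider would tune them and also alert on every `lockout_triggered` event, since each one is a strong signal that someone other than the account holder is driving the prompts.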
