Uber, in an replace, mentioned there may be “no proof” that customers’ personal data was compromised in a breach of its inner pc techniques that was found late Thursday.
“We’ve got no proof that the incident concerned entry to delicate person information (like journey historical past),” the corporate mentioned. “All of our providers together with Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.”
The ride-hailing firm additionally mentioned it is introduced again on-line all the interior software program instruments it took down beforehand as a precaution, reiterating it is notified legislation enforcement of the matter.
It isn’t instantly clear if the incident resulted within the theft of another data or how lengthy the intruder was inside Uber’s community.
Uber has not offered extra specifics of how the incident performed out past saying its investigation and response efforts are ongoing. However impartial safety researcher Invoice Demirkapi characterised Uber’s “no proof” stance as “sketchy.”
“‘No proof’ may imply the attacker did have entry, Uber simply hasn’t discovered proof that the attacker *used* that entry for ‘delicate’ person information,” Demirkapi mentioned. “Explicitly saying “delicate” person information relatively than person information general can also be bizarre.”
The breach allegedly concerned a lone hacker, an 18-year-old teenager, tricking an Uber worker into offering account entry by social engineering the sufferer into accepting a multi-factor authentication (MFA) immediate that allowed the attacker to register their very own gadget.
Upon gaining an preliminary foothold, the attacker discovered an inner community share that contained PowerShell scripts with privileged admin credentials, granting carte blanche entry to different crucial techniques, together with AWS, Google Cloud Platform, OneLogin, SentinelOne incident response portal, and Slack.
Worryingly, as revealed by safety researcher Sam Curry, the teenager hacker can also be mentioned to have gotten maintain of privately disclosed vulnerability studies submitted by way of HackerOne as a part of Uber’s bug bounty program.
HackerOne has since moved to disable Uber’s account, however the unauthorized entry to unpatched safety flaws within the platform may pose an enormous safety threat to the San Francisco-based agency ought to the hacker choose to promote the data to different menace actors for a fast revenue.
Up to now, the attacker’s motivations behind the breach are unclear, though a message posted by the hacker saying the breach on Slack included a name for increased pay for Uber’s drivers.
A separate report from The Washington Submit famous that the attacker broke into the corporate’s networks for enjoyable and may leak the corporate’s supply code in a matter of months, whereas describing Uber’s safety as “terrible.”
“Many instances we solely discuss APTs, like nation states, and we neglect about different menace actors together with disgruntled workers, insiders, and like on this case, hacktivists,” Ismael Valenzuela Espejo, vice chairman of menace analysis and intelligence at BlackBerry, mentioned.
“Organizations ought to embrace these as a part of their menace modeling workouts to find out who might have a motivation to assault the corporate, their ability degree and capabilities, and what the influence may very well be in accordance with that evaluation.”
The assault focusing on Uber, in addition to the latest string of incidents towards Twilio, Cloudflare, Cisco, and LastPass, illustrates how social engineering continues to be a persistent thorn within the flesh for organizations.
It additionally reveals that each one it takes for a breach to happen is an worker to share their login credentials, proving that password-based authentication is a weak hyperlink in account safety.
“As soon as once more, we see that an organization’s safety is barely pretty much as good as their most weak workers,” Masha Sedova, co-founder and president of Elevate Safety, mentioned in a press release.
“We have to suppose past generic coaching, as a substitute let’s pair our riskiest workers with extra particular protecting controls. So long as we proceed to deal with cybersecurity as solely a technical problem, we are going to proceed to lose this battle,” Sedova added.
Incidents like these are additionally proof that Time-based One Time Password (TOTP) codes – usually generated by way of authenticator apps or despatched as SMS messages – are insufficient at securing 2FA roadblocks.
One option to counter such threats is the usage of phishing-resistant FIDO2-compliant bodily safety keys, which drops passwords in favor of an exterior {hardware} gadget that handles the authentication.
“MFA suppliers ought to *by default* routinely lock accounts out quickly when too many prompts are despatched in a brief time period,” Demirkapi mentioned, urging organizations to restrict privileged entry.
