Uber Claims No Sensitive Data Exposed in Latest Breach… But There’s More to This

Uber, in an update, said there is “no proof” that users’ private information was compromised in a breach of its internal computer systems that was discovered late Thursday.
“We have no proof that the incident involved access to sensitive user data (such as journey history),” the company said. “All of our services, including Uber, Uber Eats, Uber Freight and the Uber Driver app, are operational.”
The transportation company also said it has brought back online all the internal software tools it had previously taken down as a precautionary measure, reiterating that it has notified police about the matter.
It is not immediately clear whether the incident resulted in the theft of any other information or how long the intruder was inside Uber’s network.
Uber has not provided any further details on how the incident unfolded other than to say its investigation and response efforts are ongoing. But independent security researcher Bill Demirkapi characterized Uber’s “no proof” stance as “incomplete.”
“‘No proof’ might mean the attacker did have access, Uber just hasn’t found proof that the attacker *used* that access for ‘sensitive’ user data,” Demirkapi said. “Explicitly saying ‘sensitive’ user data instead of general user data is also bizarre.”

The breach allegedly involved a lone hacker, an 18-year-old teenager, who tricked an Uber employee into providing account access by social engineering the victim into accepting a multi-factor authentication (MFA) prompt that allowed the attacker to register their own device.
After gaining an initial foothold, the attacker found an internal network share that contained PowerShell scripts with privileged administrator credentials, granting carte blanche access to other critical systems, including AWS, Google Cloud Platform, OneLogin, the SentinelOne incident response portal, and Slack.
Worryingly, as revealed by security researcher Sam Curry, the teenage hacker is also said to have gotten hold of privately disclosed vulnerability reports submitted through HackerOne as part of Uber’s bug bounty program.
HackerOne has since moved to disable Uber’s account, but unauthorized access to unpatched security flaws in the platform could pose a huge security risk to the San Francisco-based company if the hacker chooses to sell the information to other threat actors for a quick profit.




So far, the attacker’s motivations behind the breach are unclear, although a message posted by the hacker announcing the breach in Slack included a call for higher wages for Uber drivers.
A separate report from The Washington Post noted that the attacker broke into the company’s networks for fun and could leak the company’s source code in a matter of months, while describing Uber’s security as “horrible.”
“Many times we just talk about APTs, like nation states, and forget about other threat actors, including disgruntled employees, insiders and, as in this case, hacktivists,” said Ismael Valenzuela Espejo, vice president of threat intelligence and research at BlackBerry.
“Organizations should include these as part of their threat modeling exercises to determine who might have a motivation to attack the business, their skill level and capabilities, and what the impact might be based on that analysis.”
The attack targeting Uber, as well as the recent series of incidents against Twilio, Cloudflare, Cisco, and LastPass, illustrates how social engineering remains a persistent thorn in the side of organizations.

It also shows that all it takes for a breach to occur is for an employee to share their login credentials, demonstrating that password-based authentication is a weak link in account security.
“Once again, we see that a company’s security is only as good as its most vulnerable employees,” said Masha Sedova, co-founder and president of Elevate Security, in a statement.
“We need to think beyond generic training, instead pairing our riskiest employees with more specific security controls. As long as we continue to approach cybersecurity solely as a technical problem, we’ll continue to lose this battle,” Sedova added.
Incidents like these are also proof that time-based one-time password (TOTP) codes, typically generated through authenticator apps or sent as SMS messages, are inadequate for securing 2FA.
One way to counter such threats is the use of phishing-resistant FIDO2-compliant physical security keys, which ditch passwords in favor of an external hardware device that handles authentication.
“MFA providers should *by default* automatically lock accounts temporarily when too many prompts are sent in a short period of time,” Demirkapi said, urging organizations to limit privileged access.
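
The temporary lockout on repeated MFA prompts described above can be sketched as a sliding-window counter over push events. This is an added example, not code from the article, Uber, or any MFA provider; the event names, thresholds, and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration; tune to your environment.
WINDOW = timedelta(minutes=5)     # look-back window for counting prompts
MAX_PROMPTS = 3                   # prompts allowed per user inside WINDOW
LOCKOUT = timedelta(minutes=15)   # temporary lock once the limit is exceeded

# Constructed sample events (timestamp, user, event); not real log data.
SAMPLE_EVENTS = [
    ("2024-01-01T21:00:00", "alice", "push_sent"),
    ("2024-01-01T21:00:40", "alice", "push_sent"),
    ("2024-01-01T21:01:10", "alice", "push_sent"),
    ("2024-01-01T21:01:30", "alice", "push_sent"),      # 4th in window: lock
    ("2024-01-01T21:02:00", "alice", "push_sent"),      # arrives during lockout
    ("2024-01-01T21:02:05", "alice", "push_approved"),  # fatigued approval, refused
    ("2024-01-01T21:03:00", "bob", "push_sent"),
    ("2024-01-01T21:03:10", "bob", "push_approved"),    # ordinary login
    ("2024-01-01T21:20:00", "alice", "push_sent"),      # lockout has expired
]

def replay(events, window=WINDOW, max_prompts=MAX_PROMPTS, lockout=LOCKOUT):
    """Replay MFA push events in time order and return one decision per event."""
    recent = defaultdict(deque)   # user -> timestamps of prompts inside the window
    locked_until = {}             # user -> time the temporary lock ends
    decisions = []
    for raw_ts, user, event in events:
        ts = datetime.fromisoformat(raw_ts)
        if ts < locked_until.get(user, datetime.min):
            # While locked, no prompt is delivered and no approval is honoured.
            decisions.append((raw_ts, user, "rejected_locked"))
            continue
        if event == "push_sent":
            q = recent[user]
            while q and ts - q[0] > window:
                q.popleft()       # drop prompts older than the window
            q.append(ts)
            if len(q) > max_prompts:
                locked_until[user] = ts + lockout
                q.clear()
                decisions.append((raw_ts, user, "locked"))
            else:
                decisions.append((raw_ts, user, "delivered"))
        elif event == "push_approved":
            recent[user].clear()  # an accepted approval resets the counter
            decisions.append((raw_ts, user, "accepted"))
    return decisions
```

The `locked` decision is also the natural point to raise an alert to the security team, since a burst of prompts usually means the password is already compromised.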