Uber experienced yet another prominent data breach that exposed private employee and business information. This time, attackers gained access to the company through a Tequivity cloud server that was used by Amazon Web Services (AWS), which gives Uber asset management and tracking services.
The incident was initially reported by the New York Times.
The hacker known as “UberLeak” is unoriginal. “Hacked by autistic fisherman Arion and conned all LAPSUS$ members,” reads a post on BreachForums. Although Lapsus$ is a notorious hacker gang, there is no further evidence of a connection to the group outside the forum post.
Numerous files that purport to be source code for the mobile device management platforms used by Uber, the company’s food delivery service Uber Eats, and third-party vendor services are among the data that have been exposed. In contrast to internal code and corporate data, no information on an Uber user was discovered in the stolen data. The stolen information did, however, contain 77,000 Uber employees’ personal information.
AWS Server from Tequivity Breached by Hacker
According to Tequivity’s announcement, “customer data was compromised” as a result of “unauthorized access” to the business’s systems by “a malicious third party.” The company’s AWS backup server, which holds code and data files pertaining to Teqtivity clients, was specifically compromised by attackers, the company said.
According to the statement, Teqtivity has informed the customers who may have been impacted and is now looking into the situation and trying to limit it. It’s not clear if the security vulnerability impacts businesses besides Uber.
Ongoing Security Issues With Uber
Uber previously experienced a breach in 2016 that exposed the names, email addresses, and phone numbers of 57 million people worldwide. Approximately 600,000 American drivers’ license information was also provided. Two people had access to the data through “a third-party cloud-based service” that Uber had at the time.
Experts Insight On Latest Uber Breach
Information security and industry leaders reacted on this breach in our comment section below and highlight the growing security threat of third-party vendors, and how organizations can protect newly vulnerable information obtained by threat actors.
“Another day, another bug to fix – what’s great here is that Apple has invested in a way to get critical updates into the field and onto folks’ devices. It’s also good to see private industry coordinating to protect people.
“Apple invests a lot into operating system security, compartmentalisation of components, sandboxing, and assessments of WebKit – but it does show you that, for complex software like a web browser written in C++ , spending a lot of money on assurance won’t keep all the bugs out. A well practiced mechanism for getting fixes out to the field after a discovery is just as important as keeping those bugs out in the first place.
“Developers are slowly adopting new languages like Rust, and experimenting with sandbox approaches that can further isolate legacy code written in non-memory-safe languages like C and C++.”
“The recent cybersecurity incidents at Uber highlight the enhanced threat companies face when sensitive data is leaked to the public. Oftentimes, stories like these are focused on potential compromised customer information, but attackers are just as interested in data for internal employees. When data leaks include sensitive details for employees, such as their usernames, this information can be used by attackers in combination with publicly available sources such as LinkedIn to piece together a strong data set on employees. Threat actors can then craft more sophisticated, highly convincing phishing attacks based on correct internal company details. What does this look like? With enough information, threat actors can target a high-level employee through a credential harvester phishing email that includes their internal company username and domain name, along with important details, such as their department and location.
So what can be done? Companies should make sure that their phishing training keeps up with current threats to prepare their employees for more sophisticated phishing attacks. Regular training that deploys a level of sophistication is critical to ensure employees are ready for more targeted attacks, particularly those that are tailored to their business unit. For example, finance teams may come across invoice-themed schemes, while recruiters may see résumé-themed phishing lures.
Additionally, multi-factor authentication (MFA), ideally with phish-resistant FIDO security keys, will significantly reduce the risks associated with credential theft through phishing. Organizations can also consider deploying a secure email gateway to monitor incoming and outgoing emails for signs of an attack.”
“As Uber investigates its recent breach, thought to be via a third-party supply chain attack, distinct from late summer’s breach report, understandably attention will now turn to identifying the attacker and the point of intrusion. While the questions ‘who was the attacker’ or ‘how did they get inside’ are important, in parallel – and arguably more importantly – focus now also needs to be on reducing the risk of future attacks which may or may not be similar in nature.
“Proactive identity security-based strategies to protect against attacks from the supply chain, phishing or any other vector requires defence-in-depth – a mix of complementary security layers – which supports a Zero Trust strategy. Armed with high value employee details, attackers can now more easily target Uber again with potential goals including login credentials, to enable access to sensitive data and assets. By focusing on eliminating embedded credentials and utilising strong least privilege controls as part of its strategy, Uber can make a start on reducing its now amplified cyber risk.”
“Stolen data is often published and available to threat actor groups. The challenge that security teams have is that when stolen credentials are used it becomes extraordinarily difficult for them to identify what looks like a legitimate user or distinguish the external malicious activity from an insider threat. Compromised third parties and suppliers are also a big challenge for security organizations to identify as they often have authorized access to internal systems even if orphaned or if the company is longer a supplier. Security organizations need to incorporate identity and access analytics as part of their overall threat detection and response programs and identify risk behaviors as they evolve into malicious activity, regardless of insider or external threats.”
“Just a few months after Uber’s internal IT systems were breached by a social engineering attack, Uber employees’ personal information has been leaked via a third-party cybersecurity incident. With the newly-leaked Uber employee accounts, it’s critical for Uber to ensure that they have two-factor or two-step authentication enabled.
If threat actors are able to map password leaks to current employees, they may be able to identify employees who re-used the same password. With the leak of Windows Active Directory information, this could give threat actors an extra advantage if they were to try and compromise Uber’s internal infrastructure.
It is especially important for all employees to be on the lookout for phishing emails impersonating IT support. Indicators that an email may be a phishing attempt include an improper tone or greeting, grammar or spelling errors and inconsistencies in email addresses, links and domain names. Employees should also confirm all information directly with IT admins before responding to such emails.”