Uber Breached, Again, After Attackers Compromise Third-Party Cloud

Published: 23/11/2024   Category: security




Threat actors leak employee email addresses, corporate reports, and IT asset information on a hacker forum after an attack on an Uber technology partner.



Uber has suffered yet another high-profile data leak that exposed sensitive employee and company data. This time, attackers breached the company by compromising an Amazon Web Services (AWS) cloud server used by a third party that provides Uber with asset management and tracking services.
The incident happened over the weekend, when a threat actor named UberLeaks began posting data they claimed was stolen from Uber and Uber Eats. The data turned up on the BreachForums hacking forum, the successor of now-defunct RaidForums, media outlets reported, and included employee email addresses, corporate reports, and IT asset information stolen.
Hackers posted a number of archives that they said are source code associated with various mobile device management (MDM) platforms used by Uber, as well as by Uber Eats and third-party vendor services, according to reports. While no user information appears to have been compromised in the breach — which appears to entirely have affected corporate assets — the personal information of 77,000 Uber employees was leaked.
Uber acknowledged the incident and pointed the media to a breach notification by a company called Teqtivity, which it uses for asset management and tracking services.
Teqtivity explained that customer data was compromised due to unauthorized access to the company's systems by a malicious third party, according to Teqtivity's release. Specifically, attackers gained access to the company's AWS backup server, which houses code and data files related to Teqtivity customers, the company said.
It's unclear if that access was due to a misconfiguration of the cloud bucket, or if there was an actual compromise to blame.
Information exposed by the attack included information housed on various Uber employees' IT devices, including serial number, make, model, and technical specifications, as well as employee information, including first and last names, work email addresses, and work location details, according to Teqtivity.
Teqtivity has notified affected customers and is currently investigating as well as working to contain the incident, according to the notification. It's unclear if the breach affects other companies beyond Uber.
This latest incident is indeed not Uber's first rodeo when it comes to data breaches, as the company has experienced several highly publicized incidents over the past several years that have had significant ramifications for the company.
In fact, a previous third-party breach that occurred in 2016 and exposed the data of some 57 million customers and drivers turned into an absolute public-relations nightmare for Uber, the effects of which are still being felt.
That incident — in which attackers also gained access to Uber data stored in third-party cloud storage — resulted in the firing of its now-former CISO Joe Sullivan after it was discovered that the company engaged in a cover-up of the incident. Sullivan was even found guilty in federal court on charges related to the incident in October.
Uber also experienced a significant breach in September and was forced to take some of its operations offline due to the compromise of its own internal systems, when an attacker socially engineered his way into an employee's VPN account before pivoting deeper into the network.
While no particular threat group has claimed responsibility or has yet been found to be the guilty party behind the latest breach, there are some initial clues that tie the incident to the well-known cybercriminal extortion group Lapsus$.
The post on BreachForums about the Uber leak reportedly mentions the threat group, while Lapsus$ is believed to be responsible for the Uber September breach as well, Robert Ames, threat researcher from SecurityScorecard, tells Dark Reading.
Ames also notes the responsibility of Lapsus$ for a January incident at Okta, another major third-party service for many firms, as a potential clue that the threat group also is at play here. That incident was determined to have affected about 366 Okta customers, the company acknowledged.
Lapsus$ went quiet around July after a spate of incidents earlier in the year including not only the one against Okta, but also attacks on Microsoft and Nvidia. Its responsibility for the September attack on Uber could be a sign of another flurry of activity from the threat group, experts say.
No matter who's responsible, the latest Uber incident, like the one in 2016, once again highlights the third-party risk that all enterprises face when partner companies are responsible for or have access to corporate data and assets, security experts say.
A core issue is that many organizations don't secure third-party access to internal data in the same way they secure it within organization IT assets, which leaves that data unnecessarily exposed to outside threats, Ames says.
Vendors and other third parties are often granted the same access as employees but with fewer security measures, making them a weak link and therefore a popular target for threat actors, he says. When hackers access a third party’s systems, they can access whatever data that system stores, even if it belongs to other organizations.
Indeed, this is an issue not unique to Uber, but one that demonstrates that companies everywhere must better prioritize their cybersecurity measures, especially when it comes to third parties, Stephan Chenette, co-founder and CTO at AttackIQ, says.
Some ways companies can do this include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent, and respond to these threats, he says.
They should also continuously evaluate their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses, Chenette says.
Enterprises also should be continuously monitoring their specific third-party cybersecurity posture to reduce the likelihood of attacks, Ames says. This will help give them a more complete picture of their entire attack surface as they seek ways to gain visibility into potential and existing vulnerabilities.
Ames adds that participating in tabletop exercises and threat emulation to ensure that security administrators and employees alike are familiar with countering and responding to threat actors also can help organizations better respond to third-party threats.
