[Image: Uber confirms incident and says no evidence of sensitive user data exposure. Credit: Uber/Twitter]

This confirms that the investigation and response efforts continue and states that Uber has "no evidence that the incident involved access to sensitive user data (like trip history)" while confirming all Uber services are operational. The update also says that internal software tools that were initially taken offline are back in operation.

The problem is that the more cynical of readers may cite the very specific language used as not providing real clarity. Saying 'no evidence' is not the same as saying it hasn't happened; combine that with 'sensitive user data' that is defined in the statement only as being 'like trip history', and there are more questions than answers here, especially given the lack of any statement about the extent of the network breach, the systems accessed, and the level of access acquired by the hacker. One can only hope that such clarity is provided in the coming days and weeks. There hasn't been any notification in my Uber app on the iPhone, so one assumes that there will be users who are blissfully unaware that any cybersecurity breach has even happened.

Did MFA fatigue open the door for the Uber hacker?

Where there does appear to be a little more clarity is in the initial attack technique likely used to pry the Uber system's front door open. The alleged hacker has boasted about how they used what is known in the cybersecurity industry as MFA fatigue as a weapon. Multi-Factor Authentication, which most non-technical users will think of as Two-Factor Authentication (2FA), is a worthy layer in overall network defenses. However, the hacker has claimed that Uber was using 'push authentication' (where the user is asked to confirm, on a device such as their laptop or smartphone, that it is really them logging in), and that a targeted employee was spammed with these requests "for over an hour." The hacker says the user was then contacted via WhatsApp by someone posing as the Uber IT team and told they needed to accept the authentication request in order to stop the prompts. "He accepted and I added my device," the hacker claims.

Abhay Bhargav, CEO at AppSecEngineer, says that it appears the MFA phishing attack "led to a PowerShell script getting discovered, with admin credentials to their Thycotic PAM (Privileged Access Management) tool. With all credentials being part of this PAM solution, now the entire org was compromised because the PAM had access to Amazon Web Services (AWS), Google Workspace, Slack and more."

Uber security vulnerability reports could have been stolen

Bleeping Computer has been in contact with the alleged hacker and has seen screenshots showing access to "critical Uber IT systems" that include security software, the Amazon Web Services console, the Google Workspace email admin dashboard and the aforementioned Slack server. It would also appear that the hacker gained access to Uber's HackerOne vulnerability bug bounty account, leaving comments on a number of report tickets. This could yet prove to be one of the most valuable resources from the attacker's perspective, as it has been claimed that Uber's vulnerability reports were downloaded. Marten Mickos, the HackerOne CEO, has stated that the Uber account has been locked down and that the company is working with Uber to assist in the investigation.

"This attack has left Uber with a significant amount of data leaked with the potential of including customer and driver's personal data," Jake Moore, global cyber security advisor at ESET, said. "This is seemingly the work of a clever socially engineered attack. Gaining entry to private data inside VPNs needs to be difficult and behind strict protections. This leaves Uber with a lot of questions about how much data was compromised via such an easy method."

It is not known what, if any, customer data might have been accessed at this point in time. This is a developing story, and I will keep updating it as more details emerge.
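The MFA fatigue pattern the hacker describes (a burst of push prompts that the target ignores or denies, followed by an approval and the enrolment of a new device) is something a defender can look for in authentication logs. The following is an added example, not code from the article, from Uber or from any vendor named in it; the JSON event format, field names, user names and timestamps are constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # how far back to count unanswered or denied prompts
THRESHOLD = 5                # prompts inside WINDOW that make a later approval suspicious
NEGATIVE = {"push_timeout", "push_denied"}

# Constructed sample events (not real Uber telemetry): one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2022-09-15T21:00:00Z", "user": "contractor01", "event": "push_timeout", "device_new": false}
{"ts": "2022-09-15T21:05:00Z", "user": "contractor01", "event": "push_denied", "device_new": false}
{"ts": "2022-09-15T21:09:00Z", "user": "alice", "event": "push_timeout", "device_new": false}
{"ts": "2022-09-15T21:10:00Z", "user": "contractor01", "event": "push_timeout", "device_new": false}
{"ts": "2022-09-15T21:11:00Z", "user": "alice", "event": "push_approved", "device_new": false}
{"ts": "2022-09-15T21:35:00Z", "user": "contractor01", "event": "push_denied", "device_new": false}
{"ts": "2022-09-15T21:50:00Z", "user": "contractor01", "event": "push_timeout", "device_new": false}
{"ts": "2022-09-15T21:58:00Z", "user": "contractor01", "event": "push_approved", "device_new": true}
"""


def parse_ts(value):
    # datetime.fromisoformat accepts a trailing "Z" only from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per approval that follows at least `threshold`
    unanswered or denied pushes for the same user within `window`."""
    recent = defaultdict(deque)  # user -> timestamps of negative outcomes
    alerts = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        ts, user = parse_ts(ev["ts"]), ev["user"]
        q = recent[user]
        while q and ts - q[0] > window:  # forget outcomes older than the window
            q.popleft()
        if ev["event"] in NEGATIVE:
            q.append(ts)
        elif ev["event"] == "push_approved" and len(q) >= threshold:
            alerts.append({"user": user, "approved_at": ev["ts"],
                           "prior_failed_pushes": len(q),
                           "new_device_enrolled": bool(ev.get("device_new"))})
            q.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Running it flags only `contractor01`, whose approval at 21:58 follows five ignored or denied prompts in the preceding hour and coincides with a new device; `alice`, with a single timeout before her approval, produces no alert.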