September 16, 2022
Severity
High
Analysis Summary
On Thursday, Uber Technologies Inc suffered a cyber attack in which the attackers gained access to sensitive data, including vulnerability reports, after breaching the company’s internal network. The company tweeted that it is in contact with law enforcement and will provide more information when it becomes available.
The hacker published pictures of the company’s internal systems, email dashboard, and Slack server as well as access to vulnerability reports.
Some researchers have spoken with the alleged hacker and have seen screenshots that appear to show complete access to “important Uber IT systems,” including the Windows domain, security software, an Amazon Web Services panel, an email admin dashboard for Google Workspace, and the aforementioned Slack server.
According to The New York Times, which first reported this breach, the threat actors claim to have broken into Uber by social-engineering an employee and stealing their password. Using the stolen credentials, the threat actor then accessed the company’s internal systems through the VPN and scanned the intranet.
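The attack path described above (a valid credential used over the VPN, followed by scanning of the intranet) is something a defender can look for in logs. The following is an added example, not part of the Rewterz alert: it correlates constructed VPN authentication events with constructed internal flow records and flags any session whose client address contacts many distinct internal hosts shortly after login. The log formats, field order, window and host threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log (assumed format):
# ISO timestamp, username, VPN client IP assigned to the session.
VPN_LOG = """\
2022-09-15T22:00:05,j.doe,10.8.0.23
2022-09-15T22:03:40,a.smith,10.8.0.45
"""


def _make_flows():
    """Build constructed internal flow records (assumed format):
    ISO timestamp, src_ip, dst_ip, dst_port.
    10.8.0.23 touches 30 distinct hosts in about four minutes (scan-like);
    10.8.0.45 touches 3 hosts (ordinary use)."""
    rows = []
    t0 = datetime(2022, 9, 15, 22, 1, 0)
    for i in range(30):
        ts = t0 + timedelta(seconds=8 * i)
        rows.append(f"{ts.isoformat()},10.8.0.23,10.10.1.{i + 1},445")
    t1 = datetime(2022, 9, 15, 22, 5, 0)
    for i, host in enumerate(("10.10.2.10", "10.10.2.11", "10.10.2.12")):
        ts = t1 + timedelta(minutes=i)
        rows.append(f"{ts.isoformat()},10.8.0.45,{host},443")
    return "\n".join(rows) + "\n"


FLOW_LOG = _make_flows()


def parse_vpn_log(text):
    """Yield (login_time, user, client_ip) from the VPN log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split(",")
        yield datetime.fromisoformat(ts), user, ip


def parse_flow_log(text):
    """Yield (time, src_ip, dst_ip, dst_port) from the flow log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split(",")
        yield datetime.fromisoformat(ts), src, dst, int(port)


def detect_post_login_scans(vpn_text, flow_text,
                            window=timedelta(minutes=15), host_threshold=20):
    """Flag VPN sessions whose client IP contacts at least `host_threshold`
    distinct internal hosts within `window` of the login. Returns a list of
    alert dicts in login order (empty when nothing crosses the threshold)."""
    flows_by_src = defaultdict(list)
    for ts, src, dst, port in parse_flow_log(flow_text):
        flows_by_src[src].append((ts, dst, port))

    alerts = []
    for login_ts, user, ip in parse_vpn_log(vpn_text):
        hosts, ports = set(), set()
        for ts, dst, port in flows_by_src.get(ip, []):
            if login_ts <= ts <= login_ts + window:
                hosts.add(dst)
                ports.add(port)
        if len(hosts) >= host_threshold:
            alerts.append({
                "user": user,
                "client_ip": ip,
                "login": login_ts.isoformat(),
                "distinct_hosts": len(hosts),
                "ports": sorted(ports),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_post_login_scans(VPN_LOG, FLOW_LOG):
        print(f"ALERT: {alert['user']} ({alert['client_ip']}) contacted "
              f"{alert['distinct_hosts']} internal hosts on ports "
              f"{alert['ports']} within 15 min of login at {alert['login']}")
```

The threshold and window are deliberately coarse; in practice they would be tuned per environment, and a hit is a triage signal to pair with the login context (new device, unusual hour, unusual geography) rather than proof of compromise on its own.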
Sam Curry, a security engineer at Yuga Labs, claims that the hacker also had access to the company’s HackerOne bug bounty program, where they left comments on all of the bug bounty tickets.
‘Someone hacked an Uber employee’s HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports.’
This could be one of the most valuable resources from the attacker’s point of view, as it has been claimed that Uber’s vulnerability reports were obtained. This poses a serious security risk to Uber.
Uber’s bug bounty program (known as HackerOne) allows security researchers to discreetly report vulnerabilities in its systems and apps in exchange for monetary compensation. These vulnerability reports are intended to be kept private until a fix is available, to prevent attackers from exploiting them.
Since then, HackerOne has suspended the Uber bug bounty program, preventing the exposed vulnerabilities from being used. According to HackerOne CEO Marten Mickos, the company is collaborating with Uber to help with the investigation.
It is unknown whether or not any consumer data was accessed. If the threat actor did obtain the vulnerability reports, it would not be surprising if they sold them to other threat actors in order to profit quickly from the attack.
In the message shared over Slack, the hacker, who identified himself as 18 years old, also claimed that Uber had weak security and that drivers should be paid more.
The company has experienced security breaches in the past as well: a data breach that occurred in 2016 was disclosed in 2017 and made headlines.
Impact
- Confidential Information Theft
- Internal Systems Compromise
- Credential Theft
Remediation
- Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- 2FA – Enable two-factor authentication.
- Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Multi-layered protection is necessary to secure vulnerable assets.
- Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
- Admin Access – Limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.