How do You Prevent Another Uber-Style Breach

How do You Prevent Another Uber Style Breach Banner

How do You Prevent Another Uber-Style Breach

Uber blames contractors for the hack and links breach to Lapsus$ organization.


In the News

According to Uber, the hacker responsible for the breach last week is a member of the Lapsus$ extortion group, which has previously attacked Microsoft, Cisco, NVIDIA, Samsung, and Okta, among other well-known IT firms.

According to the company, the attacker conducted an MFA fatigue attack by flooding the contractor with two-factor authentication (2FA) login requests until one of them was approved using the stolen credentials of an Uber EXT contractor.

The usage of this social engineering technique has increased dramatically in recent attacks on well-known businesses worldwide, including Twitter, Robinhood, MailChimp, and Okta. Continue to read how do you prevent another uber-style breach?


What happened

The attacker gained privileged access to several tools, including G-Suite and Slack, by breaking into numerous other employee accounts, according to Uber’s updated statement.

“The attacker then modified Uber’s OpenDNS to display a graphic image to employees on some internal sites,” which was posted to a company-wide Slack channel many of you saw.

The business stated that it had not discovered proof that the threat actor could access production systems that hold sensitive user data, including financial and personal information (e.g., credit card numbers, user bank account info, personal health data, or trip history).

The FBI and the US Department of Justice assist the company’s investigation into the event.


Uber claims to have taken the following steps to stop similar approaches from being used in future breaches:

  • Any employee accounts that were affected or might have been compromised were found, and we either disabled their access to the Uber systems or ordered a password reset.
  • Many internal tools that were impacted or might have been impacted were disabled.
  • We changed the keys on many of our internal systems, effectively resetting access.
  • We restricted access to our source to stop further code additions.
  • We asked users to re-authenticate to regain access to internal tools. Additionally, we are enhancing our multi-factor authentication (MFA) guidelines.

We could keep all of our public-facing Uber, Uber Eats, and Uber Freight services operational and running smoothly. Because we took down some internal tools, customer support operations were minimally impacted and are now back to normal. — Uber



Is there a solution?

MFA is not an antidote on its own, but security experts believe that any level of MFA is better than none. Uber is not the only business whose network has been penetrated despite using multi-factor authentication.

By luring an employee into submitting their credentials to a phishing page, they had set up, which the hackers then used to generate a push notification delivered to the employee’s smartphones, hackers hacked into Twitter’s network in 2020.

According to an inquiry by the state of New York, the employee acknowledged a prompt, allowing the hackers to enter. More recently, a social engineering attempt that conned a worker into giving up their log in information led to another hack of Mailchimp.


Instead of focusing on the highly inspected systems for security issues, all of these attacks use the limitations of multi-factor authentication, frequently by directly attacking the individuals using it.

Cloudflare is the only company targeted in a recent wave of cyberattacks that successfully prevented a network compromise because it employs hardware security keys, which cannot be phished.

Even though some employees “did fall for the phishing messages,” Cloudflare acknowledged in a blog post that its use of hardware security keys—which require employees to physically plug a USB device into their computers after entering their credentials—had prevented the attackers from accessing its network.

According to Cloudflare, the attack “targeted personnel and systems in a manner that we believe would make it probable that most firms would be compromised.


Experts Advice MFA

The gold standard of MFA security, security keys, are not without their limitations, not the least of which are the expense and maintenance of the keys. We spend much time debating the necessity of physical security keys for everyone.

However, Tobac noted that some firms still push for mandated SMS two-factor authentication or MFA prompts for internal access.

As Uber’s breach shows, MFA by randomly generated code or push notification is far from ideal. Still, according to Richard Luna, CEO of Protected Harbor, ” Putting the good before the perfect is not a good idea.” Minor adjustments over time have a significant impact.

One notable advance is MFA number matching, which makes social engineering attempts much more challenging by presenting a code on the user’s screen and requiring them to enter it into an app on their verified device. The notion is that, similar to a security key, the attacker would need both the target’s credentials and their confirmed device.

Microsoft, Okta, and Duo offer MFA number matching. However, as security expert Kevin Beaumont pointed out, Okta’s number matching service is wrapped in an expensive licensing tier, while Microsoft’s solution is still in preview. Uber uses Duo for MFA, but it is said that at the time of the incident, number matching was not being used.

According to Tobac, network defenders can also set alerts and restrictions on the number of push messages a user can receive. They can also begin by distributing security keys to a test group of users before expanding it every three months.

In reaction to the hack, Uber stated on Monday that it is strengthening its MFA standards. Uber may still have many questions to answer regarding how the hacker gained access to high-privilege credentials for the remaining vital systems of the company using just a contractor’s stolen password.


Bottom Line

Stay up to date with patches, upgrade your software, and apply the latest security fixes. Install an antivirus program and keep it up to date. Use a VPN to protect your traffic from being monitored and encrypted communication to protect your data from prying eyes.

Stay vigilant and aware of any trends or changes in the threat landscape, and react accordingly. Stay informed by reading best practices and security blogs and keeping up with the news to stay on top of all the latest threats.

Protected Harbor security experts recommend enabling multi-factor authentication, using encryption, and activating Identity and Access Management. These tools will help to maintain data integrity, protect private and confidential information, and keep your customers safe from identity theft and data breaches.

Identity and Access Management solutions allow you to delegate the right level of access to the right people, thereby limiting the risk of data breaches. Encryption is essential to protect data in transit and at rest. It is recommended to use TLS protocol for secure data transfer and a FIPS-certified cryptographic module for data at rest.

Get a free security IT Audit and Penetration Testing today from Protected Harbor. Contact us now!

FBI: Russian hackers spy on, scour energy sector of the US; 5 companies targeted

FBI Russian hackers spy on, scour energy sector of the US 5 companies targeted

FBI: Russian hackers spy on, scour energy sector of the US; 5 companies targeted

According to a March 18 FBI advice to US businesses received by CNN, hackers affiliated with Russian internet addresses have been examining the networks of five US energy corporations as a possible preliminary to hacking operations.
As the Russian military suffers significant casualties in Ukraine and Western sanctions on the Kremlin begin to bite, the FBI alert only days before President Joe Biden openly warned that Russian-linked hackers could target US companies.

Key Highlights:

  • According to the Federal Bureau of Investigation, at least five U.S. energy businesses and 18 others in critical infrastructure sectors have seen “abnormal scanning” from Russian-linked IP addresses, according to a Friday bulletin first published by CBS News on March 22.
  • The behavior “certainly suggests early phases of reconnaissance, searching networks for vulnerabilities for use in potential future attacks.”
  • In a statement, Dennis Hackney, senior director of industrial cybersecurity services development at ABS Group, stated, “It is not surprising that Russia would activate its most effective war-fighting tools online.” “State-sponsored cyberattacks are difficult to attribute definitively,” he added.
  • On Monday, Biden warned business executives, “The enormity of Russia’s cyber capability is fairly consequential, and it’s coming.” Read more here.
  • Although no breaches have been established due to the scanning, the FBI advises the latest in a series of warnings from US officials to critical infrastructure operators about the possibility of Russian hacking. Biden’s public notice was broad and aimed to raise awareness of the problem, whereas the FBI advice was intended for a private, technical audience to help firms defend their networks.

An overview of the situation

In an address to the Detroit Economic Club, FBI Director Christopher Wray said Tuesday that federal law enforcement is “working closely” with cyber personnel in the private sector and abroad to assess potential threats.

“With the ongoing crisis in Ukraine, we’re focusing especially on the catastrophic cyber threat posed by Russian intelligence services and the cybercriminal groups they defend and promote,” Wray added. “We have cyber personnel collaborating closely with Ukrainians and other allies overseas, corporate sector, and local partners.”

Wray’s remarks come four days after the FBI warned that vital infrastructure providers were under attack, particularly the energy sector.

According to CBS News, the FBI warning instructed: “US Energy Sector companies to analyze current network traffic for these IP addresses and initiate follow-up investigations if discovered.”

However, the FBI advisory does not specify if the “scanning” is a new threat.
“I’m not sure what this announcement is supposed to mean,” independent security consultant Tom Alrich said in an email. “Probably every large utility in the country is scanned thousands of times an hour, 24 hours a day, by bad actors, so I’m not sure what this announcement means.”

An attack on crucial infrastructure, according to experts, might be interpreted as a war crime, giving a nation-state actor pause. The most adept attackers, on the other hand, maybe able to conceal their origins, according to Hackney.

“He explained that the higher the sum of money, the better the cybercriminals’ capacity to hide who they are and how they are funded. “Because state-sponsored threat actors might have large funds, they are usually adept at concealing their true ties. As a result, assigning blame is impossible.”

President Joe Biden has warned Russia that “we are prepared to retaliate” if it “pursues cyberattacks against our industries, our key infrastructure.” For months, the federal government has been striving to improve the protection of 16 critical industries, including energy, communications, finance, and agriculture. On Monday, President Trump released a statement reinforcing previous warnings that Russia could use harmful cyber activity to retaliate for economic penalties imposed by the US and other countries.

Utilities in the United States have stated that they are “closely monitoring” the situation in Ukraine and that they are collaborating with their peers and the federal government.

“Russia has the capability to launch cyberattacks in the United States that have localized, temporary disruptive effects on critical infrastructures, such as temporarily shutting down an electrical distribution network.,” according to the assessment by Senate Select Committee on Intelligence.

Safety Tips from Protected Harbor

Protected Harbor’s security team has been following the matter for a long time and continues to emphasize cybersecurity. Some tips from our experts on how you can protect your business from cyberattacks:

  • Install firewalls and other advanced protections at workstations and network equipment such as routers and switches to detect unauthorized activity by hackers who might try compromising your system remotely through internet connections.
  • Backup & Disaster Recovery Plan- Always back up data before it is lost in case of an attack. Ensure that all devices are constantly updated with the latest antivirus software available. Password protection should be enabled not just on computers but also on any mobile device or tablet someone may have access to.
  • Know your organization’s pain points and consider how to protect them. Understand that cybersecurity is not just about protecting data but also ensuring resiliency so services can continue when attacked or compromised
  • Consider security from end-to-end; it’s essential to have a sound strategy for both physical and digital assets on-site and remote access via mobile devices.
  • Be aware of what you share online: make sure all social media posts are set appropriately (e.g., don’t post sensitive information like passwords); be cautious with attachments in emails; choose strong passwords that are different than those used elsewhere because they may get stolen by cybercriminals.
  • Logging tools such as Palo Alto Network’s next-generation firewalls should be used to monitor for odd activities (NGFW) continuously. The records should subsequently be examined daily to detect any irregularities.
  • Enable multi-factor authentication (MFA) for all websites, accounts, systems, and network logins, particularly emails. A user’s mobile device is loaded with an application that generates a series of random codes during the login procedure. The code, as well as the password, must be entered by the user.
  • Patch any vulnerabilities and software, including older versions. If you merely patch against known attacks, you risk being caught due to an unknown exposure. Patch your computers, networks, webpages, mobile apps, and anything else connected to the Internet.

The Cybersecurity and Infrastructure Security Agency recently issued a notice listing 13 known vulnerabilities that Russian state-sponsored hackers have used to attack networks. Criminals use gaps to penetrate systems. Therefore network cybersecurity and network protection are critical for a company’s safety.

Recent cyber-attacks on government websites were carried out with simple tools. The website crashed due to multiple users accessing it at the same time. As shown in this piece, cyberwar threatens Western governments and agencies. To increase their security, businesses must take proactive actions.

Protected Harbor assists businesses in defending themselves and their IT operations against known and unknown threats, such as malware, ransomware, viruses, and phishing. We help organizations back up their data and prevent data loss due to ransomware attacks or other security issues. Learn more about Protected Harbor and request a free IT audit to learn how we can assist you in defending against the Russian Cyber Invasion.