Uber has sustained a third-party breach. Its scope and effects are still to be fully determined. It’s the second breach at Uber since September.
Uber’s data breach.
BleepingComputer reports that Uber has sustained a breach. Over the weekend a group styling itself “UberLeaks” began dumping data it claimed to have stolen from Uber and Uber Eats. The data dumped online include what the attackers say is source code for mobile device management platforms and for third-party vendor services the company uses. BleepingComputer says, “The threat actor created four separate topics, allegedly for Uber MDM at uberhub.uberinternal.com and Uber Eats MDM, and the third-party Teqtivity MDM.” Update, 3:00 PM, December 13th, 2022: TripActions emailed us the following note, which corrects earlier reports that TripActions had been affected by the incident: "Following investigations by both TripActions and Teqtivity, it has been determined that no TripActions data was exposed as part of this security incident nor were TripActions customers impacted as part of this security incident. TripActions does not maintain an MDM. We will continue to monitor the situation." SecurityWeek has also published some additional, more recent coverage.
No signs, so far, that customer data have leaked.
The data compromised include, Uber believes, corporate and employee data, but not customer information. Chris Hauk, consumer privacy champion with Pixel Privacy, wrote that, “Happily, there doesn't appear to be any customer information exposed in this breach. However, the internal corporate information that has been exposed in the breach could be used by bad actors to extract additional information via social engineering, meaning customer data could be exposed in later breaches.”
That customer data may not have been exposed in this attack is, of course, no cause for complacency. Neil Jones, director of cybersecurity evangelism at Egnyte, outlined the potential scope of the problem. "The rideshare industry collects a veritable treasure trove of data that can be exploited by potential cyberattackers, including personally identifiable information (PII), credit card data, employee records and users’ behavioral patterns like ride history," he said. "So, frankly, I am surprised to see that Uber hasn’t prioritized its own cybersecurity—and analyzed the cybersecurity processes of its third-party vendors—more effectively. I am especially concerned that the new attack may involve source code data associated with its mobile device management (MDM) platforms and Microsoft Windows login information, which are extremely valuable for future attacks. The new cyberattack on Uber is a stark reminder that organizations' cybersecurity programs are only as strong as their weakest links. Uber employees should be on the lookout for potential phishing emails and report the communications to their IT support contacts straightaway. In addition to closely reviewing third-party vendors’ IT security practices, general cybersecurity awareness training and anti-phishing education are powerful deterrents to future attacks.”
Exposure to third-party vendor risk.
This incident apparently originated in the compromise of a third-party vendor, and there’s some evidence of Lapsus$ gang activity. Uber told BleepingComputer, “We believe these files are related to an incident at a third-party vendor and are unrelated to our security incident in September. Based on our initial review of the information available, the code is not owned by Uber; however, we are continuing to look into this matter.”
The third-party vendor appears to have been Teqtivity, which says in its own statement, “We are aware of customer data that was compromised due to unauthorized access to our systems by a malicious third party. The third party was able to gain access to our Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers.”
Teqtivity is still investigating the incident, but it believes that the information exposed in the attack includes:
- “Device information: Serial Number, Make, Models, Technical Specs.”
- “User Information: First Name, Last Name, Work Email Address, Work Location details.”
Stephan Chenette, Co-Founder and CTO at AttackIQ, puts the incident in the context of a recent trend toward damaging third-party effects:
“The most recent Uber incident is yet another example of a third-party vendor breach that has exposed personally identifiable information (PII). As a result of third-party vulnerabilities, employee emails, source code, corporate reports and IT asset information can be bought and sold for top dollar on the dark web.
"It is important that organizations trusted with sensitive data as well as their third-party vendors take proactive approaches to assessing and validating their security controls. This should include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent and respond to these threats. They should also continuously evaluate their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses.”
Robert Ames, Threat Researcher at SecurityScorecard, draws a distinction between the third-party origin of this breach and the social engineering behind the September incident. “While the September Uber breach was the result of MFA fatigue, a form of social engineering, in which the hacker obtains login credentials and then bypasses an additional authentication factor,” he wrote, “the latest breach, the apparent result of a third-party compromise, highlights the importance of the role vendors play in protecting organizations.”
Ames explained that part of the risk arises from the privileges companies routinely grant their vendors. “Vendors and other third-parties are often granted the same access as employees but with fewer security measures, making them a weak link and therefore a popular target for threat actors,” he wrote. “When hackers access a third party’s systems, they can access whatever data that system stores, even if it belongs to other organizations. In this particular case, attackers appear to have found Uber data stored on a vendor’s AWS server. While this latest breach has not yet been attributed to a particular threat actor group, it may bear noting that the Lapsus$ threat actor group believed to be responsible for the September Uber breach also breached Okta, a major third-party service for many firms, in January of this year.”
Thus in Ames’s view, “It is crucial for companies to continuously monitor third-party cybersecurity posture to reduce the likelihood of attacks. Additionally, companies should evaluate their cybersecurity strategy, have a complete picture of their attack surface, seek ways to gain visibility into vulnerabilities and participate in tabletop exercises and threat emulation to ensure they are familiar with countering and responding to threat actors.”
Third-party compromise is one of many ways an organization can be reached. Oz Alashe MBE, CEO of CybSafe, said:
“This particular breach highlights there are various ways malicious actors can gain access to sensitive information. In this case, Uber was not targeted; instead, it was a third-party vendor. However, with the information accessed, including employee names and email addresses, Uber workers will be a line of defense in preventing more breaches. They will need to be on the lookout for phishing emails aimed at gaining further access to sensitive information.”
Ilia Kolochenko, Chief Architect & CEO of ImmuniWeb, called third parties the weakest link. “Vulnerable third parties are usually the weakest link of tech giants like Uber. After the recent criminal conviction of an ex-executive of Uber in relation to the 2016 data breach, Uber has likely boosted its investments into cybersecurity,” he said, adding:
“Despite all the efforts, controlling your external vendors is an arduous and costly task, which is often underfunded and underprioritized compared to other security processes. Unsurprisingly, pragmatic cybercriminals hit the most vulnerable party to extract valuable data from Uber, which can be now exploited to further sophisticated attacks. For instance, cybercriminals will likely exploit the stolen information about Uber’s network architecture and personal data of employees for advanced spear-phishing or password-spraying attacks, trying to break into Uber’s internal networks and get access to customer databases. Their chances to succeed are unfortunately quite high in view of the confidential information allegedly in their possession. From a legal viewpoint, this third-party data breach is disastrous news for Uber that may be now accused of systematic failures to implement necessary security controls, as well as of a flawed information security management system. Given the size and impact of the breach, both federal and state US agencies may go after the breached supplier and Uber.”
A recent record of data breaches at Uber.
AttackIQ’s Chenette notes with regret that this breach isn’t the first Uber has sustained. "Unfortunately, Uber has suffered numerous breaches in recent years,” he wrote. “Besides the high-profile breach that occurred three months ago that caused the company's internal databases to be hacked, Uber also faced other significant attacks in the past, such as a massive data breach in 2016 that exposed the data of about 57 million customers and drivers. The failed protection of a third-party vendor in the most recent attack reveals that companies everywhere must better prioritize their cybersecurity measures.”
How attackers may have gained initial access.
Lior Yaari, CEO and co-founder of Grip Security, sees the risk to identities across the SaaS layer:
“The threat actor, with connections to Lapsus$, starts with technographic profiling. Unlike traditional demographic profiling (targeting data types and industries who have it), technographic profiling is not based on industry, company size, tax status, geolocation, or other business-defining attributes. No, companies are now being targeted based on their technology and technology users. In the case of Uber, this included some of those identity-technology relationships such as source code and Windows domain login names and email addresses — giving way to unauthorized access to the digital enterprise’s operation (source code, IT assets, data security reports, and directory services) … not financial records or customer personal information.
"Security leaders and teams must identify risks most relevant based on accessibility and impact to pinpoint dangerous combinations of weak access controls and SaaS with critical capabilities to control business functions and other technologies — and mitigate attack paths by foreclosing the opportunity to obtain credentials or gain unauthorized access from global identity sprawl.”
The earlier breach in September seems to have been accomplished by wearing employees down with multi-factor authentication (MFA) fatigue. A.N. Ananth, chief strategy officer at Netsurion, referred back to that breach as an object lesson in the insufficiency of MFA alone to protect a network. It’s a valuable tool and sound practice, but in itself it doesn’t guarantee security:
"From the previous Uber breach, it was suggested that the hacker gained initial access by bombing an internal user with repeated MFA requests till he accepted one just to make it stop. The lesson learned is that MFA is not a silver bullet, and that MFA fatigue is a thing now. After all, who can ignore 300 MFA messages at 3 AM ostensibly from the IT Dept? Another lesson here is that just as we set up limits on password retry and disable accounts to prevent brute force password guessing, so also, we must set up MFA exhaust limits.
"Once this initial access was gained, the attacker uncovered PowerShell scripts which had hardcoded passwords for admin accounts. This allowed lateral movement. The lesson here is obvious – convenience is the enemy of security.
"Lastly, we can all bemoan that 'users are the weakest link' but given an 'assume breach' mentality, the takeaway is perform social engineering assessments, in addition to usual vulnerability scans."
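Ananth's "MFA exhaust limit" can be expressed as detection logic over authentication logs. The following is an added example, not code from the article or from Netsurion: it counts MFA push prompts per user in a sliding window, raises a "lockout" alert when the count reaches the limit (the point at which further prompts should be suspended), and raises a higher-severity alert if an approval arrives while the user is still inside such a burst. The log format, thresholds and sample lines are constructed for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back period (assumption for this example)
PUSH_LIMIT = 5                  # pushes per WINDOW before we treat it as fatigue

# Constructed sample log, one event per line: "<ISO timestamp> <user> <event>".
# Events: MFA_PUSH_SENT, MFA_DENIED, MFA_APPROVED. Not real Uber or vendor data.
SAMPLE_LOG = """\
2022-09-15T03:00:00 alice MFA_PUSH_SENT
2022-09-15T03:00:04 alice MFA_DENIED
2022-09-15T03:00:30 alice MFA_PUSH_SENT
2022-09-15T03:00:33 alice MFA_DENIED
2022-09-15T03:01:00 alice MFA_PUSH_SENT
2022-09-15T03:01:30 alice MFA_PUSH_SENT
2022-09-15T03:02:00 alice MFA_PUSH_SENT
2022-09-15T03:02:30 alice MFA_PUSH_SENT
2022-09-15T03:02:41 alice MFA_APPROVED
2022-09-15T09:14:02 bob MFA_PUSH_SENT
2022-09-15T09:14:09 bob MFA_APPROVED
2022-09-15T09:20:00 carol MFA_PUSH_SENT
2022-09-15T09:31:00 carol MFA_PUSH_SENT
"""


@dataclass
class Alert:
    user: str
    at: datetime
    pushes: int      # pushes seen for this user inside the window
    severity: str    # "lockout" or "approved-after-burst"


def parse_line(line: str):
    ts, user, event = line.split()
    return datetime.fromisoformat(ts), user, event


def detect_mfa_fatigue(lines, window=WINDOW, push_limit=PUSH_LIMIT):
    """Sliding-window MFA push counter per user.

    'lockout' fires the first time a user's push count reaches push_limit inside
    the window; 'approved-after-burst' fires if the user then approves a prompt
    while still over the limit (the 'accepted one just to make it stop' case).
    """
    recent = defaultdict(deque)   # user -> timestamps of pushes still in window
    over_limit = set()            # users currently in a flagged burst
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, event = parse_line(line)
        q = recent[user]
        while q and ts - q[0] > window:   # expire pushes older than the window
            q.popleft()
        if event == "MFA_PUSH_SENT":
            q.append(ts)
            if len(q) >= push_limit and user not in over_limit:
                over_limit.add(user)
                alerts.append(Alert(user, ts, len(q), "lockout"))
        elif event == "MFA_APPROVED" and user in over_limit and len(q) >= push_limit:
            alerts.append(Alert(user, ts, len(q), "approved-after-burst"))
        if len(q) < push_limit:           # burst has aged out; clear the flag
            over_limit.discard(user)
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{a.at.isoformat()} {a.user}: {a.severity} ({a.pushes} pushes)")
```

Only the burst against alice is flagged; bob's single prompt and carol's two prompts eleven minutes apart stay under the limit.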
Public accessibility of stolen data exposes Uber to heightened risk of phishing.
Anand Revashetti, CTO and co-founder of Lineaje, offered a direct assessment of the near-term consequences of the breach. “What's clear is that Uber's internal corporate information is now available to all, which is gold dust for attackers to conduct further targeted phishing attempts and infiltrate Uber's systems. Uber and its vendors must now enforce a heightened level of security and alertness to guard themselves from becoming another supply chain threat vector," Revashetti said. "To prevent this, organizations need to know what’s in their software. This knowledge helps them not only discover risks but be more proactive in mediating the threats they impose. That is why it’s critical to have solutions that help companies analyze the software supply chain and avoid deployment of unknown and malicious components hidden in legitimate software.”
In any case, one safe bet is that Uber employees should prepare themselves to withstand a wave of phishing and other social-engineering approaches that can be expected to make use of the data the attackers have dumped online. Paul Bischoff, privacy advocate at Comparitech, says, “The leaked data included email addresses and active directory info for thousands of Uber employees. Given that the data is now publicly accessible, as opposed to being sold to a single party, anyone could use it to launch targeted phishing attacks against Uber employees. These attacks could trick Uber staff into giving up login credentials, leading to further, more consequential attacks. Even if only a handful of employees out of the 77,000 affected were to fall victim to a phishing scam, it could be detrimental to Uber and its customers.”
And Tonia Dudley, Chief Information Security Officer at Cofense, will have the last word on what to expect next:
"Just a few months after Uber’s internal IT systems were breached by a social engineering attack, Uber employees’ personal information has been leaked via a third-party cybersecurity incident. With the newly-leaked Uber employee accounts, it's critical for Uber to ensure that they have two-factor or two-step authentication enabled.
"If threat actors are able to map password leaks to current employees, they may be able to identify employees who re-used the same password. With the leak of Windows Active Directory information, this could give threat actors an extra advantage if they were to try and compromise Uber's internal infrastructure.
"It is especially important for all employees to be on the lookout for phishing emails impersonating IT support. Indicators that an email may be a phishing attempt include an improper tone or greeting, grammar or spelling errors and inconsistencies in email addresses, links and domain names. Employees should also confirm all information directly with IT admins before responding to such emails.”
Third-party risk and supply-chain security.
Added, 9:00 PM, December 13th, 2022.
Lorri Janssen-Anessi, BlueVoyant's Director of External Cyber Assessments, advises organizations to take the incident that affected Uber as a cautionary tale in assessing risk, and in particular by reviewing the techniques the attackers used, and by arriving at a realistic understanding of the risks their vendors expose them to:
“It is imperative that companies take note of the common techniques that threat actors are employing to compromise networks. There is clear evidence that third parties or third-party vendors continue to be the favored vector to exploit in order to gain access to a larger target. This reported Uber breach is yet another unfortunate example. Not only did the threat actor exploit a third party to gain access to the company, this was not the first incident the company suffered recently. This tactic is highly successful, and until companies extend their security programs and practices systematically throughout the entire ecosystem, they will continue to be at risk. This also highlights the dangers of sharing information with third parties or third-party vendors, that you are at the mercy of the third-party security program, if one exists, and its implementation. This holds your data undeniably at risk via that third-party vendor.
"BlueVoyant recently surveyed more than 2,000 C-level executives on supply chain cybersecurity. The survey showed that organizations are still struggling to monitor and prevent negative impacts from vendors and suppliers. Ninety-eight percent of firms surveyed say they have been negatively impacted by a cybersecurity breach that occurred in their supply chain, slightly up from 97% of respondents last year. One reason for this may be that 40% of respondents rely on the third-party vendor or supplier to ensure adequate security, which can leave them vulnerable to breaches.
"In order for companies to better protect themselves from attacks like this, they should make sure they know the vendors, suppliers and other third-parties that have network access and are needed for business continuity. They should then continuously monitor these third-parties to find issues, like unpatched systems or IT hygiene issues. Then companies should work with their third parties to remediate these issues.”
Added, 11:30 PM, December 13th, 2022.
We also heard from Keiron Holyome, BlackBerry's VP UKI, Eastern Europe, Middle East, Africa, who notes a tendency to complacency about vendor security:
“Too many businesses trust their vendors have security covered, so don’t protect against potential tech supply chain attacks like the one Uber has suffered. It would make sense if companies weren’t being attacked. But new BlackBerry research has found that 4 in 5 IT decision makers have been notified of an attack or vulnerability in their supply chain in the last 12 months. Of those attacked, nine out of ten organisations (90%) took up to a month to recover.
“Incidents like this prove companies can’t afford to be so relaxed. Businesses need a complete, granular view of all potential network and endpoint vulnerabilities in order to predict, prevent, discover, and respond to attacks - whether direct attacks upon a business, or those coming through the software supply chain. Solutions based on AI technology, backed by professional support on call 24x7, can re-establish confidence in a secure software supply chain.”
“An Extended Detection and Response (XDR) tool is a wise option to enable this. By collecting and analysing data from multiple sources, XDR gives the visibility and proactive action to prevent attacks that organisations need. However, new BlackBerry data shows that more than three-in-four IT and cyber decision-makers currently report a lack of holistic visibility into their security posture.”
Added, 8:45 PM, December 13th, 2022.
Will LaSala, Field CTO at OneSpan, describes some of the implications of third-party risk, and how an organization can work to mitigate it:
“The recent Uber data breach actually appears to have been an attack on Teqtivity, a third-party technology provider to Uber and a Mobile Device Management (MDM) platform that helps Enterprise IT track and secure mobile devices. To be clear, the data breach occurred on Teqtivity’s AWS backup server that stores data for customers, such as Uber.
"This appears to be a misconfigured AWS instance in a third-party that was holding customer data — data that had very specific information on internal users at corporations. From an attack standpoint, the customer should be reviewing their AWS configurations and checking to make sure they are secure and compliant. Administrators should be protecting their access with strong two-factor authentication. Additionally, the third-party technology vendor should have leveraged proper encryption in order to prevent the data from being used outside the platform.
"Instances like this are concerning as it allows for attackers to further penetrate networks. With that level of information, the attackers can gain access to corporate networks and then perform social engineering attacks against other employees, who could grant further access to privileged information and networks. Uber and other customers should be on high alert for suspicious users and employees asking for access that they normally would not look for.”
Added, 9:30 PM, December 15th, 2022.
Bentsi Ben-Atar, Co-founder and CMO of Sepio, also cautions that most organizations are similarly exposed to third-party risk: “The latest data breach at Uber demonstrates just how vulnerable organizations are to third-party risks. Sharing and storing information with partner companies exposes organizations to outside threats. Hackers can infiltrate third-party systems and gain access to other organizations' data, as in this incident. This should serve as a reminder to all organizations that they are only as secure as their weakest link.”
Added, 8:00 PM, December 17th, 2022.
Bryan Murphy, Senior Director, Consulting Services and Incident Response at CyberArk, noting that Uber isn't the only recent victim of a third-party breach, urges systematic consideration of exposure to this category of risk:
"The Uber and Gemini breaches this week highlight the pervasive risks that third-party vendors can create. It serves as a reminder that organizations need to understand where they could be exposed to vendor-related risk and put in place consistent policies for re-evaluating those relationships. Think of regularly validating external vendors’ own internal security controls like car maintenance. Security controls require regular tuning to make sure they can withstand new threats, or bumps in the road. Ultimately, your third-party partners are an extension of your business, and there needs to be accountability for upholding high security standards that don’t create unnecessary cybersecurity risk."