Uber has suffered yet another high-profile data leak that exposed sensitive employee and company data. This time, attackers breached the company by compromising an Amazon Web Services (AWS) cloud server used by a third party that provides Uber with asset management and tracking services.
The incident happened over the weekend, when a threat actor named “UberLeaks” began posting data they claimed was stolen from Uber and Uber Eats. The data turned up on the BreachForums hacking forum, the successor of now-defunct RaidForums, media outlets reported, and included employee email addresses, corporate reports, and IT asset information stolen.
Hackers posted a number of archives that they said are source-code associated with various mobile device management (MDM) platforms used by Uber, as well as by Uber Eats and third-party vendor services, according to reports. While no user information appears to have been compromised in the breach — which appears to entirely have affected corporate assets — the personal information of 77,000 Uber employees was leaked.
Hacker Breaches Tequivity AWS Server
Uber acknowledged the incident and pointed the media to a breach notification by a company called Tequivity, which it uses for asset management and tracking services.
Tequivity explained that “customer data was compromised” due to “unauthorized access” to the company’s systems by “a malicious third party,” according Tequivity’s release. Specifically, attackers gained access to the company’s AWS backup server, which houses code and data files related to Teqtivity customers, the company said.
It’s unclear if that access was due to a misconfiguration of the cloud bucket, or if there was an actual compromise to blame.
Information exposed by the attack included information housed on various Uber employees’ IT devices, including serial number, make, models, and technical specifications, as well as employee information, including first and last names, work email addresses, and work location details, according to Teqtivity.
Teqtivity has notified affected customers and is currently investigating as well as working to contain the incident, according to the notification. It’s unclear if the breach affects other companies beyond Uber.
Ongoing Security Issues
This latest incident is indeed not Uber’s first rodeo when it comes to data breaches, as the company has experienced several highly publicized incidents over the past several years that have had significant ramifications for the company.
In fact, a previous third-party breach that occurred in 2016 and exposed the data of some 57 million customers and drivers turned into an absolute public-relations nightmare for Uber, the effects of which are still being felt.
That incident — in which attackers also gained access to Uber data stored in third-party cloud storage — resulted in the firing of its now-former CISO Joe Sullivan after it was discovered that the company engaged in a cover-up of the incident. Sullivan was even found guilty in federal court on charges related to the incident in October.
Uber also experienced a significant breach in September and was forced to take some of its operations offline due to the compromise of its own internal systems, when an attacker socially engineered his way into an employee’s VPN account before pivoting deeper into the network.
Is the Lapsus$ Gang Responsible for the Uber Breach?
While no particular threat group has claimed responsibility or has yet been found to be the guilty party behind the latest breach, there are some initial clues that tie the incident to the well-known cybercriminal extortion group Lapsus$.
The post on BreachForums about the Uber leak reportedly mentions the threat group, while Lapsus$ is believed to be responsible for the Uber September breach as well, Robert Ames, threat researcher from SecurityScorecard, tells Dark Reading.
Ames also notes the responsibility of Lapsus$ for a January incident at Okta, another “major third-party service for many firms,” as a potential clue that the threat group also is at play here. That incident was determined to have affected about 366 Okta customers, the company acknowledged.
Lapsus$ went quiet around July after a spate of incidents earlier in the year including not only the one against Okta, but also attacks on Microsoft and Nvidia. Its responsibility for the September attack on Uber could be a sign of another flurry of activity from the threat group, experts say.
Time to Manage Third-Party and Cloud Cybersecurity Risk
No matter who’s responsible, the latest Uber incident, like the one in 2016, once again highlights the third-party risk that all enterprises face when partner companies are responsible for or have access to corporate data and assets, security experts say.
A core issue is that many organizations don’t secure third-party access to internal data in the same way they secure it within organization IT assets, which leaves that data unnecessarily exposed to outside threats, Ames says.
“Vendors and other third-parties are often granted the same access as employees but with fewer security measures, making them a weak link and therefore a popular target for threat actors,” he says. “When hackers access a third party’s systems, they can access whatever data that system stores, even if it belongs to other organizations.”
Indeed, this is an issue not unique to Uber, but one that demonstrates that “companies everywhere must better prioritize their cybersecurity measures,” especially when it comes to third parties, Stephan Chenette, co-founder and CTO at AttackIQ, says.
Some ways companies can do this include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent, and respond to these threats, he says.
“They should also continuously evaluate their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses,” Chenette says.
Enterprises also should be continuously monitoring their specific third-party cybersecurity posture to reduce the likelihood of attacks, Ames says. This will help give them a more complete picture of their entire attack surface as they seek ways to gain visibility into potential and existing vulnerabilities.
Ames adds that participating in tabletop exercises and threat emulation to ensure that security administrators and employees alike are familiar with countering and responding to threat actors also can help organizations better respond to third-party threats.