A Hacker Breached Uber's Internal Systems Forcing Company to Take Some Systems Offline

White House launches $1 billion cybersecurity grants program for local governments, EU proposes new law to bolster smart device security, FBI issues warning about healthcare systems, much more

Check out my latest CSO column that examines new security software requirements issued by OMB for federal agencies and their software suppliers.

Photo by Paul Hanaoka on Unsplash

Ride-hailing giant Uber suffered a severe breach forcing the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack.

The breach appeared to have compromised many of Uber’s internal systems. A person claiming responsibility for the hack sent images of email, cloud storage, and code repositories to cybersecurity researchers and media outlets. The hacker, who claimed to be eighteen years old, also boasted of having wide-ranging access inside Uber’s corporate networks and appeared to indicate they were motivated by the company’s treatment of its drivers.

Company employees were advised not to use their internal Slack channel after the hacker compromised an employee’s Slack account to post a message saying, “I announce I am a hacker and Uber has suffered a data breach.” The statement listed several internal databases that the hacker claimed had been compromised.

In an effective social engineering move, the hacker claims they had sent a phishing text message to an Uber worker pretending to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to access Uber’s systems.

The extent of the breach appears to be broad, with the hacker seemingly having access to Uber source code, email, and other internal systems. The hacker posted as Uber on a chat function at HackerOne, which runs interference between researchers reporting security vulnerabilities and the companies affected by them. Yuga Labs security engineer Sam Curry said the hacker also had access to the company's HackerOne bug bounty program, where they commented on all of the company's bug bounty tickets.

Uber issued a tweet acknowledging the breach but did not immediately respond to questions about how internal information may have been compromised. Uber previously suffered a breach in 2016 that exposed the personal data of 57 million people worldwide, including names, email addresses, and phone numbers. The company’s former head of security Joe Sullivan is currently on trial for obstructing justice and concealing a felony for not disclosing the breach or revealing it to the F.T.C (Kate Conger and Kevin Roose / New York Times and Faiz Siddiqui and Joseph Menn / Washington Post)

Related: CNN, The Verge, Gizmodo, Fox Business, The Washington Post, Engadget, Fortune, Forbes, Bleeping Computer, CSO Online, CNN.com, BBC News, Engadget, NDTV Gadgets360.com, Slashdot, Bloomberg, DataBreachToday.com, Reuters, Business Insider, The Tech Outlook, Finbold, Tech Monitor, Gadgets Now, The Register - Security, Silicon UK, Tech Xplore, Associated Press Technology, RTT - Technology, Euronews, Wall Street Journal, Cyber Kendra, ZDNet Security, Tech - Insider, iTech Post : Latest News, Teiss, Security Affairs, BetaNews, GizBot, Silicon Republic, The Guardian, Slashdot, PCMag.com, Daily Mail, reddit TECH NEWS, TechWorm, The Record

Uber Comms @Uber_Comms

We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.

September 16th 2022

1,061 Retweets2,397 Likes

Bill Demirkapi @BillDemirkapi

The Uber hack is quite severe and wide ranging. Wishing their blue teams the best of luck and love during this understandably difficult period. Some thoughts & observations based on what we've seen so far 👉 1/N

September 16th 2022

1,814 Retweets5,701 Likes

Kevin Beaumont @GossiTheDog

Uber, what you need to know, the thread. 1)

September 16th 2022

135 Retweets442 Likes

Sam Curry @samwcyo

Someone hacked an Uber employees HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports.

September 16th 2022

891 Retweets3,005 Likes

The Biden Administration launched $1 billion cybersecurity grants for state and local governments.

“The grants will significantly improve national resilience to cyberthreats by giving state, local, and territorial governments much-needed resources to address network security and take steps to protect against cybersecurity risks to help them strengthen our communities,” Alejandro Mayorkas told reporters. A tribal grant program will be released later in the fall, he said.

The four-year fund will release $185 million for the fiscal year 2022. Each state will be eligible for a minimum of $2 million to develop a cybersecurity plan and begin assorted projects (including, potentially, election security projects), and states must allocate at least 80 percent of the funding to local and rural communities and 3 percent to tribal governments. (Tim Starks and Aaron Schaffer / Washington Post)

Related: CISA.gov, The Record

European Union lawmakers have proposed new legislation, the EU Cyber Resilience Act, to bolster security for smart devices.

The proposed law would introduce mandatory cybersecurity requirements for products that have “digital elements” sold across the bloc, with requirements applying throughout their lifecycle, meaning gadget makers will need to provide ongoing security support and updates to patch emerging vulnerabilities.

The proposed rules focus on smart device makers communicating to consumers “sufficient and accurate information” to ensure buyers can grasp security considerations at the point of purchase and set up devices securely after purchase. Penalties proposed by the Commission for non-compliance with “essential” cybersecurity requirements scale up to €15M (around $15 million) or 2.5% of worldwide annual turnover, whichever is greater, with other regulation obligation breaches having a maximum sanction of €10M (around $10 million) or 2% of turnover. (Natasha Lomas / TechCrunch)

Related: Wall Street Journal, The Record, Associated Press, The Independent, Reuters.com, EURACTIV.com, Mobile Europe, Telecompaper Headlines, The Independent, NDTV Gadgets360.com, 9to5Mac, Security Week, European Commission, ZDNet, Gadgets Now

Hamed Haddadi @realhamed

Years of research in [lack of] IoT privacy and security standards has paved the way to good steps forward in regulation: “State of the Union: New EU cybersecurity rules ensure more secure hardware and software products”. Cc ⁦@iotrim⁩ Press cornerHighlights, press releases and speechesec.europa.eu

September 15th 2022

6 Retweets31 Likes

In a move bound to heighten tensions with Beijing, President Biden signed an executive order to sharpen the federal government’s powers to block Chinese investment in technology in the United States and limit the country’s access to private data on citizens.

The order focuses on the actions of the secretive and little-known Committee on Foreign Investments in the United States (CFIUS), created by Congress nearly half a century ago. It directs the committee to consider whether a pending deal involves the purchase of a business with access to Americans’ sensitive data and whether a foreign company or government could exploit that information, reflecting the growing unease about China’s ability to access the personal information that Americans hand over to mobile apps and other services.

CFIUS is believed to be already scrutinizing TikTok, the popular Chinese-owned video app that critics worry could expose its users’ data to the Chinese government. (David Sanger / New York Times)

Related: Financial Times, Briefing Room | The White House, WSJ.com: WSJD, WSJ.com: WSJD, Reuters, Washington Examiner, The White House

Emily Kilcrease @EmilyKilcrease1

1/ New Executive Order on CFIUS and inbound investment screening is out. Great step to provide clarity and transparency around how USG conducts its risk assessments, which is often a black box. FACT SHEET: President Biden Signs Executive Order to Ensure Robust Reviews of Evolving National Security Risks by the Committee on Foreign …First-Ever Presidential Directive Defining Additional National Security Factors for CFIUS to Consider in Evaluating Transactions The United States’whitehouse.gov

September 15th 2022

5 Retweets9 Likes

The Justice Department has tapped over 150 federal prosecutors across the country to bolster law enforcement’s efforts to combat the rise in crime linked to using cryptocurrencies such as bitcoin.

The Digital Asset Coordinators Network is intended to designate subject-matter experts in U.S. attorneys’ offices on the complex technical and legal complications posed by cryptocurrency cases. The creation of the network was motivated partly due to the high degree of technical expertise that can go into prosecuting cryptocurrency cases and digital currencies’ increasing popularity across several different crime areas, said Eun Young Choi, the first director of the Justice Department’s national cryptocurrency enforcement team. (Dustin Volz / Wall Street Journal)

Related: Justice Department

Nicholas Brown @News_By_Nick

(WSJ) - The Justice Department has tapped more than 150 federal prosecutors across the country to bolster law enforcement’s efforts to combat the rise in crime linked to the use of cryptocurrencies such as bitcoin, officials said. @WSJ WSJ News Exclusive | Justice Department Forms National Network of Prosecutors Focused on Crypto CrimeThe new effort is part of a trend toward putting more resources to target illegal activities involving digital currencies.wsj.com

September 16th 2022

1 Retweet

Leaders of Customs and Border Protection told congressional staff in a briefing this summer that U.S. government officials are adding data as many as 10,000 electronic devices each year to a massive database, called Automated Targeting System.

The database is compiled from cellphones, iPads, and computers seized from travelers at the country’s airports, seaports, and border crossings, most of whom have not been charged with any crime. The database details were revealed in a letter to CBP Commissioner Chris Magnus from Sen. Ron Wyden (D-OR), who criticized the agency for “allowing indiscriminate rifling through Americans’ private records” and called for stronger privacy protections.

A Wyden aide said their office was told 2,700 DHS officials had access to the data. But Aaron Bowker, CBP’s director of the office of field operations, said that number is incorrect and that 5 percent of CBP’s 60,000-employee operational workforce, or 3,000 officials, is given access. The Wyden aide also noted that the CBP database does not require officers to record the purpose of their search, a common technical safeguard against data-access misuse. CBP officials said all searches are tracked for later audit. (Drew Harwell / Washington Post)

Related: Cyberscoop

Shannon Vavra @shanvav

The USG has a database of info taken from travelers' phones at checkpoints, with the default to download contacts, call logs & messages—and they're adding up to 10K travelers' info annually. CBP officers can search without a warrant. @drewharwell reports Customs officials have copied Americans’ phone data at massive scaleU.S. government officials are adding data from as many as 10,000 electronic devices each year to a massive database they’ve compiled from travelers’ devices.washingtonpost.com

September 15th 2022

2 Retweets5 Likes

Researchers at Cisco Talos say that an ongoing espionage campaign operated by the Russia-linked Gamaredon group targets employees of Ukrainian government, defense, and law enforcement agencies with a piece of custom-made information-stealing malware using phishing documents containing lures related to the Russian invasion of Ukraine.

The researchers say that the infostealer is a dual-purpose malware capable of exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint. (Ravie Lakshmanan / The Hacker News)

Related: Talos Intel, The Record by Recorded Future, KnowTechie, Security Affairs, Bleeping Computer

The Federal Bureau of Investigation (FBI) issued an alert about hackers targeting healthcare payment processors to route payments to bank accounts controlled by the attacker.

The Bureau said it received multiple reports where hackers use publicly available personal details and social engineering to impersonate victims with access to healthcare portals, websites, and payment information. In just three such incidents in February and April this year, hackers diverted more than $4.6 million to their accounts from the victims. The FBI has compiled a short list of indicators of compromise that could help healthcare organizations spot cybercriminal attempts to gain access to user accounts. (Ionut Ilascu / Bleeping Computer)

Related: Security Affairs, Tripwire, FBI, SC Magazine, Hot Hardware, Databreaches.net

FBI @FBI

The #FBI warns that cybercriminals are stealing user login credentials from healthcare payment processor websites and redirecting payments. Learn more about this #cyber threat—which has cost victims millions of dollars in losses—at ic3.gov/Media/News/202…. #ReportTheCompromise

September 15th 2022

115 Retweets220 Likes

India’s federal cybersecurity agency said that a new mobile banking 'Trojan' virus called SOVA, which can stealthily encrypt an Android phone for ransom and is hard to uninstall is targeting Indian customers.

The agency said SOVA was earlier focusing on countries like the US, Russia, and Spain, but in July 2022, it added several other countries, including India, to its list of targets. According to the advisory, the latest version of this malware hides itself within fake Android applications that show up with the logo of a few famous legitimate apps like Chrome, Amazon, and NFT (non-fungible tokens linked to cryptocurrency) to deceive users into installing them. (The Tribune)

Related: Business Standard, The Tribune India, India.com