A Hacker Breached Uber's Internal Systems Forcing Company to Take Some Systems Offline
White House launches $1 billion cybersecurity grants program for local governments, EU proposes new law to bolster smart device security, FBI issues warning about healthcare systems, much more
Check out my latest CSO column that examines new security software requirements issued by OMB for federal agencies and their software suppliers.
Ride-hailing giant Uber suffered a severe breach forcing the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack.
The breach appeared to have compromised many of Uber’s internal systems. A person claiming responsibility for the hack sent images of email, cloud storage, and code repositories to cybersecurity researchers and media outlets. The hacker, who claimed to be eighteen years old, also boasted of having wide-ranging access inside Uber’s corporate networks and appeared to indicate they were motivated by the company’s treatment of its drivers.
Company employees were advised not to use their internal Slack channel after the hacker compromised an employee’s Slack account to post a message saying, “I announce I am a hacker and Uber has suffered a data breach.” The statement listed several internal databases that the hacker claimed had been compromised.
In an effective social engineering move, the hacker claims they sent a phishing text message to an Uber worker while posing as a corporate information technology staffer. The worker was persuaded to hand over a password that allowed the hacker to access Uber’s systems.
The extent of the breach appears to be broad, with the hacker seemingly having access to Uber source code, email, and other internal systems. The hacker posted as Uber on a chat function at HackerOne, which acts as an intermediary between researchers reporting security vulnerabilities and the companies affected by them. Yuga Labs security engineer Sam Curry said the hacker also had access to the company's HackerOne bug bounty program, where they commented on all of the company's bug bounty tickets.
Uber issued a tweet acknowledging the breach but did not immediately respond to questions about how internal information may have been compromised. Uber previously suffered a breach in 2016 that exposed the personal data of 57 million people worldwide, including names, email addresses, and phone numbers. The company’s former head of security, Joe Sullivan, is currently on trial for obstructing justice and concealing a felony for not disclosing the breach or revealing it to the F.T.C. (Kate Conger and Kevin Roose / New York Times and Faiz Siddiqui and Joseph Menn / Washington Post)
Related: CNN, The Verge, Gizmodo, Fox Business, The Washington Post, Engadget, Fortune, Forbes, Bleeping Computer, CSO Online, CNN.com, BBC News, Engadget, NDTV Gadgets360.com, Slashdot, Bloomberg, DataBreachToday.com, Reuters, Business Insider, The Tech Outlook, Finbold, Tech Monitor, Gadgets Now, The Register - Security, Silicon UK, Tech Xplore, Associated Press Technology, RTT - Technology, Euronews, Wall Street Journal, Cyber Kendra, ZDNet Security, Tech - Insider, iTech Post : Latest News, Teiss, Security Affairs, BetaNews, GizBot, Silicon Republic, The Guardian, Slashdot, PCMag.com, Daily Mail, reddit TECH NEWS, TechWorm, The Record
The Biden Administration launched a $1 billion cybersecurity grant program for state and local governments.
“The grants will significantly improve national resilience to cyberthreats by giving state, local, and territorial governments much-needed resources to address network security and take steps to protect against cybersecurity risks to help them strengthen our communities,” Alejandro Mayorkas told reporters. A tribal grant program will be released later in the fall, he said.
The four-year fund will release $185 million for the fiscal year 2022. Each state will be eligible for a minimum of $2 million to develop a cybersecurity plan and begin assorted projects (including, potentially, election security projects), and states must allocate at least 80 percent of the funding to local and rural communities and 3 percent to tribal governments. (Tim Starks and Aaron Schaffer / Washington Post)
European Union lawmakers have proposed new legislation, the EU Cyber Resilience Act, to bolster security for smart devices.
The proposed law would introduce mandatory cybersecurity requirements for products that have “digital elements” sold across the bloc, with requirements applying throughout their lifecycle, meaning gadget makers will need to provide ongoing security support and updates to patch emerging vulnerabilities.
The proposed rules focus on smart device makers communicating to consumers “sufficient and accurate information” to ensure buyers can grasp security considerations at the point of purchase and set up devices securely after purchase. Penalties proposed by the Commission for non-compliance with “essential” cybersecurity requirements scale up to €15M (around $15 million) or 2.5% of worldwide annual turnover, whichever is greater, with other regulation obligation breaches having a maximum sanction of €10M (around $10 million) or 2% of turnover. (Natasha Lomas / TechCrunch)
Related: Wall Street Journal, The Record, Associated Press, The Independent, Reuters.com, EURACTIV.com, Mobile Europe, Telecompaper Headlines, The Independent, NDTV Gadgets360.com, 9to5Mac, Security Week, European Commission, ZDNet, Gadgets Now
In a move bound to heighten tensions with Beijing, President Biden signed an executive order to sharpen the federal government’s powers to block Chinese investment in technology in the United States and limit the country’s access to private data on citizens.
The order focuses on the actions of the secretive and little-known Committee on Foreign Investments in the United States (CFIUS), created by Congress nearly half a century ago. It directs the committee to consider whether a pending deal involves the purchase of a business with access to Americans’ sensitive data and whether a foreign company or government could exploit that information, reflecting the growing unease about China’s ability to access the personal information that Americans hand over to mobile apps and other services.
CFIUS is believed to be already scrutinizing TikTok, the popular Chinese-owned video app that critics worry could expose its users’ data to the Chinese government. (David Sanger / New York Times)
The Justice Department has tapped over 150 federal prosecutors across the country to bolster law enforcement’s efforts to combat the rise in crime linked to using cryptocurrencies such as bitcoin.
The Digital Asset Coordinators Network is intended to designate subject-matter experts in U.S. attorneys’ offices on the complex technical and legal complications posed by cryptocurrency cases. The creation of the network was motivated partly by the high degree of technical expertise that can go into prosecuting cryptocurrency cases and by digital currencies’ increasing popularity across several different crime areas, said Eun Young Choi, the first director of the Justice Department’s national cryptocurrency enforcement team. (Dustin Volz / Wall Street Journal)
Related: Justice Department
Leaders of Customs and Border Protection told congressional staff in a briefing this summer that U.S. government officials are adding data from as many as 10,000 electronic devices each year to a massive database called the Automated Targeting System.
The database is compiled from cellphones, iPads, and computers seized from travelers at the country’s airports, seaports, and border crossings, most of whom have not been charged with any crime. The database details were revealed in a letter to CBP Commissioner Chris Magnus from Sen. Ron Wyden (D-OR), who criticized the agency for “allowing indiscriminate rifling through Americans’ private records” and called for stronger privacy protections.
A Wyden aide said their office was told 2,700 DHS officials had access to the data. But Aaron Bowker, CBP’s director of the office of field operations, said that number is incorrect and that 5 percent of CBP’s 60,000-employee operational workforce, or 3,000 officials, is given access. The Wyden aide also noted that the CBP database does not require officers to record the purpose of their search, a common technical safeguard against data-access misuse. CBP officials said all searches are tracked for later audit. (Drew Harwell / Washington Post)
Researchers at Cisco Talos say that an ongoing espionage campaign operated by the Russia-linked Gamaredon group targets employees of Ukrainian government, defense, and law enforcement agencies with a piece of custom-made information-stealing malware using phishing documents containing lures related to the Russian invasion of Ukraine.
The researchers say that the infostealer is a dual-purpose malware capable of exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint. (Ravie Lakshmanan / The Hacker News)
The Federal Bureau of Investigation (FBI) issued an alert about hackers targeting healthcare payment processors to route payments to bank accounts controlled by the attacker.
The Bureau said it received multiple reports where hackers use publicly available personal details and social engineering to impersonate victims with access to healthcare portals, websites, and payment information. In just three such incidents in February and April this year, hackers diverted more than $4.6 million to their accounts from the victims. The FBI has compiled a short list of indicators of compromise that could help healthcare organizations spot cybercriminal attempts to gain access to user accounts. (Ionut Ilascu / Bleeping Computer)
India’s federal cybersecurity agency said that a new mobile banking 'Trojan' virus called SOVA, which can stealthily encrypt an Android phone for ransom and is hard to uninstall, is targeting Indian customers.
The agency said SOVA was earlier focusing on countries like the US, Russia, and Spain, but in July 2022, it added several other countries, including India, to its list of targets. According to the advisory, the latest version of this malware hides itself within fake Android applications that show up with the logo of a few famous legitimate apps like Chrome, Amazon, and NFT (non-fungible tokens linked to cryptocurrency) to deceive users into installing them. (The Tribune)