As reported by govinfosecurity, an actor going by the handle “UberLeak” on Saturday posted online a number of files available for free download purporting to originate from Uber. Bleeping Computer and Restore Privacy each reported the news.
Although UberLeak references Lapsus$, the files “are unrelated to our security incident in September,” an Uber spokesperson told Information Security Media Group.
The spokesperson pointed to a breach notification statement from Teqtivity, a firm that develops software for managing and tracking IT assets such as smartphones and computers.
Teqtivity acknowledges that a malicious third party gained unauthorized access to its systems, stating the threat actor “was able to gain access to our Teqtivity AWS backup server that housed Teqtivity code and data files related to Teqtivity customers.”
The exposed data includes device information such as make, model and serial number, as well as user information including names and work email address. The company says it does not collect personal information such as home address or financial data.
Security experts who examined the data posted to the hacking forum told Bleeping Computer it contains source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses. The public posting of work email addresses places Uber employees at increased risk of phishing.
ESET’s cybersecurity expert Jake Moore commented:
Third party access can often be the weakest link in an inevitable attack as threat actors look at all links to a company in search of a weakness to exploit. The particular data taken in this attack includes sensitive information such as email addresses which increases the risk of targeted phishing on employees. Staff should now be on heightened alert to any subsequent targeted attempts to phish for more information by threat actors.
Unauthorized access on this level is not uncommon and these supply chain attacks can cause serious damage to a company and its employees. The best way to keep on top of hidden vulnerabilities is to use professional penetration teams in search of these back door entry points and to check their partners too. Social engineering also recently caused Uber to hand over almost total administrative control to the company’s computer systems, including software source code and internal messaging systems which highlights the prevalence and persistence of hacking groups targeting big firms.
ESET Ireland 