Uber said there was no evidence any sensitive user data was compromised after a breach enabled a teen hacker to access its critical internal systems, but blamed the incident on attackers associated with the notorious LAPSUS$ hacker group, which rose to prominence earlier this year for hacking a number of prominent tech companies, including Microsoft, Cisco, Samsung, Okta, Nvidia, and Ubisoft, among others. An arrest has been made, likely in connection with the incident.
It's not the first time the company has dealt with a security breach and been the victim of a hack. A 2016 security incident saw hackers nab data linked to 57 million users, including 7 million drivers, and in 2018 Uber agreed to a $148 million settlement. The ridesharing company was heavily criticized for how it handled the incident after it emerged that it had kept the hack secret for more than a year, paid the hackers $100,000 to delete the information, and had them sign a nondisclosure agreement in an attempt to pass off the payment as a bug bounty reward.
What’s trending in security?
⬆️ A Chinese nation-state actor dubbed Webworm has been revamping ageing malware like Trochilus, Gh0st RAT, and 9002 RAT in espionage attacks against entities located in Asia. The constant tweaking is also an indication that attackers are not only looking to have a fallback option for remote access, but are also having a harder time getting their malware onto targeted networks without being detected. [The Hacker News]
🚩 An update to the Ares banking trojan in August 2022 introduced a domain generation algorithm (DGA), which mirrors the Qakbot DGA, likely in an effort to “maximize the lifetime of an infection, which provides more opportunities for monetizing compromised systems through attacks such as wire fraud, and ransomware.” [Zscaler]
🐝 A new modular backdoor called BumbleBee (not to be confused with the malware loader also known as Bumblebee that typically acts as a precursor for ransomware) has been found to steal keystrokes and clipboard content, though it can significantly expand its capabilities by loading additional components from its server application. [Trend Micro]
🔗 Speaking of the other Bumblebee, an initial access broker with ties to the Conti ransomware group – Exotic Lily aka Projector Libra – was recently observed distributing the malware to deploy Cobalt Strike. Bumblebee is also seen as a replacement for BazarBackdoor, and has since been co-opted by several threat actors in their campaigns. [Unit 42]
💵 As part of a crackdown on Iranian state-sponsored actors, the U.S. government sanctioned Iran’s Ministry of Intelligence and Security (MOIS) as well as 10 Iranian nationals and two entities that are alleged to have acted as a front for conducting ransomware attacks globally since October 2020 by exploiting well-known software vulnerabilities. [The Hacker News / Dark Reading / The Register]
⚠️ Gamaredon, a prominent Russian government-linked hacking group, has been found using a previously unseen information stealer to exfiltrate files of interest from Ukrainian victims, adding to the already diverse set of malicious artifacts used by the group. What's also notable is that the campaign is supported by stealth mechanisms such as geo-fencing infrastructure to target only Ukrainian users by means of an IP address check, reducing its digital footprint and evading detection. [The Hacker News]
ℹ️ Google shared more information on recently introduced technology called MiraclePtr that's meant to reduce the exploitability of use-after-free vulnerabilities in the Chrome web browser. Half of the known exploitable bugs in Chrome are use-after-frees, the company said, adding it “already helped us find and fix a number of bugs that were previously undetected.” [Google]
💭 Microsoft's Teams client stores users' authentication tokens in an unprotected text format, potentially allowing attackers with local access to post messages and move laterally through an organization, even with two-factor authentication enabled. The company has opted not to patch the bug, on the grounds that an attacker would need to have already compromised a system on the target network. Users can instead use the web-based Teams client to mitigate the threat. [Vectra]
↘️ The Linux kernel maintainers' fix for the Retbleed speculative execution bug is estimated to impact compute performance by a whopping 70 percent. [The Register]
📍 Law enforcement agencies in the U.S. are using a mass surveillance tool called Fog Reveal developed by a data broker named Fog Data Science to track people's movements by generating map plots known as “patterns of life.” This location information is said to be gathered through “unstructured geo-spatial data emanating from open apps (Starbucks, Waze, etc.),” according to the Electronic Frontier Foundation (EFF). The findings show that the market for app-derived location data is massive. [EFF]
🔤 Advanced spell-checking features present in the Google Chrome and Microsoft Edge browsers are leaking sensitive user information — including username, email, and Social Security numbers — to Google and Microsoft, respectively, when people fill in forms on popular websites and cloud-based enterprise apps. What's more, passwords are also sent to Google and Microsoft's servers for spellcheck if the “show password” feature is clicked when entering a password into a site or service. An even bigger question that arises is what happens to the information once it's sent to Google or Microsoft, although the former told Bleeping Computer the data is only stored temporarily and that it will work to exclude passwords going forward. The privacy-defeating information leak has been dubbed Spell-Jacking. [otto-js / Bleeping Computer]
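The "show password" path described above is worth seeing in code. What follows is an added example, not code from the otto-js report or from this newsletter: it models the browser behaviour the report describes (spell-checkers read editable text-like fields, never `type="password"`, and honour the `spellcheck="false"` attribute) and shows the site-side opt-out that closes the gap. The field list, the sensitive-name pattern and the element stand-in are constructed for the example; in a browser, pass `Array.from(form.elements)` to the same functions.

```javascript
// Added example: why a "show password" toggle exposes a field to enhanced
// spell-check, and the opt-out that prevents it. The eligibility rule below is
// an assumption based on the behaviour reported by otto-js.

const TEXT_LIKE_TYPES = ['text', 'search', 'email', 'url', 'tel', 'textarea'];
// Field names that usually carry secrets or PII (assumed list; extend per site).
const SENSITIVE_NAME = /pass|pwd|secret|token|ssn|social|card|cvv/i;

// Would the browser's spell-checker read this field's contents?
function isSpellcheckEligible(field) {
  if (field.disabled || field.readOnly) return false;
  if (!TEXT_LIKE_TYPES.includes(field.type)) return false; // password fields are exempt
  return field.spellcheck !== false;                       // unset/true means the field is checked
}

function isSensitiveField(field) {
  return field.type === 'password' || SENSITIVE_NAME.test(field.name || '');
}

// Set spellcheck="false" on every sensitive field (on a real element the
// property reflects to the attribute). Returns the names of the fields changed.
function hardenSensitiveFields(fields) {
  const changed = [];
  for (const field of fields) {
    if (isSensitiveField(field) && field.spellcheck !== false) {
      field.spellcheck = false;
      changed.push(field.name);
    }
  }
  return changed;
}

// The usual "show password" toggle only flips the type, so a field whose
// spellcheck state was left at the default becomes readable once revealed.
function togglePasswordVisibility(field) {
  field.type = field.type === 'password' ? 'text' : 'password';
  return field;
}

// Constructed stand-in for HTMLInputElement so the example runs under Node.
function makeField(name, type) {
  return { name, type, spellcheck: true, disabled: false, readOnly: false };
}

// Run the scenario on a naive form and a hardened copy; report which fields
// the spell-checker could read after the user clicks "show password".
function runScenario() {
  const build = () => [makeField('username', 'text'), makeField('password', 'password'), makeField('ssn', 'text')];
  const naive = build();
  const hardened = build();
  const changed = hardenSensitiveFields(hardened);

  togglePasswordVisibility(naive[1]);
  togglePasswordVisibility(hardened[1]);

  const leaks = (fields) => fields.filter(isSpellcheckEligible).map((f) => f.name);
  return { changed, naiveLeaks: leaks(naive), hardenedLeaks: leaks(hardened) };
}

console.log(runScenario());
```

The naive form leaks all three fields once the password is revealed, because the toggle changes the type but not the spell-check state; the hardened form still exposes only the username, which is the one field a site may reasonably leave checkable. The same opt-out belongs on any field holding identifiers such as the Social Security numbers mentioned above, not only on password inputs.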
💲 Morgan Stanley was fined $35 million by the U.S. Securities and Exchange Commission (SEC) for an “astonishing” failure that exposed 15 million customers' data over five years by auctioning off machines containing the data. [Ars Technica]
🌐 A tactic called domain shadowing, where attackers stealthily create malicious subdomains under compromised domain names to evade detection for extended periods of time, has been found to be more prevalent than previously thought, emphasizing the “difficulty of discovering shadowed domains.” Between April 25 and June 27, 2022, 12,197 shadowed domains were discovered. One campaign leveraged the benign reputation of these domains to spread fake login pages harvesting credentials. [Unit 42]
🚨 U.S. cybersecurity and intelligence agencies said Iranian threat actors behind the destructive attack on the Albanian government's network in July lurked inside its systems for roughly 14 months. “The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating e-mail content,” CISA and FBI noted, corroborating an earlier report from Microsoft. The initial access is believed to have been acquired in May 2021. [CISA / The Hacker News]
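To make the domain shadowing item above concrete from a defender's side, here is an added example that is not Unit 42's detection pipeline or anything from the original page: an illustrative heuristic that scores passive-DNS records for a domain and surfaces subdomains that resolve outside the apex's network, appeared long after the domain's established records, or carry a random-looking label. The records, the /24 comparison, the age threshold and the lexical check are all assumptions made for the example.

```javascript
// Added example: a scoring heuristic for candidate shadowed subdomains in
// passive-DNS data. Not Unit 42's method; thresholds and signals are assumed.

// Constructed sample passive-DNS records (RFC 5737 documentation addresses).
const SAMPLE_RECORDS = [
  { name: 'example.com',              ip: '203.0.113.10',  firstSeen: '2019-03-01' },
  { name: 'www.example.com',          ip: '203.0.113.10',  firstSeen: '2019-03-01' },
  { name: 'mail.example.com',         ip: '203.0.113.25',  firstSeen: '2019-03-02' },
  { name: 'login-verify.example.com', ip: '198.51.100.77', firstSeen: '2022-05-14' },
  { name: 'x7k2qz.example.com',       ip: '198.51.100.78', firstSeen: '2022-05-15' },
];

// Naive apex extraction: the last two labels. Enough for .com-style names; use
// a public-suffix list for registrations such as example.co.uk.
const apexOf = (name) => name.split('.').slice(-2).join('.');
const net24 = (ip) => ip.split('.').slice(0, 3).join('.');
const daysBetween = (a, b) => (Date.parse(b) - Date.parse(a)) / 86400000;

// Weak lexical signal: letters and digits interleaved in a label with no hyphen.
const looksRandom = (label) => /\d/.test(label) && /[a-z]/i.test(label) && !label.includes('-');

// Returns subdomains that trip at least minScore of the three signals.
function findShadowCandidates(records, { minAgeDays = 365, minScore = 2 } = {}) {
  const byApex = new Map();
  for (const r of records) {
    const apex = apexOf(r.name);
    if (!byApex.has(apex)) byApex.set(apex, []);
    byApex.get(apex).push(r);
  }

  const candidates = [];
  for (const [apex, recs] of byApex) {
    // Baseline: the apex and www records define the domain's home network and age.
    const baseline = recs.filter((r) => r.name === apex || r.name === `www.${apex}`);
    if (baseline.length === 0) continue; // nothing to compare against
    const homeNets = new Set(baseline.map((r) => net24(r.ip)));
    const established = baseline.map((r) => r.firstSeen).sort()[0];

    for (const r of recs) {
      if (baseline.includes(r)) continue;
      const reasons = [];
      if (!homeNets.has(net24(r.ip))) reasons.push('off-network');
      if (daysBetween(established, r.firstSeen) > minAgeDays) reasons.push('late-arrival');
      if (looksRandom(r.name.slice(0, -(apex.length + 1)))) reasons.push('random-label');
      if (reasons.length >= minScore) candidates.push({ name: r.name, ip: r.ip, reasons });
    }
  }
  return candidates;
}

console.log(findShadowCandidates(SAMPLE_RECORDS));
```

On the sample data, `mail.example.com` scores zero (same /24, created a day after the apex), while `login-verify.example.com` and `x7k2qz.example.com` are flagged for resolving off-network years after the domain was established. Requiring two signals rather than one is deliberate: a single off-network hit is common for legitimate outsourced mail or CDN records, and the lexical check alone would miss the dictionary-word subdomains used to host convincing fake login pages.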
🛡️ In the face of surging online attacks across the globe, European Union lawmakers proposed the Cyber Resilience Act, a set of cybersecurity rules for IoT and smart device makers to provide ongoing support and patches or else risk facing fines of up to 2.5% of the company's worldwide annual turnover. In a related development, the U.S. Government announced new measures to strengthen its software supply chain through secure software development practices. Supply chain security has become a grave threat for both private enterprise and government agencies in recent years as threat actors have focused their efforts on compromising vendors and products that are widely used and/or incorporated into other software packages. [The European Commission / The White House]
✖️ Twitter disclosed that it took steps to log some users out of their active sessions in response to a bug that allowed those affected accounts to “stay logged in on multiple mobile devices after a voluntary password reset.” [Twitter]
🔄 Microsoft released updates to the Windows 11 operating system with a new feature called Smart App Control that's designed to “block untrusted or unsigned applications, script files and malicious macros from running.” Also available is a new Microsoft Defender SmartScreen that “identifies when people are entering their Microsoft credentials into a malicious application or hacked website and alerts them.” The latest update also enables Windows Defender Credential Guard by default to prevent unauthorized access to secret keys. [Microsoft]
💳 Bad actors are continuing to abuse Google’s Tag Manager (GTM) containers to install malicious e-skimmers that steal payment card data and personally identifiable information of shoppers on e-commerce sites. A total of 314 shopping domains have been infected by leveraging this method. [Recorded Future]
📧 CircleCI sent out an advisory to its customers that a phishing email scam is targeting their users, along with GitHub’s, in an attempt to harvest credentials. GitHub said the campaign impacted many victim organizations. [CircleCI / The Hacker News]
🗄️ The past few weeks in data breaches, leaks, and ransomware: 2K Games, American Airlines, Kiwi Farms, Legislatura CABA, OakBend, Optus, Revolut, Rockstar Games, Seesaw, Starbucks Singapore, and U-Haul International.