Reported Uber and Rockstar incidents are the same attackers

Reported Uber and Rockstar incidents are the same attackers

Two are very influential cyber attack Ride-sharing service Uber and video game developer Rockstar Games have been exposed three days apart as being tentatively linked after a threat actor going by the handle TiptoeTuberhacker claimed to be behind both incidents.

Uber incident details The first appeared on Thursday 15 and Friday 16 SeptemberWhen Rockstar – developer of one of the most high-profile and influential franchises in contemporary gaming – invades on September 18 and 19.

Rockstar is still racing to contain the leak, which has seen nearly 50 minutes of early video footage from the upcoming Grand Theft Auto 6 Share the game GTAForums fan site, and has since spread widely.

The leaker also claims to have stolen additional data, including a test build Grand Theft Auto 6 And the source code for it Grand Theft Auto 6 And Grand Theft Auto 5. They appear to be demanding an unspecified pay-off from the company, saying, “I want to negotiate a contract.”

A spokesperson for Rockstar said: “We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the latter. Grand Theft Auto.

“At this time, we do not anticipate any disruption to our live game services or any long-term impact on the development of our ongoing projects.

“We are extremely disappointed to be able to share the details of our next game with all of you in this way. Next is our work Grand Theft Auto The game will continue as planned and we remain committed as always to providing you, our players, with an experience that truly exceeds your expectations,” they said.

“We will update everyone again soon and of course, introduce you properly when this next game is ready. We would like to thank everyone for their ongoing support during this situation.”

Rockstar’s attackers also claimed they accessed the firm’s systems after gaining access to its Slack channel. Through social engineering, although this is not guaranteed. However, if correct, it provides further evidence of a link between the two events.

Erfan Shadabi, cyber security expert Consolation AGComment: “Given that it’s 2013 GTA 5 It’s considered one of the most successful video games of all time, and with fan demand for new installments increasing, it’s no wonder it’s become a target for hackers.

“When we think of a security breach what usually comes to mind is the theft and sale of individual user or employee data, but this attack is a little different. Hackers, via the Slack messaging platform, stole many new gameplay-related assets that could be highly valuable on the dark web and/or highly sought after by fans on social media. When such stolen data is published on social media, it can be almost impossible to limit the loss and reach of the data.”

“Hackers, via the Slack messaging platform, have stolen many new gameplay-related assets… When such stolen data is released on social media, it can be nearly impossible to limit data loss and reach”

Erfan Shadabi, Santhana AG

Sophos Lead research scientist Chester Wisniewski said the attacks appeared to be “resurgent”. Lapsus $ cyber attack In late 2021 and early 2022, and over the weekend, Uber did indeed Blame Lapsus$ for the breach – A gang that is Specializes in exploiting multifactor authentication failures (MFA) to trick employees into giving up their credentials.

An Uber spokesperson said: “We believe this attacker or attackers are affiliated with a hacking group. Lapsus dollar, which has been increasingly active over the last year or so. The group typically uses similar tactics to target tech companies, and breached Microsoft, Cisco, Samsung, Nvidia, and Okta in 2022 alone.

“We are in close coordination with the FBI and the US Department of Justice on this matter and will continue to support their efforts.”

Sophos’ Wisniewski said social engineering is an “incredibly effective strategy for early compromise and leveraging the trust of privileged insiders”.

“Security is a system, and it’s no different than an airplane or a spacecraft. You must design it to be fault tolerant. In all of these cases, it appears that gaining access as a trusted insider was enough for a savvy criminal to work their way through numerous systems. to enable

“Networks must be designed to challenge an individual’s identity and credentials whenever a new or privileged resource is accessed,” he added.

Uber additionally gathered more information from its ongoing investigation, saying the incident was with an external contractor whose account was compromised after an attacker purchased their corporate password, which was stolen in a malware attack, on the dark web.

They then repeatedly attempted to log into the contractor’s Uber account, prompting multiple MFA challenges, one of which was unfortunately accepted, giving the attacker access to other employee accounts and, from there, tools including G-Suite, Slack and more.

“Our existing security monitoring processes allow our teams to quickly identify issues and move forward to respond,” Uber said

“The attacker accessed several internal systems and our investigation is focused on determining whether there was any material impact. Although the investigation is still ongoing, we have some details of our current findings that we can share.

“First and foremost, we did not see that the attacker accessed the production (ie public-facing) systems that power our applications; any user account; or databases we use to store sensitive user information, such as credit card numbers, user bank account information, or travel history. We encrypt credit card information and personal health data, offering another layer of security.

“We reviewed our codebase and did not find that the attacker made any changes. We also did not find that the attacker accessed any customer or user data stored by our cloud providers,” the company said.

It also revealed that all bug reports seen by the attacker through the HackerOne bug bounty program have already been remedied, and therefore pose no further threat.

Uber said it had already identified all compromised or potentially compromised accounts and either blocked them or forced a credential reset; Disabled affected and potentially affected internal equipment; rotating keys to internal services; lock down its codebase; the tools and services that authenticated employees are accessing; Strengthened its MFA policy; And added more insider threat monitoring.

be careful

Although no customer data appears to have been compromised, Kaspersky Lead security researcher David Im said users of the service may want to exercise caution because the attack could lead to Uber being co-opted into more malicious campaigns, such as phishing lures.

“Our recommendation…delete your Uber account and create a new account immediately. It may sound harsh, but if you take care of your personal information, it’s a small price to pay and can be done quickly.”

David M, Kaspersky

“Our recommendation is, first and foremost, to delete your Uber account and create a new account immediately. It may sound harsh, but if you care about your personal information, it’s a small price to pay and it can be done quickly,” says Emm.

“Then, as always, we recommend setting passwords that are unique and difficult for anyone to guess When it comes to Uber accounts, we advise people to change passwords used elsewhere to avoid a domino effect. Also, use this as an opportunity to set up two-factor authentication, something that’s mandatory on some sites but optional on others.

“And finally, when setting up an online account, consider using fake security questions – these providers don’t need to know your mother’s real name or your real favorite car, and the same applies to personal information like your date of birth. Unless it’s for an official purpose like renewing your driver’s license, it’s perfectly reasonable to prevent data leakage.”

Source link

Leave a Comment