The ride-sharing giant says a member of the notorious Lapsus$ hacking group started the attack by compromising an external contractor's credentials, as researchers parse the incident for takeaways.
| | | LATEST SECURITY NEWS & COMMENTARY | | Uber: Lapsus$ Targeted External Contractor With MFA Bombing Attack The ride-sharing giant says a member of the notorious Lapsus$ hacking group started the attack by compromising an external contractor's credentials, as researchers parse the incident for takeaways. Spell-Checking in Google Chrome, Microsoft Edge Browsers Leaks Passwords It's called "spell-jacking": Both browsers have spell-check features that send data to Microsoft and Google when users fill out forms for websites or Web services. 15-Year-Old Python Flaw Slithers into Software Worldwide An unpatched flaw in more than 350,000 unique open source repositories leaves software applications vulnerable to exploit. The path traversal-related vulnerability is tracked as CVE-2007-4559. ChromeLoader Malware Evolves into Prevalent, More Dangerous Cyber Threat Microsoft and VMware are warning that the malware, which first surfaced as a browser-hijacking credential stealer, is now being used to drop ransomware, steal data, and crash systems at enterprises. Real Estate Phish Swallows 1,000s of Microsoft 365 Credentials The attacks showcase broader security concerns as phishing grows in volume and sophistication, especially given that Windows Defender's Safe Links feature for identifying malicious links in emails completely failed in the campaign. Hacker Pwns Uber Via Compromised VPN Account A teen hacker reportedly social-engineered an Uber employee to hand over an MFA code to unlock the corporate VPN, before burrowing deep into Uber's cloud and code repositories. Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber Alleged teen hacker claims he found an admin password in a network share inside Uber that allowed complete access to ride-sharing giant's AWS, Windows, Google Cloud, VMware, and other environments. Threat Actor Abuses LinkedIn's Smart Links Feature to Harvest Credit Cards The tactic is just one in a constantly expanding bag of tricks that attackers are using to get users to click on links and open malicious documents. Microsoft Brings Zero Trust to Hardware in Windows 11 A stacked combination of hardware and software protects the next version of Windows against the latest generation of firmware threats. Token-Mining Weakness in Microsoft Teams Makes for Perfect Phish Access tokens for other Teams users can be recovered, allowing attackers to move from a single compromise to the ability to impersonate critical employees, but Microsoft isn't planning to patch. Sophisticated Hermit Mobile Spyware Heralds Wave of Government Surveillance At the SecTor 2022 conference in Toronto next month, researchers from Lookout will take a deep dive into Hermit and the shadowy world of mobile surveillance tools used by repressive regimes. Don't Wait for a Mobile WannaCry Attacks against mobile phones and tablets are increasing, and a WannaCry-level attack could be on the horizon. Ransomware: The Latest Chapter As ransomware attacks continue to evolve, beyond using security best practices organizations can build resiliency with extended detection and response solutions and fast response times to shut down attacks. Cyberattack Costs for US Businesses up by 80% Cyberattacks keep inflicting more expensive damage, but firms are responding decisively to the challenge. Business Application Compromise & the Evolving Art of Social Engineering Be wary of being pestered into making a bad decision. As digital applications proliferate, educating users against social engineering attempts is a key part of a strong defense. MORE NEWS / MORE COMMENTARY | | |
|
Dark Reading Weekly
-- Published By Dark Reading
Informa Tech Holdings LLC | Registered in the United States
with number 7418737 | 605 Third Ave., 22nd Floor, New York, New York 10158, USA
| | To opt-out of any future Dark Reading Weekly Newsletter emails, please respond here. | | Thoughts about this newsletter? Give us feedback. |
Keep This Newsletter Out Of Your SPAM Folder
Don't let future editions go missing. Take a moment to add the newsletter's address to your anti-spam white list: | | If you're not sure how to do that, ask your administrator or ISP. Or check your anti-spam utility's documentation. | | We take your privacy very seriously. Please review our Privacy Statement. |
|
| |
