The ride-sharing giant says a member of the notorious Lapsus$ hacking group started the attack by compromising an external contractor's credentials, as researchers parse the incident for takeaways.
Follow Dark Reading:
 September 22, 2022
LATEST SECURITY NEWS & COMMENTARY
Uber: Lapsus$ Targeted External Contractor With MFA Bombing Attack
The ride-sharing giant says a member of the notorious Lapsus$ hacking group started the attack by compromising an external contractor's credentials, as researchers parse the incident for takeaways.
Spell-Checking in Google Chrome, Microsoft Edge Browsers Leaks Passwords
It's called "spell-jacking": Both browsers have spell-check features that send data to Microsoft and Google when users fill out forms for websites or Web services.
15-Year-Old Python Flaw Slithers into Software Worldwide
An unpatched flaw in more than 350,000 unique open source repositories leaves software applications vulnerable to exploit. The path traversal-related vulnerability is tracked as CVE-2007-4559.
ChromeLoader Malware Evolves into Prevalent, More Dangerous Cyber Threat
Microsoft and VMware are warning that the malware, which first surfaced as a browser-hijacking credential stealer, is now being used to drop ransomware, steal data, and crash systems at enterprises.
Real Estate Phish Swallows 1,000s of Microsoft 365 Credentials
The attacks showcase broader security concerns as phishing grows in volume and sophistication, especially given that Windows Defender's Safe Links feature for identifying malicious links in emails completely failed in the campaign.
Hacker Pwns Uber Via Compromised VPN Account
A teen hacker reportedly social-engineered an Uber employee to hand over an MFA code to unlock the corporate VPN, before burrowing deep into Uber's cloud and code repositories.
Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber
Alleged teen hacker claims he found an admin password in a network share inside Uber that allowed complete access to ride-sharing giant's AWS, Windows, Google Cloud, VMware, and other environments.
Threat Actor Abuses LinkedIn's Smart Links Feature to Harvest Credit Cards
The tactic is just one in a constantly expanding bag of tricks that attackers are using to get users to click on links and open malicious documents.
Microsoft Brings Zero Trust to Hardware in Windows 11
A stacked combination of hardware and software protects the next version of Windows against the latest generation of firmware threats.
Token-Mining Weakness in Microsoft Teams Makes for Perfect Phish
Access tokens for other Teams users can be recovered, allowing attackers to move from a single compromise to the ability to impersonate critical employees, but Microsoft isn't planning to patch.
Sophisticated Hermit Mobile Spyware Heralds Wave of Government Surveillance
At the SecTor 2022 conference in Toronto next month, researchers from Lookout will take a deep dive into Hermit and the shadowy world of mobile surveillance tools used by repressive regimes.
Don't Wait for a Mobile WannaCry
Attacks against mobile phones and tablets are increasing, and a WannaCry-level attack could be on the horizon.
Ransomware: The Latest Chapter
As ransomware attacks continue to evolve, beyond using security best practices organizations can build resiliency with extended detection and response solutions and fast response times to shut down attacks.
Cyberattack Costs for US Businesses up by 80%
Cyberattacks keep inflicting more expensive damage, but firms are responding decisively to the challenge.
Business Application Compromise & the Evolving Art of Social Engineering
Be wary of being pestered into making a bad decision. As digital applications proliferate, educating users against social engineering attempts is a key part of a strong defense.
MORE NEWS / MORE COMMENTARY
HOT TOPICS
How to Dodge New Ransomware Tactics
The evolving tactics increase the threat of ransomware operators, but there are steps organizations can take to protect themselves.

5 Best Practices for Building Your Data Loss Prevention Strategy
The entire security team should share in the responsibility to secure sensitive data.

MORE
EDITORS' CHOICE
Highlights of the 2022 Pwnie Awards
Since 2007, the Pwnies have celebrated the good, the bad, and the wacky in cybersecurity. Enjoy some of the best moments of this year's ceremony.
LATEST FROM THE EDGE

Tackling Financial Fraud With Machine Learning
Financial services firms need to learn how — and when — to put machine learning to use.
LATEST FROM DR TECHNOLOGY

Note to Security Vendors: Companies Are Picking Favorites
A stunning three-quarters of companies are looking to consolidate their security products this year, up from 29% in 2020, suggesting fiercer competition among cybersecurity vendors.
WEBINARS
  • Strategies for DDoS Resilience and Response

    There are few things more disruptive than a distributed denial-of-service (DDoS) attack. The criminals behind these attacks have one objective: to bring everything to a stop so you can't conduct business as usual. How can you ensure business continuity during ...

  • Emerging Cyber Vulnerabilities That Every Enterprise Should Know About

    Every day, black hat attackers and white hat researchers are discovering new security vulnerabilities in widely-used systems and applications that might be exploited to compromise your data. Are you aware of the newest-and potentially most impactful-vulnerabilities that have been discovered/...

View More Dark Reading Webinars >>
WHITE PAPERS
FEATURED REPORTS
View More Dark Reading Reports >>
PRODUCTS & RELEASES
CURRENT ISSUE
DOWNLOAD THIS ISSUE
VIEW BACK ISSUES
Dark Reading Weekly
-- Published By Dark Reading
Informa Tech Holdings LLC | Registered in the United States
with number 7418737 | 605 Third Ave., 22nd Floor, New York, New York 10158, USA
To opt-out of any future Dark Reading Weekly Newsletter emails, please respond here.
Thoughts about this newsletter? Give us feedback.
Keep This Newsletter Out Of Your SPAM Folder
Don't let future editions go missing. Take a moment to add the newsletter's address to your anti-spam white list:
If you're not sure how to do that, ask your administrator or ISP. Or check your anti-spam utility's documentation.
We take your privacy very seriously. Please review our Privacy Statement.