Uber and Lyft at Odds Over Data Breach

This week we look at the dispute between Uber and Lyft over Uber’s earlier data breach, and at the discovery of a new Remote Access Trojan called MOKER.

Breach

Uber and Lyft at odds over data breach  

In May 2014, the personal information of as many as 50,000 Uber drivers was exposed in a breach that Uber disclosed in February 2015. Last week, based on IP address tracing, Uber’s investigation pointed to Chris Lambert, CTO of Lyft, its main competitor, as the person responsible.

The driver database was reached using an access key that an Uber engineer had inadvertently published on GitHub, a code-hosting service, where it sat exposed for roughly three months. Through court action, Uber obtained from GitHub the IP addresses of everyone who had viewed the page, and one of those addresses was traced back to Lambert.

Reuters reported that a Lyft spokesperson said the company had conducted its own investigation and found that “there is no evidence” that Lyft employees “had anything to do with Uber’s May data breach.”


References: Uber and Lyft Clash Over Massive Data Breach | Uber checks connections between hacker and Lyft

Mitigation Strategies:

  • Access credentials, including database keys and API tokens, should be managed, stored and protected in accordance with best practice: never committed to source control, kept in a secrets store rather than in code, and rotated immediately if exposed
  • Network traffic analysis to detect bulk data exfiltration, such as a single client pulling an entire table
  • 24x7 security monitoring to detect anomalous database access
  • Centralised log management, with database access logging enabled, so that the source IP of external access is recorded at the time rather than reconstructed afterwards
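The root cause above was a credential pushed to a public repository. As an added example for this digest (not code from Uber, GitHub or the cited articles), the following pre-commit style check scans the added lines of a unified diff for credential-like strings, first against known key formats and then, as a fallback, for long high-entropy tokens. The regexes, the entropy cutoff, the hypothetical `secret_scan.py` name and the sample diff (which uses the AWS documentation example keys) are all assumptions, not anything described on the page.

```python
"""Reject staged changes that contain credential-like strings.

Added example for this digest, not code from Uber, GitHub or the cited
articles. The regexes, the entropy cutoff and the sample diff below are
assumptions, not anything described on the page.
"""
import math
import re
import sys
from typing import Dict, List, Tuple

# Credential formats worth a hard match (assumed starter set; extend for your estate).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "secret_assignment": re.compile(
        r"(?i)\b(?:secret|token|password|passwd|api[_-]?key|access[_-]?key)\b"
        r"\s*[:=]\s*['\"]?[A-Za-z0-9+/_\-=]{16,}"
    ),
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-=]{20,}")  # candidates for the entropy check
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cutoff for "looks random"


def shannon_entropy(s: str) -> float:
    """Bits per character of s: random base64 keys score high, words and identifiers low."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def added_lines(diff: str) -> List[Tuple[str, int, str]]:
    """Return (path, line number in the new file, text) for each '+' line of a unified diff."""
    path, new_no, out = "", 0, []
    for line in diff.splitlines():
        if line.startswith("+++ "):  # new-file header (an added line starting "++ " would be misread)
            path = line[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("@@"):  # hunk header: reset the new-file line counter
            m = re.search(r"\+(\d+)", line)
            new_no = int(m.group(1)) - 1 if m else 0
        elif line.startswith("+"):
            new_no += 1
            out.append((path, new_no, line[1:]))
        elif not line.startswith(("-", "\\", "diff ", "index ")):
            new_no += 1  # context line advances the new-file counter; removed lines do not
    return out


def scan_diff(diff: str) -> List[Dict[str, object]]:
    """Flag added lines that match a known format or carry a high-entropy token."""
    findings: List[Dict[str, object]] = []
    for path, lineno, text in added_lines(diff):
        rule = next((name for name, pat in KNOWN_PATTERNS.items() if pat.search(text)), None)
        if rule is None:
            # Fallback for variable names the regexes miss (e.g. DB_SECRET): any long random-looking token.
            if any(shannon_entropy(tok) >= ENTROPY_THRESHOLD for tok in TOKEN_RE.findall(text)):
                rule = "high_entropy_token"
        if rule:
            findings.append({"path": path, "line": lineno, "rule": rule})
    return findings


# Constructed sample diff (AWS documentation example keys, not live credentials).
SAMPLE_DIFF = """\
diff --git a/config/db.py b/config/db.py
--- a/config/db.py
+++ b/config/db.py
@@ -1,3 +1,5 @@
 import os
-DB_KEY = os.environ["DB_KEY"]
+# quick local test, remember to remove before pushing
+DB_KEY = "AKIAIOSFODNN7EXAMPLE"
+DB_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 HOST = "db.internal"
"""

if __name__ == "__main__":
    # Usage as a hook: git diff --cached | python secret_scan.py  (non-zero exit blocks the commit)
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f['path']}:{f['line']}: possible credential ({f['rule']})")
    sys.exit(1 if findings else 0)
```

On the sample diff the first added key is caught by the AWS format rule and the second, whose variable name the assignment regex does not recognise, by the entropy fallback; a check like this only prevents the next leak, so a key that has already reached a public page must still be treated as compromised and rotated.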

Malware

New Remote Access Trojan MOKER skilled at not getting caught

A computer security company has discovered a new Remote Access Trojan (RAT) it calls MOKER, although it has not yet determined how the malware reached its clients’ computers. At the time of discovery MOKER had no detections on VirusTotal, and the researchers describe it as “especially skilled at not getting caught.”

MOKER can take full control of the victim’s computer. It masquerades as an operating system process in order to obtain system-wide privileges. The researchers speculate that its operators may control infected machines directly over RDP through a VPN, and that the command-and-control traffic they found may be a “false trail” intended to mislead analysts.

The researchers warn that MOKER’s designers “invested a lot of resources in order to keep the malware stealthy.” They do not yet know how the malware infected the victim, but they do know that it protects itself by encrypting its own code and by detecting and evading debuggers.

Evasion measures include:

  • Code packing to evade signature-based detection.
  • A two-step installation to avoid sandboxes and virtual machines.
  • Bypassing User Account Control (UAC).

The researchers suggest that “well-established security measures and Windows’ security mechanisms cannot stop the infiltration of MOKER.” Since they consider that “infection is inevitable”, the only recourse they see is protecting the data itself.

Their recommendations are to block malicious outbound communications in real time, to prevent file tampering in real time, and to follow up on any such communication or tampering attempt with forensic analysis of the attack.

References: New Moker Rat Bypasses Detection | Moker: A new APT discovered within a sensitive network


Top 20 IP Addresses

Addresses marked NEW are new to the list this week.

  • 199.19.95.183 - NEW
  • 222.186.31.181 - NEW
  • 43.229.53.83 - NEW
  • 85.214.67.228 - NEW
  • 208.31.49.53 - NEW
  • 43.229.53.42 - NEW
  • 109.70.36.160 - NEW
  • 43.229.53.82 - NEW
  • 192.99.38.203 - NEW
  • 43.229.53.43 - NEW
  • 118.98.104.21
  • 83.170.119.28 - NEW
  • 104.250.137.4 - NEW
  • 76.73.2.18 - NEW
  • 113.204.53.134 - NEW
  • 61.58.39.87 - NEW
  • 66.23.230.35 - NEW
  • 5.9.77.176 - NEW
  • 117.21.173.36
  • 185.82.203.19
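A list like this is only useful once it is checked against your own logs and fed into a block rule. As an added example for this digest (not code from the cited vendors), the following script takes the twenty addresses above as indicators, matches them against constructed iptables-style log lines in both directions (the “log management” point in the breach section and the “block outbound communications” point in the MOKER section), and emits drop rules for the whole list. The log format, the sample lines and the rule shape are assumptions; only the addresses come from the page.

```python
"""Match a published IP indicator list against firewall logs and emit block rules.

Added example for this digest, not code from any of the vendors cited. The
twenty addresses are the page's own data; the log shape, sample lines and
iptables rule form are assumptions.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# The twenty addresses from the list above.
INDICATORS = frozenset({
    "199.19.95.183", "222.186.31.181", "43.229.53.83", "85.214.67.228",
    "208.31.49.53", "43.229.53.42", "109.70.36.160", "43.229.53.82",
    "192.99.38.203", "43.229.53.43", "118.98.104.21", "83.170.119.28",
    "104.250.137.4", "76.73.2.18", "113.204.53.134", "61.58.39.87",
    "66.23.230.35", "5.9.77.176", "117.21.173.36", "185.82.203.19",
})

# Fields written by the iptables LOG target that we care about (assumed log shape).
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|DPT)=(\S*)")

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """\
Oct 12 09:14:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.20 PROTO=TCP DPT=443
Oct 12 09:14:09 fw kernel: IN= OUT=eth0 SRC=10.0.0.31 DST=199.19.95.183 PROTO=TCP DPT=8443
Oct 12 09:15:44 fw kernel: IN=eth0 OUT= SRC=43.229.53.42 DST=10.0.0.5 PROTO=TCP DPT=22
Oct 12 09:16:10 fw kernel: IN= OUT=eth0 SRC=10.0.0.31 DST=198.51.100.4 PROTO=UDP DPT=53
Oct 12 09:16:58 fw kernel: IN= OUT=eth0 SRC=10.0.0.31 DST=5.9.77.176 PROTO=TCP DPT=443
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract SRC/DST/DPT and infer direction; None if the line is not a usable log record."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    try:
        ipaddress.ip_address(fields["SRC"])
        ipaddress.ip_address(fields["DST"])
    except ValueError:
        return None
    # The LOG target sets OUT= for locally generated traffic and IN= for arriving traffic.
    fields["direction"] = "outbound" if fields.get("OUT") else "inbound"
    return fields


def match_indicators(log: str, indicators=INDICATORS) -> List[Dict[str, str]]:
    """Return one hit per log line whose source or destination is on the indicator list."""
    hits: List[Dict[str, str]] = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for role in ("SRC", "DST"):
            if rec[role] in indicators:
                hits.append({
                    "indicator": rec[role],
                    "role": role,
                    "direction": rec["direction"],
                    "dport": rec.get("DPT", ""),
                    "peer": rec["DST" if role == "SRC" else "SRC"],  # the internal side of the flow
                })
    return hits


def block_rules(indicators=INDICATORS) -> List[str]:
    """Emit iptables rules dropping traffic from and to every indicator, in address order."""
    rules: List[str] = []
    for ip in sorted(indicators, key=ipaddress.ip_address):
        rules.append(f"iptables -A INPUT -s {ip} -j DROP")
        rules.append(f"iptables -A OUTPUT -d {ip} -j DROP")
    return rules


if __name__ == "__main__":
    for h in match_indicators(SAMPLE_LOG):
        print(f"{h['direction']:8} {h['role']}={h['indicator']} peer={h['peer']} dport={h['dport']}")
    print("\n".join(block_rules()))
```

The outbound hits are the ones that matter most for a RAT like MOKER: an internal host talking to a listed address is the signal the vendor’s “block outbound communications” advice is aimed at, and the peer field tells you which machine to pull for forensics.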