Proactive Incident Handling For A Ride-Hailing Giant

Client Overview

Our client is a prominent super app headquartered in Dubai, operating extensively across the Middle East, Africa, and South Asia regions, covering numerous cities in 12 countries. Initially valued at a significant amount, the client became a wholly-owned subsidiary of a well-known global technology company after a substantial acquisition. Diversifying its services, it ventured into food delivery and later launched a digital payment platform. However, amidst the dynamic tech landscape, the client faced cybersecurity challenges, navigating potential vulnerabilities in its digital infrastructure. This prompted the quest for a robust cybersecurity strategy to strengthen its security posture and thwart potential cyber threats.

Why the Client Chose Us

The decision was driven by our proactive and tailored approach to security, coupled with a deep understanding of the evolving threat landscape. Our advanced threat intelligence, continuous monitoring, and rapid incident response capabilities set us apart, ensuring swift and effective resolution to security challenges.

The ride-hailing company recognized Ebryx as a trusted partner capable of addressing sophisticated cyber threats. Our comprehensive security strategy, demonstrated in previous successful engagements, showcased the ability to fortify their infrastructure seamlessly.

Project Overview

In the dynamic landscape of ride-hailing services, prioritizing the safety and security of both passengers and drivers stands as a critical imperative. Our client, a prominent participant in the ride-hailing industry, availed itself of the extensive Security Operations Center (SOC) services at Ebryx. This strategic engagement was established to tackle the distinctive security challenges inherent in the company’s operations.

How Ebryx Responded

Despite encountering multiple security incidents, the ride-hailing company’s operations have remained unscathed because of the vigilant efforts of our expert security team. Below, we outline several instances where the Ebryx team promptly responded, ensuring the ongoing safety of the company’s operations.

Security Breach Alert: Host Targeted in Header Spoofing Incident

On a specific occasion, our client faced numerous instances of malicious web attacks directed at one of its hosts from an internal IP address, occurring intermittently. The unclear motive behind this internal IP’s aggression resulted in significant downtime, rendering the affected service inaccessible to legitimate users.

In response, the Ebryx security team swiftly initiated action. Through meticulous investigation, they identified that the attacker had successfully manipulated the HTTP request headers, disguising the true origin of the malicious IP addresses as legitimate internal addresses.

Promptly, we implemented measures to thwart these attacks by blocking the identified top malicious IPs. Our security team collaborated with the client’s Engineering team to enforce robust header validation and authorization protocols, introducing thorough input sanitization to neutralize any further attempts at header manipulation. Additionally, we recommended the implementation of rate limits on critical endpoints to enhance overall security.

Critical Incident: AWS Access Key Compromise Mitigation

The Ebryx security team swiftly identified a critical security concern and promptly notified the client regarding the compromise of AWS access keys and sensitive information. Our investigation revealed the utilization of the ‘TruffleHog’ user agent, known for meticulously extracting sensitive data, including API keys and passwords, from source code repositories. In this breach, the ride-hailing app’s AWS access keys were compromised, allowing the attacker to upload and retrieve information in storage buckets. Immediate alerts were triggered as the attacker attempted to enumerate the storage bucket using the compromised access keys, prompting decisive action to secure exposed data and investigate the breach.

Our security team conducted a thorough investigation, collaborating with the client to mitigate the breach and applying a fix to remove the vulnerable feature from the application. We recommended the implementation of stringent permissions and the activation of access logs on storage buckets to minimize the risk of unauthorized data downloads. In our dedicated response, we reviewed all alerts related to this AWS account since the beginning of the year, ensuring a comprehensive understanding of the incident. Additionally, we advised the client’s team to conduct a thorough assessment to identify any Personally Identifiable Information (PII) within the affected storage buckets – a crucial step for compliance and ongoing data protection.

Security Breach Response: Successful SSH Intrusion and Privilege Escalation on Managed Server Node

Another security incident unfolded within the infrastructure of the ride-hailing company, involving a managed server node. An assailant, employing persistent brute-force tactics, successfully gained unauthorized access by establishing an SSH connection. Exploiting known Common Vulnerabilities and Exposures (CVE), the attacker escalated privileges from a standard “test” user to the highly privileged “root” user, triggering a chain reaction that included scans and connections to various malicious domains.

The Ebryx security team promptly responded to contain and address the breach, escalating the incident to the specialized Incident Response (IR) team for further investigation and action. Additionally, we offered comprehensive guidance and recommendations to the affected team, emphasizing the reinforcement of access controls, the implementation of robust intrusion detection systems, and the conduct of regular security audits to identify and address potential vulnerabilities. This swift response prevented further disruptions to services and mitigated the potential financial impact, ensuring the continuous operational availability of the ride-hailing platform without interruption for its customers.

The Results

The proactive and tailored cybersecurity measures at Ebryx proved instrumental in protecting the ride-hailing company’s security posture. By swiftly addressing the successful SSH intrusion and privilege escalation on the managed server node, our continuous monitoring, advanced threat intelligence, and rapid incident response played a pivotal role in mitigating the impact of the security breach. The implemented security enhancements, including strengthened access controls, robust intrusion detection systems, and regular security audits, resulted in a resilient security framework.

Share the article with your friends

Related Posts

Posted by Editorial Staff Cloud technology has revolutionized business. In the age of lightning fast connectivity and communication, productivity and innovation have soared. Unfortunately, cloud environments are vulnerable to attack
May 22, 2023
3 Min Read
Posted by Editorial Staff In mid 2021, an organization in the telecommunication sector suffered a breach in their cybersecurity. Hackers compromised the company’s online services to target their end-users– putting
May 22, 2023
3 Min Read
Posted by Editorial Staff In late 2018 cybercriminals conducted a multimillion-dollar raid on a mid-sized bank. In the chaotic aftermath of the breach, one of the country’s largest banking consortium
May 22, 2023
3 Min Read

Have questions?
Let's talk.

Ebryx experts are ready to answer
your questions.

Contact us