Saturday, September 17, 2022

Hacker Pwns Uber Through Compromised VPN Account



This post was updated at 2:15 ET on Sept. 16, 2022 to reflect additional initial-compromise information.

Ride-sharing giant Uber took some of its operations offline late Thursday after it discovered that its internal systems had been compromised. The attacker was able to social-engineer his way into an employee's VPN account before pivoting deeper into the network, the company said.

While the full extent of the breach has yet to come to light, the person claiming responsibility for the attack (reportedly a teenager) claimed to have troves of emails, data pilfered from Google Cloud storage, and Uber's proprietary source code, "proof" of which he sent out to some cybersecurity researchers and media outlets, including The New York Times.

"They pretty much have full access to Uber," Sam Curry, security engineer at Yuga Labs, told the Times. "This is a total compromise, from what it looks like."

Compromise Dominoes

The Slack collaboration platform was the first system taken offline, but other internal systems quickly followed, according to reports. Just before the shutdown, the attacker sent a Slack message to Uber employees (some of whom shared it on Twitter): "I announce I am a hacker and Uber has suffered a data breach."

The perpetrator also told researchers and media that the breach began with a text message to an Uber employee, purporting to be from corporate IT. More specifically, according to independent cybersecurity analyst Graham Cluley, the hacker mounted what's known as an "MFA fatigue attack."

To wit: The attacker had already obtained a valid username and password for Uber's VPN, but needed a push-based multifactor authentication (MFA) approval to get into the account. So, he bombarded the employee with MFA push notifications for more than an hour before contacting the target via WhatsApp, where he again posed as Uber IT staff. If the person wanted the annoyance to stop, he said, they needed to accept the MFA request. The target complied.
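The burst-then-approve pattern described above is visible in identity-provider logs before the attacker ever reaches the VPN. The following detector is an added example, not code from Uber or from any MFA vendor; it assumes a constructed three-field log format (timestamp, user, push outcome) that real exports would need to be mapped onto, and it flags any user who receives five or more pushes inside ten minutes, escalating when one of those pushes is finally approved.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample, one event per line: "<UTC timestamp> <user> <event>".
# A push_sent with no later denied/approved line means the push timed out.
SAMPLE_LOG = """\
2022-09-15T21:00:00Z bob push_sent
2022-09-15T21:00:05Z bob push_approved
2022-09-15T21:02:00Z alice push_sent
2022-09-15T21:02:04Z alice push_denied
2022-09-15T21:02:30Z alice push_sent
2022-09-15T21:03:00Z alice push_sent
2022-09-15T21:03:30Z alice push_sent
2022-09-15T21:04:00Z alice push_sent
2022-09-15T21:04:30Z alice push_sent
2022-09-15T21:05:00Z alice push_sent
2022-09-15T21:05:40Z alice push_approved
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def find_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who received >= threshold pushes inside `window`; a burst
    that ends in push_approved is the case to treat as an account compromise."""
    recent = {}      # user -> deque of push_sent times still inside the window
    findings = {}
    for ts, user, event in sorted(events):
        if event == "push_sent":
            q = recent.setdefault(user, deque())
            q.append(ts)
            while ts - q[0] > window:          # drop pushes older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(user, {"pushes": 0, "first": q[0],
                                               "approved_after_burst": False})
                f["pushes"] = max(f["pushes"], len(q))
        elif event == "push_approved" and user in findings:
            findings[user]["approved_after_burst"] = True
            findings[user]["approved_at"] = ts
    return findings
```

On the sample, bob's single push is ignored while alice is flagged with seven pushes and an approval at the end of the burst; in production the approved-after-burst case should revoke the new session and open an incident rather than just alert.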

"While no official explanation has been provided yet, [apparently] the intruder was able to connect to the corporate VPN to gain access to the wider Uber network, and then appears to have found gold in the form of admin credentials stored in plain text on a network share," Ian McShane, vice president of strategy at Arctic Wolf, said in a statement. "This is a pretty low-bar-to-entry attack and is something akin to the consumer-focused attackers calling people claiming to be Microsoft and having the end user install keyloggers or remote access tools."

The hacker also told other researchers that once in, he scanned the company's intranet and was lucky enough to find a PowerShell script containing hardcoded credentials for a Thycotic privileged access management (PAM) admin account, which gave him bountiful tools to unlock other internal systems, like Slack.
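A script like the one described above is exactly what a periodic sweep of file shares should catch before an intruder does. The scanner below is an added example, not Uber's tooling or any product's; it runs three patterns over a constructed PowerShell snippet (with placeholder credential values) and reports matches with the secret redacted, while treating Get-Credential and Read-Host -AsSecureString, the run-time alternatives, as the fix rather than a finding.

```python
import re

# Constructed PowerShell script standing in for one found on an internal
# share; the credential values are placeholders, not real secrets.
SAMPLE_SCRIPT = r'''
# nightly sync to the PAM server
$pamUser = "svc-pam-admin"
$pamPass = "P@ssw0rd-placeholder"
$secure = ConvertTo-SecureString $pamPass -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://pam.example.invalid/api/auth" -Credential $cred
Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password 'placeholder-too'
# the safe way: prompt, or fetch from a vault at run time
$interactive = Get-Credential
$fromVault = Read-Host -AsSecureString
'''

QUOTED = r"(\"[^\"]*\"|'[^']*')"            # a single- or double-quoted literal
PATTERNS = [
    # a literal (or a variable holding one) turned into a SecureString in-script
    ("plaintext-to-securestring",
     re.compile(r"ConvertTo-SecureString\s+(" + QUOTED + r"|\$\w+)\s+-AsPlainText", re.I)),
    # $somePassword = "literal", $apiToken = 'literal', ...
    ("secret-variable-literal",
     re.compile(r"\$\w*(pass|pwd|secret|token|apikey)\w*\s*=\s*" + QUOTED, re.I)),
    # -Password 'literal' style cmdlet parameters
    ("secret-parameter-literal",
     re.compile(r"-(Password|Secret|Token|ApiKey)\s+" + QUOTED, re.I)),
]
# Lines that obtain the secret at run time are the fix, not a finding.
SAFE = re.compile(r"Get-Credential|Read-Host\s+-AsSecureString", re.I)

def scan_script(text):
    """Return (line_no, pattern_name, redacted_line) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if SAFE.search(line):
            continue
        for name, rx in PATTERNS:
            if rx.search(line):
                # never copy the secret itself into a report or SIEM event
                redacted = re.sub(QUOTED, "'***'", line.strip())
                findings.append((lineno, name, redacted))
                break
    return findings
```

The variable-based ConvertTo-SecureString call is still reported, because the value it wraps was assigned as a literal two lines earlier; a real sweep would walk every .ps1 and .psm1 on the shares and feed the redacted findings to a ticketing or SIEM pipeline.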

In a media statement to the Times, an Uber spokesperson confirmed that social engineering was the point of entry, and simply said that the company was working with law enforcement to investigate the breach. Publicly, via Twitter, the company posted, "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."

According to reports, the hacker said he's 18 years old and targeted the company to expose its weak security; there may be a hacktivist element, because he also declared in the Slack message to employees that Uber drivers should be paid more.

"Given the access they claim to have gained, I'm surprised the attacker didn't attempt to ransom or extort; it looks like they did it 'for the lulz,'" McShane added.

Not Uber's First Data Breach Ride

Uber was the subject of another massive breach, back in 2016. In that incident, cyberattackers made off with personal information for 57 million customers and drivers, demanding $100,000 in exchange for not weaponizing the data (the company paid up). A subsequent criminal investigation led to a non-prosecution agreement with the US Department of Justice this summer, which included Uber admitting that it actively covered up the full extent of the breach, which it didn't even disclose for more than a year.

Also related to that earlier hit, in 2018 Uber settled nationwide civil litigation by paying $148 million to all 50 states and the District of Columbia; and, ironically given the new developments, it agreed to "implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments."
