Tuesday, September 20, 2022

How Uber was hacked — again


Fortunately, Uber reported this breach and acted on it quickly.

Last week, an 18-year-old hacker used social engineering techniques to compromise Uber's network. He took over an employee's Slack login and then used it to send a message to Uber employees announcing that the company had suffered a data breach. Uber confirmed the attack on Twitter within hours and published more details on this web page. The company says no user data was at risk, that it has notified law enforcement, and that all of its services have been restored to normal operation. (There were some brief interruptions of various internal software tools, but they are back online too.) Uber now believes the hacker is part of the hacking group known as Lapsus$.

What is interesting about this incident is the speed at which publications and security analysts provided coverage, how quickly Uber notified the world, and how much detail we already have about what happened. Contrast this with another Uber hack back in 2016, when the personal information of about 57 million customers and drivers was stolen. That breach was not made public for more than a year and resulted in Uber firing its Chief Security Officer, Joseph Sullivan. He is currently on trial for allegedly arranging to pay the hackers $100,000 to cover things up and for the delay in disclosing the breach. The hackers were reportedly pressured to sign non-disclosure agreements, an odd way to handle a breach, to say the least.

How did the breach happen?

Last week's breach is explained in this Twitter thread, which is unusual for the level of detail shared by the attacker, who supposedly provided the screenshots shown in the thread. They include consoles controlling Uber's Amazon Web Services and Google Workspace accounts, along with other critical systems. One security analyst, reacting to the breach in his own Twitter thread, said that the hacker had almost total administrative control over the company's computer systems, including software source code and internal messaging systems.

The hacker, who Uber now believes is a member of the Lapsus$ hacking group (which has been behind numerous other high-profile breaches), subsequently spoke to various reporters and admitted that they gained access by using social engineering on a contractor for the company. Claiming to be from Uber's IT department, they set up a man-in-the-middle MFA portal that tricked this person into revealing his authentication credentials.

The hacker then logged into the corporate VPN and roamed around the network looking for targets. One find was a PowerShell script containing hard-coded admin credentials for a privileged access management platform, which in turn opened up other systems. Another destination was Uber's HackerOne bug bounty reports, which could be very damaging: the attacker would now know about vulnerabilities that have not yet been remediated, and those could fetch a premium payout if sold on the dark web.

Lessons learned

Here are some key takeaways to keep in mind following this breach:

1. Not all MFA methods are created equal

Uber was not using FIDO2 passkeys or hardware tokens to secure its most critical internal accounts. Those are far more resistant to the kind of phishing that happened here. Attackers can easily stand up a phony login page that collects passwords and one-time codes from unsuspecting employees and relays them to the real site; a FIDO2 authenticator, by contrast, signs a challenge that includes the origin of the page the browser is actually on, so a look-alike site ends up holding an assertion the real service will reject.

2. Social engineering is still very much a threat

You can have all sorts of security systems in place, but fighting basic human nature is still hard. It is easy to see how the hacker gained the trust of, and then compromised, the Uber worker. Ars Technica points out, "Many organizations and cultures continue to believe that their members are too smart to fall for phishing attacks. They like the convenience of authenticator apps as compared to FIDO2 forms of MFA, which require the possession of a phone or physical key. These types of breaches will remain a fact of life until this mindset changes."
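To make the difference between lessons 1 and 2 concrete, here is an added example (written for this page, not code from the original post or from Uber) that simulates both sides of a relay-style phishing portal. A TOTP code from an authenticator app, typed into the phishing page, verifies fine when the proxy forwards it to the real site, because the relying party only ever sees six digits. A WebAuthn-style assertion fails, because the browser writes the origin it is actually on into clientDataJSON and the authenticator signs over it; the relying party rejects the phishing origin, and the proxy cannot rewrite the origin without invalidating the signature. The origins, keys, and challenge handling are assumptions for the example, and the per-credential HMAC stands in for the asymmetric signature a real authenticator produces (the origin-binding logic is the same).

```python
import hashlib
import hmac
import json
import os
import struct
import time

# Hypothetical origins for the example (not Uber's real hostnames).
REAL_ORIGIN = "https://sso.example.com"
PHISH_ORIGIN = "https://sso-example-com.login.test"   # attacker's look-alike "MFA portal"


# ---- Factor 1: TOTP (RFC 6238), what an authenticator app shows ----
def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """HMAC-SHA1 over the 30-second counter, dynamically truncated to `digits` digits."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def rp_verify_totp(secret: bytes, code: str, now: float, skew_steps: int = 1, step: int = 30) -> bool:
    """The relying party can only compare digits; it learns nothing about where they were typed.
    Servers usually accept neighbouring windows to tolerate clock skew and typing delay."""
    return any(hmac.compare_digest(totp(secret, now + k * step, step), code)
               for k in range(-skew_steps, skew_steps + 1))


def relay_totp_login(secret: bytes, now: float, relay_delay: float = 5.0) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it a few seconds later."""
    code_typed_into_phish = totp(secret, now)
    return rp_verify_totp(secret, code_typed_into_phish, now + relay_delay)


# ---- Factor 2: FIDO2/WebAuthn-style assertion ----
def rp_new_challenge() -> bytes:
    return os.urandom(32)


def browser_and_authenticator_sign(cred_key: bytes, challenge: bytes, page_origin: str) -> dict:
    """The browser, not the page's JavaScript, fills in the origin it is actually showing;
    the authenticator then signs a hash of that clientData."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    # Stand-in for the example: HMAC with a per-credential key. A real authenticator signs
    # with an ECDSA/EdDSA private key and the RP holds only the public key.
    signature = hmac.new(cred_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "signature": signature}


def rp_verify_assertion(cred_key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("origin") != REAL_ORIGIN:                 # the phishing-resistance check
        return False
    if client_data.get("challenge") != expected_challenge.hex():  # replay check
        return False
    expected = hmac.new(cred_key, hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def legit_webauthn_login(cred_key: bytes) -> bool:
    challenge = rp_new_challenge()
    assertion = browser_and_authenticator_sign(cred_key, challenge, REAL_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, assertion)


def relay_webauthn_login(cred_key: bytes) -> bool:
    """Proxy fetches a real challenge, presents it on the phishing origin, forwards the result."""
    challenge = rp_new_challenge()
    assertion = browser_and_authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, assertion)


def relay_webauthn_login_with_origin_rewrite(cred_key: bytes) -> bool:
    """Proxy edits clientDataJSON to claim the real origin; the signature no longer matches."""
    challenge = rp_new_challenge()
    assertion = browser_and_authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    forged = json.loads(assertion["clientDataJSON"])
    forged["origin"] = REAL_ORIGIN
    assertion["clientDataJSON"] = json.dumps(forged, sort_keys=True).encode()
    return rp_verify_assertion(cred_key, challenge, assertion)


if __name__ == "__main__":
    totp_secret, cred_key = os.urandom(20), os.urandom(32)
    print("TOTP relayed through phishing page accepted:", relay_totp_login(totp_secret, time.time()))  # True
    print("WebAuthn login on the real origin accepted:", legit_webauthn_login(cred_key))             # True
    print("WebAuthn relayed through phishing page accepted:", relay_webauthn_login(cred_key))        # False
    print("WebAuthn relayed with rewritten origin accepted:",
          relay_webauthn_login_with_origin_rewrite(cred_key))                                        # False
```

The TOTP half is checked against the RFC 6238 test vectors, so the digits really are what an app would display; the point of the comparison is that nothing in those digits ties them to the page they were typed into, whereas the origin check in `rp_verify_assertion` is exactly the step a look-alike portal cannot get past.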

3. Admin login credentials should never be hard-coded anywhere

...especially not in scripts. That effectively gives you zero-factor authentication, since anyone who can read the script can recover the credentials and use them.
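As an added example for lesson 3 (written for this page; not code from the original post and not Uber's tooling), here is a minimal scanner for that failure mode. It runs over a constructed PowerShell script, flags credentials assigned as string literals, passed to ConvertTo-SecureString, or embedded as an AWS access key, leaves the vault and environment-variable forms alone, and masks the literals in its own report so the scanner's output does not become a second place the secret is written down. The script contents, the rule set, and the pam.example.internal host are assumptions; the AWS pair is Amazon's documented example key, not a live credential. For real repositories use a maintained scanner such as gitleaks or trufflehog with a broader rule set; this shows the logic, not a replacement.

```python
import re

# Constructed sample script for the example (dummy values; not Uber's script).
SAMPLE_PS1 = r'''
# Nightly sync job (constructed example)
$pamUser = "svc-pam-admin"
$pamPass = "Sup3rS3cret!"
$sec = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $sec)
$env:AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
$env:AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
Invoke-RestMethod -Uri "https://pam.example.internal/api/session" -Credential $cred
# Safer forms: the secret is fetched at run time from a vault or the job's environment,
# so a copy of the script gives a reader nothing to log in with.
$token = Get-Secret -Name pam-admin -Vault CorpVault -AsPlainText
$apiKey = $env:PAM_API_KEY
'''

# Each rule: (name, regex). Kept deliberately small; a real scanner has hundreds.
RULES = [
    ("literal assigned to a password/secret/token/key variable",
     re.compile(r'\$(?:env:)?\w*(?:pass|pwd|secret|token|key)\w*\s*=\s*["\'][^"\']{4,}["\']', re.I)),
    ("ConvertTo-SecureString over a string literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    ("AWS access key id",
     re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
]

_QUOTED = re.compile(r'(["\'])[^"\']{4,}\1')


def mask_literals(line: str) -> str:
    """Replace quoted literals so the finding can be logged without leaking the secret."""
    return _QUOTED.sub(r'\1<redacted>\1', line)


def scan_ps1(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, rule_name, masked_line) for every rule that fires on a line."""
    findings = []
    for lineno, line in enumerate(text.strip("\n").splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((lineno, name, mask_literals(line.strip())))
    return findings


def flagged_lines(text: str) -> list[int]:
    """Distinct line numbers that need a fix (moving the value to a vault or env var)."""
    return sorted({lineno for lineno, _, _ in scan_ps1(text)})


if __name__ == "__main__":
    for lineno, rule, masked in scan_ps1(SAMPLE_PS1):
        print(f"line {lineno}: {rule}: {masked}")
    print("lines to fix:", flagged_lines(SAMPLE_PS1))   # [3, 4, 6, 7]
```

Lines 11 and 12 of the sample are the shape you want instead: the script names the secret, and the vault (or the job runner's environment) supplies the value only at execution time, so a leaked copy of the file, or a read-only foothold on the box it lives on, does not hand over the admin account by itself.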

4. Having a fallback communication channel is essential

This channel should be out of band from your own network so that your breach response team can still talk to each other once the primary tools are suspect. After the hacker compromised Slack, they sent various messages boasting about the feat, which were not taken seriously by Uber security staffers, who thought it was a prank (it wasn't).

To its credit, Uber reported the breach and acted on it quickly. The company locked down its code repositories, rotated credentials, and identified other compromised accounts, and it continues to add detail to its security update page.


