This as-yet-unnamed actor has reached out to a number of publications and cybersecurity researchers, claiming responsibility for the incident and providing details about himself and the hack. In a conversation with reporters at The New York Times, the actor identified himself as being 18 years old. He claimed to have gained initial access to Uber's internal network by conducting an MFA (multi-factor authentication) fatigue attack against one of the company's employees, according to tweets by Kevin Beaumont.
The hacker spammed an Uber employee with MFA authentication requests for over an hour, then messaged the employee on WhatsApp. Claiming to be a member of Uber's IT department, the hacker instructed the employee to accept the authentication request in order to stop the constant notifications. Unfortunately, the employee was fooled by this social engineering scheme and complied with the request, giving the attacker access to the employee's company VPN.
According to Telegram messages shared by Corben Leo, the attacker connected to the VPN and scanned Uber's internal network, finding some PowerShell scripts on a network share. The PowerShell scripts contained login credentials for the company's Thycotic admin account, Thycotic being a Privileged Access Management (PAM) platform. The hacker used these credentials to log in to Thycotic and extract the secret keys for all connected Uber services.
Uber's HackerOne bug bounty tracker has been disabled, presumably in response to the hack, but this action was likely taken too late. The hacker appears to have accessed all of the company's bug bounty tickets, as evidenced by "UBER HAS BEEN HACKED" comments left on every ticket. He also left a message in the company's Slack workspace announcing the hack, but Uber employees apparently did not take this message seriously at first. According to unnamed Uber employees who spoke with Sam Curry, the company's staff took the message as a joke and mocked the hacker, even after Uber sent an urgent notice to its employees telling them to stop using Slack.
While Uber is still investigating and responding to the incident, its preliminary investigation has revealed no evidence that "sensitive user data" was accessed by the hacker. The company also reports that all of its services are currently operational and its internal software tools are coming back online.