This post was updated at 2:15 ET on Sept. 16, 2022 to reflect additional preliminary compromise information.
Ride-sharing giant Uber took some of its operations offline late Thursday after it discovered that its internal systems had been compromised. The attacker was able to social-engineer his way into an employee’s VPN account before pivoting deeper into the network, the company said.
While the full extent of the breach has yet to come to light, the person claiming responsibility for the attack (reportedly a teenager) claimed to have troves of emails, data pilfered from Google Cloud storage, and Uber’s proprietary source code, “proof” of which he sent out to some cybersecurity researchers and media outlets, including The New York Times.
“They pretty much have full access to Uber,” Sam Curry, security engineer at Yuga Labs, told the Times. “This is a total compromise, from what it looks like.”
Compromise Dominoes
The Slack collaboration platform was the first system taken offline, but other internal systems quickly followed, according to reports. Just before the disablement, the attacker sent off a Slack message to Uber employees (some of whom shared it on Twitter): “I announce I am a hacker and Uber has suffered a data breach.”
The perpetrator also told researchers and media that the breach began with a text message to an Uber employee, purporting to be from corporate IT. More specifically, according to independent cybersecurity analyst Graham Cluley, the hacker mounted what is known as an “MFA fatigue attack.”
To wit: The attacker had already determined a valid username and password for Uber’s VPN, but needed a text-based multifactor authentication (MFA) one-time code to get into the account. So, he bombarded the employee with MFA push notifications for more than an hour before contacting the target via WhatsApp, where he again posed as Uber IT staff. If the person wanted the irritation to stop, he said, they needed to accept the MFA request. The target complied.
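The pattern described above (a long run of push prompts to one account, then an approval) is something a security operations team can alert on from MFA provider logs. The following detector is an added example written for this article, not code from Uber or any MFA vendor; the log format, the user names and the thresholds are constructed assumptions, so map the field names to whatever your provider actually emits.

```python
"""Detect MFA push-fatigue bursts in authentication logs.

Added example (not from the article or from Uber's tooling). The log format
below is constructed for illustration; real MFA providers use their own schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "alice" receives a burst of push prompts,
# denies one, then approves one; "bob" shows a single normal login.
SAMPLE_LOG = """\
2022-09-15T21:58:02Z user=alice event=push_sent
2022-09-15T21:58:20Z user=alice event=push_denied
2022-09-15T21:58:41Z user=alice event=push_sent
2022-09-15T21:59:05Z user=alice event=push_sent
2022-09-15T21:59:30Z user=alice event=push_sent
2022-09-15T22:00:12Z user=alice event=push_sent
2022-09-15T22:01:44Z user=alice event=push_sent
2022-09-15T22:02:09Z user=alice event=push_approved
2022-09-15T22:03:00Z user=bob event=push_sent
2022-09-15T22:03:15Z user=bob event=push_approved
"""

BURST_THRESHOLD = 5            # pushes inside one window that count as a burst
WINDOW = timedelta(minutes=10)  # sliding window length (assumed tuning value)


def parse_line(line):
    """Parse 'timestamp user=... event=...' into (datetime, user, event)."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, fields["user"], fields["event"]


def find_push_fatigue(log_text, threshold=BURST_THRESHOLD, window=WINDOW):
    """Return one alert per user whose densest window of push prompts reaches
    the threshold. Each alert also records whether a prompt was approved
    during the burst or within one window after it ended, which is the
    signal that the fatigue tactic worked and the account needs attention.
    """
    pushes = defaultdict(list)     # user -> push_sent timestamps
    approvals = defaultdict(list)  # user -> push_approved timestamps
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, user, event = parse_line(raw)
        if event == "push_sent":
            pushes[user].append(when)
        elif event == "push_approved":
            approvals[user].append(when)

    alerts = []
    for user, times in pushes.items():
        times.sort()
        best = None  # (count, first_push, last_push) of the densest window
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, times[start], t)
        count, first, last = best
        if count >= threshold:
            approved = any(first <= a <= last + window for a in approvals[user])
            alerts.append({
                "user": user,
                "pushes": count,
                "first": first,
                "last": last,
                "approved_after_burst": approved,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the detector raises a single alert for `alice` (six prompts inside ten minutes, followed by an approval) and stays silent for `bob`. An alert with `approved_after_burst` set is the case to treat as a probable account compromise rather than a nuisance; number-matching or hardware-key MFA removes the "just tap approve" option the tactic relies on.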
“While no official explanation has been provided yet, [apparently] the intruder was able to connect to the corporate VPN to gain access to the broader Uber network, and then seems to have found gold in the form of admin credentials stored in plain text on a network share,” Ian McShane, VP of strategy at Arctic Wolf, said in a statement. “This is a pretty low-bar-to-entry attack and is something akin to the consumer-focused attackers calling people claiming to be Microsoft and having the end user install keyloggers or remote access tools.”
The hacker also told other researchers that once in, he scanned the company’s intranet, and was lucky enough to find a PowerShell script containing hardcoded credentials for a Thycotic privileged access management (PAM) admin account, which gave him bountiful tools to unlock other internal systems, like Slack.
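Hardcoded credentials in automation scripts on file shares are exactly what a periodic secret scan is meant to catch before an intruder does. The scanner below is an added example written for this article, not a tool from Uber, Thycotic or any vendor; the PowerShell snippet it scans and the regex rules are constructed for illustration and would need tuning for a real estate.

```python
"""Flag hardcoded credentials in PowerShell scripts.

Added example (not from the article or from Uber/Thycotic tooling). The sample
script text and the detection patterns are constructed assumptions.
"""
import re

# Rules that commonly indicate a secret literal in PowerShell source.
PATTERNS = [
    # ConvertTo-SecureString "literal" -AsPlainText : the secret is right there
    ("plaintext-securestring",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    # $password = "literal", $apiToken = 'literal', and similar assignments
    ("password-assignment",
     re.compile(r'\$\w*(pass|pwd|secret|token)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    # cmdlet parameters that take a secret as a quoted literal
    ("password-parameter",
     re.compile(r'-(Password|Secret|ApiKey|Token)\s+["\'][^"\']+["\']', re.I)),
]

# Constructed example of a risky automation script (hostname is a placeholder).
SAMPLE_SCRIPT = """\
# constructed example of a risky automation script
$user = "svc-pam-admin"
$pass = "Winter2022!"
$sec = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $sec)
Invoke-RestMethod -Uri "https://pam.example.invalid/api" -Credential $cred
# safer alternative: prompt for, or fetch from a vault, the secret at run time
$cred = Get-Credential
"""


def redact(line):
    """Replace every quoted literal on the line so findings can be logged
    without copying the secret into the report."""
    return re.sub(r'(["\'])[^"\']*\1', r'\1***\1', line)


def scan_script(text):
    """Return (line_number, rule_name, redacted_line) for each line that
    matches a rule. One finding per line is enough for triage."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((n, rule, redact(line)))
                break
    return findings


if __name__ == "__main__":
    for n, rule, line in scan_script(SAMPLE_SCRIPT):
        print(f"line {n}: {rule}: {line}")
```

Run against the constructed script it reports lines 3 and 4 (the plain-text assignment and the `-AsPlainText` conversion) and nothing for the username line or the `Get-Credential` alternative. Findings are redacted before they are written out, so the scan report itself does not become another copy of the secret on a share.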
In a media statement to the Times, an Uber spokesperson confirmed that social engineering was the point of entry, and simply said that the company was working with law enforcement to investigate the breach. Publicly, via Twitter, the company posted, “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”
According to reports, the hacker said he is 18 years old and targeted the company to expose its weak security; there may also be a hacktivist element, because he also declared in the Slack message to employees that Uber drivers should be paid more.
“Given the access they claim to have gained, I am surprised the attacker did not attempt to ransom or extort, it looks like they did it ‘for the lulz,’” McShane added.
Not Uber’s First Data Breach Ride
Uber was the subject of another massive breach, back in 2016. In that incident, cyberattackers made off with personal information for 57 million customers and drivers, demanding $100,000 in exchange for not weaponizing the data (the company paid up). A subsequent criminal investigation led to a non-prosecution agreement with the US Department of Justice this summer, which included Uber admitting that it actively covered up the full extent of the breach, which it did not even disclose for more than a year.
Also related to that earlier hit, in 2018 Uber settled nationwide civil litigation by paying $148 million to all 50 states and the District of Columbia; and, ironically given the new developments, it agreed to “implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments.”