The popular share-ride and food delivery company Uber suffered a significant cybersecurity incident which reportedly exposed private data, source code and vulnerability reports.
Uber confirmed they were the victims of a severe hack that compromised key internal systems. The hack caused Uber to shut down several of their internal communication and engineering systems, but customer-facing operations were not impacted.
Uber realized they were under attack this past Thursday when Uber employees reported seeing a message on Slack stating “I announce I am a hacker and Uber has suffered a data breach”. While some initially thought this was a joke, they quickly realized the severity of the situation when additional messages with screenshots listing the databases and systems the hacker claimed to have compromised appeared on the thread.
Who Hacked Uber?
The person who claimed responsibility for the hack stated they are 18 years old and targeted Uber because the company had weak security and underpaid their drivers.
The person also reached out to the New York Times and to cybersecurity researchers with proof of the intrusion, including images of emails, cloud storage and code repositories, a considerable feat given that somebody who may still be in high school was behind this hack.
Uber now believes the attacker is affiliated with the Lapsus$ extortion group, since the hack focused on attention rather than ransom demands.
How Did Uber Get Hacked?
According to Dark Reading, the attacker obtained the VPN credentials of an external contractor, likely by purchasing them on the Dark Web. The attacker then repeatedly tried to log in to the Uber account using the illegally obtained credentials, prompting a two-factor login approval request each time.
After the contractor initially blocked those requests, the attacker contacted the target on WhatsApp posing as tech support (a popular social engineering tactic), telling the person to accept the MFA prompt — thus allowing the attacker to log in.
Over the past few years, MFA-themed attacks like this have grown in popularity as remote work has increased, and many phishing campaigns now incorporate some sort of MFA element to catch a target off guard.
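The repeated-prompt pattern described above leaves a trace in MFA logs: a string of denied or ignored pushes followed by an approval. The following detection logic is an added example, not code from the original article or from Uber; it assumes a constructed JSON-lines push log with `ts`, `user` and `event` fields and flags any user who approves a push after several denials within a short window.

```python
"""Detect MFA push-fatigue patterns in authentication logs (added example).
Assumes a constructed JSON-lines log: fields 'ts' (ISO 8601, UTC), 'user'
and 'event' (push_denied / push_approved); this is not a real vendor format."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one user denies three pushes and then approves,
# a second user denies once and approves (normal fat-finger behaviour).
SAMPLE_LOG = """\
{"ts": "2022-09-15T02:10:05Z", "user": "contractor01", "event": "push_denied"}
{"ts": "2022-09-15T02:11:12Z", "user": "contractor01", "event": "push_denied"}
{"ts": "2022-09-15T02:12:40Z", "user": "contractor01", "event": "push_denied"}
{"ts": "2022-09-15T02:30:02Z", "user": "contractor01", "event": "push_approved"}
{"ts": "2022-09-15T08:00:00Z", "user": "alice", "event": "push_denied"}
{"ts": "2022-09-15T08:00:30Z", "user": "alice", "event": "push_approved"}
"""

def parse_log(text):
    """Parse JSON lines into (timestamp, user, event) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append((ts, rec["user"], rec["event"]))
    return sorted(records)

def find_push_fatigue(records, min_denials=3, window=timedelta(minutes=30)):
    """Return (user, denial_count, approval_time) for every approval that
    follows at least min_denials denials inside the sliding window."""
    alerts = []
    denials = defaultdict(list)  # user -> timestamps of recent denials
    for ts, user, event in records:
        # Drop denials that have aged out of the window before this event.
        denials[user] = [t for t in denials[user] if ts - t <= window]
        if event == "push_denied":
            denials[user].append(ts)
        elif event == "push_approved":
            if len(denials[user]) >= min_denials:
                alerts.append((user, len(denials[user]), ts))
            denials[user] = []  # an approval ends the current burst
    return alerts

if __name__ == "__main__":
    for user, n, when in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {user} approved an MFA push after {n} denials at {when:%H:%M}")
```

Thresholds are a tuning decision; the point is that an approval preceded by a burst of denials is a high-value signal on its own, independent of where the login came from.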
What Did the Uber Hack Expose?
Following the hack, the threat actor had complete access to Uber’s Amazon and Google cloud environments, which store their source code and customer data. Additionally, the hacker gained access to large amounts of sensitive data and internal systems, including email dashboards, the Slack server, security software and VMware ESXi virtual machines.
Perhaps the biggest concern is what many cybersecurity professionals view as the most valuable asset, Uber’s vulnerability reports.
Uber participates in the HackerOne bug bounty program which allows security researchers to privately disclose vulnerabilities in their systems and applications in exchange for a monetary bug bounty reward. These reports are highly confidential, and are necessary to allow Uber the time and opportunity to develop a fix to prevent vulnerabilities from being exploited.
According to BleepingComputer, the attacker quickly downloaded every single vulnerability report in Uber’s bug bounty program before losing access. These reports carry considerable value to a hacker, as they can dramatically reduce the amount of time it takes to compromise an environment and exploit its vulnerabilities.
In this instance, the threat actor may have chosen to use these reports themselves or they may have chosen to sell these reports to other threat actors on the dark web.
HackerOne has disabled the Uber bug bounty program to prevent additional access to the Uber vulnerability reports. The fact that Uber’s vulnerability reports are out in the wild is extremely concerning and a prime example of how tools used to protect an organization can quickly be turned against it.
Repeat Target
This is not the first time Uber has experienced a cyber-attack. In 2016, Uber suffered a breach that exposed information from 57 million drivers and riders.
Unlike the 2016 breach, which resulted in their security executive Joe Sullivan being fired and charged with obstructing justice for allegedly covering up the ransom payment, Uber released a public statement immediately via Twitter and continues to provide updates on their newsroom website at www.uber.com/newsroom/security-update.
While hacks on large companies like Uber make for great headlines, the truth is that social engineering is a threat to companies of all sizes and industries. Google, Facebook, the Department of Labor and Toyota are some of the other big names on the social engineering victim list over the past few years.
How to Spot Social Engineering Attacks
Social engineering is one of the most popular tactics used in cyber-attacks; it targets the human element to coerce people into providing private data and/or system credentials. By targeting the human element of security, attackers can bypass strong password requirements, data security and other security measures – remember, as long as one person has credentials, threat actors may be able to obtain them as well.
These attacks share many of the same red flags as other scams, which include unprompted communications, a sense of urgency and asking for credentials or private information.
Remember, if you receive an unprompted communication requesting private information or one that is asking you to take an action that seems suspicious, you should verify the request by contacting a trusted contact, wherever possible.
In this case, the employee could have contacted the IT department directly to see if the repeated MFA notifications were legitimate.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
To learn more, visit our dedicated Cybersecurity page or contact the team at [email protected].
Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.