This post was updated at 2:15 ET on Sept. 16, 2022 to reflect additional initial compromise details.
Ride-sharing giant Uber took some of its operations offline late Thursday after it discovered that its internal systems had been compromised. The attacker was able to social-engineer his way into an employee's VPN account before pivoting deeper into the network, the company said.
While the full extent of the breach has yet to come to light, the person claiming responsibility for the attack (reportedly a teenager) claimed to have troves of emails, data pilfered from Google Cloud storage, and Uber's proprietary source code, "proof" of which he sent out to several cybersecurity researchers and media outlets, including The New York Times.
"They pretty much have full access to Uber," Sam Curry, security engineer at Yuga Labs, told the Times. "This is a total compromise, from what it looks like."
The Slack collaboration platform was the first system taken offline, but other internal systems quickly followed, according to reports. Just before the shutdown, the attacker sent off a Slack message to Uber employees (some of whom shared it on Twitter): "I announce I am a hacker and Uber has suffered a data breach."
The perp also told researchers and media that the breach started with a text message to an Uber employee, purporting to be from corporate IT. More specifically, according to independent cybersecurity analyst Graham Cluley, the hacker mounted what's known as an "MFA fatigue attack."
To wit: The attacker had already determined a valid username and password for Uber's VPN, but needed a text-based multifactor authentication (MFA) one-time code to get into the account. So, he bombarded the employee with MFA push notifications for more than an hour before contacting the target via WhatsApp, where he again posed as Uber IT staff. If the person wanted the annoyance to stop, he said, they needed to accept the MFA request. The target complied.
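The pattern described above (a long run of unanswered or denied push prompts to one account that finally ends in an approval) is something an identity provider's logs can surface. The following is an added example, not code from the article or from any vendor: it parses constructed authentication log lines, slides a 60-minute window over each user's push prompts, and raises an alert when the count crosses a threshold, with higher severity when the burst contains an approval. The log format, user names and timestamps are all constructed for this example.

```python
"""Detect MFA push-fatigue bursts in authentication logs.

Added example (not from the article or any vendor). Flags a user who
receives an unusual number of MFA push prompts inside a time window and
raises severity when that burst contains an approval, which is the
sequence described in the text. The log format is constructed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Each line records one push
# prompt and its outcome as an identity provider might log it.
SAMPLE_LOG = """\
2022-09-15T20:01:10Z user=alice event=mfa_push result=approved ip=10.0.0.5
2022-09-15T21:00:02Z user=bob event=mfa_push result=timeout ip=203.0.113.9
2022-09-15T21:01:15Z user=bob event=mfa_push result=denied ip=203.0.113.9
2022-09-15T21:02:40Z user=bob event=mfa_push result=timeout ip=203.0.113.9
2022-09-15T21:04:05Z user=bob event=mfa_push result=timeout ip=203.0.113.9
2022-09-15T21:05:30Z user=bob event=mfa_push result=denied ip=203.0.113.9
2022-09-15T21:07:00Z user=bob event=mfa_push result=timeout ip=203.0.113.9
2022-09-15T21:58:12Z user=bob event=mfa_push result=approved ip=203.0.113.9
2022-09-15T21:30:00Z user=carol event=mfa_push result=denied ip=10.0.0.7
2022-09-15T21:31:00Z user=carol event=mfa_push result=approved ip=10.0.0.7
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime ts."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text, threshold=5, window=timedelta(minutes=60)):
    """Return one alert per user whose push prompts hit `threshold` within `window`.

    The burst is every prompt within `window` of the first prompt of the
    qualifying window. Severity is 'high' if the burst contains an approval
    (the user eventually gave in), otherwise 'medium'.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            events[rec["user"]].append(rec)

    alerts = []
    for user, recs in sorted(events.items()):
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Shrink the window from the left until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            limit = recs[start]["ts"] + window
            burst = [r for r in recs[start:] if r["ts"] <= limit]
            approved = any(r["result"] == "approved" for r in burst)
            alerts.append({
                "user": user,
                "prompts": len(burst),
                "first": burst[0]["ts"].isoformat(),
                "last": burst[-1]["ts"].isoformat(),
                "ended_in_approval": approved,
                "severity": "high" if approved else "medium",
            })
            break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

On the sample, only `bob` trips the default threshold (seven prompts inside an hour, the last one approved), which is the case an analyst would want paged first; `carol`'s two prompts are ordinary. The same detection is a useful complement to number-matching or other push-verification settings on the MFA side, which remove the "just tap approve to make it stop" path the text describes.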
"While no official explanation has been provided yet, [apparently] the intruder was able to connect to the corporate VPN to gain access to the broader Uber network, and then seems to have stumbled across gold in the form of admin credentials stored in plain text on a network share," Ian McShane, vice president of strategy at Arctic Wolf, said in a statement. "This is a pretty low-bar-to-entry attack and is something akin to the consumer-focused attackers calling people claiming to be Microsoft and having the end user install keyloggers or remote access tools."
The hacker also told other researchers that once in, he scanned the company's intranet, and was lucky enough to find a PowerShell script containing hardcoded credentials for a Thycotic privileged access management (PAM) admin account, which gave him bountiful tools to unlock other internal systems, like Slack.
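A script with a plain-text admin credential sitting on a share is the kind of thing a defender can find first with a routine secret-scanning pass. The following is an added example, not code from the article or from any vendor: a small scanner with a few rules for the common ways credentials end up hardcoded in PowerShell (a quoted literal assigned to a password-like variable, `ConvertTo-SecureString ... -AsPlainText` on a literal, a literal Basic authorization header, a literal `-Password` argument). The sample script, its file name and every credential value in it are constructed placeholders, and findings are redacted so they can be shared without copying the secret into a ticket.

```python
"""Scan PowerShell scripts for hardcoded credentials.

Added example (not from the article or any vendor). A lightweight
secret-scanning pass a defender can run over scripts collected from file
shares or repositories. The sample script and its values are constructed.
"""
import re

# Constructed sample script. Every value here is a placeholder, not a secret.
SAMPLE_SCRIPT = r'''
# nightly-sync.ps1 (constructed example, not a real file)
$PamUser = "svc-pam-admin"
$PamPassword = "P@ssw0rd-EXAMPLE-ONLY"
$secure = ConvertTo-SecureString "S3cret-EXAMPLE" -AsPlainText -Force
$cred = Get-Credential -Message "Enter admin credentials"
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Headers @{ Authorization = "Basic c3ZjOkVYQU1QTEU=" }
$token = $env:PAM_API_TOKEN
'''.strip()

# Each rule is (name, compiled regex). Rules are deliberately narrow so that
# the safe alternatives (Get-Credential, environment variables) do not match.
PATTERNS = [
    ("plaintext_password_assignment",
     re.compile(r"\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*[\"'][^\"']+[\"']", re.I)),
    ("convertto_securestring_plaintext",
     re.compile(r"ConvertTo-SecureString\s+[\"'][^\"']+[\"'].*-AsPlainText", re.I)),
    ("basic_auth_header",
     re.compile(r"Authorization\s*=\s*[\"']Basic\s+[A-Za-z0-9+/=]+[\"']", re.I)),
    ("password_parameter_literal",
     re.compile(r"-(?:Password|Pwd)\s+[\"'][^\"']+[\"']", re.I)),
]


def redact(snippet):
    """Mask every quoted literal so a finding never carries the secret itself."""
    return re.sub(r"([\"'])[^\"']+\1", r"\1***\1", snippet)


def scan_powershell(text):
    """Return a list of findings: line number, rule name and a redacted snippet."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({
                    "line": lineno,
                    "rule": name,
                    "snippet": redact(match.group(0)),
                })
                break  # one finding per line is enough to flag it
    return findings


if __name__ == "__main__":
    for finding in scan_powershell(SAMPLE_SCRIPT):
        print(f"line {finding['line']}: {finding['rule']}: {finding['snippet']}")
```

On the sample the scanner flags the literal password assignment, the `-AsPlainText` conversion and the Basic header, and leaves the `Get-Credential` prompt and the `$env:` lookup alone, which are the shapes a remediated script should take. In practice this runs over every `.ps1` found on shares and in source control, and any hit on a privileged account is treated as a credential that needs rotating, not just a file that needs editing.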
In a media statement to the Times, an Uber spokesperson confirmed that social engineering was the point of entry, and simply said that the company was working with law enforcement to investigate the breach. Publicly, via Twitter, the company posted, "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."
According to reports, the hacker said he's 18 years old and targeted the company to show its weak security; there may also be a hacktivist element, because he also declared in the Slack message to employees that Uber drivers should be paid more.
"Given the access they claim to have gained, I'm surprised the attacker didn't try to ransom or extort, it looks like they did it 'for the lulz,'" McShane added.
Not Uber's First Data Breach Ride
Uber was the subject of another massive breach, back in 2016. In that incident, cyberattackers made off with personal information for 57 million customers and drivers, demanding $100,000 in exchange for not weaponizing the data (the company paid up). A subsequent criminal investigation led to a non-prosecution agreement with the US Department of Justice this summer, which included Uber admitting that it actively covered up the full extent of the breach, which it didn't even disclose for more than a year.
Also related to that earlier hit, in 2018 Uber settled nationwide civil litigation by paying $148 million to all 50 states and the District of Columbia; and, ironically given the new developments, it agreed to "implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments."