Uber Data Breach: Hacker Used Social Engineering to Break Into Multiple Internal Systems

The internal Uber systems that have been compromised include Slack, Google Workspace email dashboard, vSphere, and more.

September 16, 2022

On Thursday afternoon, Uber suffered a cyberattack that led the attacker to obtain full access to several of its critical IT systems. Going by what’s known so far, the latest attack seems to be more severe than the attack the company suffered in 2016.

Security experts, including senior staff engineer at Yuga Labs, Sam Curry, and Marcus Hutchins of the MalwareTechBlog, said someone posted screenshots of Uber’s admin accounts on AWS and Google Cloud Platform (GCP).

Uber confirmed the incident at 9:25 ET over Twitter but didn’t mention exactly what was impacted. The internal Uber systems that have been compromised include Slack, Google Workspace email dashboard, vSphere, and more.

According to BleepingComputer, which saw the screenshots, Uber’s Windows domain, security software, and VMware ESXi virtual machines have also been compromised.

The ride-sharing app service provider had to suspend engineering operations and communication. On Slack, the unknown hacker sent a message to Uber employees announcing the breach. “I announce I am a hacker and Uber has suffered a data breach,” the attacker wrote.

It is unclear if the hacker is from a non-English speaking country because while their Slack message indicates they aren’t, their message on a redirected website calls Uber employees “wankers,” a pejorative term in Britain used to refer to a contemptible person.

An Uber employee told Curry, “At Uber, we got an ‘URGENT’ email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message ‘F*** you wankers’.” Reportedly, the hacker is 18 years old.

The hacker told The New York Times that they socially engineered their way into Uber’s systems through an employee by pretending to be a corporate information technology person.

According to a screenshot circulated on the internet, the hackers leveraged social engineering to get past the initial barrier and into the organization’s VPN. Once they got into the Uber intranet/corporate network, they obtained a PowerShell script that contained an employee’s credentials, which led them to services such as Duo, OneLogin, etc.
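As an added example (not from the article, Uber, or any party quoted here), the following Python check shows how a defender could sweep internal script shares for PowerShell files that embed credentials, the weakness described above. The rule set, function name and sample script are constructed assumptions and the patterns are heuristic, not exhaustive.

```python
import re

# Heuristic rules for secrets embedded in PowerShell source (assumed rule set).
RULES = [
    # A quoted literal passed to ConvertTo-SecureString with -AsPlainText.
    ("plaintext-securestring",
     re.compile(r"""ConvertTo-SecureString\s+(?:-String\s+)?(['"])(?!\$)[^'"]+\1[^\n#]*-AsPlainText""", re.I)),
    # A quoted literal assigned to a variable whose name suggests a secret.
    ("literal-secret-assignment",
     re.compile(r"""\$\w*(?:passw(?:or)?d|pwd|secret|token|api_?key)\w*\s*=\s*(['"])(?!\$)[^'"]+\1""", re.I)),
]

def scan_powershell(text, name="<script>"):
    """Return (file, line number, rule) for each suspicious line.

    The matched secret is deliberately not returned, so findings can be
    logged or ticketed without copying the credential again.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip single-line comments
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((name, lineno, rule))
    return findings

# Constructed sample script; account names and values are made up.
SAMPLE = r'''
# Maps a share with a service account
$user = "CORP\svc-backup"
$password = "Example-Passw0rd!"
$sec = ConvertTo-SecureString "Example-Passw0rd!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $sec)
# Safer variant: the secret is resolved at run time, not stored in the file
$sec2 = ConvertTo-SecureString $env:SVC_PW -AsPlainText -Force
$token = Get-Secret -Name "svc-token"
'''

if __name__ == "__main__":
    for file, lineno, rule in scan_powershell(SAMPLE):
        print(f"{file}:{lineno}: {rule}")
```

Lines that pull the secret from an environment variable or a vault lookup are not flagged; only quoted literals are.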


“If these claims are true, it sounds like the attacker was very easily able to compromise Uber’s systems using social engineering to guess an employee’s login and password,” Julia O’Toole, CEO of MyCena Security Solutions told Spiceworks. “This once again highlights that when users know and make up their own passwords, these can easily be guessed or phished from them, and this gives attackers access to the digital kingdom.”

The 18-year-old added that they hacked Uber because it had weak security. “This latest breach against Uber comes at a time when the company is already facing increased security scrutiny over its handling, and alleged coverup, of a previous incident,” O’Toole added.

The company was fined $148 million in 2018 for failing to disclose a 2016 data breach that exposed the personally identifiable information (PII) of 57 million of its users and drivers. The then Uber security head Joe Sullivan paid off the hackers with $100,000 as a “bug bounty” to delete the data they had on Uber, a move seen as sweeping the incident under the rug.

Threat actors consistently rely on social engineering to trick unwitting users into revealing something they are not supposed to. “One of the best ways to counter this threat is to remove single access and privileged access solutions, and instead implement access encryption and segmentation,” O’Toole suggested.

“If organizations encrypt their access, their credentials cannot be stolen or phished because employees do not know them. If they segment their access, criminals cannot bring their whole network down with one set of credentials,” she added. “This closes important doors on attackers, while also giving organizations back control of their data.”


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com