Uber hacked, attacker tears through the company’s systems

Uber has been hacked, again – this time by an 18-year-old (allegedly).

According to The New York Times, the breach happened on Thursday. The hacker claims to have gotten in by social-engineering an Uber employee.

And, apparently, the attacker managed to get access to many Uber IT assets (including the company’s HackerOne account).

The investigation is ongoing

None of this has yet been officially confirmed by Uber – the company continues to point to a terse statement on Twitter: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”

According to various internal sources, the attacker has been taunting the company and its employees with messages on the internal Slack workspaces and by posting replies to bug hunters who flagged vulnerabilities via Uber’s HackerOne account.

“According to reports, the attacker used social engineering to gain access to a single employee’s credentials. Social engineering attacks of this nature can often remain undetected until significant damage is caused. However, in this case, the hacker revealed themselves to Uber through a Slack message, indicating they might be more interested in attention rather than large-scale damage,” noted Oliver Pinson-Roxburgh, CEO of Defense.com.

“As social engineering attacks grow increasingly common, human users are swiftly becoming the most likely target of cybercrime. Without the right education, these users are susceptible to deception tactics, often handing over crucial details without realising they have done so. However, with proper training, these same users can solidify an organisation’s cyber defence rather than weaken it.”

Samantha Humphries, Head of Security Strategy EMEA at Exabeam, says that almost all of the high-profile breaches we see in the news involve attackers leveraging stolen user credentials to gain access to sensitive data.

“Insiders with access to privileged information represent the greatest risk to a company’s security. This kind of threat can be much harder to detect. After all, an attacker with valid credentials looks just like a regular user. This presents one of the most significant challenges for security teams. Failure to adapt security operations to detect and mitigate credential-based attacks will continue to have serious consequences,” she added.

“Whilst there are already many details being shared by the purported attacker, the wider implications of this breach are still unknown. However, for Uber’s incident responders, it is certain that they have had better days in the office, and my heart absolutely goes out to them.”

Omer Yaron, Head of Research at Enso Security, noted that regardless of the attacker’s entry point, it’s absolutely key to have different controls over applications to reduce the overall risk.

“Uber’s case shows how bad things can be, at least from what we know. Events escalate quickly and critical assets can be accessed without proper controls in place. Also, Uber is not out of the ongoing event. There are still mitigations they need to perform in real time. And it all comes down to the controls and measures they’ve put in place that will determine the outcome of this attack.”

Uber has been hacked in the past

This is not the first time that Uber has been hacked and breached. Famously, the company suffered a massive data breach in October 2016, and paid hackers off to stop them from making the breach public (the company’s chief of security at the time is currently on trial for it).

Before that, in May 2014, one of the company’s databases containing Uber drivers’ names and their license numbers was accessed by a third party.

UPDATE (September 20, 2022, 05:20 a.m. ET):

Uber has confirmed that the breach started with a compromised account belonging to a contractor and says that the Lapsus$ gang is behind it.
