RISKS
What happened
Uber suffered a cyberattack on September 15, 2022, with a hacker claiming to be 18 years old sharing screenshots of the company’s AWS instance, HackerOne administration panel, email dashboard, Slack server and more. The screenshots shared by the hacker showed what appears to be full access to many critical Uber IT systems, including the company’s security software and Windows domain.
The compromise was identified when Uber employees got a Slack message that read, “I announce I am a hacker and Uber has suffered a data breach,” The New York Times reported. However, the announcement was initially met with memes and jokes as employees had not realized an actual cyberattack was taking place, as evidenced by screenshots from Uber’s Slack channels.
The hacker claiming responsibility for the breach told The New York Times he was 18 years old and decided to compromise Uber because the company had weak security. The attacker said he texted an Uber employee under the guise of being from corporate IT.
The hacker stated he then persuaded the employee to reveal a password that allowed him to gain access to Uber’s systems, per reports. This tactic, known as social engineering, is an increasingly common cyberattack maneuver.
But, on Monday, September 19, 2022, Uber said in a security update that the attacker likely purchased an Uber contractor’s corporate password on the dark web after the contractor’s personal device had been infected with malware, exposing those credentials:
“The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.
From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.”
In that same security update, Uber stated its belief that a hacker associated with the Lapsus$ hacking group was to blame for a breach of its internal systems:
“We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so. This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others. There are also reports over the weekend that this same actor breached video game maker Rockstar Games. We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts.”
In the referenced attack on Rockstar Games, 90 videos of the company’s unreleased Grand Theft Auto VI were reportedly leaked online, and the attacker also claimed to have source code, which they were seeking to sell for a minimum of $10,000.
Uber also reiterated that no customer or user data was compromised during the attack:
“We reviewed our codebase and have not found that the attacker made any changes. We also have not found that the attacker accessed any customer or user data stored by our cloud providers (e.g. AWS S3).”
The hack forced Uber to take several of its internal systems offline, including Slack, Amazon Web Services, and Google Cloud Platform.
Uber was also compromised in 2016 when hackers stole the data of 57 million driver and rider accounts and then approached Uber and demanded $100,000 to delete their copy of the information and keep the breach quiet. Uber arranged the payment but kept the breach a secret for more than a year until it was announced in November 2017.
Eventually, in response to the incident, Uber fired security chief Joe Sullivan, who allegedly arranged the payment. Sullivan went on trial in the U.S. District Court in San Francisco, facing criminal obstruction charges for his role in paying the hackers.
Why is this important?
As was the case with the Cisco data breach we previously reported on, Multi-Factor Authentication (MFA) fatigue appears to have played a part in Uber’s data breach as well. MFA is an important and necessary component to protecting your systems and data and reducing risk, but it’s not a “Staples easy button” to security.
What does this mean to me?
Implementing MFA is not enough without also conducting cyber security awareness training for your employees – and contractors – on the importance of treating each authentication attempt seriously. Training third parties using your systems on cyber security best practices is just as important as training employees. It’s also important to note that the hacker was able to obtain access to several critical systems via a contractor’s credentials.
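The push-approval pattern Uber described (repeated prompts, several denials, then one acceptance) is visible in authentication logs and can be alerted on. The following is an added illustration written for this briefing, not code from HALOCK, Uber or any MFA vendor: it parses a constructed, assumed log format (timestamp, user, event, source IP), flags users who receive a burst of push prompts in a short window, rates the finding higher when an approval follows a run of denials, and shows a simple server-side throttle that refuses to issue further prompts once the burst threshold is reached. The thresholds, field names and sample lines are all assumptions.

```python
"""Detect and throttle MFA push fatigue ("push bombing") patterns.

Added example for the briefing above, not code from HALOCK or Uber.
The log format, event names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Uber data). Assumed format per line:
#   <ISO-8601 UTC timestamp> <user> <event> <source ip>
# where event is push_sent, push_denied or push_approved.
SAMPLE_LOG = """\
2022-09-15T02:01:10Z contractor01 push_sent 203.0.113.7
2022-09-15T02:01:45Z contractor01 push_denied 203.0.113.7
2022-09-15T02:02:30Z contractor01 push_sent 203.0.113.7
2022-09-15T02:03:02Z contractor01 push_denied 203.0.113.7
2022-09-15T02:04:11Z contractor01 push_sent 203.0.113.7
2022-09-15T02:04:40Z contractor01 push_denied 203.0.113.7
2022-09-15T02:06:00Z contractor01 push_sent 203.0.113.7
2022-09-15T02:06:21Z contractor01 push_approved 203.0.113.7
2022-09-15T08:30:00Z employee42 push_sent 198.51.100.2
2022-09-15T08:30:12Z employee42 push_approved 198.51.100.2
"""


def parse_log(text):
    """Parse the assumed space-separated log format into time-sorted tuples
    of (timestamp, user, event, source_ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)


def detect_mfa_fatigue(text, window=timedelta(minutes=10), max_prompts=3):
    """Return one finding per user who received at least max_prompts push
    prompts inside a single window. Severity is 'high' when an approval
    follows two or more denials in the same burst, the pattern Uber
    described for the contractor account."""
    per_user = defaultdict(list)
    for ev in parse_log(text):
        per_user[ev[1]].append(ev)

    findings = []
    for user, evs in per_user.items():
        for i, (start, _, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - start <= window]
            prompts = sum(1 for e in burst if e[2] == "push_sent")
            if prompts < max_prompts:
                continue  # slide the window forward from the next event
            denials = 0
            approved_after_denials = False
            for _, _, kind, _ in burst:
                if kind == "push_denied":
                    denials += 1
                elif kind == "push_approved" and denials >= 2:
                    approved_after_denials = True
            findings.append({
                "user": user,
                "prompts": prompts,
                "denials": denials,
                "approved_after_denials": approved_after_denials,
                "severity": "high" if approved_after_denials else "medium",
                "window_start": start.isoformat(),
                "window_end": burst[-1][0].isoformat(),
            })
            break  # one finding per user is enough to raise the alert
    return findings


def should_send_push(recent_events, now, window=timedelta(minutes=10), max_prompts=3):
    """Server-side throttle: refuse to issue another push once the user has
    already received max_prompts prompts in the window. This blunts push
    bombing even before number matching or phishing-resistant MFA is rolled
    out; the caller should fall back to a stronger factor or lock the attempt."""
    recent = sum(1 for t, _, kind, _ in recent_events
                 if kind == "push_sent" and now - t <= window)
    return recent < max_prompts


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the detector reports a single high-severity finding for contractor01 (four prompts, three denials, then an approval) and nothing for employee42's ordinary single prompt; `should_send_push` returns False for contractor01 at the time of the final approval because the burst threshold has already been exceeded.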
Another consideration here is the lack of end-to-end encryption in Slack, where so many business communications (including sensitive communications) are being conducted today. Several companies have been hacked through their Slack implementations, including Twitter in 2020 and EA Games in 2021. To understand the risks within your organization’s platforms in terms of security mechanisms and limiting access to critical systems, consider conducting a risk assessment.
APPROACHES
Helpful Controls
- Security Risk Assessments
- Managed Detection and Response (MDR), XDR
- Third-Party Risk Management Services
- Cyber Security Awareness Training
Commonality of attack
High
HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.