More than five years after news broke of Uber suffering a major breach and theft of personal data, the company is in the news for another troubling cybersecurity incident. This time, an 18-year-old hacker has disrupted the company’s operations by getting in via social engineering and obtaining full access to the company’s systems. The network breach has revealed some poor security practices at the ridesharing company, including admin credentials peppered throughout its internal systems in PowerShell scripts and even sitting out in the open in plaintext.
Cybersecurity incident grants teenage hacker “full access” to uber systems
The Uber network breach was discovered by the company on Thursday September 15, and some of its systems were pulled offline as it investigated. There does not appear to be any mystery as to who the perpetrator is, however; a teenager first contacted the company (via its internal Slack channel) to claim responsibility and list the confidential company information he had accessed, and when laughed off by employees sent the New York Times and several other media outlets some screenshots of the network breach.
One of the researchers that the teenage hacker interacted with, Sam Curry of security firm Yuga Labs, said that the network breach was a “total compromise” and that the attacker had “full access” to Uber’s systems. The cybersecurity incident reportedly began with a fake message sent to an Uber employee, claiming to be from the company’s IT department. That compromised account granted access to the company VPN, which the hacker then leveraged to rifle through its intranet. Privilege escalation appears to have been fairly easy at this point, as the attacker found admin account credentials literally just laying around in the open.
The hacker’s motivations are not entirely clear, but it appears to be more of a demonstration (either of their skills or Uber’s security failings) than an attempt at theft or at damaging the company. The hacker mentioned on the internal company Slack that he felt Uber drivers should be paid more, but did not display any other indicators of activism. Curry said that he felt the hacker did not really plan ahead, was not sure exactly what to do with this level of access and was simply “having fun with it.” There were no demands of any sort in the hacker’s communications, but they did tell one security researcher that they were considering a public leak of the company’s source code.
Among the items that the hacker sent out screenshots of were the company’s Google Cloud and Amazon Web Services storage, proprietary Uber source code, OneLogin and internal emails. Though internal components of the company were taken offline during the investigation, Uber says that the network breach did not impact passenger use of its service. The company also said that it has contacted law enforcement about the cybersecurity incident.
As Oliver Pinson-Roxburgh (CEO of Defense.com), this is part of an emerging trend of attackers leading with social engineering attempts: “As social engineering attacks grow increasingly common, human users are swiftly becoming the most likely target of cybercrime. Without the right education, these users are susceptible to deception tactics, often handing over crucial details without realising they have done so. However, with proper training, these same users can solidify an organisation’s cyber defence rather than weaken it.”
Network breach involved chain of remedial security mistakes
The social engineering attack that kicked off the cybersecurity incident is one that hackers all over the world attempt on a broad range of organizations every single day, and one that employees should be educated on and aware of. The attacker peppered an employee with multi-factor authentication (MFA) push notifications, attempting to irritate them into making a mistake. After about an hour of this, the attacker reached out to the employee via WhatsApp and posed as a member of Uber’s IT department, successfully convincing them to accept the MFA request.
While the first step of the network breach was entirely preventable, the real failures were uncovered once the attacker began prowling through the company intranet. They reportedly found Thycotic admin account credentials stashed in a PowerShell script, which opened up access to a number of other internal systems. The hacker also claimed to have come across security vulnerability assessment reports conducted for Uber by HackerOne, something that could be used for future network breaches.
Chris Vaughan, AVP of Technical Account Management & EMEA with Tanium, provided more detail on the credentials the hacker was able to stumble into: “This raises some red flags. One is that a single hard coded password has been used to access their privileged access management (PAM) system, giving access to any area of the IT environment that links to it. Another issue is that multi-factor authentication (MFA) was bypassed by the attacker simply spamming users with push notifications until one was eventually approved. This method has been successful in other security incidents recently, so organizations should consider alternative ways to operate MFA such as only using PINs. Attackers entering a network in this seemingly legitimate way can be particularly dangerous because it’s difficult to distinguish their movements from regular user activity. This should serve as a reminder that having high levels of cyber hygiene can help prevent the more straightforward attack methods from being successful.”
Though the hacker didn’t deploy ransomware or malware, or make demands of the company, remediation of the network breach could nevertheless be a long and expensive process for Uber. The fact that the hacker had access to essentially everything, including source code, could necessitate a rebuild of internal systems to ensure that they do not retain some sort of access. If the hacker exfiltrated customer or driver information, the issue becomes much more complicated. The issue has become even more cloudy as the hacker has disappeared from the Telegram channel they used to speak with the media and there is presently no known way to contact them.
Andrew Bud, CEO of iProov, notes that this is a good prompt for organizations to review their MFA procedures to avoid a similar cybersecurity incident: “When even companies that provide multifactor authentication (MFA) services experience data incidents, organizations must recognize the only secure way to verify online identity is to use online biometrics. A robustly assured online biometric is an unshareable credential, unlike a password or a One Time Passcode (OTP) whose weaknesses are being exposed time and time again. Organizations that utilize online biometrics are properly protecting themselves and their users – especially as attackers use more sophisticated and complex schemes to bypass traditional security methods. Online biometric authentication is the most secure technology available that doesn’t compromise the user experience.”
Customer payment and trip history, as well as financial and profile information for both drivers and passengers, is safe (for the moment) according to statements from Uber. But the company’s stock fell 4% on news of the cybersecurity incident.