The IT Nerd

I woke up this morning to find that Uber has apparently been pwned by hackers:

We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.

— Uber Comms (@Uber_Comms) September 16, 2022

There’s no additional info beyond what I posted above. At least not from Uber. The broader media however does have more details:

A hacker gained control over Uber’s internal systems after compromising the Slack account of an employee, according to the New York Times, which says it communicated with the attacker directly. Slack, a workplace messaging service, is used by many tech companies and startups for everyday communications.

Uber has now disabled its Slack, according to multiple reports. Shares of Uber declined nearly 4% in premarket trading Friday.

After compromising Uber’s internal Slack in a so-called social engineering attack, the hacker then went on to access other internal databases, the Times reported.

A separate report, from the Washington Post, said the alleged attacker told the newspaper they had breached Uber for fun and could leak the company’s source code in a matter of months.

Another report provides insight as to why they were hacked:

The hacker who claimed responsibility for the breach said he was 18 years old, according to the New York Times, and called for Uber drivers to receive higher pay. He claimed to have been able to access to the company’s email and cloud storage systems, and said the firm had weak security standards.

So on the surface, this seems like “hacktivism” where someone hacks a company for a political or social reason. I’m not quite ready to buy into that just yet as the details on this hack are still emerging. But I am going to guess that this hacker got in via some sort of social engineering attack based on what I have read. And Darren Williams, CEO and Founder of BlackFog has some commentary on that:

 “Social engineering is becoming a more popular tactic for cybercriminals as it really provides the keys to the castle, as we can see from the recent attack on Uber. Once in, the focus is always going to be data exfiltration, ultimately leading to extortion, data breaches and class action lawsuits. When it comes to cyber defence in the modern age, protecting the perimeter alone simply isn’t going to cut it. Organisations must make the assumption that the bad guys are going to find their way in so the focus must be on preventing them from leaving with the crown jewels – the data. IT leaders need to stay at least one step ahead of the bad guys by adding newer technologies like anti data exfiltration to their security stack. Leveraging newer technologies that focus on preventing exfiltration is critical as it puts an end to data theft and extortion.”

Watch this space as this is an evolving story that is sure to get updates.

UPDATE: Yaron Kassner, CTO and Cofounder of Silverfort has additional commentary:

  “As with any developing attack, while Uber has admitted compromise – the details are yet to be confirmed. However, the information shared by the alleged attacker underlines that just using MFA is not enough to protect against the kind of lateral movement the attacker says took place.

Organizations need to make sure they are using MFA capable of protecting against lateral movement. For example, the attacker says they accessed a shared folder containing credentials used for scripts. This is exactly the kind of resource that would benefit from multi-factor authentication. 

According to the details being shared, these maliciously obtained service account credentials were then used to compromise a PAM solution giving the attacker the keys to the kingdom and access to many sensitive systems. This stresses the fact that service accounts must also be protected, and that protecting access to the PAM with MFA is insufficient. One must also protect access with the secrets extracted from PAM.”

Toby Lewis, Global Head of Threat Analysis for Darktrace also had this to say:

“Details of the Uber breach are still emerging, but early reports suggests this may be a threat actor more likely seeking notoriety and fame than any kind of financial gain. Regardless, an attack like this can have long lasting effects in terms of restoring systems to trusted operational states as well as reputational damage.

It would be difficult to speculate too much at this early stage but an interesting component in the attack appears to be in the exploitation of their Multi-factor Authentication, by using Social Engineering to persuade employees to blindly approve the attacker’s actions.

This proves that the existence alone of MFA is not a silver bullet, and should form part of a wider strategy incorporating other technologies and mechanisms to identify and prevent malicious activity. This includes limiting the damage that can be done with a compromised account, which is a basic yet effective measure – for example not giving every member of staff administrator-level privileges, and granting even those that really need those permissions limited use for designated tasks.”

Christopher Prewitt, Chief Technology Officer of Inversion6 adds this:

Many view these large service providers and social media companies as being extra secure or having state of the art security programs, but often suffer from some of the same issues as other corporations. Social engineering is still the primary entry point for successful breaches, but the attackers are always looking to elevate privilege to increase impact and monetization.

Once again identity and privileged identity are the root cause for a breach. Once inside an organization with valid accounts, it can be difficult for defenders to differentiate an attacker from a standard employee or contractor.

System administrators and engineers are trusted to do the right thing for security but can be just as careless as anyone else. The alleged issue were credentials that were left cleartext in some scripts. At this point the attackers were already within the environment, and likely would have found a number of other ways to elevate privilege.

This entry was posted on September 16, 2022 at 8:00 am and is filed under Commentary with tags Uber. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.