Ride-hailing service Uber said Friday that all of its services were operational following what security professionals are calling a major data breach, claiming there was no evidence that the hacker had access to sensitive data. of users.
But the breach, ostensibly by a lone hacker, exposed an increasingly effective break-in routine involving social engineering: the hacker apparently gained access by posing as a colleague, tricking an Uber employee into relinquishing the assets. your credentials.
They were then able to locate passwords on the network which obtained the privileged access level reserved for system administrators.
The potential damage was severe: Screenshots shared by the hacker with security researchers indicate that they have gained full access to the cloud-based systems where Uber stores sensitive customer and financial data.
It is unknown how much data was stolen by the hacker or how long it remained within the Uber network. Two researchers who communicated directly with the person – who self-identified as an 18-year-old to one of them – said they appeared interested in advertising. There was no indication that they had destroyed the data.
But files shared with researchers and posted widely on Twitter and other social media indicated that the hacker was able to gain access to Uber’s most important internal systems.
“It was really bad the access he had. It’s terrible, ”said Corbin Leo, one of the researchers who chatted with the hacker online.
The online reaction from the cybersecurity community – even Uber suffered a major breach in 2016 – was harsh.
The hack “was not sophisticated or complicated and clearly hinged on multiple major failures of the systemic and engineering culture”, tweeted Lesley Carhart, director of incident response at Dragos Inc., which specializes in industrial control systems.
Leo said screenshots shared by the hacker showed the intruder had access to systems stored on Amazon and Google cloud-based servers where Uber stores source code, financial data, and customer data such as driver’s licenses. guide.
“If he had the keys to the kingdom he could start disrupting services. He could erase things. It could download customer data, change people’s passwords, ”said Leo, researcher and head of business development at security firm Zellic.
The screenshots shared by the hacker, many of which were found online, showed sensitive financial data and internal databases being accessed. Also widely circulating online: the hacker announcing the breach Thursday on Uber’s internal Slack collaboration system.
Leo, along with Sam Curry, a Yuga Labs engineer who also communicated with the hacker, said there was no indication that the hacker had caused harm or was interested in anything more than advertising.
“It’s pretty clear he’s a young hacker because he wants what 99% of what young hackers want, which is fame,” Leo said.
Curry said he spoke to several Uber employees on Thursday who said they were “working to block everything internally” to restrict the hacker’s access. That included the San Francisco-based company’s Slack network, he said.
In a statement posted online on Friday, Uber said “the internal software tools we removed as a precaution yesterday are coming back online.”
He said all of his services, including Uber Eats and Uber Freight, were operational and that he had notified law enforcement. The FBI said via email that it was “aware of the cyber incident involving Uber and our assistance to the company is ongoing.”
Uber said there is no evidence that the intruder had access to “sensitive user data” such as travel history, but did not answer questions from the Associated Press, including whether the data was stored encrypted.
Curry and Leo claimed that the hacker did not indicate the amount of data copied. Uber has not recommended any specific actions for its users, such as changing passwords.
The hacker alerted researchers of the intrusion Thursday using an internal Uber account on the company’s network used to post vulnerabilities identified through its bug rewards program, which pays ethical hackers to find network weaknesses.
After commenting on those posts, the hacker provided the address of a Telegram account. Curry and other researchers then engaged them in a separate conversation, in which the intruder provided the screenshots as evidence.
The AP attempted to contact the hacker via the Telegram account, but received no response.
The screenshots posted online appeared to confirm what the researchers claimed the hacker claimed: that they gained privileged access to Uber’s most critical systems through social engineering.
The apparent scenario:
The hacker first obtained an Uber employee’s password, probably via phishing. The hacker then bombarded the employee with push notifications asking him to confirm remote access to their account. When the employee did not respond, the hacker contacted via WhatsApp, posing as a colleague from the IT department and expressing urgency. Eventually, the employee relented and confirmed with a click of the mouse.
Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Teens used it in 2020 to hack Twitter, and more recently it was used in hacks by tech companies Twilio and Cloudflare, said Rachel Tobac, CEO of SocialProof Security, which specializes in training workers to avoid falling victim to social engineering.
“The hard truth is that most organizations around the world could be hacked the same way Uber was hacked,” Tobac tweeted. In an interview, he said that “even super tech-savvy people fall in love with social engineering methods every day.”
“Attackers are getting better at bypassing or hijacking MFA (multi-factor authentication),” said Ryan Sherstobitoff, senior threat analyst at SecurityScorecard.
This is why many security professionals advocate the use of so-called FIDO physical security keys for user authentication. However, the adoption of such hardware has been unpredictable among tech companies.
The hack also highlighted the need for real-time monitoring in cloud-based systems to better detect intruders, said Tom Kellermann of Contrast Security. “Much more attention needs to be paid to protecting the clouds from within” because a single master key can typically open all of their doors.
Some experts have wondered how much cybersecurity has improved at Uber since it was hacked in 2016.
His former security chief, Joseph Sullivan, is currently on trial on charges of arranging to pay hackers $ 100,000 to cover up that high-tech robbery, when the personal information of some 57 million customers and drivers was stolen.
This story has been updated to correct the spelling of the Contrast Security expert’s last name. He is Kellermann, not Kellerman.