Uber suffered a cyber-attack on Thursday afternoon, with an allegedly 18-year-old hacker downloading HackerOne vulnerability reports and sharing screenshots of the company's internal systems, email dashboard, and Slack server.
The screenshots shared by the hacker show what appears to be full access to many critical Uber IT systems, including the company's security software and Windows domain.
Google Workspace
Other systems accessed by the hacker include the company's Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard used to manage Uber email accounts.
The threat actor also breached the Uber Slack server, which he used to post messages to employees stating that the company had been hacked. However, screenshots from Uber's Slack show that these announcements were at first met with memes and jokes, as employees had not realised an actual cyber-attack was happening.
Uber has confirmed the attack, tweeting that it is speaking with law enforcement and will post additional information as it becomes available.
Responding
"We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available," tweeted the Uber Communications account.
The New York Times, which first reported the breach, said it spoke to the threat actor, who stated they breached Uber after performing a social engineering attack on an employee and stealing their password.
The threat actor then gained access to the company's internal systems using the stolen credentials.
Update
On Friday afternoon, Uber posted an additional update stating that the investigation is still ongoing but that it could share these additional details:
- We have no evidence that the incident involved access to sensitive user data (like trip history).
- All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.
- As we shared yesterday, we have notified law enforcement.
- Internal software tools that we took down as a precaution yesterday are coming back online this morning.
Details Emerge
After the attacker announced that they had breached Uber's systems, both on the company's Slack server and in comments on submissions to the HackerOne bug bounty program, security researchers reached out to the threat actor to learn more about the attack.
In a conversation between the threat actor and security researcher Corben Leo, the hacker explained that they were able to access Uber's intranet after conducting a "social engineering attack" on an employee.
The threat actor states that they attempted to log in as an Uber employee but did not give details on how they obtained the credentials.
MFA Fatigue Attack
As the Uber account was protected with multi-factor authentication, the attacker allegedly used an MFA fatigue attack and pretended to be Uber IT support to convince the employee to accept the MFA request.
An MFA fatigue attack is used when a threat actor holds valid corporate login credentials but is blocked from the account by multi-factor authentication. The attacker triggers repeated MFA push requests to the target until the victim becomes tired of seeing them and finally accepts one.
This social engineering technique has become very popular in recent attacks against well-known companies, including Twitter, MailChimp, Robinhood, and Okta.
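The push-prompt pattern described above is detectable from authentication logs. The following is an added defender-side example, not code from the article or from any vendor: it parses constructed push-notification log lines (assumed format: timestamp, user, result) and flags users who received a burst of denied or timed-out prompts, distinguishing the case where an approval followed the burst.

```python
"""Flag MFA-fatigue patterns in push-authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): ISO timestamp, user, push result.
SAMPLE_LOG = """\
2022-09-15T20:01:02Z alice push_denied
2022-09-15T20:01:40Z alice push_timeout
2022-09-15T20:02:15Z alice push_denied
2022-09-15T20:03:05Z alice push_denied
2022-09-15T20:04:30Z alice push_approved
2022-09-15T20:05:00Z bob push_approved
2022-09-15T21:30:00Z carol push_denied
2022-09-15T22:45:00Z carol push_approved
"""

def parse_log(text):
    """Parse 'timestamp user result' lines into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: reason} for users with >= threshold unaccepted pushes inside
    `window`. The reason records whether an approval followed the burst (the
    victim gave in), which is the case that needs the most urgent response."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, rows in by_user.items():
        rejected = [ts for ts, r in rows if r in ("push_denied", "push_timeout")]
        for i, start in enumerate(rejected):
            burst = [t for t in rejected[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            approved_after = any(
                r == "push_approved" and start <= t <= burst[-1] + window
                for t, r in rows
            )
            alerts[user] = "burst_then_approved" if approved_after else "burst_only"
            break
    return alerts

if __name__ == "__main__":
    print(detect_mfa_fatigue(parse_log(SAMPLE_LOG)))
```

The window and threshold are tuning parameters; a single "burst_then_approved" hit is the signal to revoke the session and reset the credential rather than wait for more evidence.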
Corporate VPN
After gaining access to the credentials, the threat actor told Leo that they logged into the internal network through the corporate VPN and began scanning the company's intranet for sensitive information.
The hacker says they found a PowerShell script containing admin credentials for the company's Thycotic privileged access management (PAM) platform, which they then used to retrieve the login secrets for the company's other internal services.
Network Share
"ok so basically uber had a network share \\[redacted]pts. the share contained some powershell scripts.
one of the powershell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, Gsuite"
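Plaintext credentials in scripts on a file share are a finding a defender can hunt for before an intruder does. The following is an added example, not code from the article or from Thycotic: it scans a constructed PowerShell script (hypothetical content, not the script described above) for the common ways secrets get hardcoded.

```python
"""Find plaintext credentials left in PowerShell scripts (added example)."""
import re

# Constructed sample script; hypothetical values, not from any real share.
SAMPLE_SCRIPT = r'''
$ApiUser = "svc_pam_admin"
$ApiPassword = "P@ssw0rd-example"
$Sec = ConvertTo-SecureString "P@ssw0rd-example" -AsPlainText -Force
$Cred = Get-Credential   # interactive prompt: nothing stored on disk
Invoke-RestMethod -Uri "https://pam.example.invalid/api" -Headers @{Authorization="Bearer abc123"}
'''

# Conservative patterns, each named for what it catches, to keep noise low.
PATTERNS = {
    # $somePassword = "..."  /  $apiToken = '...'
    "assignment": re.compile(
        r'\$\w*(?:pass|pwd|secret|token|key)\w*\s*=\s*["\'][^"\']+["\']', re.I),
    # ConvertTo-SecureString "literal" -AsPlainText (the literal is the secret)
    "securestring_plaintext": re.compile(
        r'ConvertTo-SecureString\s+["\'][^"\']+["\'].*-AsPlainText', re.I),
    # Authorization = "Bearer <token>" inside a header table
    "bearer_header": re.compile(
        r'Authorization\s*=\s*["\']Bearer\s+\S+["\']', re.I),
}

def find_hardcoded_secrets(script_text):
    """Return [(line_number, pattern_name)] for every suspicious line."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SCRIPT):
        print(f"line {lineno}: {name}")
```

Running the same function over every .ps1 file on a share gives an inventory of secrets to rotate and move into the PAM vault instead of the script.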
The New York Times reports that the attacker claimed to have accessed Uber databases and source code as part of the attack.
This information comes from the threat actor and has not been verified by Uber, which has not responded to further requests about it.
Vulnerability Reports
While it is possible that the threat actor stole data and source code from Uber during this attack, they also had access to what could be an even more valuable asset.
According to Yuga Labs security engineer Sam Curry, the hacker also had access to the company's HackerOne bug bounty program, where they commented on all of the company's bug bounty tickets.
Curry explained that he first learned of the breach after the attacker left a comment on a vulnerability report he had submitted to Uber two years ago.
Bounty Program
Uber runs a HackerOne bug bounty program that lets security researchers privately disclose vulnerabilities in its systems and apps in exchange for a monetary bug bounty reward.
These vulnerability reports are meant to be kept confidential until a fix is released, so that attackers cannot exploit them in the meantime.
Curry further shared that an Uber employee said the threat actor had access to all of the company's private vulnerability submissions on HackerOne.
A source commented that the attacker downloaded all vulnerability reports before losing access to Uber's bug bounty program. This likely includes reports for vulnerabilities that are still unfixed, creating a severe security risk for Uber.
Since Disabled
HackerOne has since disabled the Uber bug bounty program, cutting off access to the disclosed vulnerabilities.
However, it would be unsurprising if the threat actor had already downloaded the vulnerability reports, and they would likely sell them to other threat actors to cash out on the attack quickly.