During the attack, the hacker gained access to the company’s internal systems such as Slack server, Amazon Web Services console, VMware ESXi virtual machines, and Google Workspace email admin dashboard.
“The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company’s security software and Windows domain”, according to BleepingComputer.
But the possibility of stolen data and source code is not the most serious consequence of this attack.
Sam Curry, a security engineer at Yuga Labs, warned in a tweet that the cybercriminal appears to have access to Uber’s bug bounty program on the HackerOne platform, where he posted comments on all previous tickets.
Someone hacked an Uber employee’s HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports. pic.twitter.com/00j8V3kcoE
A bug bounty program is where security researchers report the vulnerabilities they find in a company’s systems and apps in exchange for a monetary reward. These vulnerabilities are kept private until they are fixed, so that attackers cannot exploit them in the meantime.
BleepingComputer was also told by a source that the attacker downloaded all vulnerability reports before they lost access to Uber’s bug bounty program. This likely includes vulnerability reports that have not been fixed, presenting a severe security risk to Uber.
In the meantime, HackerOne has locked the Uber program, but there is a real possibility that the hacker managed to download the vulnerability reports for unfixed bugs and will try to sell them on the dark web.
How the Attack Happened and Who Is Responsible
The Uber data breach began when the hacker purchased, from a dark web marketplace, stolen credentials belonging to an Uber employee. An initial attempt to connect to Uber’s network with these credentials failed because the account was protected by MFA.
To get around this barrier, the hacker contacted the employee via WhatsApp and, posing as a member of Uber’s security team, asked the employee to accept the MFA notifications being delivered to their phone. The hacker then bombarded the employee’s phone with MFA push notifications, a technique known as MFA Fatigue, pressuring them to approve one.
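The sequence described above leaves a recognisable trace in MFA provider logs: a burst of push prompts to one user, a run of denials, and then an approval. The following detection logic is an added example and is not code from the article, from Uber or from HackerOne; the JSON log format, the field names (`ts`, `user`, `result`, `src_ip`) and the thresholds are assumptions, and the log lines are constructed for illustration.

```python
"""Detect MFA push-bombing ("MFA fatigue") in authentication logs.

Added example, not code from the original article, Uber or HackerOne.
The log format is an assumption: one JSON object per line with the fields
an MFA provider would typically export. Thresholds are assumptions too.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice receives a burst of push prompts from one
# source, denies five of them and then approves one; bob is normal traffic.
SAMPLE_LOG = """\
{"ts": "2022-09-15T22:01:05Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:01:40Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:02:15Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:03:00Z", "user": "bob",   "result": "approved", "src_ip": "198.51.100.4"}
{"ts": "2022-09-15T22:03:30Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:04:10Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:06:00Z", "user": "alice", "result": "approved", "src_ip": "203.0.113.7"}
"""

PROMPT_THRESHOLD = 5            # prompts to one user inside WINDOW -> burst
DENIAL_THRESHOLD = 3            # denials before an approval -> suspicious
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one JSON log line and convert the timestamp to a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mfa_fatigue(lines, prompt_threshold=PROMPT_THRESHOLD,
                       denial_threshold=DENIAL_THRESHOLD, window=WINDOW):
    """Return a list of alerts found in the given log lines.

    Two patterns are reported per user:
      push_burst            - at least prompt_threshold prompts within window
      approve_after_denials - an approval preceded by a run of denials/timeouts
    """
    alerts = []
    recent = defaultdict(deque)       # user -> prompt timestamps inside window
    denials = defaultdict(int)        # user -> consecutive denied/expired prompts
    burst_reported = set()            # report each user's burst only once

    for rec in (parse_line(l) for l in lines if l.strip()):
        user = rec["user"]
        q = recent[user]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop prompts outside window
            q.popleft()
        if len(q) >= prompt_threshold and user not in burst_reported:
            alerts.append({"type": "push_burst", "user": user,
                           "count": len(q), "src_ip": rec["src_ip"]})
            burst_reported.add(user)

        if rec["result"] in ("denied", "expired"):
            denials[user] += 1
        elif rec["result"] == "approved":
            if denials[user] >= denial_threshold:
                alerts.append({"type": "approve_after_denials", "user": user,
                               "prior_denials": denials[user],
                               "src_ip": rec["src_ip"]})
            denials[user] = 0                    # an approval ends the run
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample log this reports a `push_burst` for alice on her fifth prompt and an `approve_after_denials` alert when she finally accepts, and nothing for bob. The approval-after-denials rule is the one worth paging on, because it marks the moment the attacker's pressure succeeded; detection is only a backstop, and the more robust fix is an MFA method that cannot be approved blindly, such as number matching or a hardware key.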
The hacker then accessed the internal systems using the credentials and sent a message on Slack to all employees saying: “I announce I am a hacker and Uber has suffered a data breach.”, according to The New York Times.
The hacker, who provided screenshots of internal Uber systems to demonstrate his access, said that he was 18 years old and had been working on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak security. In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay.
Social engineering is a tactic increasingly used by threat actors and was the entry point for several well-known attacks, including the ones on Twitter, MailChimp, Robinhood, and Okta.
Not the First Attack on Uber
This is not the first data breach suffered by Uber. In 2016, data containing the private information of 57 million driver and customer accounts was stolen. The cybercriminals then demanded $100,000 to delete the stolen data, which the company paid to prevent a data leak.
But Uber kept the 2016 incident secret for more than a year. As a direct consequence, its former top security executive is now on trial, charged with obstructing justice for failing to report the breach to the authorities.
Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her NGO, cultural, and media background to this job.