Contents:
Uber’s computer systems have been breached on Thursday afternoon, September 15, 2022, with major consequences in data loss.
The company announced the cyberattack on Twitter, saying that they collaborate with the authorities regarding this incident and they will keep the public updated once they have more news.
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
— Uber Comms (@Uber_Comms) September 16, 2022
What Data Was Stolen
During the attack, the hacker gained access to the company’s internal systems such as Slack server, Amazon Web Services console, VMware ESXi virtual machines, and Google Workspace email admin dashboard.
“The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company’s security software and Windows domain”, according to BleepingComputer
But the possibility of stolen data and source code is not the most serious consequence of this attack.
Sam Curry, Yuga Labs security engineer, warned on a Tweet that the cybercriminal seems to have access to the Uber bug bounty program on the HackerOne platform where he posted comments on all previous tickets.
Someone hacked an Uber employees HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports. pic.twitter.com/00j8V3kcoE
— Sam Curry (@samwcyo) September 16, 2022
The bug bounty program is the place where cybersecurity specialists can share the bugs that they find in the company’s systems and apps in exchange for monetary recompense. These vulnerabilities are kept private until they are fixed to avert attacks that can exploit such weak spots.
BleepingComputer was also told by a source that the attacker downloaded all vulnerability reports before they lost access to Uber’s bug bounty program. This likely includes vulnerability reports that have not been fixed, presenting a severe security risk to Uber.
Meantime HackerOne blocked the Uber program, but there is a real possibility that the hacker had managed to download the vulnerability reports with unfixed bugs and will try to sell them on the Dark Web to obtain money from his deed.
How the Attack Happened and Who Is Responsible
The Uber data breach began when a hacker purchased stolen credentials from a dark web marketplace belonging to an Uber employee. An initial attempt to connect to Uber’s network using these credentials failed due to MFA protection on the account.
To circumvent this security barrier, the hacker contacted an Uber employee via What’sApp and, posing as a member of Uber’s security, asked the employee to allow the MFA notifications being delivered to their phone. The hacker then bombarded the employee’s phone with MFA notifications, a strategy that we know as MFA Fatigue, pressuring them to comply with the request.
Honestly kind of a classy way to hack someone 😂😂😂@Uber pic.twitter.com/fFUA5xb3wv
— Colton (@ColtonSeal) September 16, 2022
The hacker then accessed the internal systems using the credentials and send a message on Slack to all employees saying: “I announce I am a hacker and Uber has suffered a data breach.”, according to The New York Times.
The hacker, who provided screenshots of internal Uber systems to demonstrate his access, said that he was 18 years old and had been working on his cybersecurity skills for several years. He said he had broken into Uber’s systems because the company had weak security. In the Slack message that announced the breach, the person also said Uber drivers should receive higher pay.
Social engineering is a tactic more and more used by threat actors and was chosen for a few well-known attacks like the ones on Twitter, MailChimp, Robinhood, and Okta.
Not the First Attack on Uber
This is not the first data breach suffered by Uber. In 2016 data was stolen containing private information of 57 million driver and client accounts. The cybercriminal then demanded $100,000 so they will delete the stolen data, which the company did to prevent data leakage.
But the 2016 incident has been kept a secret by Uber for more than a year. Directly linked to that, now its former top security executive is on trial charged with obstructing justice for failing to announce the breach to the authorities.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.
