An Uber hacker who has gained access to a number of the company’s internal systems, including its Slack channels, claims to have full control of the company’s cloud-based servers and more. This includes the company’s servers on both Amazon Web Services and Google’s GSuite.
Incredibly, the attack appears to have mimicked the one back in 2016, which compromised the personal data of 57 million. This suggests that Uber failed to fix a massive security hole, enabling the same attack to be made six years later …
Uber has confirmed that the attack took place, but has not yet provided any details on the scope of it. It is not known at this time whether any customer data has been compromised.
Uber security breach
Uber’s two-sentence statement says:
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
The New York Times reports that Uber has taken multiple internal systems offline to prevent further compromises during its investigation.
The company has not revealed much more to employees.
In an internal email that was seen by The New York Times, an Uber executive told employees that the hack was under investigation. “We don’t have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us,” wrote Latha Maripuri, Uber’s chief information security officer.
The hacker made no secret of the attack, announcing the fact in poor English on one of the company’s Slack channels:
Hi @here
I announce i am a hacker and uber has suffered a data breach.
Slack has been stolen, confidential data with Confluence, stash and 2 monorepos from phabricator have also been stolen, along with secrets from sneakers.
#uberunderpaisdrivers [sic]
They also sent details to both the NYT and security researchers, stating that they are 18 years old, and revealing details of how they were able to carry out the attack.
How the Uber hacker got access
A screenshot shared by a security researcher seemingly shows the hacker explaining the worryingly simple way they gained full access.
- They social-engineered an employee to get their VPN and Slack login.
- Once on Slack, they found a link to a network share.
- The share contained Powershell scripts.
- One of these embedded the username and password of an Uber admin.
- Those credentials gave them access to everything else.
Here’s the tweet with the exchange:
The hacker also confirmed the social engineering element to the NYT.
The person who claimed responsibility for the hack told The New York Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems, a technique known as social engineering.
While this is unverified, another security researcher who chatted with the hacker says that it does appear convincing.
They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. “This is a total compromise, from what it looks like.
Scripts with embedded credentials, let alone admin credentials, are a truly massive security fail. So too would be failing to stress to employees the importance of never revealing their passwords.
This would be bad enough if it hadn’t happened before – but it has.
Same method used in 2016 hack
Uber previously suffered a massive data breach back in 2016, exposing personal data of some 57 million customers and drivers.
Of the 57 million affected users, 50 million were riders and the other 7 million drivers. The leaked information included names, email addresses, and phone numbers. Additionally, the license numbers of 600,000 drivers were exposed during the breach
The company broke the law in failing to disclose the breach, instead paying off the attackers in an attempt to keep it quiet.
As noted in a report from Bloomberg, the breach originally occurred in October of 2016, with Uber working to conceal it for a year […]
Travis Kalanick, Uber co-founder and former CEO, was made aware of the breach in November 2016. Around that same time, the company was in the midst of settling issues with both the New York attorney general and the FTC over the handling of the customer data. Thus, instead of properly disclosing the breach, which it was under legal obligation to do, Uber paid the hackers $100,000 to delete the data and stay quiet.
Unbelievably, this attack used the exact same key component to escalate access, so it seems astounding that it had still not removed embedded credentials from scripts some six years later!
Bloomberg explains that the hackers were able to access a private GitHub site used by software engineers at Uber, and used login credentials found there to access additional data stored on an Amazon Web Services account.
Unknown whether Uber hacker accessed user data
It appears that the access gained by the hacker would include the ability to view customer data, but there have been no reports as yet as to whether they did so.
Given that the attacker disclosed their access, and shared details with both the media and security researchers, it would seem that no harm was intended. The behavior does not strike me as consistent with a black-hat hacker who would access and sell customer data, but this is just speculation at this point.
Photo: Sam Moghadam Khamseh/Unsplash
FTC: We use income earning auto affiliate links. More.
Comments