Catch Of The Week: Uber Breach

By BECKY RUTHERFORD
Los Alamos

Uber announced on Thursday that their internal systems had been breached by an attacker. The attacker made himself known to Uber by announcing his presence on their internal Slack (a commonly used corporate chat tool) – “I announce I am a hacker and Uber has suffered a data breach.” Employees at first thought this was a joke, responding with emojis and memes.

The attacker contacted the New York Times to let them know of the breach. Per conversations with them, he claims he is only 18 years old and has been “working on his cybersecurity skills for several years”.

The attacker sent screenshots of internal uber systems to the NYT and security researchers, and was quite chatty and eager to describe how he did it.

How did this breach of Uber’s internal systems happen, and what did the attacker gain? The breach started with a social engineering attack on an Uber employee. The attacker contacted an employee via their WhatsApp number, claiming to be Uber’s internal tech support. They were able to gain login credentials from the employee, but then had to deal with MFA (Multi Factor Authentication) protecting the account. They were able to get around this by spamming the employee with hundreds of push notifications for an MFA code, and told the employee they would only stop after they gave over the code. This attack is known as “MFA Fatigue” which refers to the overload of notifications or prompts via MFA applications, for the multiple actions any user might take on a given day. In this case it is suspected the employee was simply confused or fatigued, and gave over the MFA codes.

The attacker used these credentials and MFA codes to gain access to the Uber VPN, and from there was able to access Uber internal systems. After scanning the systems the attacker discovered a network share containing powershell scripts. These PowerShell scripts contained hardcoded credentials for a Thycotic PAM (Privileged Access Management) admin account, which allowed the attacker to access many of Uber’s internal systems. What is a PAM? PAM tools allow organizations to provide secure privileged access to critical assets and meet compliance requirements by managing and monitoring privileged accounts and access. 

So essentially, this powershell script handed him the keys to the kingdom, and from there he was able to gain admin access to their internal systems and documents. The attacker is believed to have used these admin credentials to gain access to most of Uber’s cloud services, such as AWS and Google, where Uber is believed to store data, including customer data. Uber is saying there is “no evidence” that any customer data has been stolen, and all Uber services are running normally. 

How is Uber responding to this breach of their internal systems? Per a statement from Uber, “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”

This breach is a good reminder that the best way into any organization is via a social engineering attack. One employee’s mistake led to a huge breach for Uber. The investigation is ongoing and it remains to be seen how much damage was actually done – definitely one to watch!

Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.

Search
LOS ALAMOS

ladailypost.com website support locally by OviNuppi Systems