Uber Probes Breach After Hacker Boasts About Intrusion
Hacker Announced in Internal Slack Messaging App: 'Uber Has Suffered a Data Breach'
Ride-hailing service Uber is probing a hack attack after an intruder appeared to breach multiple internal systems. Uber has taken its internal communications system and some tools offline while it investigates.
News of the attack was first reported by The New York Times, which says a hacker has claimed responsibility for the intrusion and shared with it emails confirming the attack, as well as screenshots of Uber's cloud storage and code repositories.
What the attacker might have accessed remains unclear. Information shared by the hacker suggests they compromised, bypassed or accessed Uber's Duo Security, OneLogin, Amazon Web Services and Google Workspace environments, as well as sales metrics tools, VMware server management software and an anti-malware administrator portal.
The attacker also accessed Uber's HackerOne account, giving them access to vulnerability reports, says Sam Curry, a staff security engineer at blockchain technology company Yuga Labs. HackerOne says it has been working with Uber to block the attacker's access.
Reached for comment, Uber declined to detail the full scope of the attack or investigation.
"We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates as they become available," an Uber spokesperson tells Information Security Media Group.
Uber Comms (@Uber_Comms), tweet of September 16, 2022: "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."
News of the Uber breach comes just a few months after the ride-hailing service reached an agreement with the U.S. Department of Justice to resolve a criminal investigation into a massive data breach it suffered in 2016 (see: Uber Admits Covering Up 2016 Data Breach, Avoids Prosecution).
Uber employees Thursday afternoon reportedly received a message via the company's Slack messaging app that read: "I announce I am a hacker and Uber has suffered a data breach."
Many employees initially suspected it was a joke, the Times reports, until Uber CISO Latha Maripuri announced that multiple systems had been taken offline as a precaution, warning them that the hack was under investigation and the company didn't have "an estimate right now as to when full access to tools will be restored."
vx-underground (@vxunderground), tweet of September 16, 2022, sharing a screenshot via @ColtonSeal: "When the individual breached Uber, they sent a Slack notification to everyone informing them the company had been breached. Employees thought it was a joke."
The hacker told the Times they had compromised an employee's Slack account and used social engineering - pretending to be an IT employee - to obtain credentials allowing them to access other internal systems.
The hacker also criticized Uber, saying it doesn't pay drivers enough.
Per the screenshots provided to the Times, the attacker could "absolutely" have accessed employee and customer information, Yuga Labs' Curry tells ISMG. But he adds that "whether or not they actually went and retrieved that data is the question."
The attack, and attempts to mitigate it, appear to be continuing to disrupt operations. "At Uber, we got an 'URGENT' email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message 'F*** you wankers,'" an employee told Curry.
How the Breach Unfolded
The impact of the hack attack on Uber appears to be "severe and wide-ranging," says Bill Demirkapi, a security researcher at Microsoft, who notes that Uber's incident response team is probably now hunting in particular for any backdoors the attacker may have left inside its infrastructure.
Based on details shared by the attacker, Demirkapi says they appeared to set up a fake domain, backed by tools such as Evilginx, which allowed them to reroute traffic and trick an employee into sharing their Cisco Duo Security multifactor authentication one-time code. "Once the attacker compromised an employee, they appear to have used that victim's existing VPN access to pivot to the internal network," he says.
If so, that would make Uber the most recent in a long line of companies to have been breached by attackers fooling employees into sharing their one-time MFA codes, including Cisco, DoorDash, Mailchimp, Twilio and more (see: Okta Customer Data Exposed via Phishing Attack on Twilio).
"How does an organization even protect themselves against such an attack? For starters, using 'phishing-resistant' forms of MFA, such as FIDO2, is an extremely effective measure against these social engineering attacks," Demirkapi says (see: Hardware MFA Stops Attack on Cloudflare).
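To make concrete why a reverse-proxy phishing kit can relay a one-time code but not a FIDO2 assertion, the following Python model runs both MFA paths through a lookalike login page. It is an added example, not code from the article or from Uber, Cisco Duo or any other party named above. The origins (sso.uber.example, sso.uber-login.example), the relying-party ID, the TOTP seed and the authenticator key are constructed, and an HMAC under a shared key stands in for the authenticator's per-credential asymmetric signature so that the script needs only the standard library; real WebAuthn uses ECDSA or RSA keys and a much richer browser and authenticator.

```python
"""Toy model of two MFA paths behind an Evilginx-style reverse proxy. Added
example, not code from the article or from Uber, Duo or anyone it names. All
origins, seeds and keys are constructed; an HMAC under a shared key stands in
for the authenticator's per-credential asymmetric signature."""
import base64, hashlib, hmac, json, struct

REAL_ORIGIN = "https://sso.uber.example"         # assumed legitimate login origin
PHISH_ORIGIN = "https://sso.uber-login.example"  # assumed attacker lookalike origin
RP_ID = "uber.example"                           # assumed WebAuthn relying-party ID
TOTP_SEED = b"constructed-totp-seed-not-real"    # constructed shared seed
AUTH_KEY = b"constructed-authenticator-key"      # stand-in for credential private key


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Path 1: TOTP (RFC 6238). Six digits from seed + clock; nothing in the code
# records which web page the user typed it into.
def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def relay_totp_through_proxy(unix_time: int) -> bool:
    """Victim types the code on the lookalike page at the start of a 30 s step;
    the kit forwards it to the real form 5 s later. The server recomputes the
    expected code and accepts: the proxy is invisible to TOTP."""
    start = unix_time - unix_time % 30
    captured = totp(TOTP_SEED, start)
    return hmac.compare_digest(captured, totp(TOTP_SEED, start + 5))


# Path 2: WebAuthn-style assertion. The browser, not the page, records the
# origin it is on and the rpId it allowed; the authenticator signs over both.
def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):   # browser-enforced
        raise PermissionError("SecurityError: rpId is not a suffix of the page host")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    auth_data = sha256(rp_id.encode()) + b"\x01" + (1).to_bytes(4, "big")  # rpIdHash|flags|counter
    sig = hmac.new(AUTH_KEY, auth_data + sha256(client_data), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion: dict, challenge: bytes) -> str:
    """Relying-party checks in the order of WebAuthn spec section 7.2; returns
    'accepted' or the name of the first check that failed."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge"
    if cd.get("origin") != REAL_ORIGIN:
        return "origin"        # produced on some other site
    if assertion["authenticatorData"][:32] != sha256(RP_ID.encode()):
        return "rpIdHash"      # credential exercised for another rpId
    signed = assertion["authenticatorData"] + sha256(assertion["clientDataJSON"])
    expected = hmac.new(AUTH_KEY, signed, hashlib.sha256).digest()
    return "accepted" if hmac.compare_digest(expected, assertion["signature"]) else "signature"


def legitimate_login(challenge: bytes) -> str:
    return rp_verify(browser_get_assertion(REAL_ORIGIN, RP_ID, challenge), challenge)


def relay_webauthn_through_proxy(challenge: bytes) -> dict:
    """Three things a kit on PHISH_ORIGIN could try with the challenge it
    relayed from the real site, and where each one fails."""
    out = {}
    try:   # 1. Ask for Uber's rpId from the lookalike page: the browser refuses.
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge)
        out["claim_real_rp_id"] = "assertion issued"
    except PermissionError:
        out["claim_real_rp_id"] = "SecurityError"
    # 2. Ask for its own host as rpId and forward the result unchanged. (A real
    # authenticator holds no credential for that rpId; we let it sign so the
    # server-side checks are visible.)
    assertion = browser_get_assertion(PHISH_ORIGIN, PHISH_ORIGIN.split("://", 1)[1], challenge)
    out["forward_unchanged"] = rp_verify(assertion, challenge)
    # 3. Rewrite origin and rpIdHash to look legitimate: both are under the
    # signature, so the forgery fails at the last check.
    cd = json.loads(assertion["clientDataJSON"])
    cd["origin"] = REAL_ORIGIN
    tampered = {"clientDataJSON": json.dumps(cd).encode(),
                "authenticatorData": sha256(RP_ID.encode()) + assertion["authenticatorData"][32:],
                "signature": assertion["signature"]}
    out["tampered"] = rp_verify(tampered, challenge)
    return out
```

Running `relay_totp_through_proxy(1663300020)` returns True: a relayed Duo or Google Authenticator style code is indistinguishable from one typed on the real page. `relay_webauthn_through_proxy(challenge)` instead reports a browser SecurityError when the kit asks for the real rpId, an origin mismatch when it forwards an assertion made on its own domain, and a signature failure when it edits that assertion, while `legitimate_login(challenge)` on the real origin is accepted. The phishing-resistant property Demirkapi refers to is exactly this: the origin and rpId are supplied by the browser and covered by the signature, so the attacker's domain is baked into anything the victim produces.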