Uber said on Friday that all its services were up and running again after what security professionals were calling a major breach of its systems. The ride-hailing company said there was no evidence the hacker had accessed sensitive user data.
However, the intrusion, apparently carried out by a lone hacker, highlighted an increasingly common tactic known as “social engineering”: the hacker gained access by posing as a colleague and tricking an Uber employee into handing over credentials.
He was then able to locate a password on the network that gave him access to the privileged level reserved for system administrators.
The potential damage was serious: screenshots the hacker shared with security researchers indicated he had full access to the cloud-hosted systems where Uber stores financial data and sensitive customer data.
It is unknown how much data the hacker stole or how long he was inside Uber’s network. Two researchers who communicated with the person directly, one of whom was told by the hacker that he was 18 years old, said he appeared to be interested only in publicity. There was no indication that any data had been destroyed.
However, the files shared with the researchers and posted widely on Twitter and other social media indicate that the hacker was able to gain access to Uber’s most critical internal systems.
“Their access was very severe. It was terrifying,” said Corbin Leo, one of the researchers who chatted with the hacker online.
Reaction in the online security community was harsh, given that Uber had already suffered a serious intrusion into its computer systems in 2016.
The hack was “not sophisticated or complicated and was clearly based on several major systemic failures in security culture and engineering,” tweeted Lesley Carhart, director of incident response at Dragos Inc., which specializes in industrial control systems.
Leo said screenshots shared by the intruder showed he had gained access to Uber’s servers on Amazon’s and Google’s cloud platforms. There, Uber stores its source code, financial data and customer data, including driver’s license numbers.
“If he had the ‘key to the kingdom,’ he could start disrupting services. He could erase things. He could download customer data, change people’s passwords,” said Leo, a security researcher and head of business development at the company Zelic.
Some screenshots shared by the hacker, many of which circulated online, showed he had access to sensitive financial data and internal databases.
Also widely circulated online: the hacker’s announcement of the breach on Thursday, posted in Slack, Uber’s internal communications service.
Leo contacted the hacker, along with Yug Labs engineer Sam Curry, who said there was no indication that the hacker had done any damage or was interested in anything other than being noticed.
“It is very clear that he is a young hacker because he wants what 99% of young hackers want, which is fame,” Leo said.
Curry said on Thursday that he had spoken with several Uber employees who said they were “working to shut everything down internally” to restrict the hacker’s access, including the San Francisco-based company’s Slack network.
The hacker had posted an address on the Telegram messaging app. Curry and other researchers then engaged him in a separate conversation, in which the intruder provided screenshots as evidence.
The Associated Press attempted to contact the hacker on the Telegram account, but did not receive a response.
Screenshots posted online appeared to corroborate what the researchers said the hacker claimed: that he obtained privileged access to Uber’s most critical systems through “social engineering.”
The likely scenario was as follows:
The hacker first obtained an Uber employee’s password, possibly through “phishing,” the practice of tricking a user into revealing passwords and other sensitive data. The hacker then bombarded the employee with push notifications asking them to confirm a remote login to their account. When the employee did not respond, the hacker contacted the employee via WhatsApp, posing as a co-worker from the technology department and stressing urgency. Finally, the employee relented and confirmed the remote login with a click of the mouse.
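One check a defender would want against the scenario described above is a detector that flags an MFA approval arriving after a burst of ignored or denied push prompts for the same account. The Python below is an added example for this page, not Uber’s tooling or code from the article or the researchers quoted; the log line format, field names and thresholds are assumptions, and the sample log lines are constructed.

```python
"""Detect MFA push-fatigue ("prompt bombing") in authentication logs.

Added illustration, not Uber's tooling. The log format, field names and
thresholds are assumptions; the sample lines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class MfaEvent:
    ts: datetime
    user: str
    result: str   # one of: sent, timeout, denied, approved
    src_ip: str


# Constructed sample log, not real telemetry. Assumed line format:
#   <ISO-8601 UTC timestamp> user=<name> mfa_push=<result> ip=<address>
SAMPLE_LOG = """\
2022-09-15T09:00:00Z user=alice mfa_push=denied ip=203.0.113.7
2022-09-15T21:02:11Z user=alice mfa_push=timeout ip=203.0.113.7
2022-09-15T21:02:45Z user=alice mfa_push=timeout ip=203.0.113.7
2022-09-15T21:03:30Z user=alice mfa_push=denied ip=203.0.113.7
2022-09-15T21:04:02Z user=alice mfa_push=timeout ip=203.0.113.7
2022-09-15T21:05:00Z user=bob mfa_push=timeout ip=198.51.100.4
2022-09-15T21:06:10Z user=bob mfa_push=approved ip=198.51.100.4
2022-09-15T21:19:47Z user=alice mfa_push=timeout ip=203.0.113.7
2022-09-15T21:31:10Z user=alice mfa_push=approved ip=203.0.113.7
"""


def parse_log(text: str) -> List[MfaEvent]:
    """Parse key=value log lines into MfaEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(MfaEvent(ts, kv["user"], kv["mfa_push"], kv["ip"]))
    return events


def detect_push_fatigue(events, min_unanswered=3, window=timedelta(hours=1)):
    """Flag an approval that follows at least `min_unanswered` timeouts or
    denials for the same user within `window`, counting only pushes issued
    since that user's previous approval. Returns one alert per suspicious
    approval; a user who misses one push and then approves is not flagged."""
    per_user: Dict[str, List[MfaEvent]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        per_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, evs in per_user.items():
        pending: List[MfaEvent] = []   # unanswered pushes since last approval
        for e in evs:
            if e.result in ("timeout", "denied"):
                pending.append(e)
            elif e.result == "approved":
                recent = [p for p in pending if e.ts - p.ts <= window]
                if len(recent) >= min_unanswered:
                    alerts.append({
                        "user": user,
                        "unanswered_pushes": len(recent),
                        "first_push": recent[0].ts,
                        "approved_at": e.ts,
                        "approved_from": e.src_ip,
                    })
                pending = []   # an approval closes the episode
            # "sent" events carry no outcome and are ignored here
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['user']}: {a['unanswered_pushes']} unanswered pushes "
              f"since {a['first_push'].isoformat()}, approved at "
              f"{a['approved_at'].isoformat()} from {a['approved_from']}")
```

Run against the constructed log, the detector raises one alert for alice (five ignored or denied prompts in the half hour before the approval; the morning denial falls outside the window) and none for bob, who missed a single push and approved the next one. In a real deployment the alert should also compare the approving device or IP against the account’s history, since a push-bombing approval is granted to the attacker’s session, not the employee’s usual one.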
“Social engineering” is a popular tactic among cybercriminals because humans are the weakest link in any network. Teenagers used “social engineering” in 2020 to hack Twitter, and more recently it has been used in attacks on the tech companies Twilio and Cloudflare, said Rachel Toback, chief executive of SocialProof Security, which specializes in training workers not to fall victim to the tactic.
“The hard truth is that most organizations in the world can be hacked just like Uber,” Toback tweeted. In an interview, she said that “even super tech-savvy people fall for social engineering methods every day.”
“Attackers are becoming more proficient at circumventing or hacking MFA (Multi-Factor Authentication),” said Ryan Sherstobitoff, principal threat analyst at Security Scorecard.
This is why many security professionals advocate the use of so-called FIDO-type physical security keys for user authentication. However, technology companies have unevenly adopted such hardware.
Contrast Security’s Tom Kellermann said the attack also highlighted the need for real-time monitoring of cloud-based systems to detect intruders more quickly. “Cloud security from the inside needs a lot of attention,” he said, because a single skeleton key can often open every door.
Some experts questioned how much cyber security has improved since Uber was hacked in 2016.
Its former chief security officer, Joseph Sullivan, is currently on trial for arranging a $100,000 payment to hackers to cover up that 2016 intrusion, in which the personal information of about 57 million customers and drivers was stolen.
In a statement released on Friday, Uber said, “The internal software tools we disabled yesterday as a precaution have been restored.”
It said all its services, including Uber Eats and Uber Freight, were operating and that it had notified law enforcement. The FBI said in an email that it is “aware of the cyber incident involving Uber and continues to provide our assistance to the company.”
Uber said there was no evidence that the attacker accessed “sensitive user data” such as travel history, but did not respond to questions from the Associated Press about whether the data was stored encrypted.