Severe breach at Uber spotlights hacker social deception

The ride-hailing service Uber said Friday that all its services were operational following what security professionals are calling a major data breach, claiming there was no evidence the hacker got access to sensitive user data.

But the breach, apparently by a lone hacker, put the spotlight on an increasingly effective break-in routine involving social engineering: The hacker apparently gained access posing as a colleague, tricking an Uber employee into surrendering their credentials.

They were then able to locate passwords on the network that got them the level of privileged access reserved for system administrators.

The potential damage was serious: Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.

It’s not known how much data the hacker stole or how long they were inside Uber’s network. Two researchers who communicated directly with the person — who self-identified as an 18-year-old to one of them — said they appeared interested in publicity. There was no indication they destroyed data.

But files shared with the researchers and posted widely on Twitter and other social media indicated the hacker was able to access Uber’s most crucial internal systems.

“It was really bad the access he had. It’s horrible,” said Corbin Leo, one of the researchers who chatted with the hacker online.

The cybersecurity community’s online reaction — Uber also suffered a serious 2016 breach — was harsh.

The hack “wasn’t sophisticated or complicated and clearly hinged on multiple big systemic security culture and engineering failures,” tweeted Lesley Carhart, incident response director of Dragos Inc., which specializes in industrial-control systems.

Leo said screenshots the hacker shared showed the intruder got access to systems stored on Amazon and Google cloud-based servers where Uber keeps source code, financial data and customer data such as driver’s licenses.

“If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people’s passwords,” said Leo, a researcher and head of business development at the security company Zellic.

Screenshots the hacker shared — many of which found their way online — showed sensitive financial data and internal databases accessed. Also widely circulating online: The hacker announcing the breach Thursday on Uber’s internal Slack collaboration system.

Leo, along with Sam Curry, an engineer with Yuga Labs who also communicated with the hacker, said there was no indication that the hacker had done any damage or was interested in anything more than publicity.

“It’s pretty clear he’s a young hacker because he wants what 99% of what young hackers want, which is fame,” Leo said.

Curry said he spoke to several Uber employees Thursday who said they were “working to lock down everything internally” to restrict the hacker’s access. That included the San Francisco company’s Slack network, he said.

In a statement posted online Friday, Uber said “internal software tools that we took down as a precaution yesterday are coming back online.”

It said all its services — including Uber Eats and Uber Freight — were operational and that it had notified law enforcement. The FBI said via email that it is “aware of the cyber incident involving Uber, and our assistance to the company is ongoing.”

Uber said there was no evidence that the intruder accessed “sensitive user data” such as trip history but did not respond to questions from The Associated Press, including about whether data was stored encrypted.

Curry and Leo said the hacker did not indicate how much data was copied. Uber did not recommend any specific actions for its users, such as changing passwords.

The hacker alerted the researchers to the intrusion Thursday by using an internal Uber account on the company’s network used to post vulnerabilities identified through its bug-bounty program, which pays ethical hackers to ferret out network weaknesses.

After commenting on those posts, the hacker provided a Telegram account address. Curry and other researchers then engaged them in a separate conversation, where the intruder provided the screenshots as proof.

The AP tried to contact the hacker at the Telegram account, but received no response.

Screenshots posted online appeared to confirm what the researchers said the hacker claimed: That they obtained privileged access to Uber’s most critical systems through social engineering.

The apparent scenario:

The hacker first obtained the password of an Uber employee, likely through phishing. The hacker then bombarded the employee with push notifications asking them to confirm a remote log-in to their account. When the employee did not respond, the hacker reached out via WhatsApp, posing as a fellow worker from the IT department and expressing urgency. Ultimately, the employee caved and confirmed with a mouse click.
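The scenario above has a recognizable shape in authentication logs: a burst of push challenges that the user ignores or denies, followed some time later by a single approval. The following Python detector is an added illustration written for this page; it is not code from the AP report or from Uber. The log format, the field names (`user`, `event`, `result`, `ip`), the sample lines and the thresholds are all assumptions made for the example.

```python
"""Push-fatigue detection over authentication logs.

Added illustration, not code from the AP report or from Uber: the log
format, field names (user, event, result, ip) and the thresholds are
assumptions chosen for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (synthetic; not real Uber data).
# "alice" shows the scenario from the article: repeated pushes that are
# ignored or denied, then one approval; "bob" and "carol" are normal logins.
SAMPLE_LOG = """\
2022-09-15T20:01:03Z user=alice event=mfa_push result=timeout ip=203.0.113.9
2022-09-15T20:01:41Z user=alice event=mfa_push result=timeout ip=203.0.113.9
2022-09-15T20:02:20Z user=alice event=mfa_push result=denied ip=203.0.113.9
2022-09-15T20:03:05Z user=alice event=mfa_push result=timeout ip=203.0.113.9
2022-09-15T20:31:50Z user=alice event=mfa_push result=approved ip=203.0.113.9
2022-09-15T20:05:10Z user=bob event=mfa_push result=approved ip=198.51.100.4
2022-09-15T21:10:00Z user=carol event=mfa_push result=timeout ip=192.0.2.7
2022-09-15T21:12:00Z user=carol event=mfa_push result=approved ip=192.0.2.7
"""

# Assumed tuning: three or more unapproved pushes in the hour before an
# approval is treated as a fatigue pattern worth a human look.
UNAPPROVED_THRESHOLD = 3
LOOKBACK = timedelta(hours=1)


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text, threshold=UNAPPROVED_THRESHOLD, lookback=LOOKBACK):
    """Return one alert dict per approval preceded by a burst of unapproved pushes."""
    pushes_by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            pushes_by_user[rec["user"]].append(rec)

    alerts = []
    for user, events in pushes_by_user.items():
        events.sort(key=lambda r: r["ts"])
        for ev in events:
            if ev["result"] != "approved":
                continue
            # Count the timed-out or denied pushes in the lookback window
            # that ended with this approval.
            window_start = ev["ts"] - lookback
            unapproved = [
                e for e in events
                if e["result"] != "approved" and window_start <= e["ts"] < ev["ts"]
            ]
            if len(unapproved) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ev["ts"].isoformat(),
                    "approval_ip": ev["ip"],
                    "unapproved_pushes": len(unapproved),
                    "source_ips": sorted({e["ip"] for e in unapproved}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Run stand-alone, the script flags only the `alice` session (four unapproved pushes before the approval) and leaves the ordinary logins alone. The useful response to such an alert is to review the session that was approved and the account's subsequent privileged activity, which is the kind of real-time monitoring the article's later paragraphs call for; phishing-resistant authenticators such as FIDO keys remove the approval prompt that this pattern depends on.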

Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Teenagers used it in 2020 to hack Twitter and it has more recently been used in hacks of the tech companies Twilio and Cloudflare, said Rachel Tobac, CEO of SocialProof Security, which specializes in training workers not to fall victim to social engineering.

“The hard truth is that most orgs in the world could be hacked in the exact way Uber was just hacked,” Tobac tweeted. In an interview, she said “even super tech savvy people fall for social engineering methods every day.”

“Attackers are getting better at by-passing or hi-jacking MFA (multi-factor authentication),” said Ryan Sherstobitoff, a senior threat analyst at SecurityScorecard.

That is why many security professionals advocate the use of so-called FIDO physical security keys for user authentication. Adoption of such hardware has been spotty among tech companies, however.

The hack also highlighted the need for real-time monitoring in cloud-based systems to better detect intruders, said Tom Kellermann of Contrast Security. “Much more attention must be paid to protecting clouds from within” because a single master key can typically unlock all their doors.

Some experts questioned how much cybersecurity has improved at Uber since it was hacked in 2016.

Its former chief security officer, Joseph Sullivan, is currently on trial for allegedly arranging to pay hackers US$100,000 to cover up that high-tech heist, when the personal information of about 57 million customers and drivers was stolen.
