The recent Uber hack highlights the damage a single compromised account can cause and the lessons cybersecurity professionals can learn. Find the updates on how and why Uber was hacked below.
Thursday, September 15th, 2022 marks the day an alleged teenager gained wide-ranging access to Uber's company systems. Once the ride-share titan confirmed it was "responding to a cybersecurity incident," it became clear that all was not well.
However, Uber didn't release much about the incident until the following Monday, when it revealed that the hacker had accessed internal information and downloaded Slack messages.
Having gained access to Slack, internal dashboards, and Uber's HackerOne account, the attacker wasted no time in letting the company know it had suffered a data breach, announcing it in Uber's own Slack.
How the Hacker Succeeded
Social engineering was the initial way in. The attacker took over an Uber employee's account by tricking them into approving a multi-factor authentication prompt, a technique known as MFA fatigue or push bombing: with the password already in hand, the attacker kept triggering push notifications until the employee approved one.
With that approval, the attacker held a valid VPN session and, through it, a foothold on the company's internal network.
According to the hacker, they then found a network share containing scripts with hard-coded high-privilege credentials, which opened up the remaining systems.
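The MFA-fatigue pattern described above leaves a distinctive trail in an identity provider's logs: a burst of push prompts for one user, often with denials mixed in, followed by an approval. The detector below is an added example, not Uber's tooling or data; the log format and the sample lines are constructed for illustration, and the thresholds (five prompts in ten minutes) are an assumption a SOC would tune to its own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an identity provider's MFA log (not real Uber logs).
# One event per line: ISO timestamp, user, event type, source IP.
SAMPLE_LOG = """\
2022-09-15T20:01:02Z user=j.doe event=password_ok ip=203.0.113.7
2022-09-15T20:01:03Z user=j.doe event=push_sent ip=203.0.113.7
2022-09-15T20:01:20Z user=j.doe event=push_denied ip=203.0.113.7
2022-09-15T20:01:25Z user=j.doe event=push_sent ip=203.0.113.7
2022-09-15T20:02:10Z user=j.doe event=push_sent ip=203.0.113.7
2022-09-15T20:03:40Z user=j.doe event=push_sent ip=203.0.113.7
2022-09-15T20:05:02Z user=j.doe event=push_sent ip=203.0.113.7
2022-09-15T20:06:31Z user=j.doe event=push_sent ip=203.0.113.7
2022-09-15T20:06:45Z user=j.doe event=push_approved ip=203.0.113.7
2022-09-15T20:07:00Z user=a.smith event=push_sent ip=198.51.100.4
2022-09-15T20:07:12Z user=a.smith event=push_approved ip=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$"
)


def parse(log: str):
    """Parse the constructed log format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["event"], m["ip"]))
    return events


def detect_push_bombing(log: str, min_pushes: int = 5, window: timedelta = timedelta(minutes=10)):
    """Alert when a user approves a push after >= min_pushes prompts inside `window`.

    Thresholds are assumptions for the example; tune them to your own baseline.
    Denials inside the window are reported too, since "denied, denied, approved"
    is a strong sign the final tap was exhaustion rather than intent.
    """
    by_user = defaultdict(list)
    for ts, user, event, ip in parse(log):
        by_user[user].append((ts, event, ip))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        for i, (ts, event, ip) in enumerate(evs):
            if event != "push_approved":
                continue
            in_window = [e for e in evs[:i] if ts - e[0] <= window]
            pushes = [e for e in in_window if e[1] == "push_sent"]
            denials = [e for e in in_window if e[1] == "push_denied"]
            if len(pushes) >= min_pushes:
                alerts.append({
                    "user": user,
                    "pushes": len(pushes),
                    "denials": len(denials),
                    "first_push": pushes[0][0].isoformat(),
                    "approved_at": ts.isoformat(),
                    "ip": ip,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_LOG):
        print(alert)
```

In the sample, j.doe receives six prompts and denies one before approving, which trips the rule; a.smith's single prompt and approval is normal login behavior and is left alone. In production the same rule is better expressed as a scheduled query in the SIEM, with the approval's source IP compared against the user's usual locations.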
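Scripts with hard-coded credentials on a file share are exactly what a periodic secret scan is meant to catch before an intruder does. The scanner below is an added example rather than anything from the Uber incident; the file contents, paths and the specific regex rules are constructed for illustration, and the key-like strings are fake.

```python
import re

# Constructed sample of scripts found on a share (not Uber's actual files).
# Every credential-looking value here is fake and chosen to trip the rules.
SHARE_FILES = {
    "deploy/rotate-vms.ps1": """\
# rotate VMs nightly
$pamUser = "svc_pam_admin"
$pamPass = ConvertTo-SecureString "Summer2022!" -AsPlainText -Force
Invoke-RestMethod -Uri https://pam.example.internal/api -Headers @{Authorization = "Bearer eyJhbGciOiJIUzI1NiJ9.c2VjcmV0.abc"}
""",
    "backup/sync.sh": """\
#!/bin/sh
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
aws s3 sync /data s3://backups/
""",
    "docs/readme.txt": "Ask the platform team for access; no credentials are stored here.\n",
}

# Rule set is illustrative; real scanners (gitleaks, trufflehog) ship hundreds of these.
PATTERNS = {
    "powershell_plaintext_secure_string": re.compile(
        r'ConvertTo-SecureString\s+"[^"]+"\s+-AsPlainText', re.IGNORECASE),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._\-]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key_assignment": re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*\S+"),
    "password_assignment": re.compile(
        r"\b(password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{6,}['\"]", re.IGNORECASE),
}


def redact(value: str, keep: int = 6) -> str:
    """Report only a prefix so the scan output itself does not become a credential dump."""
    return value[:keep] + "..." if len(value) > keep else value


def scan_text(path: str, text: str):
    """Return one finding per (line, rule) hit, with the matched value redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append({
                    "file": path,
                    "line": line_no,
                    "rule": rule,
                    "match": redact(m.group(0)),
                })
    return findings


def scan_share(files: dict):
    """Scan every file in a {path: contents} mapping, e.g. built by walking a mounted share."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for finding in scan_share(SHARE_FILES):
        print(f"{finding['file']}:{finding['line']} {finding['rule']} {finding['match']}")
```

Two hits in the PowerShell script (a plaintext secure-string password and a bearer token) and two in the shell script (an AWS access key and its secret) are reported, the readme is clean. The redaction matters: a scan report that echoes full secrets is itself a file an attacker would love to find on the same share.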
In its Monday update, Uber confirmed that it had taken a few internal tools offline; otherwise, customer support was only "minimally impacted."
Suspect Arrested by City of London Police
On Friday, September 23rd, 2022, just over a week after the breach, the City of London Police announced that they had arrested a 17-year-old on suspicion of hacking offenses the previous evening.
Cybersecurity specialists are already near-certain the police have homed in on the leader of Lapsus$, the crime group suspected of having carried out the Uber hack.
The Devastation of the Data Breach
The worst part of the MFA attack was that it exposed admin credentials for Uber's Privileged Access Management (PAM) platform. PAM is the set of tools and processes used to protect, control, and monitor access to critical systems and the credentials that unlock them.
So the breach gave the attacker credentials for, and access to, most of the company's internal systems.
Based on what cybersecurity professionals have pieced together, the hacker gained several critical points of access, including:
- Thycotic — As Uber's PAM system, it's a single tool comprising numerous features that control access to various services. It also hosts a secrets manager holding credentials and passwords, so whoever administers it can read or reset them.
- AWS account — It controls the cloud infrastructure behind Uber's apps. Using this, the attacker may be able to:
- shut down services.
- exploit computing resources.
- delete data.
- ransom data.
- change user permissions.
- acquire sensitive user information.
- VMware vSphere — This virtualization platform manages the virtual machines running on Uber's on-premises servers. The admin functions found here would let the hacker move deeper into the environment.
Less critical, but still significant, the attacker also reached SentinelOne, the extended detection and response platform the company uses. It sees every system on the network and raises alerts when security problems arise, so an attacker with access to its console could silence those alerts or disable agents and prolong the attack.
The Security Lessons Learned
Experts are calling this a social engineering attack that defeated security measures, particularly MFA. That presents a couple of learning opportunities so companies and individuals can protect themselves in the future.
Resilient Forms of 2FA Are Key
The main takeaway from the Uber breach is the importance of choosing resilient rather than merely convenient forms of 2FA. A push notification that can be approved with one tap is convenient, but that same convenience is what an attacker exploits by bombarding the user with prompts; a factor that cannot be approved by accident or relayed to another site is far harder to hack.
With so many methods available, professionals should endeavor to use phishing-resistant MFA techniques, such as:
- Apps — Authenticator apps generate a time-based code that the user must open the app to read. They're a huge step up from SMS and one-tap push approvals. However, a code can still be phished: whatever the user types into a convincing fake login page, the attacker can relay to the real one within the same 30-second window.
- Hardware tokens — These are independent physical devices that generate codes or, better, perform FIDO2/WebAuthn authentication over a Bluetooth, NFC, or USB connection. A WebAuthn signature is bound to the site's origin, so an assertion relayed from a phishing page fails verification. They are highly secure. The only problem? Employees may lose them, so enroll a backup key.
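The difference between the two list items above is easiest to see in code. The block below is an added example, not code from the original article: it implements RFC 6238 TOTP with the standard library and then a deliberately simplified sketch of a WebAuthn assertion, with an HMAC standing in for the authenticator's ECDSA signature and the origin names, challenge and credential key all constructed. It shows that a relayed TOTP code is accepted within its time step, while a relayed assertion is rejected because the signed client data names the phishing origin. (In a real browser the credential would not even be found for the phishing site's rpId; the simulation lets the authenticator sign anyway to exercise the server-side check.)

```python
import base64
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The code depends only on the secret and the
    time step, not on which website the user types it into."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_assertion(cred_key: bytes, rp_id: str, origin: str, challenge: bytes) -> dict:
    """Authenticator side (simplified). The browser, not the user, fills in the origin
    it is actually on, and the signature covers rpIdHash plus the hash of that client data.
    HMAC-SHA256 stands in for the ECDSA signature a real authenticator produces."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def verify_assertion(cred_key: bytes, rp_id: str, expected_origin: str,
                     challenge: bytes, assertion: dict) -> bool:
    """Relying-party side: accept only assertions bound to our origin, rpId and challenge."""
    try:
        cd = json.loads(assertion["client_data"])
    except (KeyError, ValueError):
        return False
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False  # this is the check a phishing relay cannot get past
    if cd.get("challenge") != _b64url(challenge):
        return False  # replay of an old assertion
    if assertion.get("auth_data") != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def relay_scenarios() -> dict:
    """Constructed phishing relay: the victim interacts with a look-alike site that
    forwards everything to the real login page in real time."""
    real_origin, rp_id = "https://login.example.com", "login.example.com"
    phish_origin, phish_rp = "https://login-example.com", "login-example.com"

    # TOTP: the code typed into the phishing page is still valid at the real site
    # a few seconds later (assumes the relay lands inside the same 30 s step).
    seed = b"12345678901234567890"  # RFC 6238 test secret
    t = 1_663_270_000
    victim_code = totp(seed, t)
    totp_relay_accepted = totp(seed, t + 8) == victim_code

    # Origin-bound: the attacker forwards the real site's challenge to the victim,
    # but the victim's browser signs it with the phishing origin baked in.
    cred_key = hashlib.sha256(b"constructed credential private key").digest()
    challenge = b"server-chosen-random-challenge-bytes"
    victim_assertion = sign_assertion(cred_key, phish_rp, phish_origin, challenge)
    webauthn_relay_rejected = not verify_assertion(
        cred_key, rp_id, real_origin, challenge, victim_assertion)

    legit_assertion = sign_assertion(cred_key, rp_id, real_origin, challenge)
    webauthn_legit_accepted = verify_assertion(
        cred_key, rp_id, real_origin, challenge, legit_assertion)

    return {
        "totp_relay_accepted": totp_relay_accepted,
        "webauthn_relay_rejected": webauthn_relay_rejected,
        "webauthn_legit_accepted": webauthn_legit_accepted,
    }


if __name__ == "__main__":
    print(relay_scenarios())
```

The TOTP function reproduces the RFC 6238 test vector (seed `12345678901234567890`, time 59 gives `287082` at six digits), so the comparison is against a correct implementation rather than a strawman; the authenticator app is doing its job, it simply has no way to know where the code is going. The origin check in `verify_assertion` is what makes a security key phishing-resistant, and it is the one line a relying party must never skip.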
Understanding Who to Trust
Account access should be granted on a need-to-know basis. Employees should be trained to recognize the surefire signs of a phishing or social engineering request, such as an unsolicited message from "IT" asking them to approve an MFA prompt they did not initiate.
As a general rule, any request for two-factor codes or passwords should be refused and reported, no matter who claims to be asking.
This Uber Hack Might Not Be the First, But Hopefully, It’s The Last
Unfortunately, this isn't the first time Uber has suffered a major data breach. But by strengthening MFA and learning from these security pitfalls, it may just be the last.