Ride-hailing giant Uber took some of its
operations offline late Thursday after it discovered that its internal systems
have been compromised. The attacker was able to social-engineer his way into an
employee’s Slack account before pivoting deeper into the network, the company
said.
While the full extent of the breach has yet
to come to light, the person claiming responsibility for the attack (reportedly a teenager) claimed to have troves of emails,
data pilfered from Google Cloud storage, and Uber’s proprietary source code,
“proof” of which he sent out to some cybersecurity researchers and
media outlets, including The New York Times.
“They pretty much have full access to
Uber,” Sam Curry, security engineer at Yuga Labs, told the Times. “This is a total compromise, from what
it looks like.”
Compromise Dominoes
The Slack collaboration platform was the
first system taken offline, but other internal systems quickly followed,
according to reports. Just before the disablement, the attacker sent off a
Slack message to Uber employees (some of whom shared
it on Twitter): “I announce I am a hacker and Uber has suffered a data
breach.”
The perp also told researchers and media that
the breach began with a text message to an Uber employee, purporting to be from
corporate IT. The “tech support” message simply asked for a password,
which the worker handed over.
“While no official explanation has been
provided yet, [apparently] the intruder was
able to connect to the corporate VPN to gain access to the wider Uber network,
and then seems to have stumbled on gold in the form of admin credentials stored
in plain text on a network share,” Ian McShane, vice president of strategy
at Arctic Wolf, said in a statement. “This is a pretty low-bar-to-entry
attack and is something akin to the consumer-focused attackers calling people
claiming to be Microsoft and having the end user install keyloggers or remote
access tools.”
In a media statement to the Times, an Uber
spokesperson confirmed that social engineering was the point of entry, and
simply said that the company was working with law enforcement to investigate
the breach. Publicly, via Twitter, the company
posted, “We are currently responding to a cybersecurity incident. We
are in touch with law enforcement and will post additional updates here as they
become available.”
According to reports, the hacker said he is
18 years old and targeted the company to demonstrate its weak security; there
may also be a hacktivist element, because he also declared in the Slack message
to employees that Uber drivers should be paid more.
“Given the access they claim to have
gained, I’m surprised the attacker didn’t attempt to ransom or extort, it looks
like they did it ‘for the lulz,'” McShane added.
Not Uber’s First Data Breach Ride
Uber was the subject of another massive
breach, back in 2016. In that incident, cyberattackers made off with personal
information for 57 million customers and drivers, demanding $100,000 in
exchange for not weaponizing the data (the company paid up). A subsequent criminal investigation
led to a non-prosecution settlement with the US Department of
Justice this summer, which included Uber admitting that it actively covered up
the full extent of the breach, which it didn’t even disclose for more than a year.
Also related to that earlier hit, in 2018
Uber settled nationwide civil litigation by paying $148 million to all
50 states and the District of Columbia; and, ironically given the new
developments, it agreed to “implement a corporate integrity program,
specific data security safeguards, and incident response and data breach
notification plans, along with biennial assessments.”
