Serious breach at Uber spotlights hacker social deception

On Friday, the ride-hailing company Uber stated that all its services were operational following what security professionals called a major data breach. The company said there was no evidence that the hacker had access to sensitive user information.

But the attack, which was apparently carried out by one hacker, brought to light a more sophisticated social engineering-based hacking technique. The hacker posed as a colleague and tricked an Uber employee into giving up their credentials.

They were then able to locate passwords on the network, which gave them the privileged access reserved for system administrators.

The potential damage was severe: Security researchers received screenshots from the hacker indicating that they had full access to Uber’s cloud-based systems. These systems are where sensitive financial and customer data is stored. It is unknown how much data was stolen or how long the hacker was in Uber’s network. Two researchers who communicated directly with the person — who self-identified as an 18-year-old to one of them — said they appeared interested in publicity. There was no evidence that they had deleted data.

But files shared by the researchers and widely shared on Twitter indicated that the hacker had access to Uber’s most important internal systems.

“It was terrible that he had access to these systems,” said Corbin Leo, one of those who chatted with the hacker online, adding that it was “awful.”

The cybersecurity community’s online response — Uber also suffered a serious 2016 hack — was harsh. The hack “wasn’t complicated or sophisticated and clearly hinged upon multiple big systemic security culture and engineering failures,” tweeted Lesley Carhart of Dragos Inc., which specializes in industrial-control systems.

Leo shared screenshots that showed how the hacker gained access to Uber’s cloud-based systems on Amazon and Google. These servers are where Uber keeps financial data, source code, and customer data like driver’s licenses.

“If he had the keys to the kingdom, he could stop services. He could delete things,” said Leo, a researcher and head of business development at security company Zellic, adding that he could access customer data and change passwords.

Screenshots the hacker shared — many of which found their way online — showed sensitive financial data and internal databases accessed. Also widely circulated online: Thursday’s announcement by the hacker about the breach of Uber’s internal Slack collaboration platform.

Leo and Sam Curry, an engineer from Yuga Labs, spoke with the hacker. They said there was no evidence that the hacker was attempting to cause damage or was interested in publicity.

“It is clear that he is a young hacker, because he wants fame 99%.”

Curry stated that he spoke with several Uber employees on Thursday, who said that they were working to “lock down everything internally” in order to limit the hacker’s access. He said that the hacker could access the company’s Slack network in San Francisco.

In a statement posted online Friday, Uber said “internal software tools that we took down as a precaution yesterday are coming back online.”

It said all its services — including Uber Eats and Uber Freight — were operational and that it had notified law enforcement. The FBI sent an email stating that it was aware of the cyber incident involving Uber and that it had notified law enforcement.

Curry and Leo both said that the hacker did not specify how much data was copied. Uber did not recommend specific actions for its customers, such as changing passwords.

The hacker alerted researchers to the intrusion by using an Uber account inside the company. This account was used to post vulnerabilities through the bug-bounty program. This program pays ethical hackers to find network weaknesses.

After commenting upon those posts, the hacker provided a Telegram address. Curry and other researchers engaged the hacker in a separate conversation. The intruder then provided screenshots as proof.

The AP tried to contact the hacker via Telegram, but was unsuccessful.

Screenshots posted online appeared to confirm what the researchers said the hacker claimed: That they obtained privileged access to Uber’s most critical systems through social engineering.

The apparent scenario:

The hacker obtained the password of an Uber employee through phishing. The hacker then sent push notifications to the employee asking them to confirm remote login. The hacker then reached out to the employee via WhatsApp pretending to be a colleague from the IT department, and expressing urgency when he did not respond. The employee finally gave in and confirmed the request with a mouse click.
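The scenario above leaves a recognizable trace in authentication logs: a run of unanswered or denied push prompts for one account, followed by an approval. The sketch below is an added example, not part of the original article or any vendor's tooling; the log format, event names, window and threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed look-back window
THRESHOLD = 3                    # assumed number of ignored/denied prompts

# Constructed sample log: "<ISO time> <user> <event>" (hypothetical event names).
SAMPLE_LOG = """\
2024-01-10T09:00:05 alice PUSH_SENT
2024-01-10T09:00:12 alice PUSH_APPROVED
2024-01-10T22:10:00 bob PUSH_SENT
2024-01-10T22:10:30 bob PUSH_TIMEOUT
2024-01-10T22:11:00 bob PUSH_SENT
2024-01-10T22:11:20 bob PUSH_DENIED
2024-01-10T22:13:00 bob PUSH_SENT
2024-01-10T22:13:30 bob PUSH_TIMEOUT
2024-01-10T22:19:00 bob PUSH_SENT
2024-01-10T22:19:40 bob PUSH_APPROVED
2024-01-10T23:00:00 carol PUSH_SENT
2024-01-10T23:00:30 carol PUSH_TIMEOUT
2024-01-11T08:30:00 carol PUSH_SENT
2024-01-11T08:30:09 carol PUSH_APPROVED
"""

def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return approvals that follow a burst of unanswered or denied prompts."""
    rejected = defaultdict(deque)   # user -> times of recent denied/timed-out prompts
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                # skip blank or malformed lines
        ts, user, event = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        recent = rejected[user]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop rejections that fell outside the window
        if event in ("PUSH_DENIED", "PUSH_TIMEOUT"):
            recent.append(ts)
        elif event == "PUSH_APPROVED":
            if len(recent) >= threshold:
                findings.append({"user": user, "approved_at": parts[0],
                                 "rejected_before": len(recent)})
            recent.clear()          # an approval resets the user's streak
    return findings

if __name__ == "__main__":
    for finding in detect_push_fatigue(SAMPLE_LOG):
        print("ALERT push-fatigue pattern:", finding)
```

On the sample data only bob's approval is flagged; carol's single overnight timeout ages out of the window before her morning login.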

Social engineering is a popular hacking technique, since humans are the weakest link in any network. It was used by teens to hack Twitter in 2020. Recently, it was used in hacks of tech companies Twilio and Cloudflare, according to Rachel Tobac, CEO at SocialProof Security. This company specializes in training workers to avoid social engineering.

“The hard truth is that many orgs around the world could be hacked the same way Uber was hacked,” Tobac tweeted. In an interview, she said “even super tech savvy people fall for social engineering methods every day.”

“Attackers are getting better at bypassing or hijacking MFA (multi-factor authentication),” said Ryan Sherstobitoff, a senior threat analyst at SecurityScorecard. This is why security professionals recommend the use of physical security keys called FIDO for user authentication. However, tech companies have not adopted such hardware in large numbers.

The hack also highlighted the need to have real-time monitoring of cloud-based systems in order to detect intruders better, according to Tom Kellerman from Contrast Security. “Much more attention must go to protecting clouds from within” as a single master key can often unlock all their doors.

Experts questioned how Uber’s cybersecurity has improved since the hack in 2016.

Its former chief security officer, Joseph Sullivan, is currently on trial for allegedly arranging to pay hackers $100,000 to cover up that high-tech heist, when the personal information of about 57 million customers and drivers was stolen.
