An 18-year-old hacker is claiming responsibility for what is believed to be a huge breach of security controls at Uber.
The New York Times said Thursday the hacker claims to have been given initial access through one of the oldest tricks in a threat actor’s arsenal: Pretending to be a member of the company’s IT department and persuading the victim to tell them their corporate password.
British-based cybersecurity reporter Graham Cluley reports that the alleged hacker posted a message with more detail, claiming they spammed the employee for over an hour with push messages apparently asking for login confirmation. They then contacted the staffer via WhatsApp, posing as an IT worker, and advised the Uber employee that if they wanted to stop the messages they should accept the access request.
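As an added defender-side example (not from the article or any vendor quoted in it), the following Python flags the pattern described above in authentication logs: a burst of MFA push prompts to one account followed by an approval. The log format, event names and the five-prompts-per-hour threshold are assumptions.

```python
"""Added example: detect MFA push-fatigue (prompt bombing) in auth logs.
Log format, event names and threshold are assumptions, not Uber's."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # look-back window for counting prompts
THRESHOLD = 5                   # prompts in that window that count as bombing

# Constructed sample log, time-ordered: "<timestamp> <user> <event>".
SAMPLE_LOG = """\
2022-09-15T09:00:00Z bob push_sent
2022-09-15T09:00:20Z bob push_approved
2022-09-15T20:01:00Z alice push_sent
2022-09-15T20:10:00Z alice push_sent
2022-09-15T20:10:30Z alice push_denied
2022-09-15T20:20:00Z alice push_sent
2022-09-15T20:30:00Z alice push_sent
2022-09-15T20:30:40Z alice push_timeout
2022-09-15T20:40:00Z alice push_sent
2022-09-15T20:50:00Z alice push_sent
2022-09-15T20:58:00Z alice push_approved
"""

def parse(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_push_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (user, prompts_in_window, approval_time) for every approval
    preceded by at least `threshold` push prompts inside `window`.
    Lines must be in time order; a normal login (one prompt) never fires."""
    recent = defaultdict(deque)  # user -> timestamps of recent push_sent
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, event = parse(line)
        q = recent[user]
        while q and ts - q[0] > window:  # age out prompts older than the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
        elif event == "push_approved" and len(q) >= threshold:
            alerts.append((user, len(q), ts))
    return alerts

def run_sample():
    return detect_push_fatigue(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for user, n, ts in run_sample():
        print(f"ALERT {user}: approval at {ts:%H:%M} after {n} prompts in an hour")
```

Bob's single prompt-and-approve is a normal login and is not flagged; only alice's approval after six prompts in under an hour produces an alert.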
The breach appeared to have compromised many of Uber’s internal systems, the Times said, because the person claiming responsibility for the hack sent images of email, cloud storage, and code repositories to cybersecurity researchers.
“They pretty much have full access to Uber,” the Times quoted Sam Curry, a security engineer at Yuga Labs, who corresponded with the alleged hacker. “This is a total compromise, from what it looks like.”
Uber hasn’t given details of the hack or said whether the person claiming responsibility for the intrusion actually tricked an employee. Nor is it known if the employee’s account was protected with multifactor authentication (MFA) that the attacker was able to bypass.
As often happens in the hack of a highly visible organization, security vendors were quick to comment. If the claims of the 18-year-old are accurate, and if the employee used MFA, the incident shows that just using multifactor authentication is not enough to protect against the kind of lateral movement the attacker says took place, Yaron Kassner, CTO and co-founder of Silverfort, said in a statement.
“Organizations need to make sure they are using MFA capable of protecting against lateral movement. For example, the attacker says they accessed a shared folder containing credentials used for scripts. This is exactly the kind of resource that would benefit from multi-factor authentication.”
“According to the details being shared, these maliciously obtained service account credentials were then used to compromise a PAM (privileged access management) solution, giving the attacker the keys to the kingdom and access to many sensitive systems. This stresses the fact that service accounts must also be protected, and that protecting access to the PAM with MFA is insufficient. One must also protect access with the secrets extracted from PAM.”
Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, was more skeptical about the identity of the attacker.
“The allegedly immense scale and scope of the data breach may evidence a carefully planned and rigorously executed attack by a sophisticated threat actor,” he said in a statement. “The reported social engineering attack vector – in isolation from other activities – seems to be highly improbable here, as many different and critical systems have been simultaneously compromised. One may, of course, hypothesize a total lack of internal security controls (e.g. MFA) and massive password reuse at Uber, however, this version currently seems to be unpersuasive.
“We should wait for the official statement from Uber once the investigation is over: it is possible that Uber fell victim to a sophisticated cyber threat actor looking to get sensitive information about locations and trips of VIP persons, journalists, and politicians, whilst the disclosed version of the incident is just a smoke screen.”
Uber is renowned for having some of the best cybersecurity in the business, said Ian McShane, vice-president of strategy at Arctic Wolf, so the fact they have been compromised points to what everyone should know: Nobody’s perfect and even the best managed security organizations can be compromised. “The key is how quickly you respond and mitigate the issue, which they appear to have done here.”
The intruder apparently was able to connect to a corporate VPN to gain access to the wider Uber network, McShane said, and then seems to have stumbled on gold in the form of admin credentials stored in plain text on a network share.
“Given the access they claim to have gained, I’m surprised the attacker didn’t attempt to ransom or extort,” he added. “It looks like they did it ‘for the lulz’.”
Uber’s communications feed on Twitter issued this message Thursday evening: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”
Uber was the victim of a 2016 hack when two people tried to extort the company after stealing data on 57 million drivers and customers. Uber paid US$100,000 to the hackers to keep the incident quiet. Word of that compromise of security controls didn’t become known to the company’s board, and then to the public, until a year later. Uber paid a US$146 million fine to American authorities over the incident and promised to tighten security.
Two months ago, Uber accepted responsibility for not reporting that breach to the U.S. Federal Trade Commission as part of a settlement with U.S. prosecutors to avoid criminal charges.
(This story has been updated from the original with the addition of the link to Graham Cluley’s story)