CyberMorans,
Uber Technologies, Inc. is an American mobility as a service provider, allowing users to book a car and driver to transport them in a way similar to a taxi. It is based in San Francisco with operations in approximately 72 countries and 10,500 cities in 2021.
Uber suffered a cyberattack Thursday afternoon with an allegedly 18-year-old hacker downloading HackerOne vulnerability reports and sharing screenshots of the company's internal systems, email dashboard, and Slack server.
The screenshots shared by the hacker đ show what appears to be full access to many critical Uber IT systems, including the company's security software and Windows domain.
Other systems accessed by the hacker đ include the Uber's Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard for managing the Uber email accounts.
The Hackerđ also breached the Uber Slack server, which he used to post messages to employees stating that the company was hacked. However, screenshots from Uber's slack indicate that these announcements were first met with memes and jokes as employees had not realized an actual cyberattack was taking place.
Uber has since confirmed the attack, tweeting that they are in touch with law enforcement and will post additional information as it becomes available.
"We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available," tweeted the Uber Communications account.
The New York Times, which first reported on the breach, said they spoke to the threat actorđ, who said they breached Uber after performing a social engineering attack on an employee and stealing their password.
The Hackerđ then gained access to the company's internal systems using the stolen credentials. On Friday afternoon, Uber posted an additional update stating that the investigation is still ongoing.
More details đ§
After the attackerđ announced that they breached Uber's systems on the company's Slack server and in comments to submission on the HackerOne bug bounty program, security researchers reached out to the hacker to learn more about the attack.
In a conversation between the hackerđ and security researcher Corben Leođ§ (screenshots on twitter) the hacker said they were able to gain access to Uber's Intranet after conducting a social engineering attack on an employee.
According to the hackerđ, they attempted to log in as an Uber employee but did not provide details on how they gained access to the credentials. As the Uber account was protected with multi-factor authentication, the attacker allegedly used an MFA Fatigue attack and pretended to be Uber IT support to convince the employee to accept the MFA request â
Hackerđ used an MFA Fatigue attack Source: BleepingComputer
MFA Fatigue attacks are when a hackerđ has access to corporate login credentials but is blocked from access to the account by multi-factor authentication. They then issue repeated MFA requests to the target until the victims become tired of seeing them and finally accept the notification đ¨
This social engineering tactic has become very popular in recent attacks against well-known companies, including Twitter, MailChimp, Robinhood, and Okta.
After gaining access to the credentials, the actorđ said that they logged into the Internal network through the corporate VPN and began scanning the company's Intranet for sensitive information.
As part of these scans, the hackerđ says they found a PowerShell script containing admin credentials for the company's Thycotic privileged access management (PAM) platform, which was used to access the login secrets for the company's other internal services.
"ok so basically uber had a network share \\[redacted]pts. the share contained some powershell scripts. one of the powershell scripts contained the username and password for an admin user in Thycotic (PAM) Using this i was able to extract secrets for all services, DA, DUO, Onelogin, AWS, Gsuite" đ§
The New York Times reports that the attackerđ claimed to have accessed Uber databases and source code as part of the attack. To be clear, this information is from the hackerđ and has NOT been verified by Uber.
Uber's vulnerability reports exposed
While it's possible that the actorđ stole data and source code from Uber during this attack, they also had access to what could be an even more valuable.
According to Yuga Labs security engineer Sam Curryđ§, the hackerđ also had access to the company's HackerOne bug bounty program, where they commented on all of the company's bug bounty tickets.
Comments by the hacker on HackerOne (bugbounty) submissions Source: BleepingComputer
Uber runs a HackerOne bug bounty program that allows security researchersđ§ to privately disclose vulnerabilities in their systems and apps in exchange for a monetary bug bounty reward. These vulnerability reports are meant to be kept confidential until a fix can be released to prevent attackers from exploiting them in attacks đ§
An Uber employee said the hackerđ had access to all of the company's private vulnerability submissions on HackerOne. The attackerđ downloaded all vulnerability reports before they lost access to Uber's bug bounty program. This likely includes vulnerability reports that have not been fixed, presenting a severe security risk to Uber.
HackerOne has since disabled the Uber bug bounty program, cutting off access to the disclosed vulnerabilities.
However, the hacker had probably already downloaded the vulnerability reports and would likely sell them to other hackers to cash out on the attack quickly đ
Conclusion
Subscribe to receive notifications of similar posts đ where we will be reverse engineering malware and the technical aspect of vulnerabilities as well as how an attacker may use this vulnerability as an attack vector and other Infosec stuff...đ
Morans,
Thank you for your time, Like and leave a comment/review and as always, stay awesome! đđ đŞ