Written by Mikel Pearce
On September 15, Uber revealed that it was responding to a “cybersecurity incident”. Over the past weekend, various details have emerged about the incident. Wired Magazine’s early article on the breach contains a wealth of information.
Uber announced on Friday that there was “no evidence that the incident involved access to sensitive user data”. However, online analysts quickly used screenshots posted by the alleged 18 year old hacker to cast doubt on that assertion.
The hacker apparently gained initial access through an attack that flooded a user account with 2FA login requests, one of which the user eventually allowed. This attack vector is sometimes referred to as “MFA Fatigue”. It relies upon MFA systems that allow users to authenticate from another (pre-registered) device with a simple “yes” rather than with a six-digit code or other means of authentication.
Bleeping Computer reported that this same technique has been used in attacks against other organisations such as Twitter, Robinhood and Okta.
In a more recent development, Uber has alleged that the hacker gained access through a contractor, that the hacker may have bought the contractor’s password on the dark web, and that the hacker is associated with the threat actor group known as Lapsus$. Uber’s security update noted that Lapsus$ is alleged to have breached Microsoft, Cisco, Samsung, Nvidia, and Okta, in 2022 alone.
Going further, a Wired Magazine article reports that the attacker gained access to several internal Uber systems, and that the level of access gained by the hacker was equivalent to a Roald Dahl’s “golden ticket”. Clearly, we will have to wait and see just how much access the hacker gained, and how much, if any, data was exfiltrated.
Bleeping Computer suggests that the hacker may have gained access to Uber’s “bug bounty” program, and may already be selling details of bugs or vulnerabilities in Uber’s systems on the dark web, which would present a major issue for Uber, and a significant increase in its vulnerability to future attacks.
Uber’s stock dipped slightly following the announcement of the issue, from USD $34.00 on 15 September, to a low of $30.96 on Friday morning, and has hovered below $32.00 since.
This attack is certainly an illustration of how quickly an attacker can move laterally inside a given network once they have access to any portion of the network. While there are some reports that the hacker was in Uber’s network for up to four days, it appears that the hacker gained access to multiple platforms, and was able to bypass Uber’s internal security relatively easily.
That is not likely to sit well with the Congressional committee investigating so-called “Big Tech” and may well lead to Uber executives being called to testify.
While Uber is still taking the position that no sensitive user information was accessed, this will bear watching in the coming weeks and months.
If you need help optimising your company’s systems to prevent such an attack, or help recovering from one, please reach out to CyberClan using the form below.