How Uber was hacked — again

Last week, an 18-year old hacker used social engineering techniques to compromise Uber’s network. He compromised an employee’s Slack login and then used it to send a message to Uber employees announcing that it had suffered a data breach. Uber confirmed the attack on Twitter within hours, issuing more details on this page. The company claims no user data was at risk, they have notified law enforcement, and all of their services have been restored to operational status. (There were some brief interruptions of various software tools but they are back online too). Uber now thinks the hacker is part of a hacking group called Lapsus$. 

What’s interesting about this incident was the speed at which various publications and security analysts provided coverage, how quickly Uber notified the world, and how much detail we already have about what happened. Contrast this with another Uber hack back in 2016, when the personal information of about 57 million customers and drivers was stolen. That breach wasn’t made public for more than a year and resulted in Uber firing its Chief Security Officer, Joseph Sullivan. He is currently on trial for allegedly arranging to pay hackers $100,000 to cover things up and for the delay in disclosing the breach. The hackers were supposedly forced to sign non-disclosure agreements, an odd way to deal with the breach, to be sure.

How did the breach happen?

Last week’s breach is explained in this Twitter thread, which is unusual because of this level of detail shared by the attacker, who supposedly shared the screen shots shown in the thread. They include consoles controlling Uber’s Amazon Web Services and Google Workspace accounts, along with other critical systems. One security analyst, who reacted to the breach in his own Twitter thread, said that the hacker has almost total administrative control over the company’s computer systems, including software source code and internal messaging systems. 

The hacker — who Uber now believes is a member of the Lapsus$ hacking group which has been behind numerous other high-profile breaches — subsequently spoke to various reporters, and admitted that they gained access by using social engineering techniques on a contractor for the company. They set up a man-in-the-middle MFA portal that tricked this person into revealing his authentication credentials, claiming to be from Uber’s IT department.

The hacker then logged into the corporate VPN and roamed around the network, looking for targets, including a PowerShell script that contained admin access to a privileged access management platform. One destination was Uber’s HackerOne bug bounty reports, which could be very damaging since they would know vulnerabilities that have not yet been remediated and could fetch a premium payout if shared on the dark web. 

Lessons learned

Here are some key takeaways to keep in mind following this breach:

1. Not all MFA methods are created equally

Uber wasn’t using FIDO2 passkeys and hardware tokens to secure its most critical internal accounts. These are more resistant to phishing attacks such as what happened here. Attackers can easily create phony login pages that can collect a user’s information to unsuspecting employees. 

2. Social engineering is still very much a threat

You can have all sorts of security systems, but fighting basic human nature is still hard. It was easy to see how the hacker gained the trust and compromised the Uber employee. Ars Technica points out, “Many organizations and cultures continue to believe that their members are too smart to fall for phishing attacks. They like the convenience of authenticator apps as compared to FIDO2 forms of MFA, which require the possession of a phone or physical key. These types of breaches will remain a fact of life until this mindset changes.”

3. Admin login credentials shouldn’t be hardcoded anywhere

…Especially not in scripts. This essentially means you have zero-factor authentication, since anyone reading the script can figure out the credentials.

4. Having a fallback communication channel is crucial

This channel should be out of band of your network to communicate among your breach response team. After the hacker compromised Slack, they sent various messages claiming the feat which weren’t taken seriously by Uber security staffers, who thought this was a prank (it wasn’t).

Fortunately, Uber reported this breach and acted on it quickly. The company took various steps to lock down its code repository, change credentials, and identified other compromised accounts. They continue to add content to their webpage.