“I announce I am a hacker and Uber has suffered a data breach,” intruder says on Slack.
Uber employees on Thursday discovered that huge swaths of their internal network had been accessed by someone who announced the feat on the company Slack channel. The intruder, who sent screenshots documenting the breach to The New York Times and security researchers, claimed to be 18 years old and was unusually forthcoming about how it occurred and just how far it reached, according to the news outlet, which broke the story.
It didn’t take long for independent researchers, including Bill Demirkapi, to confirm The New York Times coverage and conclude that the intruder likely gained initial access by contacting an Uber employee over WhatsApp.
After successfully obtaining the employee’s account password, the hacker tricked the employee into approving a push notification for multi-factor authentication. The intruder then uncovered administrative credentials that gave access to some of Uber’s crown-jewel network resources. Uber responded by shutting down parts of its internal network while it investigates the extent of the breach.
It’s not yet clear precisely what data the hacker had access to or what other actions the hacker took. Uber stores a dizzying array of data on its users, so it’s possible private addresses and the hourly comings and goings of hundreds of millions of people were accessible or accessed.
Here’s what’s known so far.
How did the hacker get in?
According to the NYT, the above-linked tweet thread from Demirkapi, and other researchers, the hacker socially engineered an Uber employee after somehow discovering the employee’s WhatsApp number. In direct messages, the intruder instructed the employee to log in to a fake Uber site, which quickly grabbed the entered credentials in real time and used them to log in to the genuine Uber site.
Uber had MFA, short for multi-factor authentication, in place in the form of an app that prompts the employee to push a button on a smartphone when logging in. To bypass this protection, the hacker repeatedly entered the credentials into the real site. The employee, apparently confused or fatigued, eventually pushed the button. With that, the attacker was in.
After rifling around, the attacker discovered PowerShell scripts that an admin had stored, which automated the process of logging in to various sensitive network enclaves. The scripts included the credentials needed.
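The repeated push prompts described above leave a recognizable trace in the MFA provider's authentication log: a burst of denied or timed-out pushes for one user, then an approval. The following detector is an added example, not code from the article or from Uber; the log format, the ten-minute window and the threshold of three refusals are assumptions, and the log lines are constructed.

```python
"""Flag MFA push fatigue: an approval that follows a burst of refused pushes
for the same user. Added example; log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice refuses or ignores four pushes from one
# unfamiliar address inside three minutes, then approves the fifth.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z user=alice result=denied ip=203.0.113.7
2022-09-15T22:01:40Z user=alice result=timeout ip=203.0.113.7
2022-09-15T22:02:12Z user=alice result=denied ip=203.0.113.7
2022-09-15T22:02:50Z user=alice result=timeout ip=203.0.113.7
2022-09-15T22:03:30Z user=alice result=approved ip=203.0.113.7
2022-09-15T22:05:00Z user=bob result=approved ip=198.51.100.4
"""

WINDOW = timedelta(minutes=10)  # look-back for earlier prompts (assumption)
THRESHOLD = 3                   # refused pushes before an approval (assumption)

def parse_line(line):
    """'<ts> key=value ...' -> dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, ip, prior_refusals) for each approval preceded by at
    least `threshold` denied/timed-out pushes for that user within `window`."""
    refused = defaultdict(list)  # user -> timestamps of denied/timeout pushes
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, ts = rec["user"], rec["ts"]
        # Forget refusals that fall outside the look-back window.
        refused[user] = [t for t in refused[user] if ts - t <= window]
        if rec["result"] in ("denied", "timeout"):
            refused[user].append(ts)
        elif rec["result"] == "approved":
            if len(refused[user]) >= threshold:
                alerts.append((user, rec["ip"], len(refused[user])))
            refused[user].clear()  # an approval ends the sequence
    return alerts

if __name__ == "__main__":
    for user, ip, n in find_push_fatigue(SAMPLE_LOG):
        print(f"push fatigue: {user} approved after {n} refused pushes from {ip}")
```

The same approval from an address the user has never authenticated from before is the signal worth paging on; the approval alone, without the preceding refusals, looks like a normal login.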
Let’s talk about how they were compromised:
- Let’s talk about how they were compromised. The attacker has been quite upfront about how they compromised Uber’s corporate infrastructure. Uber appears to use push notification MFA (Duo) for their employees. How can an attacker get around MFA? 2/N
- An extremely common misconception people have with standard forms of MFA (Push/touch/mobile) is it prevents social engineering. Although MFA can protect against an attacker who only has the victim’s credentials, it is commonly still vulnerable to MITM attacks. 3/N
- An attacker can set up a fake domain that relays Uber’s real login page with tooling such as Evilginx. The only difference is the domain they are visiting, which is easy to miss. For most MFA, nothing stops the attacker from relaying the authentication process. 4/N
How does an organization even protect themselves against such an attack?
- For starters, using “phishing-resistant” forms of MFA, such as FIDO2, is an extremely effective measure against these social engineering attacks. 5/N
- Back to Uber, once the attacker compromised an employee, they appear to have used that victim’s existing VPN access to pivot to the internal network. Internal infrastructure is often significantly less audited and evaluated compared to external infrastructure. 6/N
- In this case, the attacker appears to have found an internal network share that contains scripts with privileged credentials, giving them the keys to the kingdom. They claim to have compromised Uber’s Duo, OneLogin, AWS & G Suite environments. 7/N
What happened next?
The attacker reportedly sent company-wide texts on Uber Slack channels, announcing the feat.
“I announce I am a hacker and Uber has suffered a data breach,” one message read, according to the NYT. Screenshots provided evidence that the individual had access to assets, including Uber’s Amazon Web Services and G Suite accounts and code repositories.
This story is still developing and these are some extreme claims, but there does appear to be evidence to support it. The attacker has shared several screenshots of Uber’s internal environment, including their G Drive, vCenter, sales metrics, Slack and even their portal. 8/N
It remains unclear what other data the hacker had access to and whether the hacker copied or shared any of it with the world at large. Uber on Friday updated its disclosure page to say: “We have no evidence that the incident involved access to sensitive user data (like trip history).”
Uber’s AWS environment appears to be compromised as well. This screenshot of their IAM portal appears to show that the attacker has administrative access. If true, cloud access could not only include Uber’s websites, but other critical internal services as well. 9/N
The fact that the attackers appear to have compromised an IR team member’s account is worrisome. EDRs can bake in “backdoors” for IR, such as allowing IR teams to “shell into” employee machines (if enabled), potentially widening the attacker’s access. 10/N
What do we know about the hacker?
Not much. The person claims to be 18 years old and took to Uber Slack channels to complain that Uber drivers are underpaid. This, and the fact that the intruder took no steps to conceal the breach, suggest that the breach is likely not motivated by financial gain from ransomware, extortion, or espionage. The identity of the individual remains unknown so far.
What is Uber doing now?
The company acknowledged the breach and is investigating.
After the investigation
Did an 18-year-old really access the crown jewels of one of the world’s most sensitive companies? How can this be?
It’s too soon to say for sure, but the scenario seems plausible, even likely. Phishing attacks remain one of the most effective forms of network intrusion. Why bother with expensive and complex zero-day exploits when there are much easier ways to trespass?
What’s more, phishing attacks over the past few months have grown increasingly sophisticated. Witness this attack that recently breached Twilio and has targeted many more companies. The phishing page automatically relayed entered usernames and passwords to the attackers over the messaging service Telegram, and the attacker entered those into the real site. When a user entered a one-time password generated by an authenticator app, the attackers simply entered that as well. In the event an account was protected by an app such as Duo Security, the attackers would gain access as soon as the employee complied.
Does this mean MFA using one-time passwords or pushes is useless?
This sort of MFA will protect users if their password is compromised through a database breach. But as has been demonstrated repeatedly, it is woefully inadequate at stopping phishing attacks. So far, the only forms of MFA that are phishing-resistant are those that comply with an industry standard known as FIDO2. It remains the MFA gold standard.
Many organizations and cultures continue to believe that their members are too smart to fall for phishing attacks. They like the convenience of authenticator apps as compared to FIDO2 forms of MFA, which require the possession of a phone or physical key. These types of breaches will remain a fact of life until this mindset changes.
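The difference between relayable MFA (the Evilginx-style relay in Demirkapi’s thread, the OTP relay in the Twilio case) and FIDO2, in runnable form. This is an added example, not code from the article or from any vendor; the domains are placeholders, and an HMAC with a shared key stands in for the authenticator’s per-site key pair, because the point being shown is the origin binding, not the signature algorithm.

```python
"""Why a relay phishing page defeats OTP/push MFA but not FIDO2/WebAuthn:
the assertion is signed over the origin the victim's browser actually saw,
so an assertion produced on a look-alike domain fails at the real site.
Added example. Domains are placeholders; an HMAC stands in for the
authenticator's private-key signature (real FIDO2 uses a per-site key pair,
and the site verifies with the registered public key)."""
import hashlib, hmac, json, os

REAL_ORIGIN = "https://login.example"        # placeholder: genuine login page
PHISH_ORIGIN = "https://login-example.test"  # placeholder: look-alike relay page

class Credential:
    """One registered FIDO2 credential. sign() is what the security key does;
    verify() is what the site does with the registered (here: shared) key."""
    def __init__(self):
        self.key = os.urandom(32)
    def _mac(self, data):
        return hmac.new(self.key, hashlib.sha256(data).digest(), "sha256").hexdigest()
    def sign(self, challenge, browser_origin):
        # The browser, not the web page, fills in the origin it is displaying.
        client_data = json.dumps({"challenge": challenge, "origin": browser_origin}).encode()
        return {"clientData": client_data, "signature": self._mac(client_data)}
    def verify(self, assertion):
        return hmac.compare_digest(self._mac(assertion["clientData"]), assertion["signature"])

def site_accepts(cred, challenge, assertion):
    """The genuine site checks the signature, that its own challenge was
    signed, and that the signed origin is its own origin."""
    if not cred.verify(assertion):
        return False
    cd = json.loads(assertion["clientData"])
    return cd["challenge"] == challenge and cd["origin"] == REAL_ORIGIN

def fido2_login(cred, browser_origin):
    challenge = os.urandom(16).hex()  # issued by the real site
    # A relay forwards this same challenge to the victim's browser, but that
    # browser is on PHISH_ORIGIN, so PHISH_ORIGIN is what gets signed.
    return site_accepts(cred, challenge, cred.sign(challenge, browser_origin))

def otp_login(site_code, relayed_code):
    # Contrast: a one-time code or a push approval carries no origin, so a
    # code typed into the look-alike page and relayed is accepted as-is.
    return site_code == relayed_code

if __name__ == "__main__":
    cred = Credential()
    print("FIDO2 on the real site:", fido2_login(cred, REAL_ORIGIN))  # True
    print("FIDO2 through a relay:", fido2_login(cred, PHISH_ORIGIN))  # False
    print("OTP through a relay:", otp_login("482913", "482913"))      # True
```

In a real browser the relay fails one step earlier: WebAuthn will not even offer a credential registered for login.example to a page on an unrelated domain, so the user is never prompted.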
What is the reaction to the breach so far?
Uber’s stock price was down about 4 percent on Friday, amid a broad sell-off that sent share prices of many companies even lower. The Dow Jones Industrial Average dropped 1 percent. The S&P 500 and Nasdaq Composite fell 1.2 percent and 1.6 percent, respectively. It’s not clear what’s driving Uber shares lower and what effect, if any, the breach has had on the drop.
Here is the Uber hack chain: