The Uber data breach summary

Roughly a week ago, Uber suffered a data breach in which an attacker compromised internal computer systems and left several of them inaccessible. The hacker could access Uber source code, emails, and other internal systems. Earlier in the week Uber provided no specifics, but independent security researchers were able to categorize the attack and dig into the specific details.

The breach began with the compromise of an employee's Slack account, which the hacker then used to broadcast messages on the company's internal Slack. To get in, the hacker repeatedly triggered Multi-Factor Authentication (MFA) push notifications to the employee and used social engineering to get one of them accepted: after the barrage, the hacker sent a WhatsApp message pretending to be part of Uber's IT team and asked the employee to approve the login. MFA notification fatigue wore the employee down until they gave in; the approval let the hacker register their own device, and with it the hacker gained access to the internal Slack system. This attack vector was previously seen in the Mailchimp and Twilio breaches.
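As an added example (not part of the original post), a small detector for the MFA prompt-bombing pattern described above, run over a constructed authentication log; the log format, field names and thresholds are assumptions, not any real identity provider's export:

```python
"""Flag MFA push fatigue ("prompt bombing") in authentication logs: many push
prompts to one user in a short window, mostly denied or timed out, with an
approval at the end of the run being the event worth paging on."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <event> <result>"; field names are assumed.
SAMPLE_LOG = """\
2022-09-15T22:01:10Z alice mfa_push DENIED
2022-09-15T22:01:42Z alice mfa_push TIMEOUT
2022-09-15T22:02:15Z alice mfa_push DENIED
2022-09-15T22:03:05Z alice mfa_push TIMEOUT
2022-09-15T22:04:30Z alice mfa_push DENIED
2022-09-15T22:06:48Z alice mfa_push APPROVED
2022-09-15T22:05:00Z bob mfa_push APPROVED
2022-09-15T23:10:00Z carol mfa_push DENIED
2022-09-15T23:11:00Z carol mfa_push APPROVED
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """Per user, the densest run of push prompts reaching min_prompts inside `window` -> (prompts, rejected, approved)."""
    by_user = defaultdict(list)
    for ts, user, event, result in events:
        if event == "mfa_push":
            by_user[user].append((ts, result))
    findings = {}
    for user, prompts in by_user.items():
        prompts.sort()  # log lines may arrive out of order
        start = 0
        for end in range(len(prompts)):
            while prompts[end][0] - prompts[start][0] > window:
                start += 1  # slide the window so it spans at most `window`
            run = prompts[start:end + 1]
            if len(run) >= min_prompts and len(run) > findings.get(user, (0,))[0]:
                rejected = sum(1 for _, r in run if r != "APPROVED")
                findings[user] = (len(run), rejected, rejected < len(run))
    return findings

if __name__ == "__main__":
    for user, (n, rejected, approved) in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {n} prompts, {rejected} rejected, approved={approved}")
```

A run that ends in an approval after several rejections is the case to escalate; a run with no approval is still worth a call to the user, since it means someone else holds their password.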

After gaining that initial foothold, the hacker found an internal network share containing PowerShell scripts with privileged admin credentials, granting access to critical systems like AWS, GCP, OneLogin (the SSO tenant), SentinelOne, and Slack. PowerShell is a built-in tool within the Windows OS, and it is also widely used by attackers as a post-exploitation tool. Unrestricted PowerShell script execution therefore elevates the risk to systems from threats such as code injection, malware and ransomware.

Following these incidents, stolen data logs were put up for sale, indicating that at least two Uber employees had been infected by the malware "Raccoon", which gathers personal information including passwords, browser cookies, and autofill data, and "Vidar", which collects data on two-factor authentication and is used as spyware. Security researcher Sam Curry also revealed that the hacker gained access to privately disclosed vulnerability reports submitted via HackerOne as part of Uber's bug bounty program.

According to recent reports, the breach was conducted by a member of the Lapsus$ hacking group who goes by the handle "teapotuberhacker". Over the past six months the group has targeted, and stolen data from, high-profile companies such as Nvidia, Samsung, Okta, Twilio, and Cloudflare.

Key Learnings from the Incident

  1. Social engineering remains one of the most successful and prevalent attack vectors. Organizations can train users to spot these methods, but human error never disappears.

  2. Multi-Factor Authentication is a robust layer of protection, but on its own it is insufficient against the ever-evolving threat landscape. It is vital to advance MFA capabilities and stay ahead of adversaries.

  3. Implicit trust must be eliminated by verifying and validating every stage of the security process, using a Zero Trust assessment. Encryption of data at rest and in transit is crucial.

  4. It is crucial to determine your organization's attack surface.

  5. Cybersecurity should be prioritized at the executive level. Acknowledgment should start right from the top of the tree.

References:

https://thehackernews.com/2022/09/uber-blames-lapsus-hacking-group-for.html

https://www.washingtonpost.com/technology/2022/09/15/uber-hack/
