
The devastation of the Uber hack is just beginning to show


On Thursday night, ride-sharing giant Uber confirmed that it was responding to “a cybersecurity incident” and was contacting law enforcement about the breach. An entity claiming to be an 18-year-old hacker claimed responsibility for the attack, bragging to multiple security researchers about the steps they had taken to compromise the company. The attacker reportedly posted, “Hello @here I am a hacker and Uber has suffered a data breach,” in an Uber Slack channel Thursday night. The Slack post also listed a number of Uber databases and cloud services that the hacker claimed to have compromised. The message reportedly ended with the sign-off, “uberunderpaisdrives.”

The company temporarily removed access Thursday night to Slack and a number of other internal services, according to The New York Times, which first reported the breach. In a midday update on Friday, the company said “internal software tools that we took down as a precaution yesterday will be back online.” Using time-honored breach-notification language, Uber also said on Friday that it “has no evidence that the incident involved access to sensitive user data (such as trip history).” However, the screenshots leaked by the attacker show that Uber’s systems may have been deeply and thoroughly compromised, and anything the attacker didn’t access may have been spared because of limited time, not limited opportunity.

“It’s disappointing, and Uber is certainly not the only company that this approach would work against,” offensive security engineer Cedric Owens said of the phishing and social engineering tactics the hacker claimed to have used to compromise the company. “The techniques mentioned in this hack so far are quite similar to what a lot of red teams, myself included, have used in the past. So, unfortunately, violations of this type no longer surprise me.”

The attacker, who could not be reached by WIRED for comment, claims that they first gained access to corporate systems by targeting an individual employee and repeatedly sending them multi-factor authentication login notifications. After more than an hour, the attacker claimed, they contacted the same target on WhatsApp pretending to be an Uber IT employee and said that the MFA notifications would stop once the target approved the login.

Such attacks, sometimes referred to as “MFA fatigue” or “exhaustion” attacks, take advantage of authentication systems in which account owners simply approve logins via push notifications on their device rather than through other means, such as providing a code. MFA-prompt phishing is increasingly popular with attackers. And in general, hackers have increasingly developed phishing attacks to work around two-factor authentication as more companies implement it. The recent Twilio breach, for example, illustrates how dire the consequences can be when a company that provides multi-factor authentication is itself compromised. Organizations that require a physical authentication key for login have succeeded in protecting themselves against such remote social engineering attacks.
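A defender-side sketch of how such a push flood can be spotted in MFA logs, added here as an example and not part of the original article: it flags a burst of denied or timed-out push prompts for one user and escalates when an approval follows the burst. The event format, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): (ISO timestamp, user, push result).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "alice", "approved"),   # ordinary single login
    ("2024-01-10T10:00:00", "carol", "denied"),     # a couple of mistaps,
    ("2024-01-10T10:01:00", "carol", "denied"),     # below the threshold
    ("2024-01-10T10:02:00", "carol", "approved"),
    ("2024-01-10T19:00:00", "bob", "timeout"),      # prompt flood over an hour
    ("2024-01-10T19:10:00", "bob", "denied"),
    ("2024-01-10T19:20:00", "bob", "timeout"),
    ("2024-01-10T19:35:00", "bob", "denied"),
    ("2024-01-10T19:50:00", "bob", "timeout"),
    ("2024-01-10T20:05:00", "bob", "timeout"),
    ("2024-01-10T20:12:00", "bob", "approved"),     # user finally gives in
]

WINDOW = timedelta(minutes=90)  # assumed look-back window
THRESHOLD = 5                   # assumed number of failed prompts that make a burst

def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, kind, timestamp, failed_prompt_count)."""
    recent = defaultdict(deque)  # user -> timestamps of denied/timed-out prompts
    warned = set()               # users already alerted for the current burst
    alerts = []
    for ts_raw, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        failed = recent[user]
        while failed and ts - failed[0] > window:   # expire old prompts
            failed.popleft()
        if result in ("denied", "timeout"):
            failed.append(ts)
            if len(failed) >= threshold and user not in warned:
                alerts.append((user, "burst", ts_raw, len(failed)))
                warned.add(user)
        elif result == "approved":
            # An approval right after a burst is the high-severity case.
            if len(failed) >= threshold:
                alerts.append((user, "approved_after_burst", ts_raw, len(failed)))
            failed.clear()
            warned.discard(user)
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The "burst" alert gives responders a chance to contact the user before an approval happens; "approved_after_burst" should trigger session revocation and a credential reset.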

The phrase “zero trust” has become a sometimes meaningless buzzword in the security industry, but the Uber breach seems to at least show an example of what zero trust is not. Once the attacker had initial access inside the company, they claim, they were able to access resources shared on the network, including scripts for Microsoft’s automation and management program PowerShell. The attacker says that one of the scripts contained hard-coded credentials for an administrator account of the Thycotic access management system. With control of this account, the attacker claims, they were able to obtain access tokens for Uber’s cloud infrastructure, including Amazon Web Services, Google’s GSuite, VMware’s vSphere console, the Duo authentication manager and the key identity and access management service OneLogin.




