Serious Uber breach highlights hacker's social deception


It is not known how much data the hacker stole or how long they spent inside the Uber network.

Uber said Friday that all of its services were up and running after what security experts describe as a massive data breach, adding that there was no evidence the hacker gained access to sensitive user data.

But the hack, apparently the work of a lone hacker, has highlighted an increasingly effective attack pattern built on social engineering: the hacker apparently gained access by posing as a colleague and tricking an Uber employee into giving up his credentials.

They were then able to find passwords on the network that gave them the privileged access level reserved for system administrators.

The potential damage was severe: Screenshots that the hacker shared with security researchers indicate that they gained full access to the cloud-based systems where Uber stores customer data and sensitive financial data.

It is not known how much data the hacker stole or how long they spent inside the Uber network. Two researchers who came into direct contact with the person — one of whom said the hacker identified as 18 years old — said they seemed interested in the publicity. There was no indication that they had corrupted the data.

But files shared with researchers and widely shared on Twitter and other social media indicated that the hacker was able to gain access to Uber’s most important internal systems.

“It was really awful that he got there,” said Corben Leo, one of the researchers who spoke with the hacker online.

The online cybersecurity community — Uber also suffered a serious breach in 2016 — has reacted harshly.

The hack “was not sophisticated or complex and is clearly dependent on many large systemic security culture and engineering failures,” tweeted Lesley Carhart, incident response manager at Dragos Inc., a firm specializing in industrial control systems.

Leo said screenshots shared by the hacker showed the intruder gained access to cloud-based Amazon and Google systems where Uber stores source code, financial data and customer data such as driver’s licenses.

“If he has the keys to the kingdom he can start stopping services. He can delete things. He can download customer data and change people’s passwords,” said Leo, a researcher and head of business development at security firm Zellic.

Screenshots shared by the hacker – many of which found their way online – showed access to sensitive financial data and internal databases. The hack itself was also widely circulated online: the hacker announced it Thursday on Uber’s internal collaboration platform, Slack.

Leo, along with Sam Curry, an engineer at Yuga Labs who also reached out to the hacker, said there was no indication that the hacker caused any harm or was interested in anything more than publicity.

“It’s pretty clear he’s a young hacker because he wants what 99% of young hackers want, which is fame,” Leo said.

Curry said he spoke to several Uber employees on Thursday who said they were “working to shut down everything internally” to restrict the hacker’s access. That includes the San Francisco company’s Slack network, he said.

In a statement posted online on Friday, Uber said: “The internal software tools that we removed as a precaution yesterday are back online.”

It said all of its services – including Uber Eats and Uber Freight – were operating and that it had notified law enforcement. The FBI said by email that it was “aware of the cyber incident related to Uber, and our assistance to the company continues.”

Uber said there was no evidence the hacker accessed “sensitive user data” such as trip history, but did not respond to questions from the Associated Press, including whether the data was stored in encrypted form.

Curry and Leo said the hacker did not indicate how much data was copied. Uber has not recommended any specific actions to its users, such as changing passwords.

The hacker alerted researchers to the break-in Thursday using an internal Uber account on the company’s network that is used to share vulnerabilities identified through its bug-bounty program, which pays ethical hackers to discover network vulnerabilities.

In comments on those posts, the hacker provided the address of a Telegram account. Curry and other researchers then engaged them in a separate conversation, with the intruder providing screenshots as evidence.

The AP tried to contact the hacker on the Telegram account, but received no response.

Screenshots posted online seem to confirm what the researchers said about the hacker: They gained access to Uber’s most important systems through social engineering.

The apparent scenario:

The hacker first obtained the password of an Uber employee, most likely through phishing. The hacker then bombarded the employee with push notifications asking him to confirm a remote login to his account. When the employee did not respond, the hacker reached out via WhatsApp, pretending to be a co-worker from the IT department and stressing the urgency. In the end, the employee gave in and confirmed the login with a single click.

Social engineering is a common hacking strategy, as humans tend to be the weakest link in any network. Rachel Tobac, CEO of SocialProof Security, which specializes in training workers not to fall victim to social engineering, said it was used by teens in 2020 to hack Twitter, and it was recently used in hacks of the tech companies Twilio and Cloudflare.

“The hard truth is that most organizations in the world can be hacked the same way Uber was,” Tobac wrote on Twitter. In an interview, she said, “Even highly tech-savvy people fall for social engineering methods every day.”

“Attackers are getting better at bypassing or stealing MFA (multi-factor authentication),” said Ryan Sherstobitoff, senior threat analyst at SecurityScorecard.

That’s why many security professionals advocate the use of so-called FIDO physical security keys for user authentication. However, adoption of such devices has been sporadic among technology companies.

Tom Kellermann of Contrast Security said the hack also highlighted the need for real-time monitoring in cloud-based systems to better detect intruders. “More attention should be paid to protecting the cloud from the inside,” he said, because one master key can usually open all of its doors.
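The push-bombing scenario described above is exactly the kind of pattern the real-time monitoring Kellermann calls for can catch. As an added example (not from the article, and not any Uber tooling), this small Python detector runs over a constructed authentication log and flags a user whose push approval followed a burst of unanswered prompts; the log format, the one-hour window and the threshold of three prompts are assumptions.

```python
"""Detect the MFA push-fatigue pattern: many unanswered push prompts for one
user inside a time window, followed by an approval. Constructed example;
the log format, window and threshold below are assumptions, not Uber's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: <timestamp> <user> <event> <source ip>
# alice is bombarded with five prompts and eventually approves (the pattern
# in the article); bob is a normal login with one prompt and one approval.
SAMPLE_LOG = """\
2022-09-15T21:02:11Z alice PUSH_SENT 203.0.113.7
2022-09-15T21:02:40Z alice PUSH_SENT 203.0.113.7
2022-09-15T21:03:15Z alice PUSH_SENT 203.0.113.7
2022-09-15T21:04:02Z alice PUSH_SENT 203.0.113.7
2022-09-15T21:05:30Z alice PUSH_SENT 203.0.113.7
2022-09-15T21:55:49Z alice PUSH_APPROVED 203.0.113.7
2022-09-15T21:10:00Z bob PUSH_SENT 198.51.100.9
2022-09-15T21:10:20Z bob PUSH_APPROVED 198.51.100.9
"""


def parse(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_fatigue(log_text, window=timedelta(hours=1), threshold=3):
    """Return {user: prompt_count} for every approval that was preceded by
    at least `threshold` push prompts inside `window`. A single prompt
    followed by an approval (a normal login) is never flagged."""
    events = sorted((parse(l) for l in log_text.strip().splitlines()),
                    key=lambda e: e[0])
    pending = defaultdict(list)  # user -> timestamps of prompts not yet answered
    alerts = {}
    for ts, user, event, _ip in events:
        if event == "PUSH_SENT":
            pending[user].append(ts)
        elif event == "PUSH_APPROVED":
            recent = [t for t in pending[user] if ts - t <= window]
            if len(recent) >= threshold:
                alerts[user] = len(recent)
            pending[user].clear()  # approval closes the pending prompts
    return alerts


if __name__ == "__main__":
    for user, count in detect_push_fatigue(SAMPLE_LOG).items():
        print(f"ALERT: {user} approved after {count} unanswered push prompts")
```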

Some experts have questioned how much Uber’s cybersecurity has improved since it was hacked in 2016.

Former chief security officer Joseph Sullivan is currently on trial for arranging a $100,000 payment to hackers to cover up that high-tech theft, when the personal information of 57 million customers and drivers was stolen.
