Last week, a bad actor hacked their way into Uber's systems, calling for higher pay for Uber drivers nationwide. The security incident was acknowledged by Uber directly on Sept. 15 and resulted in the rideshare company taking some of its internal systems offline temporarily while it investigated the issue.
Uber's systems are now back online, though the damage to the company's reputation has already been done, compounding the blow from Uber's 2016 security incident. According to The New York Times, the bad actor was none other than an 18-year-old who simply gained access because of the company's "weak security," though after its own investigations, Uber is linking the hack to an international ring of hackers known as Lapsus$.
Employees reportedly became aware of the hack after they received an email instructing them to stop using Slack, the company's internal messaging tool. This is the same messaging platform where the bad actor reportedly made their presence known by sending a message which read, “I announce I am a hacker and Uber has suffered a data breach," along with a call for higher pay for drivers. Employees are said to have thought that someone was playing a joke and mocked the bad actor. Later, they reported that any time they attempted to reach a website, they were instead presented with a page displaying a pornographic image alongside the words “F*** you wankers."
In a statement released Friday, Uber said that it had "no evidence" that the bad actor gained access to sensitive user data. It later clarified on Monday that the attackers had not accessed any public-facing systems or databases with sensitive user data on them. Uber did acknowledge that the attackers did have access to several of its core infrastructure resources, something that the attacker openly shared images of with security researchers, last week.
“They pretty much have full access to Uber,” said Sam Curry, a security engineer at Yuga Labs. “This is a total compromise, from what it looks like.”
The threat actor chatted with several security researchers on the matter, providing screenshots and details on their Tactics, Techniques, and Procedures (TTPs) for the breach. According to the hacker, they compromised an employee and obtained their credentials through social engineering. Uber says that the compromised account actually belonged to an external vendor and that it believes the password was scraped from the dark web rather than obtained through social engineering as the attacker claimed. The company says that this account did have Multi-Factor Authentication enabled, but the contractor accepted one of the MFA push notifications, and the attacker was permitted to log in.
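The login described above, where a user eventually accepts one of a stream of MFA push prompts, leaves a recognisable trace in an identity provider's logs: many pushes to the same account in a short window, ending in an approval. The following is an added example, not code from the article or from Uber, of how a defender can flag that pattern. The log format, the user names, the IPs and the event names (`push_sent`, `push_denied`, `push_approved`) are constructed for the example; a real provider's export would need its own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export from a hypothetical MFA provider (not real Uber logs).
# One event per line: <ISO-8601 timestamp> <user> <event> <source IP>
SAMPLE_LOG = """\
2022-09-14T22:01:05Z contractor42 push_sent 203.0.113.10
2022-09-14T22:01:40Z contractor42 push_denied 203.0.113.10
2022-09-14T22:03:12Z contractor42 push_sent 203.0.113.10
2022-09-14T22:03:30Z contractor42 push_denied 203.0.113.10
2022-09-14T22:05:00Z contractor42 push_sent 203.0.113.10
2022-09-14T22:05:10Z contractor42 push_denied 203.0.113.10
2022-09-14T22:07:45Z contractor42 push_sent 203.0.113.10
2022-09-14T22:08:00Z contractor42 push_denied 203.0.113.10
2022-09-14T22:09:30Z contractor42 push_sent 203.0.113.10
2022-09-14T22:09:52Z contractor42 push_approved 203.0.113.10
2022-09-14T22:02:00Z alice push_sent 198.51.100.7
2022-09-14T22:02:15Z alice push_approved 198.51.100.7
"""


def parse_events(log_text):
    """Parse the constructed log format into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)


def find_push_fatigue(log_text, min_prompts=5, window=timedelta(minutes=15)):
    """Flag every approval that was preceded by at least `min_prompts` pushes
    to the same user inside `window`. A normal login sends one push; a user
    who approves only after a burst of prompts is the case to review."""
    by_user = defaultdict(list)
    for ts, user, event, ip in parse_events(log_text):
        by_user[user].append((ts, event, ip))

    findings = []
    for user, evs in by_user.items():
        for ts, event, ip in evs:
            if event != "push_approved":
                continue
            prompts = sum(1 for t, e, _ in evs
                          if e == "push_sent" and ts - window <= t <= ts)
            if prompts >= min_prompts:
                findings.append({
                    "user": user,
                    "prompts": prompts,
                    "approved_at": ts.isoformat(),
                    "source_ip": ip,
                })
    return findings


if __name__ == "__main__":
    for f in find_push_fatigue(SAMPLE_LOG):
        print(f"ALERT: {f['user']} approved a push at {f['approved_at']} "
              f"after {f['prompts']} prompts from {f['source_ip']}")
```

In the sample, `contractor42` receives five pushes in under nine minutes before approving, so the account is flagged; `alice` gets a single push and is not. The threshold and window are tunable; the point is that the approval alone looks legitimate and only the run of prompts before it distinguishes prompt fatigue from a normal login, which is why number-matching or limiting pushes per hour removes the problem at the source.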
After obtaining the credentials, the attacker was able to gain access to Uber's internal networks through a Virtual Private Network connection—something that many people use on a day-to-day basis after teleworking became a normal occurrence during Covid. The attacker said that they were then able to scan Uber's internal networks and find multiple management interfaces to exploit, along with an internal file share that contained scripts with hardcoded credentials for privileged accounts.
Uber does participate in HackerOne, a bug bounty program, but its account is currently disabled, likely because it was compromised by the same hacker. In a message sprayed to multiple open reports, a bad actor claimed that they had gained access to administrative accounts for Uber's Windows Active Directory environment, Amazon Web Services and Google GSuite, as well as the VMware vSphere environment where its virtual machines are hosted.
Additional screenshots shared with security researchers backed up the actor's claims by showing that they had also gained access to the dashboard for SentinelOne, the company's endpoint security vendor, as well as the company's internal financial data.
Several days later, another hack with a similar modus operandi (using compromised credentials to access a VPN and stealing source code) came to light. Rockstar Games, the studio behind the Grand Theft Auto series, experienced a significant leak of the series' next installment. The hacker posted the leak on online forums, claiming to be the same individual behind the Uber breach. A similar method of access was said to have been used: an employee's credentials were compromised and used to log on to the company's Slack instance.
Rockstar confirmed the breach Monday morning but did not go into detail about the attack, or note if any customer data was breached.
While both attacks are substantial, the Uber hack is of particular importance to discuss, especially since the bad actor was so vocal about their TTPs online, many of which align with the Lapsus$ group. In 2017, Uber fired its top security executive, Joe Sullivan, after the company's handling of its breach the year prior. However, it seems that there are still some issues.
From a security perspective, there appear to be a significant number of issues in Uber's infrastructure that were made public by the attacker. For starters, a lack of network segmentation reportedly allowed the breached account to scan all of Uber's management networks from a single VPN connection, or at least to pivot to other areas of the network where this was possible. Likewise, based on the attacker's account, it would appear that Uber may not follow the basic Principle of Least Privilege for account access, meaning employees could have more access than they should to resources not essential to their job duties. Another issue appears to be hardcoded administrator credentials, which the attacker says they found in plaintext scripts hosted on network shares and which led to other accounts being breached, according to the attacker. Lastly, and perhaps most importantly, there is user training. Because a single user gave up their credentials or accepted an invalid MFA prompt, the bad actor was able to infiltrate Uber's environment and exfiltrate data.
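Both the paragraph above and the earlier description of the internal file share come back to the same weakness: scripts on a shared drive with privileged credentials written into them in plaintext. The following is an added example, not code from the article or from Uber, of the kind of check a defender can run over their own shares to find such scripts before anyone else does. The file names, their contents and the secret values are constructed for the example (the AWS key is Amazon's documented placeholder key, not a live one), and the patterns are a deliberately small set; a production scanner would carry far more.

```python
import re

# Constructed sample files standing in for scripts found on an internal share.
# Names, paths and values are hypothetical; none of this is Uber's.
SAMPLE_SHARE = {
    "deploy/backup.ps1": (
        "# Nightly backup job (constructed sample)\n"
        '$password = "Winter2022!"\n'           # literal secret: should be flagged
        "$apiKey = $env:BACKUP_API_KEY\n"        # environment lookup: should not
    ),
    "ops/rotate.sh": (
        "#!/bin/sh\n"
        "# Rotates service credentials (constructed sample)\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"        # AWS's documented example key
        'DB_URL="postgres://svc_rotate:Pa55word@db.internal/prod"\n'  # credentials in a URL
        'TOKEN="${VAULT_TOKEN}"\n'                                # variable reference: fine
    ),
    "docs/README.md": "Set the password in the vault; never commit it to this share.\n",
}

# Each pattern captures the secret value in group 1 so it can be redacted in the report.
SECRET_PATTERNS = [
    ("assignment", re.compile(
        r'(?i)\b(?:password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*["\']?([^\s"\']{4,})')),
    ("aws_access_key_id", re.compile(r'\b(AKIA[0-9A-Z]{16})\b')),
    ("url_credentials", re.compile(r'\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@')),
]


def is_reference(value):
    """True when the matched 'value' is a variable or environment lookup rather than a literal."""
    return value.startswith(("$", "%")) or "environ" in value or "getenv" in value


def redact(value):
    """Keep two characters so an operator can recognise the secret without the report repeating it."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def scan_share(files):
    """Walk every file (path -> text) and report literal secrets with their location and kind."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS:
                for match in pattern.finditer(line):
                    value = match.group(1)
                    if is_reference(value):
                        continue
                    findings.append({"path": path, "line": lineno,
                                     "kind": kind, "redacted": redact(value)})
    return findings


if __name__ == "__main__":
    for f in scan_share(SAMPLE_SHARE):
        print(f"{f['path']}:{f['line']} {f['kind']} -> {f['redacted']}")
```

Against the sample share this reports three findings (the PowerShell password literal, the AWS key ID and the embedded database credentials) and stays silent on the two lines that fetch their values from the environment or a vault. Pointing the same `scan_share` function at real directories is a matter of reading files into the dictionary; the findings feed a rotation and clean-up list, not a report of the secrets themselves, which is why the output is redacted.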
Uber says that despite the hack, it was still able to ensure that its systems were largely unaffected. The company says that it still used this as an opportunity to reset employee passwords and rotate any keys that may have been exposed to limit the access and persistence that the attacker might have. The attacker seemingly only exfiltrated some messages from Slack and information from Uber's finance tools, which in itself doesn't align with Lapsus$'s typical behavior, meaning that the attacker (or attackers) may be affiliated with the group in some way, though the hack may not have been a coordinated effort for financial gain. That much is still unknown and is being investigated by the FBI and the U.S. Department of Justice.
With vehicles becoming more connected than ever and online services circling just about every part of our lives, Uber's breach is just one of many that are likely to come over the next several years. It should be a lesson in cyber hygiene for not just big companies, but also for the information that ordinary people—you and I—share online every day.