15.6 C
New York
Sunday, October 2, 2022

Buy now

Serious breach at Uber spotlights hacker’s social deception

It is not known how much data the hacker stole or how long they were in Uber’s network.

Ride-hailing service Uber said all of its services were up and running after what security professionals are calling a major data breach, claiming there was no evidence the hacker was gaining access to sensitive user data.

But the breach, apparently by a lone hacker, put the spotlight on an increasingly effective social engineering break-in routine: The hacker apparently gained entry by impersonating a colleague and tricking an Uber employee into handing in their credentials.

They were then able to locate passwords on the network, giving them the level of privileged access reserved for system administrators.

The potential damage was severe: Screenshots the hacker shared with security researchers indicate that they gained full access to the cloud-based systems where Uber stores sensitive customer and financial data.

It is not known how much data the hacker stole or how long they were in Uber’s network. Two researchers who communicated directly with the person — who identified himself as an 18-year-old to one of them — said they seemed interested in publicity. There was no indication that they had destroyed any data.

But files shared with the researchers and widely posted on Twitter and other social media indicated that the hacker had access to Uber’s most critical internal systems.

“It was really bad the access he had. It’s terrible,” said Corben Leo, one of the researchers who chatted with the hacker online.

The cybersecurity community’s online response — Uber also had a serious breach in 2016 — has been harsh.

The hack “wasn’t sophisticated or complicated and clearly relied on multiple major systemic security culture and technical flaws,” tweeted Lesley Carhart, incident response director of Dragos Inc., specializing in industrial control systems.

Leo said screenshots the hacker shared showed the intruder gained access to systems stored on Amazon and Google cloud-based servers where Uber stores source code, financial data and customer data such as driver’s licenses.

“If he had the keys to the kingdom, he could stop the services. He could erase things. He could download customer data, change people’s passwords,” said Leo, a researcher and head of business development at the security firm Zellic.

Screenshots the hacker shared — many of which made their way online — showed sensitive financial data and access to internal databases. Also widespread online: The hacker announced the breach on Uber’s internal Slack collaboration system on Thursday.

Leo, along with Sam Curry, an engineer at Yuga Labs who also communicated with the hacker, said there was no indication the hacker had done any damage or was interested in more than publicity.

“It’s pretty clear that he’s a young hacker because he wants what 99% of what young hackers want, which is fame,” Leo said.

Curry said he spoke to several Uber employees on Thursday who said they were “working to shut everything down internally” to restrict the hacker’s access. That included the company’s Slack network from San Francisco, he said.

In a statement posted online Friday, Uber said that “internal software tools that we removed yesterday as a precaution are coming back online.”

It said all of its services — including Uber Eats and Uber Freight — were operational and had informed law enforcement. The FBI said via email that it is “aware of the cyber incident involving Uber and that our assistance to the company is underway”.

Uber said there was no evidence that the intruder had access to “sensitive user data” such as travel history, but did not respond to questions from The Associated Press, including whether the data was stored encrypted.

Curry and Leo said the hacker did not specify how much data was copied. Uber has not recommended any specific actions to its users, such as changing passwords.

The hacker warned investigators about the break-in on Thursday through an internal Uber account on the company’s network used to post vulnerabilities identified through the bug bounty program, who pays ethical hackers to detect network weaknesses.

After commenting on those messages, the hacker provided a Telegram account address. Curry and other investigators then engaged in a separate conversation with them, with the intruder providing the screenshots as evidence.

The AP tried to contact the hacker on the Telegram account, but received no response.

Screenshots posted online appeared to confirm what the researchers said the hacker claimed: that they were given privileged access to Uber’s most critical systems through social engineering.

The apparent scenario:

The hacker first obtained the password from an Uber employee, probably via phishing. The hacker then bombarded the employee with push notifications to ask if he was logging into his account remotely. When the employee did not respond, the hacker reached out via WhatsApp, posing as a colleague from the IT department and expressing the urgency. Finally, the employee succumbed and confirmed with a mouse click.

Social engineering is a popular hacking strategy because people are the weakest link in any network. Teens used it to hack Twitter in 2020, and it has recently been used in hacks by tech companies Twilio and Cloudflare, said Rachel Tobac, CEO of SocialProof Security, which specializes in training employees not to fall victim to social engineering.

“The hard truth is that most organizations in the world can be hacked the exact way Uber was just hacked,” Tobac tweeted. In an interview, she said that “even super tech-savvy people fall for social engineering methods every day.”

“Attackers are getting better at bypassing or hijacking MFA (multi-factor authentication),” said Ryan Sherstobitoff, senior threat analyst at SecurityScorecard.

Therefore, many security professionals advocate the use of so-called FIDO physical security keys for user authentication. However, the adoption of such hardware has been spotty among tech companies.

The hack also highlighted the need for real-time monitoring in cloud-based systems to better detect intruders, said Tom Kellermann of Contrast Security. “Much more attention should be paid to protecting clouds from within” as a single master key can typically unlock all of their doors.

Some experts questioned how much cybersecurity at Uber has improved since it was hacked in 2016.

Former chief security officer Joseph Sullivan is currently on trial for allegedly arranging to pay hackers $100,000 to cover up that high-tech heist when the personal information of approximately 57 million customers and drivers was stolen.

Source link

Related Articles


Please enter your comment!
Please enter your name here

Stay Connected


Latest Articles