Uber hacked, internal systems breached, and vulnerability reports stolen

Holding up a phone with Uber logo on it
Written by admin


Uber was hacked on Thursday afternoon, when an 18-year-old hacker allegedly downloaded HackerOne vulnerability reports and shared screenshots of the company’s internal systems, email dashboard, and Slack server.

Screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to several critical Uber IT systems, including the company’s security software and Windows domain.

Other systems the hacker accessed include the company’s Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard for managing Uber email accounts.

The threat actor also breached the Uber Slack server, which he used to post messages to employees stating that the company had been hacked. Screenshots from Uber’s Slack indicate that these announcements were first met with memes and jokes, as employees did not realize that a real cyberattack was underway.

Uber has since confirmed the attack, tweeting that it is in contact with law enforcement and will release additional information as it becomes available.

“We are currently responding to a cybersecurity incident. We are in contact with law enforcement and will post additional updates here as they become available,” the Uber Communications account tweeted.

The New York Times, which first reported the breach, said it spoke to the threat actor, who said they had breached Uber after performing a social engineering attack on an employee and stealing their password.

The threat actor then used the stolen credentials to gain access to the company’s internal systems.

More details emerge

After the attacker loudly announced on the company’s Slack server, and in comments posted to the HackerOne bug bounty program, that he had breached Uber’s systems, security researchers reached out to the threat actor to learn more about the attack.

In a conversation between the threat actor and security researcher Corben Leo, the hacker said they were able to access Uber’s intranet after performing a social engineering attack on an employee.

According to the threat actor, they tried to log in as an Uber employee, but did not provide details on how they obtained the employee’s credentials.

As the Uber account was protected by multi-factor authentication, the attacker allegedly used an MFA Fatigue attack and pretended to be Uber IT support to persuade the employee to accept the MFA request.

Hacker claims to have used an MFA Fatigue attack
Source: Kevin Beaumont

MFA Fatigue attacks are situations where a threat actor has valid corporate login credentials but is blocked from the account by multi-factor authentication. The threat actor then sends repeated MFA requests to the target until the victim gets tired of seeing them and eventually accepts the notification.

This social engineering tactic has recently become very popular in attacks on well-known companies, including MailChimp and Robinhood, among others.
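The pattern described above is visible in authentication logs: a burst of denied or timed-out push challenges for one user, followed by an approval. The following detection logic is an added example, not code from the article or from Uber; the log format, user names and timestamps are constructed.

```python
"""Flag MFA push-fatigue patterns in constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp user result" format.
SAMPLE_LOG = """\
2022-09-15T19:01:03Z alice push_denied
2022-09-15T19:01:41Z alice push_timeout
2022-09-15T19:02:10Z alice push_denied
2022-09-15T19:02:55Z alice push_denied
2022-09-15T19:04:30Z alice push_approved
2022-09-15T19:05:00Z bob push_approved
2022-09-15T20:10:00Z carol push_denied
2022-09-15T21:30:00Z carol push_approved
"""

def parse_log(text):
    """Parse lines into (timestamp, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)

def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: {"unapproved": n, "approved_after_burst": bool}}.

    An alert opens when a user accumulates `threshold` or more unapproved
    pushes (denied or timed out) inside the sliding `window`. If an approval
    then arrives while the burst is still inside the window, the alert is
    marked as a likely fatigue success, the case the article describes.
    """
    per_user = defaultdict(list)
    for ts, user, result in events:
        per_user[user].append((ts, result))
    alerts = {}
    for user, items in per_user.items():
        recent = []  # timestamps of unapproved pushes still inside the window
        for ts, result in items:
            recent = [t for t in recent if ts - t <= window]
            if result in ("push_denied", "push_timeout"):
                recent.append(ts)
                if len(recent) >= threshold:
                    alerts[user] = {"unapproved": len(recent), "approved_after_burst": False}
            elif result == "push_approved":
                if len(recent) >= threshold:
                    alerts[user]["approved_after_burst"] = True
                recent = []  # an approval ends the burst
    return alerts

if __name__ == "__main__":
    print(detect_mfa_fatigue(parse_log(SAMPLE_LOG)))
```

Carol's single denial followed by an approval more than an hour later does not fire; only Alice's four unapproved pushes followed by an approval inside the window do.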

After gaining access to the employee’s credentials, the threat actor told Leo that they had logged into the internal network via the corporate VPN and began scanning the company’s intranet for sensitive information.

As part of these scans, the hacker says they found a PowerShell script that contains administrative credentials for the Thycotic privileged access management (PAM) platform, which is used to access login secrets for the company’s other internal services.

“okay so basically uber had a network share \\[redacted]points, the share included some powershell scripts.

one of the powershell scripts contained username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, Gsuite”
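Scripts on a shared drive that embed a login are the kind of exposure described above. The following scanner for common PowerShell credential idioms is an added example, not code from the article or from Uber; the regular expressions and the sample script are constructed, and the secrets in it are placeholders.

```python
"""Find plaintext credentials embedded in PowerShell scripts."""
import re

# Constructed sample script resembling a helper with a baked-in PAM login.
SAMPLE_SCRIPT = r'''
$pamUrl = "https://pam.example.internal"
$user = "svc_pam_admin"
$password = "Hunter2-Placeholder!"
$secure = ConvertTo-SecureString "AnotherPlaceholder" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $secure)
Invoke-RestMethod -Uri "$pamUrl/api/v1/secrets" -Credential $cred
'''

# Each pattern captures the literal secret in the group named "secret".
CREDENTIAL_PATTERNS = [
    ("variable assignment", re.compile(
        r'\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*"(?P<secret>[^"]+)"', re.I)),
    ("ConvertTo-SecureString literal", re.compile(
        r'ConvertTo-SecureString\s+"(?P<secret>[^"]+)"\s+-AsPlainText', re.I)),
    ("-Password parameter", re.compile(
        r'-Password\s+"(?P<secret>[^"]+)"', re.I)),
]

def mask(secret):
    """Keep only the first two characters so findings can be logged safely."""
    return secret[:2] + "*" * (len(secret) - 2)

def scan_powershell(text):
    """Return findings as (line_no, pattern_name, masked_secret) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((line_no, name, mask(match.group("secret"))))
    return findings

if __name__ == "__main__":
    for finding in scan_powershell(SAMPLE_SCRIPT):
        print(finding)
```

A script that prompts with Get-Credential or reads from a vault at run time produces no findings, which is the shape the scripts should have.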

The New York Times reported that the attacker claimed to have accessed Uber databases and source code as part of the attack.

To be clear, this information comes from the threat actor and has not been verified by Uber, which has not responded to our requests for more information.

HackerOne vulnerability reports surfaced

While it’s possible that the threat actor may have stolen data and source code from Uber during this attack, they also had access to an asset that could be even more valuable.

According to Yuga Labs security engineer Sam Curry, the hacker also had access to the company’s HackerOne bug bounty program, where they commented on all bug bounty tickets.

Comment by the hacker on HackerOne reports
Source: Curry

Curry told BleepingComputer that he first learned of the breach two years ago after the attacker left the above comment on a vulnerability report he submitted to Uber.

Uber runs a HackerOne bug bounty program that allows security researchers to privately disclose vulnerabilities in its systems and applications in exchange for a monetary reward. These vulnerability reports are intended to be kept private until a fix is released, to prevent attackers from exploiting them in attacks.

Curry also shared that an Uber employee said the threat actor had access to all of the company’s private vulnerability notices on HackerOne.

A source also told BleepingComputer that the attacker downloaded all vulnerability reports before they lost access to Uber’s bug bounty program. This includes reports of vulnerabilities that are possibly unfixed and pose a serious security risk to Uber.

HackerOne has since cut off access to the disclosed vulnerabilities by disabling the Uber bug bounty program.

However, it wouldn’t be surprising if the threat actor had already downloaded the vulnerability reports and sold them to other threat actors to quickly monetize the attack.

Update 9/16/22: Added more details about how the attack took place, provided by the hacker.
