Uber reels from 'security incident' in which cloud systems seemingly hijacked
AWS and G Suite admin accounts likely popped, HackerOne bug bounty page hit, and more
Updated Uber is tonight reeling from what looks like a substantial cybersecurity breach.
The food delivery and ride sharing disruptor has admitted that something is up, saying it is investigating the matter with the Feds:
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.— Uber Comms (@Uber_Comms) September 16, 2022
No other details were shared.
Judging from screenshots leaked onto Twitter, though, an intruder has compromised Uber's AWS cloud account and its resources at the administrative level; gained admin control over the corporate Slack workspace as well as its Google G Suite account that has over 1PB of storage in use; has control over Uber's VMware vSphere deployment and virtual machines; access to internal finance data, such as corporate expenses; and more.
If this correct, Uber has been significantly compromised with data and infrastructure at multiple levels potentially available to the intruder. This may include customers, employees, and drivers' personal data.
There have been further claims of unauthorized access to a Confluence installation, private source code repositories, and a SentinelOne security dashboard used by the app developer's incident response team. The credentials for an superadmin account, to be used only in a security emergency to help recover IT systems, were also seemingly compromised, too.
Even the US giant's HackerOne bug bounty account was seemingly compromised, and we note is now closed.
According to the malware librarians at VX Underground, the intruder was using the hijacked H1 account to post updates on bounty submissions to brag about the degree of their pwnage, claiming they have all kinds of superuser access within the ride-hailing app biz.
It also means the intruder has access to, and is said to have downloaded, Uber's security vulnerability reports.
Infosec watcher Corben Leo, meanwhile, said he spoke to the miscreant responsible for this mess.
We're told that an employee was socially engineered by the attacker to gain access to Uber's VPN, through which the intruder scanned the network, found a PowerShell script containing the hardcoded credentials for an administrator user in Thycotic, which were then used to unlock access to all of Uber's internal cloud and software-as-a-service resources, among other things.
After that, everything was at the intruder's fingertips, allegedly.
The New York Times reported that Uber staff were told to stop using the corporate Slack, and that the call to quit the chat app came after the intruder sent a message declaring: “I announce I am a hacker and Uber has suffered a data breach.”
The Times stated the Slack message listed “several internal databases that the hacker claimed had been compromised.” Various corporate systems have now been shut down by Uber.
A good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke
The newspaper also reported the socially engineered Uber staffer was phished via SMS, mistakenly handing over their login credentials to the intruder, allowing them into the VPN.
Bug hunter Sam Curry said he had heard from Uber staff who revealed some workers thought the intruder's messages were a practical joke and carried on using Slack despite the IT team ordering them to log off.
"Instead of doing anything, a good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke," Curry said. "After being told to stop going on slack, people kept going on for the jokes."
Evidence of that misunderstanding has surfaced on Twitter in the form of a screenshot of Uber's private Slack workspace. Curry added that the miscreant also hit staff with obscene language and pictures.
At the time of writing, your vulture’s access to Uber and Uber Eats apps was in no way affected, and I have received no email or other notification from Uber regarding the incident.
- Uber to pay millions to settle claims it ripped off disabled people with unfair fees
- Leaked Uber docs reveal frequent use of 'kill switch' to deactivate tech, thwart investigators
- Singapore's Grab enters maps-as-a-service market
Uber experienced a massive data breach in 2016 and allegedly tried to cover it up.
That fiasco saw personal information on 57 million passengers and drivers leaked.
Uber has since used classic startup tactics – admission of a stuff-up, followed by promises to do better in future to regain trust – and mostly rehabilitated its image as a scofflaw destroyer of value, helped by its food delivery service becoming something of a lifeline during the COVID-19 pandemic. Just don’t mention the company’s seemingly endless losses, overcharging the disabled, ongoing labor relations issues, and so on.
The Register has asked the company for more detail on the snafu but has not received a response at the time of writing. We will update this story, or pen others, as more information emerges about this situation. ®
Updated to add
In a statement Friday, Uber avoided confirming the extent of the intrusion.
"We have no evidence that the incident involved access to sensitive user data (like trip history)," it claimed.
"All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational. Internal software tools that we took down as a precaution yesterday are coming back online this morning."
Meanwhile, the intruder reportedly said they are 18 years old, broke into Uber for fun, may release some of its source code, and described the company's security as "awful."