Uber reels from 'security incident' in which cloud systems seemingly hijacked

AWS and G Suite admin accounts likely popped, HackerOne bug bounty page hit, and more


Updated Uber is tonight reeling from what looks like a substantial cybersecurity breach.

The food delivery and ride sharing disruptor has admitted that something is up, saying it is investigating the matter with the Feds:

No other details were shared.

Judging from screenshots leaked onto Twitter, though, an intruder has compromised Uber's AWS cloud account and its resources at the administrative level; gained admin control over the corporate Slack workspace as well as its Google G Suite account that has over 1PB of storage in use; has control over Uber's VMware vSphere deployment and virtual machines; access to internal finance data, such as corporate expenses; and more.

If this is correct, Uber has been significantly compromised, with data and infrastructure at multiple levels potentially available to the intruder. This may include customers', employees', and drivers' personal data.

There have been further claims of unauthorized access to a Confluence installation, private source code repositories, and a SentinelOne security dashboard used by the app developer's incident response team. The credentials for a superadmin account, intended for use only in a security emergency to help recover IT systems, were also seemingly compromised.

Uber fail

Even the US giant's HackerOne bug bounty account was seemingly compromised, and we note it is now closed.

According to the malware librarians at VX Underground, the intruder was using the hijacked H1 account to post updates on bounty submissions to brag about the degree of their pwnage, claiming they have all kinds of superuser access within the ride-hailing app biz.

It also means the intruder has access to, and is said to have downloaded, Uber's security vulnerability reports.

Infosec watcher Corben Leo, meanwhile, said he spoke to the miscreant responsible for this mess.

We're told that an employee was socially engineered by the attacker to gain access to Uber's VPN, through which the intruder scanned the network, found a PowerShell script containing the hardcoded credentials for an administrator user in Thycotic, which were then used to unlock access to all of Uber's internal cloud and software-as-a-service resources, among other things.

After that, everything was at the intruder's fingertips, allegedly.
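The chain described above ran through a script with an administrator's credentials written into it. As an added example (not from the article, Uber, or any named vendor), here is a small Python scanner a defender could run over script repositories and file shares to flag that class of mistake before an intruder finds it; the patterns and the sample PowerShell script are constructed for illustration, and findings are redacted so the report itself does not leak the secret.

```python
import re
from typing import List, Tuple

# Illustrative patterns for credential material hard-coded in PowerShell scripts.
# Constructed for this example; a real ruleset would be broader and tuned to the estate.
PATTERNS = [
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText", re.I)),
    ("password-parameter",
     re.compile(r"-(?:Password|Secret|ApiKey|Token)\s+['\"][^'\"]{6,}['\"]", re.I)),
    ("password-assignment",
     re.compile(r"(?:\$\w*)?(?:pass(?:word)?|pwd|secret|token|apikey)\w*\s*=\s*['\"][^'\"]{6,}['\"]", re.I)),
    ("url-embedded-credential",
     re.compile(r"https?://[^\s/:@'\"]+:[^\s/@'\"]+@", re.I)),
]


def redact(snippet: str) -> str:
    """Mask quoted literals and URL passwords so a finding can be shared safely."""
    snippet = re.sub(r"(['\"])[^'\"]+\1", r"\1***\1", snippet)
    return re.sub(r"(://[^:@]+:)[^@]+@", r"\1***@", snippet)


def scan_script(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, redacted match) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, rule, redact(match.group(0))))
    return findings


# Constructed sample: a maintenance script of the kind the article describes.
SAMPLE_SCRIPT = "\n".join([
    "# constructed sample: vault maintenance helper",
    '$server = "vault.example.internal"',
    '$pw = ConvertTo-SecureString "Sup3rSecret!" -AsPlainText -Force',
    '$cred = New-Object System.Management.Automation.PSCredential("svc-admin", $pw)',
    'Invoke-RestMethod -Uri "https://$server/api/token" -Body @{ username = "svc-admin"; password = "Sup3rSecret!" }',
    'git clone https://deploy:hunter2pass@git.example.internal/ops.git',
    '$pwd = Read-Host -AsSecureString   # prompting at run time is the safe pattern',
])

if __name__ == "__main__":
    for lineno, rule, snippet in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {rule}: {snippet}")
```

Run it over a checkout or a mounted share, and treat every hit as a credential to rotate, not just a line to delete.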

The New York Times reported that Uber staff were told to stop using the corporate Slack, and that the call to quit the chat app came after the intruder sent a message declaring: “I announce I am a hacker and Uber has suffered a data breach.”

The Times stated the Slack message listed “several internal databases that the hacker claimed had been compromised.” Various corporate systems have now been shut down by Uber.

The newspaper also reported the socially engineered Uber staffer was phished via SMS, mistakenly handing over their login credentials to the intruder, allowing them into the VPN.

Bug hunter Sam Curry said he had heard from Uber staff who revealed some workers thought the intruder's messages were a practical joke and carried on using Slack despite the IT team ordering them to log off.

"Instead of doing anything, a good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke," Curry said. "After being told to stop going on Slack, people kept going on for the jokes."

Evidence of that misunderstanding has surfaced on Twitter in the form of a screenshot of Uber's private Slack workspace. Curry added that the miscreant also hit staff with obscene language and pictures.

At the time of writing, your vulture’s access to Uber and Uber Eats apps was in no way affected, and I have received no email or other notification from Uber regarding the incident.

Uber experienced a massive data breach in 2016 and allegedly tried to cover it up.

That fiasco saw personal information on 57 million passengers and drivers leaked.

Uber has since used classic startup tactics – admission of a stuff-up, followed by promises to do better in future to regain trust – and mostly rehabilitated its image as a scofflaw destroyer of value, helped by its food delivery service becoming something of a lifeline during the COVID-19 pandemic. Just don’t mention the company’s seemingly endless losses, overcharging the disabled, ongoing labor relations issues, and so on.

The Register has asked the company for more detail on the snafu but has not received a response at the time of writing. We will update this story, or pen others, as more information emerges about this situation. ®

Updated to add

In a statement Friday, Uber avoided confirming the extent of the intrusion.

"We have no evidence that the incident involved access to sensitive user data (like trip history)," it claimed.

"All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational. Internal software tools that we took down as a precaution yesterday are coming back online this morning."

Meanwhile, the intruder reportedly said they are 18 years old, broke into Uber for fun, may release some of its source code, and described the company's security as "awful."
