So, I just got back from a trip to Georgia, the one in the US. I used Uber three times. Convenient, clean, hassle-free, and the drivers were very nice. An overall great experience. Until... Uber reported this past weekend that it is investigating a major cyber security breach that has forced it to take several critical systems offline, following an alleged social engineering attack on an employee by an apparent teenage hacktivist.
The incident was exposed last week on 15 September, when an individual claiming responsibility for the attack shared screengrabs of various compromised Uber resources with the newspaper, and with security researchers. Uber’s communications team confirmed the breach via Twitter at 2:25am BST on 16 September. Uber said: “We are currently responding to a cyber security incident. We are in touch with law enforcement and will post additional updates here as they become available.” Uber had not provided any additional comment on the incident at the time of writing.
A security engineer at Yuga Labs, who was among those contacted by the hacker, described a “total compromise” to media sources and said the attacker appeared to have access to the majority of Uber's systems. It was revealed that the attacker had compromised Uber after successfully breaching an employee’s network access by sending them text messages posing as an internal IT admin to obtain their credentials. From there, they appear to have been able to establish persistence and gain access to the majority of Uber’s internal resources after scanning the company’s network and finding a PowerShell script that contained privileged credentials for an admin user of Thycotic, a provider of privileged access management (PAM) solutions. These credentials gave the attacker further access to multiple services.
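The pivot described above turned on a PowerShell script that carried a privileged PAM account's credentials as a literal. As an added example (not code from this article, from Uber, or from Red Sky Alliance), the Python scanner below is the kind of check a defender can run over a script repository or file share to surface that class of leak before anyone else finds it. The PowerShell sample it scans is constructed for the example, the regular expressions cover only a few common ways a secret ends up hard-coded in a .ps1 file, and the function and pattern names are the example's own.

```python
"""
Added example: scan PowerShell scripts for hard-coded credentials.

Not code from the article, from Uber, or from Red Sky Alliance. The sample
script below is constructed for the example, and the regular expressions
cover a few common ways a secret ends up as a literal in a .ps1 file; they
are illustrative, not exhaustive.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Each entry: (finding kind, compiled pattern). Every pattern has a named
# group "secret" so the literal can be redacted before it is reported.
SECRET_PATTERNS = [
    # Cmdlet invoked with -Password "literal"
    ("inline_password_param",
     re.compile(r"""-Password\s+(['"])(?P<secret>[^'"]+)\1""", re.IGNORECASE)),
    # ConvertTo-SecureString "literal" -AsPlainText (classic PSCredential setup)
    ("plaintext_securestring",
     re.compile(r"""ConvertTo-SecureString\s+(['"])(?P<secret>[^'"]+)\1\s+-AsPlainText""",
                re.IGNORECASE)),
    # $somePass = "literal", $apiToken = '...', and similar assignments
    ("password_assignment",
     re.compile(r"""\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*(['"])(?P<secret>[^'"]+)\1""",
                re.IGNORECASE)),
    # Bearer tokens embedded in request headers
    ("bearer_token",
     re.compile(r"""Bearer\s+(?P<secret>[A-Za-z0-9._\-]{16,})""")),
]


@dataclass
class Finding:
    kind: str        # which pattern fired
    line: int        # 1-based line number in the scanned text
    redacted: str    # secret with all but the first two characters masked


def redact(secret: str) -> str:
    """Mask a secret so the report can be shared without re-leaking it."""
    if len(secret) <= 4:
        return "***"
    return secret[:2] + "***"


def scan_text(text: str) -> List[Finding]:
    """Return every pattern hit in `text`, ordered by line, then by pattern."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Comment lines are scanned too: a commented-out credential still leaks.
        for kind, pattern in SECRET_PATTERNS:
            for match in pattern.finditer(line):
                findings.append(Finding(kind, lineno, redact(match.group("secret"))))
    return findings


def scan_tree(root: Path, suffixes=(".ps1", ".psm1", ".psd1")) -> Dict[str, List[Finding]]:
    """Walk a directory and scan every PowerShell file; keys are file paths."""
    report: Dict[str, List[Finding]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample script. "Hunter2Hunter2!" and the bearer token are
# made-up values; the host name uses the reserved .invalid domain.
SAMPLE_SCRIPT = r'''
# Constructed sample, not a real deployment script.
$svcUser = "svc_pam_admin"
$svcPass = "Hunter2Hunter2!"
$secure = ConvertTo-SecureString "Hunter2Hunter2!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($svcUser, $secure)
Invoke-Sqlcmd -ServerInstance db01 -Username $svcUser -Password "Hunter2Hunter2!" -Query "SELECT 1"
# Safe alternative: prompt, or fetch from a vault at run time, instead of a literal.
$safe = Read-Host -AsSecureString "Enter password"
Invoke-RestMethod -Uri https://pam.example.invalid/api -Headers @{ Authorization = "Bearer abcdef0123456789ABCDEF0123456789" }
'''


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT):
        print(f"line {f.line:>3}  {f.kind:<24} {f.redacted}")
```

Run against the constructed sample it reports four hits (the assignment, the plain-text SecureString, the inline `-Password` argument and the bearer token) and leaves the `Read-Host -AsSecureString` line alone. The report carries only redacted values, so it can be filed in a ticket without copying the secret around again; the point of a scan like this is to turn up the script before an intruder scanning the same share does, and to move the credential into a vault lookup at run time.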
Among the systems claimed to be compromised are Amazon Web Services, Duo, GSuite, OneLogin, Slack, VMware and Windows. Bleeping Computer additionally reported the attacker had accessed and taken data from Uber’s HackerOne bug bounty program, which is dangerous for Uber if it contains undisclosed or unpatched vulnerabilities in its application.
The attacker went on to use Slack to send Uber employees a message listing the compromised resources and posted pornographic imagery on an intranet page. The attacker claimed to be 18 years old and testing their skills, and said they wanted Uber drivers to be better paid.
There is currently no information as to whether or not the attacker has access to Uber employee or customer data, although the possibility would seem very real. A 2016 data breach at Uber saw information on 57 million user accounts – 2.4 million in the UK – compromised. Uber was fined almost $150m for covering up this breach, and its then chief security officer is currently facing criminal charges over the incident.
The alleged involvement of a teenage hacktivist in the attack also calls to mind a number of more recent cyber-attacks against tech companies perpetrated by the Lapsus$ group, which exploited failings in multifactor authentication (MFA) to compromise multiple victims in a remarkably similar fashion. Although there is no evidence to link the Uber incident to Lapsus$, a number of the gang’s members turned out to be teenage hackers, who were caught when they fell out with one another.
A study conducted for the upcoming International Cyber Expo in London found an increasing tendency for minors to get involved in cyber-crime, a trend that may be in danger of being exacerbated by the cost-of-living crisis (a similar trend was observed linked to mass furloughs and lay-offs during the Covid-19 pandemic). The study suggests 40% of parents are worried to some degree that their children may turn to cyber-crime.
An advisory council member for International Cyber Expo and CEO of the Cyber Resilience Centre for London said, “With hacking tools becoming increasingly accessible and affordable on the internet, we have witnessed a rise in ‘script kiddies’ – inexperienced hackers who carry out cyber-attacks. While ‘kiddies’ does not necessarily refer to the hacker’s age so much as their experience, many have been found to be teenagers. In fact, in the UK, the average age of a referral to the National Cyber Crime Unit is just 15 years old. Although law enforcement agencies are working hard to take down the websites and forums that promote hacking, the results of this UK-based survey also demonstrate a need for parents/guardians to take an active interest in what their children are doing online to prevent them from falling on the wrong side of the law,” said the CEO.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941