On Thursday evening, ride-share giant Uber confirmed that it was responding to “a cybersecurity incident” and was contacting law enforcement about the breach. An entity that claims to be an individual 18-year-old hacker took responsibility for the attack, bragging to multiple security researchers about the steps they took to breach the company. The attacker reportedly posted, “Hi @here I announce I am a hacker and Uber has suffered a data breach,” in a channel on Uber's Slack on Thursday night. The Slack post also listed a number of Uber databases and cloud services that the hacker claimed to have breached. The message reportedly concluded with the sign-off “uberunderpaisdrives.”
The company temporarily took down access on Thursday evening to Slack and some other internal services, according to The New York Times, which first reported the breach. In a midday update on Friday, the company said that “internal software tools that we took down as a precaution yesterday are coming back online.” Invoking time-honored breach-notification language, Uber also said on Friday that it has “no evidence that the incident involved access to sensitive user data (like trip history).” Screenshots leaked by the attacker, though, indicate that Uber's systems may have been deeply and thoroughly compromised, and that anything the attacker didn't access may have been the result of limited time rather than limited opportunity.
“It’s disheartening, and Uber is definitely not the only company that this approach would work against,” says offensive security engineer Cedric Owens of the phishing and social engineering tactics the hacker claimed to use to breach the company. “The techniques mentioned in this hack so far are pretty similar to what a lot of red teamers, myself included, have used in the past. So, unfortunately, these types of breaches no longer surprise me.”
The attacker, who could not be reached by WIRED for comment, claims that they first gained access to company systems by targeting an individual employee and repeatedly sending them multifactor authentication login notifications. After more than an hour, the attacker claims, they contacted the same target on WhatsApp pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login.
Such attacks, sometimes known as “MFA fatigue” or “exhaustion” attacks, take advantage of authentication systems in which account owners simply have to approve a login through a push notification on their device rather than through other means, such as providing a randomly generated code. MFA-prompt phishes have become more and more popular with attackers. And in general, hackers have increasingly developed phishing attacks to work around two-factor authentication as more companies deploy it. The recent Twilio breach, for example, illustrated how dire the consequences can be when a company that provides multifactor authentication services is itself compromised. Organizations that require physical authentication keys for logins have had success defending themselves against such remote social engineering attacks.
The phrase “zero trust” has become a sometimes meaningless buzzword in the security industry, but the Uber breach seems to at least show an example of what zero trust is not. Once the attacker had initial access inside the company, they claim they were able to access resources shared on the network that included scripts for Microsoft's automation and management program PowerShell. The attacker said that one of the scripts contained hard-coded credentials for an administrator account of the access management system Thycotic. With control of this account, the attacker claimed, they were able to gain access tokens for Uber's cloud infrastructure, including Amazon Web Services, Google's GSuite, VMware's vSphere dashboard, the authentication manager Duo, and the critical identity and access management service OneLogin.
Screenshots leaked by the attacker support the claims of this deep access, including to OneLogin. In an analysis on Friday, researchers from the cybersecurity firm Group IB suggested that the attacker may have first breached Uber earlier this week and only made their presence known on Thursday.
One independent security engineer described the OneLogin account access the Uber hacker seems to have had access to as “the golden ticket jackpot.”
“That’s God—they own that, there’s nothing they can’t access," the security engineer added. "It’s Disneyland. It’s a blank check at the candy shop and Christmas morning all rolled up together. But sure, customer ride data wasn’t impacted. OK.”
The situation at Uber comes on the heels of congressional testimony on Wednesday from Twitter’s former security chief Peiter “Mudge” Zatko, who has invoked whistleblower protections as part of accusations alleging deplorable security practices within the social media giant. Zatko's testimony this week got senators fired up about the importance of security within Big Tech. But in the past, even the direst and rattling hacks have led only to incremental progress on the most basic best practices. Zatko's testimony did not seem to impact Twitter's stock price at all on Wednesday. Uber's stock had a small dip Friday morning, but it had partly recovered by the closing bell.
For now, the full scope of the situation inside the ride-sharing giant remains unknown.
"I think there are a lot of opportunities to work on detections and preventions proactively," offensive security engineer Owens says. “This can be difficult to execute in practice, though, when you have lots of other fires to put out, political challenges inside of an organization, et cetera. Maybe I’m slowly becoming jaded, since I’ve been around in this space for a while.”
