Uber hacked, internal systems breached and vulnerability reports stolen

Uber hacked, internal systems breached and vulnerability reports stolen

Uber suffered a cyber attack Thursday afternoon with an allegedly 18-year-old hacker downloading HackerOne vulnerability reports and sharing screenshots of the company’s internal systems, email dashboard and Slack server.

The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company’s security software and Windows domain.

Other systems accessed by the hacker include the company’s Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard to manage the Uber email accounts.

The threat actor also breached the Uber Slack server, which he used to post messages to employees about the company being hacked. But, screenshots from Uber’s slack indicates that these announcements were initially met with memes and jokes as employees had not realized that an actual cyberattack was taking place.

Uber has since confirmed the attack and tweeted that it is in contact with the police and will release additional information as it becomes available.

“We are currently responding to a cyber security incident. We are in contact with law enforcement and will post further updates here as they become available,” tweeted Your Uber Communications account.

The New York Times, which first reported the breach, said it spoke with the threat actor, who said they breached Uber after conducting a social engineering attack on an employee and stealing their password.

The threat actor then gained access to the company’s internal systems using the stolen credentials.

More details will emerge

After the attacker loudly announced that they breached Uber’s systems on the company’s Slack server and in comments submitted to the HackerOne bug bounty program, security researchers contacted the threat actor to learn more about the attack.

IN a conversation between the threat actor and security researcher Corben Leo, the hacker said they were able to gain access to Uber’s intranet after performing a social engineering attack on an employee.

According to the threat actor, they attempted to log in as an Uber employee, but did not provide details on how they gained access to the credentials.

Since the Uber account was protected with multi-factor authentication, the attacker allegedly used an MFA Fatigue attack and pretended to be Uber IT support to convince the employee to accept the MFA request.

Hackers claim to have used an MFA Fatigue attack
Hackers claim to have used an MFA Fatigue attack
Source: Kevin Beaumont

MFA Fatigue attacks are when a threat actor has access to your company’s credentials, but is blocked from accessing the account by multi-factor authentication. They then send repeated MFA requests to the target until the victims get tired of seeing them and finally accept the notification.

This social engineering tactic has become very popular in recent attacks against well-known companies, including Twitter, MailChimp, Robinhood, and Okta.

After gaining access to the credentials, the threat actor told Leo that they logged into the internal network through the company’s VPN and began scanning the company’s intranet for sensitive information.

As part of those scans, the hacker says they found a PowerShell script containing admin credentials for the company’s Thycotic privileged access management (PAM) platform, which was used to access the login secrets for the company’s other internal services.

“ok so basically uber had a network share \\[redacted]pt share contained some powershell scripts.

one of the powershell scripts contained the username and password of an admin user in Thycotic (PAM) Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, Gsuite”

The New York Times reports that the attacker claimed to have access to Uber’s databases and source code as part of the attack.

To be clear, this information is from the threat actors and has not been verified by Uber, which has not responded to our requests for more information.

HackerOne Vulnerability Reports Revealed

While it is possible that the threat actor stole data and source code from Uber during this attack, they also had access to what may be an even more valuable asset.

According to Yuga Labs security engineer Sam Currythe hacker also had access to the company’s HackerOne bug bounty program, where they commented on all of the company’s bug bounty tickets.

Comment left by the hacker on HackerOne submissions
Comment left by the hacker on HackerOne submissions
Source: Curry

Curry told BleepingComputer that he only learned of the breach after the attacker added the above comment to a vulnerability report he submitted to Uber two years ago.

Uber runs a HackerOne bug bounty program that allows security researchers to privately disclose vulnerabilities in its systems and apps in exchange for a monetary bug bounty reward. These vulnerability reports are intended to be kept confidential until a fix can be released to prevent attackers from exploiting them in attacks.

Curry further shared that an Uber employee said the threat actor had access to all of the company’s private vulnerability submissions on HackerOne.

BleepingComputer was also told by a source that the attacker downloaded all vulnerability reports before losing access to Uber’s bug bounty program. This likely includes vulnerability reports that have not been fixed, which poses a serious security risk to Uber.

HackerOne has since disabled the Uber bug bounty program, cutting off access to the disclosed vulnerabilities.

However, it would not be surprising if the threat actor had already downloaded the vulnerability reports and was likely to sell them to other threat actors to quickly cash in on the attack.

Update 9/16/22: Added more details provided by the hacker about how the attack took place.

Source link

Back to top button