Uber informed the public on Thursday it was responding to a cybersecurity incident after somebody breached its network. From what we have been able to find out so far, the attacker managed to compromise an employee’s access to the chat app Slack. The intruder may also have gained access to the Amazon and Google-hosted cloud environments where Uber stores its source code and customer data, and to the company's HackerOne account, which contains information about security flaws in its products.
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
— Uber Comms (@Uber_Comms) September 16, 2022
There has been no indication that Uber’s fleet of vehicles or its operation was affected.
Security researchers that spoke with the hacker, who claims to be 18 years of age, are under the impression that the threat actor’s main motive seems to be to show off what he did. The person also said Uber drivers should receive higher pay.
A highly respected source revealed that the threat actor spammed an employee with MFA push requests, an established tactic that can defeat some kinds of multi-factor authentication by simply annoying a victim into submission. This type of MFA sends a notification to a user whenever their username and password are used. The user has to approve the login by pressing a button on a smartphone app. The idea is that a stolen username and password are useless to an attacker unless they also have physical access to the victim's phone. It doesn't always work like that though. Unfortunately, some criminals have learned that they can batter people into submission by repeatedly using the username and password until the victim approves the login just to make the notifications stop.
In this case the attacker reportedly contacted the employee on WhatsApp and told them they had to accept the requests to make them stop, at which point the victim did as instructed.
Slack
Slack is a messaging system that's widely used by, and within, tech companies as an alternative to email. It allows direct messages between individuals, and conversations among groups of people take place in channels dedicated to specific topics or areas of concern. Channels contain a complete history of every conversation they have ever hosted, and may contain sensitive or valuable information. In other words, Slack can be a potential gold mine for an attacker looking to expand their access and impact.
The New York Times reports that Uber was forced it to take several internal communications and engineering systems offline after the attacker used Slack to send a message to Uber employees.
The Slack message, including spelling errors, read:
“I announce I am a hacker and uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and two monorepos from phabricator have also been stolen, along with secrets from sneakers. #uberunderpaisdrives”
The message was received as a joke by Uber's employees in the Slack channel at first, but people soon started realizing the claims were serious. To prove that the intruder really had access they posted a photo on an internal information page for employees, as well as screenshots of the Uber AWS instance, HackerOne administration panel, and more.
HackerOne is a vulnerability coordination and bug bounty platform that connects businesses who want to know about security issues in their products with penetration testers and cybersecurity researchers looking to be rewarded for their bug-hunting efforts.
I suppose if there is one thing you don’t want a hacker to get their hands on, it’s the company’s HackerOne administration panel. Imagine someone having access to a list of unfixed security vulnerabilities affecting your organization, alongside proof-of-concept code that can exploit them.
We reached out to HackerOne to ask about the security measures that apply to a company account. We are awaiting their response.
No hush, hush this time
Uber famously covered up a 2016 data breach that affected its 57 million customers and drivers. The company hid the incident from the public and paid the hackers $100,000 to delete the data and keep quiet. That Uber hack came to light after new leadership took over the company in 2017, a year after the incident occurred. Uber settled the case with the DOJ (US Department of Justice) and paid $148M for civil litigation settlement.