Virtualization Technology News and Information
Uber Systems Breached - Full Access Claimed


News broke overnight that Uber has been hacked and its internal systems breached. A hacker gained access to its vulnerability reports and shared screenshots of the company's internal systems, email dashboard and Slack server. Screenshots shared by the hacker show what appears to be full access to many critical Uber IT systems, including the company's security software and Windows domain.

The alleged 18-year-old hacker has even shared that they breached Uber through a social engineering attack on an employee, in which they were able to steal their password.

Uber confirmed the attack, tweeting: "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."

This cyberattack is a perfect example of the evolution of cyberattacks. Industry experts weigh in.


Chris Vaughan, AVP of Technical Account Management, EMEA, Tanium:

"Big digital businesses like Uber are valuable targets for cyber attacks because of the vast amount of sensitive customer data that they hold which hackers can monetize. Whilst not confirmed, there’s a high chance that hackers have extracted data such as credit card details and payroll information. From initial analysis, it looks like the data of both drivers and customers has been compromised.

This is another example of a relatively simple attack causing a big incident and potentially huge reputational damage for the victim organisation. The attacker socially engineered an employee to gain access to the network via VPN. Once in, they were able to find hard-coded passwords in scripts and then used them to infiltrate several parts of the network. This includes gaining access to their admin management tools as well as several databases. This raises some red flags. One is that a single hard-coded password has been used to access their privileged access management (PAM) system, giving access to any area of the IT environment that links to it. Another issue is that multi-factor authentication (MFA) was bypassed by the attacker simply spamming users with push notifications until one was eventually approved. This method has been successful in other security incidents recently, so organisations should consider alternative ways to operate MFA such as only using PINs. Attackers entering a network in this seemingly legitimate way can be particularly dangerous because it’s difficult to distinguish their movements from regular user activity.

This should serve as a reminder that having high levels of cyber hygiene can help prevent the more straightforward attack methods from being successful. As part of this effort, IT teams need to know where their most sensitive data sits at all times in order to effectively protect it. Having full visibility of the corporate network to identify devices that may have been compromised and then fix them quickly is also vital."
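
As an added example (not from the article or from any of the quoted companies), the push-spamming pattern Vaughan describes leaves a recognisable trace in MFA logs: a burst of denied or unanswered prompts for one user, then an approval. The log layout, user names and thresholds below are constructed for illustration.

```python
"""Flag MFA push fatigue: a burst of rejected pushes, then an approval.

Added example for this article; log layout and names are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, user, push result); not real data.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z alice approved
2022-09-15T23:10:02Z bob denied
2022-09-15T23:10:41Z bob denied
2022-09-15T23:11:20Z bob timeout
2022-09-15T23:12:03Z bob denied
2022-09-15T23:13:30Z bob approved
2022-09-15T23:40:00Z carol denied
2022-09-16T01:00:00Z carol approved
"""

def parse_log(text):
    """Turn one event per line into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_push_fatigue(events, min_rejections=3, window=timedelta(minutes=10)):
    """Return (user, approval_time, rejection_count) for suspicious approvals.

    An approval is suspicious when at least `min_rejections` denied or
    timed-out pushes for the same user fall within `window` before it.
    Thresholds are illustrative; tune them to your IdP's real push rates.
    """
    alerts = []
    pending = defaultdict(list)  # user -> timestamps of denied/timed-out pushes
    for ts, user, result in sorted(events):
        if result in ("denied", "timeout"):
            pending[user].append(ts)
        elif result == "approved":
            recent = [t for t in pending[user] if ts - t <= window]
            if len(recent) >= min_rejections:
                alerts.append((user, ts, len(recent)))
            pending[user] = []  # an approval closes the burst
    return alerts

if __name__ == "__main__":
    for user, ts, count in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: approved at {ts.isoformat()} after {count} rejected pushes")
```

Only bob's approval is flagged: four rejections in under four minutes precede it, while carol's single denial well outside the window does not.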


Omer Yaron, Head of Research, Enso Security:

"Regardless of the attacker’s entry point, in Uber’s case the social engineering vector, it’s absolutely key to have different controls over applications to reduce the overall risk. Uber’s case shows how bad things can be, at least from what we know. Events escalate quickly and critical assets can be accessed without proper controls in place. Also, Uber is not out of the ongoing event. There are still mitigations they need to perform in real time. And it all comes down to the controls and measures they’ve put in place that will determine the outcome of this attack." 


Jerrod Piker, Competitive Intelligence Analyst, Deep Instinct:

"Over the last several years, we've learned that the bigger the brand name, the larger the target on their back for cybercrime. From hacktivism to corporate espionage, there's always somebody with the motive and means to carry out an attack against large organizations across all verticals. The Uber breach is yet another wake-up call that nobody is truly safe from cyber crime.

This breach involved a self-proclaimed 18-year-old hacker socially engineering an employee, logging into their VPN, and scanning their shared network resources. This scan turned up PowerShell scripts that had admin credentials for the Privileged Access Management (PAM) system, which then granted the attacker access to many internal resources, including AWS and G Suite. His final flourish included sending a message on one of Uber's internal Slack channels taking credit for the breach.

The key lessons we can learn from this particular breach are:

  • Humans are still the weakest link, and Zero Trust is a necessity, not just a suggestion anymore
  • Leaving scripts with embedded privileged account credentials stored on widely accessible network shares is bad practice”
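
An added example, not from the article or from any quoted company: the kind of check a security team can run over its own file shares to find the embedded credentials Piker describes before anyone else does. The patterns, file names and script contents are constructed; real scripts vary, so treat hits as leads for review rather than a complete inventory.

```python
"""Scan PowerShell scripts on a share for embedded credentials.

Added example for this article; patterns and sample scripts are constructed.
"""
import re

# Each pattern matches a common way a password ends up in a .ps1 file.
CREDENTIAL_PATTERNS = {
    "plaintext-variable": re.compile(
        r'\$\w*(?:pass|pwd|secret)\w*\s*=\s*["\'][^"\']+["\']', re.I),
    "secure-string-literal": re.compile(
        r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I),
    "password-parameter": re.compile(r'-(?:Password|Pass|Pwd)\s+["\'][^"\']+["\']', re.I),
    "net-use-password": re.compile(r'\bnet\s+use\b.*\s/user:\S+\s+\S+', re.I),
}

# Constructed sample share: file name -> script text (not Uber's scripts).
SAMPLE_SHARE = {
    "backup.ps1": '$pamPassword = "Hunter2!"\n'
                  '$secure = ConvertTo-SecureString "Hunter2!" -AsPlainText -Force\n',
    "mount.ps1": 'net use Z: \\\\fileserver\\share /user:CORP\\admin P@ssw0rd\n',
    "clean.ps1": '$cred = Get-Credential\n'
                 '$secret = Get-Secret -Name PamAdmin -Vault CorpVault\n',
}

def scan_script(name, text):
    """Return (file, line_no, pattern_label) for each credential-looking line.

    The matched secret itself is deliberately not returned, so the report
    does not become yet another copy of the password.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, line_no, label))
    return findings

def scan_share(files):
    """Scan every script in a {name: text} mapping, in a stable order."""
    return [hit for name in sorted(files) for hit in scan_script(name, files[name])]

if __name__ == "__main__":
    for name, line_no, label in scan_share(SAMPLE_SHARE):
        print(f"{name}:{line_no}: {label}")
```

The clean script, which prompts for credentials or pulls them from a vault at run time, produces no hits; that is the pattern to migrate the flagged scripts towards.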


Brad Hong, Customer Success Manager, Horizon3ai:

"This is really just testament to the fact that almost every multi-million dollar security program is worth nothing without employee awareness, clean data hygiene practices, and constant validation of security controls through testing. We’ve seen way too many examples of credentialed attacks still being the #1 utilized attack vector for attackers.

The layman walks around thinking, “why would they hack me? I’m a nobody!” without realizing that they’re the perfect foothold into an organization. The irony is not lost on me that following a social engineering attack which led to the stealing of a password, that the attacker posted messages on Uber’s Slack in an attempt to capture more credentials.

Without looking through the eyes of an attacker, enterprise IT groups miss the most obvious routes to data breach, instead focusing on the high hanging fruit of the latest vulnerabilities discussed in the news. Especially without verified data segmentations in place, it only takes one bad password and two skipping stones to get to the crown jewels. The Uber attack is the perfect example of this--a single password led to the compromise of Uber IT systems, security software, Windows domain, SaaS products, VMs, and even vulnerability reports from their HackerOne account."


Saryu Nayyar, CEO, Gurucul:

"Well, looks like Uber's been taken for a ride - and this is a ride they will pay for dearly. All it takes is one successful compromise to circumvent most preventive controls and this attacker used the most accessible and simple technique of social engineering to take over a valid Uber user account.

What is required is a stronger detection program that also monitors for and identifies risky access controls, entitlements and user behaviors, and associated abnormal or deviant activity. This includes potential threats from the inside, not just outside threats. More advanced and adaptable technologies that use machine learning and artificial intelligence to compensate for threat actor activity and human behavior have proven to be more effective at stopping successful attacks."


Nick Sanna, CEO, RiskLens:

"A data breach like Uber’s undoubtedly has the potential to have a severe financial impact to the organization, now and into the future. Just how large that impact will be remains to be seen. For all organizations facing cyber threats, the insights gained by proactively quantifying and communicating cyber risk are invaluable in understanding the potential for financial losses, and in making risk-informed decisions about how to cost-effectively invest cybersecurity funds to prepare for and mitigate those losses."


Jai Dargan, Chief of Staff at Axio:

“What the Uber breach shows us is that these types of attacks can happen to ANY company - regardless of size, industry, location. Uber is one of the largest tech companies on the planet. They have access to the best technologies and top talent in the security field. Assuming that the existing reporting holds up — and again, I’d caution that we don’t know all the facts, and it will be weeks, if not months, before this situation gets fully handled — this demonstrates why cyber resiliency is absolutely so key. Hackers have an edge against defenders. Their techniques are evolving quickly. And security teams need to ensure that their entire organizations aren’t taken offline just because a single person was phished through a social engineering attack.

It looks like Uber had all the defensive controls they needed, but this incident still happened. Security matters in the margins. We need to be continuously testing, validating, and evolving defenses to defend against cyber adversaries (whether they are teenagers or nation-states).”


John Dasher, VP of Product Marketing at Banyan Security:

"Given the nature of how this attack occurred, the need for stronger user education around social engineering attacks and better identity and more robust deployment of MFA with device trust is clear. For years, many organizations have believed that MFA is the magic bullet to conquer all security issues, however we saw here how simple it was for this hacker to bypass Uber’s security systems once he gained an employee’s credentials.

Organizations need to look at this event and learn from it. They need to implement stronger security controls, use the principle of least privilege access, and employ device trust. Had these been utilized properly, even employee credentials wouldn’t have been enough for this hacker to get into Uber’s system, because they would have needed the user's computer in addition to their credentials.

The more difficulties we can create for attackers, the better. If workers are only given access to what they need, are continuously authorized, and policies are in place that require users to access resources from registered devices, it creates barriers for threat actors who will no longer move laterally throughout an organization’s network by accessing one weak vector."


Ofer Maor, CTO and co-founder of Mitiga:

"The Uber breach is just another example of a phishing campaign that successfully obtained high-level privileges and used them to compromise multiple assets and environments. It is a reminder that no company is immune — even mature companies, like Uber, with the best security teams can be affected by social engineering attacks. As IR and forensic teams investigate the breach, it is clear that such an incident is not trivial because the data required to investigate goes beyond any singular audit log. We certainly understand that the challenge ahead for the Uber security team isn’t an easy one to contend with.

The hacker claims to have gotten permissions from multiple services from which they were able to log on and perform actions upon, including the Thycotic PAM platform, AWS, CloudTrail, Google Workspace, HackerOne, and Slack. Only through the combination of all audit logs and activity and usage reports can investigators truly understand what happened.

While there is no solution that could guarantee it could prevent a breach like this, there are a few measures organizations can consider to prepare for potential attacks. They can adopt a holistic breach readiness approach, which includes proactive forensic data collection and storage to accelerate investigation and response."
Published Friday, September 16, 2022 12:58 PM by David Marshall