Thursday night, Uber, the ride-sharing giant, confirmed that it was responding to “a cyber security incident” and was contacting police about the breach. An entity claiming to be an 18-year-old individual hacker claimed responsibility for the attack, bragging to multiple security researchers about the steps they took to breach company security. The attacker reportedly posted, “Hello @here I am announcing that I am a hacker and Uber has suffered a data breach,” in an Uber Slack channel Thursday night. The Slack post also listed a number of Uber databases and cloud services that the hacker claimed to have breached. The message reportedly concluded with the signature, “uberundercountrydrives.”
The company temporarily removed access Thursday night to Slack and some other internal services, according to The New York Times, which first reported the breach. In a noon update on Friday, the company said that “internal software tools that we removed yesterday as a precaution will be brought back online.” Invoking traditional breach notification language, Uber also said Friday that it “has no evidence that the incident involved access to sensitive user data (such as ride history).” However, screenshots leaked by the attacker indicate that Uber’s systems may have been deeply and thoroughly compromised, and that anything the attacker did not access may have been the result of limited time rather than limited opportunity.
“It’s disheartening, and Uber is definitely not the only company this approach would work against,” says offensive security engineer Cedric Owens of the phishing and social engineering tactics the hacker claimed to use to breach the company. “The techniques mentioned in this hack so far are quite similar to what many red team members, myself included, have used in the past. So, unfortunately, these kinds of breaches don’t surprise me anymore.”
The attacker, who WIRED could not reach for comment, claims to have first gained access to company systems by targeting an individual employee and repeatedly sending them multi-factor authentication login notifications. After more than an hour, the attacker claims, they contacted the same target on WhatsApp pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login.
Such attacks, sometimes known as “MFA fatigue” or “exhaustion” attacks, take advantage of authentication systems in which account owners simply have to approve a login via a push notification on their device instead of through other means, such as entering a randomly generated code. Push-based MFA phishing has become increasingly popular with attackers. And in general, hackers have developed more and more phishing attacks to bypass two-factor authentication as more companies implement it. The recent Twilio breach, for example, illustrated just how dire the consequences can be when a company that provides multi-factor authentication services is compromised. Organizations that require physical authentication keys for logins have been successful in defending against such remote social engineering attacks.
The phrase “zero trust” has become a sometimes meaningless buzzword in the security industry, but the Uber breach seems to at least show an example of what zero trust is not. Once the attacker had initial access within the company, they claim they were able to access network shares that included scripts for Microsoft’s management and automation program, PowerShell. The attacker said that one of the scripts contained encrypted credentials for an administrator account of the Thycotic access management system. With control of this account, the attacker claimed to have obtained access tokens for Uber’s cloud infrastructure, including Amazon Web Services, Google’s GSuite, VMware’s vSphere dashboard, Duo Authentication Manager, and the critical OneLogin identity and access management service.
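The pattern described in the two paragraphs above, a burst of push prompts followed by a single approval, is visible in MFA provider logs, which is where a security team can catch it. The detector below is an added example written for this article, not Uber's or any MFA vendor's code; the log format, field names, user names and the window and threshold values are all constructed assumptions. It keeps a sliding window of pushes per user and raises two alerts: `push_burst` when the number of pushes in the window crosses a threshold, and the more serious `approval_after_burst` when an approval arrives while that burst is still in the window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (assumed format, not any vendor's real log).
# Event types assumed: push_sent, push_denied, push_timeout, push_approved.
SAMPLE_LOG = """\
2022-09-15T21:00:05Z user=alice event=push_sent
2022-09-15T21:00:40Z user=alice event=push_denied
2022-09-15T21:01:10Z user=alice event=push_sent
2022-09-15T21:01:50Z user=alice event=push_timeout
2022-09-15T21:02:30Z user=alice event=push_sent
2022-09-15T21:03:05Z user=alice event=push_denied
2022-09-15T21:04:00Z user=bob event=push_sent
2022-09-15T21:04:10Z user=bob event=push_approved
2022-09-15T21:04:45Z user=alice event=push_sent
2022-09-15T21:05:20Z user=alice event=push_denied
2022-09-15T21:06:00Z user=alice event=push_sent
2022-09-15T21:06:40Z user=alice event=push_timeout
2022-09-15T21:08:15Z user=alice event=push_sent
2022-09-15T21:08:30Z user=alice event=push_approved
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


def parse_line(line):
    """Parse one log line into (timestamp, user, event); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["event"]


def detect_push_fatigue(lines, window=timedelta(minutes=10), threshold=5):
    """Return alerts as (timestamp, user, alert_type, pushes_in_window).

    push_burst:           the user received `threshold` pushes inside `window`,
                          whatever they did with them (the bombardment is underway).
    approval_after_burst: an approval arrived while a burst is still inside the
                          window, which is the moment an attacker would get in.
    """
    recent = defaultdict(deque)  # user -> timestamps of pushes still in window
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, event = parsed
        q = recent[user]
        while q and ts - q[0] > window:  # drop pushes older than the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) == threshold:  # fire once, as the threshold is crossed
                alerts.append((ts, user, "push_burst", len(q)))
        elif event == "push_approved" and len(q) >= threshold:
            alerts.append((ts, user, "approval_after_burst", len(q)))
    return alerts


if __name__ == "__main__":
    for ts, user, kind, n in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {user:<6} {kind:<22} pushes_in_window={n}")
```

On the constructed log, alice triggers `push_burst` at her fifth push and `approval_after_burst` when she finally approves after six; bob's single push and approval stay silent. The second alert is the one that should page someone and revoke the session, since the approval itself looks legitimate to the MFA system. Number matching or the physical keys the paragraph mentions remove the blind "approve" path entirely, which is why they are the stronger fix; the detector is the compensating control for push-based MFA that is still in use.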
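The second link in the chain above is a script on a network share that carried credentials for a privileged account; the defensive counterpart is to scan shares for embedded secrets before anyone else finds them and to move those secrets into a vault. The scanner below is an added example written for this article, not Uber's or Thycotic's code. The sample PowerShell script, the share layout and the rule set are constructed assumptions; the script embeds the same password three different ways and also shows two vault-backed lines (`Get-Credential`, and `Get-Secret` from the SecretManagement module) that the scanner correctly leaves alone. Findings are redacted so the report itself does not become a second copy of the secret.

```python
import os
import re

# Constructed sample PowerShell script (not Uber's script) of the kind an
# automation job might drop on a share: it embeds one password three ways,
# an API token, and two vault-backed lines that should not be flagged.
SAMPLE_SCRIPT = r'''
# nightly-sync.ps1 (constructed example)
$server = "pam.corp.example"
$user = "svc_pam_admin"
$password = "Winter2022!"
$secure = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $secure)
Connect-VIServer -Server "vcenter.corp.example" -User $user -Password "Winter2022!"
$apiToken = "tok_EXAMPLEEXAMPLE0001"
$safe = Get-Credential -Message "Enter PAM credentials"
$fromVault = Get-Secret -Name "pam-admin"
'''

# Rule name -> regex whose group(1) captures the embedded secret (assumed rules).
PATTERNS = [
    ("plaintext_password_assignment",
     re.compile(r'\$(?:\w*pass\w*|pwd|secret)\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("convertto_securestring_literal",
     re.compile(r'ConvertTo-SecureString\s+["\']([^"\']+)["\'].*-AsPlainText', re.I)),
    ("inline_password_parameter",
     re.compile(r'-Password\s+["\']([^"\']+)["\']', re.I)),
    ("api_key_assignment",
     re.compile(r'\$(?:\w*key\w*|\w*token\w*)\s*=\s*["\']([A-Za-z0-9_\-]{16,})["\']', re.I)),
]

SCRIPT_EXTENSIONS = (".ps1", ".psm1", ".psd1")


def redact(secret):
    """Keep just enough of the value to locate it in the file, never all of it."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def scan_script(text, path="<inline>"):
    """Return one finding per (line, rule) hit; comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for rule, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"path": path, "line": lineno,
                                 "rule": rule, "preview": redact(m.group(1))})
    return findings


def scan_directory(root):
    """Walk a mounted share (assumed path) and scan every PowerShell file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(SCRIPT_EXTENSIONS):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_script(fh.read(), full))
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT, "nightly-sync.ps1"):
        print(f"{f['path']}:{f['line']} {f['rule']} value={f['preview']}")
```

Run against the constructed script it reports four findings (lines 5, 6, 8 and 9) and nothing for the `Get-Credential` and `Get-Secret` lines, which is the shape the script should be rewritten into: credentials requested at run time or fetched from a vault under a least-privilege service identity rather than stored beside the code. Point `scan_directory` at a mounted share to inventory every script the same way; the rules are deliberately narrow, so a real deployment would extend them to whatever credential syntax the organisation's own tooling uses.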