Hacker Pwns Uber Via Compromised VPN Account

Published: 23/11/2024   Category: security

A teen hacker reportedly social-engineered an Uber employee to hand over an MFA code to unlock the corporate VPN, before burrowing deep into Uber's cloud and code repositories.



This post was updated at 2:15 ET on Sept. 16, 2022 to reflect additional initial compromise information.
Ride-sharing giant Uber took some of its operations offline late Thursday after it discovered that its internal systems had been compromised. The attacker was able to social-engineer his way into an employee's VPN account before pivoting deeper into the network, the company said.
While the full extent of the breach has yet to come to light, the person claiming responsibility for the attack (reportedly a teenager) claimed to have troves of emails, data pilfered from Google Cloud storage, and Uber's proprietary source code, proof of which he sent out to some cybersecurity researchers and media outlets, including The New York Times.
"They pretty much have full access to Uber," Sam Curry, security engineer at Yuga Labs, told the Times. "This is a total compromise, from what it looks like."
The Slack collaboration platform was the first system taken offline, but other internal systems quickly followed, according to reports. Just before the disablement, the attacker sent off a Slack message to Uber employees (some of whom shared it on Twitter): "I announce I am a hacker and Uber has suffered a data breach."
The perp also told researchers and media that the breach began with a text message to an Uber employee, purporting to be from corporate IT. More specifically, according to independent cybersecurity analyst Graham Cluley, the hacker mounted what's known as an MFA fatigue attack.
To wit: The attacker had already determined a valid username and password for Uber's VPN, but needed a text-based multifactor authentication (MFA) one-time code to get into the account. So, he bombarded the worker with MFA push notifications for more than an hour before contacting the target via WhatsApp, where he again posed as Uber IT staff. If the person wanted the irritation to stop, he said, they needed to accept the MFA request. The target complied.
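As an added defender-side illustration (not part of the original report, and not Uber's own tooling), the following Python detector flags the bombardment pattern just described in an MFA log: a user who denies or ignores several push prompts within an hour and then approves one. The log format, event names and sample lines are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Uber data). Line format assumed here:
# "<ISO-8601 timestamp> <user> <event>", event in
# push_sent / push_denied / push_timeout / push_approved.
SAMPLE_LOG = """\
2022-09-15T21:00:00Z bob push_sent
2022-09-15T21:00:20Z bob push_approved
2022-09-15T21:05:00Z alice push_sent
2022-09-15T21:05:30Z alice push_timeout
2022-09-15T21:06:00Z alice push_sent
2022-09-15T21:06:10Z alice push_denied
2022-09-15T21:07:00Z alice push_sent
2022-09-15T21:07:30Z alice push_timeout
2022-09-15T21:08:00Z alice push_sent
2022-09-15T21:08:30Z alice push_timeout
2022-09-15T21:40:00Z alice push_sent
2022-09-15T21:40:15Z alice push_approved
"""

REJECTED = {"push_denied", "push_timeout"}   # prompts the user did not accept

def parse_log(text):
    """Yield (timestamp, user, event) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), parts[1], parts[2]

def detect_push_fatigue(text, threshold=3, window_minutes=60):
    """Alert on users who deny or ignore >= threshold pushes inside the window.
    approved_after becomes True if the user then approves a push within the
    window of the last rejected one: the pattern described in the article."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)   # user -> rejected-push timestamps in window
    alerts = {}
    for ts, user, event in parse_log(text):
        if event in REJECTED:
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) >= threshold:
                a = alerts.setdefault(user, {"user": user, "rejected": 0, "approved_after": False})
                a["rejected"] = max(a["rejected"], len(recent[user]))
        elif event == "push_approved" and user in alerts:
            if recent[user] and ts - recent[user][-1] <= window:
                alerts[user]["approved_after"] = True
    return list(alerts.values())
```

An alert with approved_after set is the case worth paging on: the approval that ends a burst of rejections is exactly what this attack produces, whereas bob's single prompt-and-approve never trips the threshold.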
"While no official explanation has been provided yet, [apparently] the intruder was able to connect to the corporate VPN to gain access to the wider Uber network, and then seems to have stumbled on gold in the form of admin credentials stored in plain text on a network share," Ian McShane, vice president of strategy at Arctic Wolf, said in a statement. "This is a pretty low-bar-to-entry attack and is something akin to the consumer-focused attackers calling people claiming to be Microsoft and having the end user install keyloggers or remote access tools."
The hacker also told other researchers that once in, he scanned the company's intranet, and was lucky enough to find a PowerShell script containing hardcoded credentials for a Thycotic privileged access management (PAM) admin account, which gave him bountiful tools to unlock other internal systems, like Slack.
In a media statement to the Times, an Uber spokesperson confirmed that social engineering was the point of entry, and simply said that the company was working with law enforcement to investigate the breach. Publicly, via Twitter, the company posted, "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."
According to reports, the hacker said he is 18 years old and targeted the company to demonstrate its weak security; there may also be a hacktivist element, because he also declared in the Slack message to employees that Uber drivers should be paid more.
"Given the access they claim to have gained, I'm surprised the attacker didn't attempt to ransom or extort; it looks like they did it for the lulz," McShane added.
Uber was the subject of another massive breach, back in 2016. In that incident, cyberattackers made off with personal information for 57 million customers and drivers, demanding $100,000 in exchange for not weaponizing the data (the company paid up). A subsequent criminal investigation led to a non-prosecution settlement with the US Department of Justice this summer, which included Uber admitting that it actively covered up the full extent of the breach, which it didn't even disclose for more than a year.
Also related to that earlier hit, in 2018 Uber settled nationwide civil litigation by paying $148 million to all 50 states and the District of Columbia; and, ironically given the new developments, it agreed to implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments.
