Uber announced on Thursday evening that it was responding to a cybersecurity incident, which led to the ride-sharing giant taking internal communications and engineering systems offline.
The New York Times reports that the individual claiming responsibility for the breach sent pictures of email, cloud storage, and code repositories to some cybersecurity researchers. Sam Curry, a security engineer at Yuga Labs who corresponded with the individual, said "they pretty much have full access to Uber... It seems like maybe they're this kid who got into Uber and doesn't know what to do with it, and is having the time of his life."
In fact, the culprit claimed to be 18 years old and to have been working on cybersecurity skills for years. The hacker said the motivation for breaching Uber was that the company had weak security systems in place and that drivers should receive higher pay.
vx-underground, an organization that frequently shares information related to malware and security incidents, posted this on Twitter:
"Update: A Threat Actor claims to have completely compromised Uber - they have posted screenshots of their AWS instance, HackerOne administration panel, and more. They are openly taunting and mocking @Uber." pic.twitter.com/Q3PzzBLsQY
— vx-underground (@vxunderground) September 16, 2022
According to this cyber wonderkid, they used social engineering to pull off the hack.
Cybersecurity researcher Kevin Beaumont shared that the hacker essentially spammed an Uber employee in order to gain access:
"Uber, what you need to know, the thread. 1)" pic.twitter.com/CXU75bqrZU
— Kevin Beaumont (@GossiTheDog) September 16, 2022
After initial access was gained, they were able to access other internal systems, including the company Slack channel, Uber source code, email, and some other systems.
Significance of the incident
This incident is yet another example of how easy it is for malicious threat actors to use social engineering to gain access to an organization's internal systems.
Mackenzie Jackson, a security advocate at GitGuardian, said this about the scale of the intrusion:
"What makes this breach appear so significant is that this does not appear to be a breach of a single system. The attackers seem to have moved laterally between systems for a complete organization takeover. We very often find credentials and secrets for specific systems that have leaked, but finding admin credentials to an access management system is like finding a master key to every room and alarm system, in every building, in every country that an organization owns."
And Darryl MacLeod, a vCISO at LARES Consulting, discussed the incident and social engineering:
"This breach highlights the need for companies to educate their employees about the dangers of social engineering and how to defend against it. Social engineering attacks are becoming more common and more sophisticated, so it's important to be aware of the dangers. If you work for a company that holds sensitive data, make sure you know how to spot a social engineering attack and what to do if you encounter one."
Uber's response to being breached... again
Since the incident occurred, Uber has provided an update on the situation, sharing what information it could:
- "We have no evidence that the incident involved access to sensitive user data (like trip history)."
- "All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational."
- "As we shared yesterday, we have notified law enforcement."
- "Internal software tools that we took down as a precaution yesterday are coming back online this morning."
This breach is not the first time Uber has dealt with a cybersecurity incident. In 2016, the company experienced a breach that resulted in information for 57 million drivers and riders being exposed.
The threat actor demanded a payment of $100,000 to delete the data, which Uber's top security executive, Joe Sullivan, agreed to pay, though he kept it quiet for over a year. Sullivan was fired and charged with obstructing justice after failing to disclose the breach to appropriate authorities.
Uber's current Chief Information Security Officer, Latha Maripuri, said in an internal email to employees about the current situation: "We don't have an estimate right now as to when full access to tools will be restored, so thank you for bearing with us."
It appears Uber has learned from its past mistakes and is handling this incident better.