An 18-year-old hacker has claimed responsibility for what is believed to be a massive breach of security controls at Uber.
The New York Times said Thursday that the hacker claimed to have gained initial access via one of the oldest tricks in the attacker’s arsenal: impersonating a member of the company’s IT department and persuading the victim to hand over a company password.
The breach appears to have compromised many of Uber’s internal systems, as the person claiming responsibility for the hack sent images of email, cloud storage, and code repositories to cybersecurity researchers, according to The Times.
“They almost have full access to Uber,” The Times quoted Yuga Labs security engineer Sam Curry, who contacted the suspected hacker. “From the looks of it, this is a perfect compromise.”
Uber has not disclosed details of the hack or whether the person claiming to have carried out the break-in deceived one of its employees. It is also unclear whether the employee’s account was protected with multi-factor authentication (MFA) that the attacker was able to bypass.
As is often the case with hacks of high-profile organizations, security vendors were quick to comment. If the 18-year-old’s claim is accurate and the employee used MFA, multi-factor authentication alone would not have been sufficient to protect against the lateral movement the attacker allegedly made, Yaron Kassner, CTO and founder of Silverfort, said in a statement.
“Organizations should ensure they use MFA, which can protect against lateral movement. For example, attackers say they accessed a shared folder containing credentials used for scripts, exactly the kind of resource that benefits from multi-factor authentication.”
“According to the details shared, these maliciously obtained service account credentials were used to compromise PAM (privileged access management) solutions, giving attackers the keys to the kingdom and many sensitive systems. This underscores the fact that service accounts must also be protected and that it is not sufficient to just protect access to PAM with MFA. Access must be protected using a secret.”
Ilia Kolochenko, founder of ImmuniWeb and member of the Europol Data Protection Experts Network, was more skeptical about the attacker’s identity.
“The purported sheer scale and scope of data breaches may be evidence of carefully planned and rigorously executed attacks by sophisticated threat actors,” he said in a statement. “The reported social engineering attack vector seems highly unlikely here, apart from other activities, as many different critical systems are being compromised simultaneously. Of course, it is possible to hypothesize that internal security controls (MFA, etc.) are completely absent and that Uber is reusing a lot of passwords, but this version currently seems unconvincing.
“Once the investigation is complete, we will have to wait for an official statement from Uber. Uber has fallen victim to sophisticated cyber attackers seeking sensitive information about the locations and travels of VIP figures, journalists and politicians. It’s possible that the version of the incident is just a smokescreen.”
According to Ian McShane, vice president of strategy at Arctic Wolf, Uber is known to have some of the best cybersecurity in the business, so the fact that Uber was compromised points to something everyone should know: even a perfectly managed security organization can be compromised. “The key is how quickly you react and how you mitigate the problem. They seem to have done that here.”
According to McShane, the intruder apparently connected to the company’s VPN to gain access to the wider Uber network. He then seems to have struck gold on a network share, in the form of admin credentials stored in plain text.
“Given the access they claim to have obtained, I’m surprised the attackers haven’t attempted a ransom or extortion,” he added. “Apparently it was done on a whim.”
Uber’s communications feed on Twitter issued the following message Thursday night: “We are in contact with law enforcement and will post additional updates here as they become available.”
Uber was the victim of a 2016 hack in which two individuals attempted to extort the company after stealing the data of 57 million drivers and customers. Uber paid the hackers US$100,000 to keep the incident quiet. Word that security controls had been compromised did not reach the company’s board of directors, nor did it become public knowledge until a year later. Uber paid US authorities a fine of $146 million for the incident and promised to tighten security.
Two months ago, Uber accepted responsibility for failing to report the breach to the U.S. Federal Trade Commission as part of a settlement with U.S. prosecutors to avoid criminal liability.
Uber employee allegedly gave password to IT impersonator