Saturday, September 24, 2022

The Uber hack explained

NetworkTigers on how the Uber hack happened.

Rideshare giant Uber has fallen victim to a cyberattack that was allegedly carried out by a teenage hacker. How did this hack happen? What has the fallout been so far? Could it have been prevented?

How the Uber hack happened

On Thursday, September 15th, users of Uber’s internal Slack message board discovered a curious message from a mysterious poster called “NWave” that read “I announce I am a hacker and Uber has suffered a data breach.” The individual then posted confidential company information that they claimed to have accessed followed by a hashtag that read “#uberunderpaisdrivers.”

Due to the bold nature of the post, Uber employees initially assumed that it was a prank of some kind. Some even went so far as to interact with the poster, replying to the message with memes or humorous quips.

Shortly thereafter, Uber revealed in a tweet from their Uber Comms account that a legitimate breach had occurred and that they were “in touch with law enforcement and will post additional updates here as they become available.” The company’s Slack and other systems were taken down as Uber attempted to fully understand what had taken place.

For their part, the hacker claiming responsibility showed little restraint in communicating with security researchers, bragging about the breach and explaining how easy it had been for them to initiate.

According to a report from Wired that referenced the attacker’s conversation with security researcher Corben Leo, the hacker claims to have “first gained access to company systems by targeting an individual employee and repeatedly sending them multifactor authentication login notifications. After more than an hour, the attacker claims, they contacted the same target on WhatsApp pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login.”

It would appear, based on their claims, that social engineering allowed the hacker to infiltrate a targeted system not by exploiting code but by posing as a trusted source and convincing an employee to hand over access.

The technique used here is referred to as an “MFA fatigue” attack. One can easily imagine the worker’s eagerness to put an end to persistent notification interruptions that disrupted their day.
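The pattern described above, a burst of unanswered push prompts followed by an approval, is something an identity team can watch for in its own MFA logs. The following detector is an added example, not code from the article or from Uber; it assumes a constructed `timestamp,user,event,source` log format and a push-based MFA provider, so the field names are placeholders for whatever your IdP actually exports.

```python
"""MFA push-fatigue detector (added example, not from the original article).

Assumes a constructed log format: one 'timestamp,user,event,source' record per
line, where event is PUSH_SENT, PUSH_DENIED, PUSH_TIMEOUT or PUSH_APPROVED.
Real IdP exports differ; map their fields onto this shape first.
"""
from datetime import datetime, timedelta

# Constructed sample: a flood of unanswered pushes to one user, then an approval.
SAMPLE_LOG = """\
2022-09-15T20:00:05Z,alice,PUSH_SENT,203.0.113.7
2022-09-15T20:00:35Z,alice,PUSH_TIMEOUT,203.0.113.7
2022-09-15T20:01:10Z,alice,PUSH_SENT,203.0.113.7
2022-09-15T20:01:40Z,alice,PUSH_DENIED,203.0.113.7
2022-09-15T20:02:15Z,alice,PUSH_SENT,203.0.113.7
2022-09-15T20:02:45Z,alice,PUSH_DENIED,203.0.113.7
2022-09-15T20:03:20Z,alice,PUSH_SENT,203.0.113.7
2022-09-15T20:03:50Z,alice,PUSH_TIMEOUT,203.0.113.7
2022-09-15T20:04:30Z,alice,PUSH_SENT,203.0.113.7
2022-09-15T20:04:55Z,alice,PUSH_APPROVED,203.0.113.7
2022-09-15T20:05:00Z,bob,PUSH_SENT,198.51.100.9
2022-09-15T20:05:10Z,bob,PUSH_APPROVED,198.51.100.9
"""

def parse(log):
    """Yield (timestamp, user, event, source) tuples from the constructed log."""
    for line in log.splitlines():
        ts, user, event, src = line.strip().split(",")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, src

def find_push_fatigue(log, max_pushes=3, window=timedelta(minutes=10)):
    """Return {user: verdict} for users who received more than `max_pushes`
    pushes inside a sliding `window`. Verdict is 'flood_only' while the user
    keeps denying or ignoring prompts, and 'approved_after_flood' once an
    approval follows the flood (the session should be treated as compromised)."""
    recent, verdicts = {}, {}
    for ts, user, event, src in parse(log):
        sent = recent.setdefault(user, [])
        # Drop pushes that have aged out of the window.
        sent[:] = [t for t in sent if ts - t <= window]
        if event == "PUSH_SENT":
            sent.append(ts)
            if len(sent) > max_pushes:
                verdicts.setdefault(user, "flood_only")
        elif event == "PUSH_APPROVED" and verdicts.get(user) == "flood_only":
            verdicts[user] = "approved_after_flood"
    return verdicts

if __name__ == "__main__":
    print(find_push_fatigue(SAMPLE_LOG))  # {'alice': 'approved_after_flood'}
```

Alerting on the `flood_only` state, before any approval arrives, gives the help desk a chance to reach the user through a known-good channel while the prompts are still being denied.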

The hacker’s conversations and shared screenshots reveal that they were able to dig deep into the company’s source code once initial access had been achieved.

Additionally, they commandeered Uber’s HackerOne account, where the company privately discloses information for bug bounty hunters. These vulnerability correspondences are meant to be kept secret until the company issues a patch.

Before losing access, the attacker is believed to have downloaded this information, although Uber reports that any bugs within the system have already been fixed.

The Uber hack fallout thus far

In a tweet the following day, Uber provided the following updates:

  • We have no evidence that the incident involved access to sensitive user data (like trip history).
  • All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.
  • As we shared yesterday, we have notified law enforcement.
  • Internal software tools that we took down as a precaution yesterday morning are coming back online this morning.

However, researchers are skeptical of the company’s few official statements to date.

Screenshots shared by the hacker lead some to believe that they gained access to OneLogin, which would allow them a look into every nook and cranny of Uber’s data, including the user data that the company claims was safe from the breach.

While initially the hacker did not appear to be financially motivated or connected with any malicious hacker gang or enterprise, Uber reported that they believe the individual is associated with the Lapsus$ hacker gang. However, they have not disclosed exactly how they have drawn that conclusion.

Lapsus$ has recently experienced a meteoric rise in notoriety due to the collective’s successful hacks and ransomware attacks against high-profile victims in the tech and gaming industries. The fact that most Lapsus$ members seem to be teenagers gives credence to the hacker’s claims, and the bold manner in which they announced their presence is also par for the course when it comes to the gang’s brand.

Refuting some of the hacker’s assertions, Uber believes that the individual purchased stolen login credentials from the dark web as opposed to relying exclusively on social engineering to conduct the breach.

Mere days after the Uber hack, an attacker alleging to be the same person using the name “teapotuberhacker” took credit for hacking Rockstar Games and leaking a tremendous amount of footage from the publisher’s upcoming entry into the Grand Theft Auto series. They claim to have also stolen the game’s source code and have expressed interest in holding the data for ransom.

The boldness of the two hacks, the nature of the targeted companies and the back-to-back nature of the attacks does indeed fit in with previous patterns established by Lapsus$.

The timing couldn’t be worse for Uber. It takes place five years after the company had suffered an attack that saw them discreetly pay a hacker $100,000 to keep the breach a secret. Joe Sullivan, Uber’s former chief security officer, is currently on trial for criminal obstruction in that case.

Additionally, US lawmakers have been taking a hard look under the hood with regard to big tech’s security policies, as Elon Musk’s legal battle with Twitter, reinforced by statements from a whistleblower, has put Silicon Valley uncomfortably under the federal microscope once again.

However, the hack of Rockstar and the leaking of video related to one of the gaming industry’s most anticipated titles in nearly a decade will likely result in the attack on Uber fading from the public’s attention.

Could this hack have been prevented?

As with many recent attacks that relied heavily on phishing or social engineering, the hacker might have been stopped in their tracks had the targeted employee not taken the bait and approved the login request. This reliance on human error has become a favored methodology for hackers, as even the tightest security is only as strong as people’s ability to keep login credentials private.

Hackers are acutely aware of this vulnerability. They know how to achieve success and they know that being given login credentials is the path of least resistance when it comes to mounting a successful attack.

Companies and organizations know this as well. However, it is all but impossible to completely prevent a breach that relies on trickery as opposed to brute force system penetration or the detectable insertion of malicious software.

Firewalls, antivirus and antimalware programs are necessary lines of defense, but they have no effect on someone who is able to simply walk through the front door. Even multi-factor authentication, a highly recommended security control, is obviously of limited usefulness against this strategy.

The most effective preventative measure when it comes to this type of hack is education. Employees need to know the telltale signs of a phishing scam when they encounter one.

Organizations need to put policies in place with regard to verifying requests for sensitive data or login credentials. While many companies are loath to create additional hoops to jump through when it comes to seemingly mundane activity, the financial risk of a potentially devastating attack far outweighs the inconvenience of slightly slower response times.

While lower-level workers who handle a high volume of correspondence are regularly targeted because they are on the front lines of email and message-based attacks, high-level employees are not immune.

From messages purporting to originate from the IT department at Twilio to a fake job offered to a senior engineer at Axie Infinity, it would appear as though hackers have found the security Achilles heel that no amount of sophisticated coding or white-hat hacking can fully protect against.

Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
