NetworkTigers on how the Uber hack happened.
Rideshare giant Uber fell victim to a cyberattack allegedly carried out by a teenage hacker. How did this hack happen? What has the fallout been so far? Could it have been prevented?
How the Uber hack happened
On Thursday, September 15th, users of Uber’s internal Slack message board discovered a curious message from a mysterious poster called “NWave” that read, “I announce I am a hacker and Uber has suffered a data breach.” The individual then posted confidential company information they claimed to have accessed, followed by a hashtag that read “#uberunderpaisdrivers.”
Due to the bold nature of the post, Uber employees initially assumed that it was a prank of some kind. Some even went so far as to interact with the poster, replying to the message with memes or humorous quips.
Shortly after, Uber revealed in a tweet from their Uber Comms account that a legitimate breach had occurred and that they were “in touch with law enforcement and will post additional updates here as they become available.” The company’s Slack and other systems were taken down while Uber attempted to fully understand what had taken place.
For their part, the hacker claiming responsibility showed little restraint in communicating with security researchers, bragging about the breach and explaining how easy it had been for them to initiate.
According to a report from Wired that referenced the attacker’s conversation with security researcher Corben Leo, the hacker reports having “first gained access to company systems by targeting an individual employee and repeatedly sending them multifactor authentication login notifications. After over an hour, the attacker claims, they contacted the same target on WhatsApp, pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login.”
Based on their claims, it would appear that social engineering allowed the hacker to infiltrate a targeted system not through elaborate technical exploitation but by convincing an employee to hand over access while posing as a trusted source.
The technique used here is called an “MFA fatigue” attack: the attacker already holds a valid password and triggers push notifications over and over until the target approves one just to make them stop. One can easily imagine the worker’s eagerness to end the persistent notification interruptions that disrupted their day.
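The pattern described above (a long run of denied or ignored push prompts followed, much later, by a single approval) is what a defender should look for in identity-provider logs. The following is an added detection example written for this page; it is not code from NetworkTigers, Uber or any identity vendor. The log format, the field names, the sample lines and the thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Uber data). Hypothetical format, assumed for this
# example: "<ISO-8601 timestamp> <user> <event> <source ip>", one push MFA event per line.
SAMPLE_LOG = """\
2022-09-15T21:00:05Z alice push_sent 203.0.113.7
2022-09-15T21:00:35Z alice push_denied 203.0.113.7
2022-09-15T21:01:10Z alice push_sent 203.0.113.7
2022-09-15T21:01:40Z alice push_timeout 203.0.113.7
2022-09-15T21:02:00Z bob push_sent 198.51.100.2
2022-09-15T21:02:10Z bob push_approved 198.51.100.2
2022-09-15T21:02:15Z alice push_sent 203.0.113.7
2022-09-15T21:02:45Z alice push_denied 203.0.113.7
2022-09-15T21:03:20Z alice push_sent 203.0.113.7
2022-09-15T21:03:50Z alice push_timeout 203.0.113.7
2022-09-15T21:04:25Z alice push_sent 203.0.113.7
2022-09-15T21:04:55Z alice push_denied 203.0.113.7
2022-09-15T22:10:00Z alice push_sent 203.0.113.7
2022-09-15T22:10:20Z alice push_approved 203.0.113.7
"""

# Events that mean the user did not accept the prompt (push_sent lines are ignored).
UNANSWERED = {"push_denied", "push_timeout"}


def parse_events(text):
    """Parse log lines into (timestamp, user, event, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_mfa_fatigue(text, threshold=5, burst_window=timedelta(minutes=60),
                       approval_window=timedelta(hours=3)):
    """Return a list of findings.

    A 'burst' is `threshold` or more denied/timed-out pushes for one user inside
    `burst_window` (sliding). An approval that lands within `approval_window` after a
    burst is flagged separately, because that is the moment the attacker gains access.
    """
    findings = []
    recent = defaultdict(deque)   # user -> timestamps of unanswered pushes in window
    burst_end = {}                # user -> timestamp of the last push in a flagged burst
    for ts, user, event, ip in parse_events(text):
        if event in UNANSWERED:
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > burst_window:
                q.popleft()
            if len(q) >= threshold and user not in burst_end:
                findings.append({"type": "mfa_fatigue_burst", "user": user, "src_ip": ip,
                                 "first": q[0], "last": ts, "count": len(q)})
            if len(q) >= threshold:
                burst_end[user] = ts
        elif event == "push_approved" and user in burst_end:
            if ts - burst_end[user] <= approval_window:
                minutes = round((ts - burst_end[user]).total_seconds() / 60)
                findings.append({"type": "approval_after_fatigue", "user": user,
                                 "src_ip": ip, "approved_at": ts,
                                 "minutes_since_burst": minutes})
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the script raises two findings for alice (a burst of five unanswered prompts in under five minutes, then an approval roughly 65 minutes later) and nothing for bob, whose single prompt was approved normally. The second finding is the one worth paging on: a burst alone may be a misconfigured client, but an approval after a burst warrants a call to the user through a channel the attacker does not control, which is exactly the verification step the WhatsApp message in this incident was designed to bypass.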
The hacker’s conversations and shared screenshots reveal that they were able to dig deep into the company’s source code once initial access had been achieved.
Additionally, they commandeered Uber’s HackerOne account, the platform through which bug bounty hunters privately report vulnerabilities to the company. These vulnerability reports are meant to be kept secret until the company issues a patch.
Before losing access, the attacker is believed to have downloaded this information, although Uber reports that any bugs within the system have already been fixed.
The Uber hack fallout thus far
In a tweet the following day, Uber provided the following updates:
- We have no evidence that the incident involved access to sensitive user data (like trip history).
- All our services, including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.
- As we shared yesterday, we have notified law enforcement.
- Internal software tools we took down as a precaution yesterday morning are coming back online this morning.
However, researchers are skeptical of the company’s few official statements.
Screenshots shared by the hacker lead some to believe that they gained access to OneLogin, which would allow them a look into every nook and cranny of Uber’s data, including the user data that the company claims was safe from the breach.
While initially the hacker did not appear to be financially motivated or connected with any malicious hacker gang or enterprise, Uber reported that they believe the individual is associated with the Lapsus$ hacker gang. However, they have not disclosed exactly how they have drawn that conclusion.
Lapsus$ has recently experienced a meteoric rise in notoriety due to the collective’s successful hacks and ransomware attacks against high-profile victims in the tech and gaming industries. The fact that most Lapsus$ members seem to be teenagers gives credence to the hacker’s claims, and the bold manner in which they announced their presence is also par for the course regarding the gang’s brand.
Contrary to some of the hacker’s assertions, Uber believes that the individual purchased stolen login credentials from the dark web instead of relying exclusively on social engineering to conduct the breach.
Mere days after the Uber hack, an attacker alleging to be the same person using the name “teapotuberhacker” took credit for hacking Rockstar Games and leaking a tremendous amount of footage from the publisher’s upcoming entry into the Grand Theft Auto series. They claim to have also stolen the game’s source code and have expressed interest in holding the data for ransom.
The boldness of the two hacks, the nature of the targeted companies, and the back-to-back timing of the attacks fit the pattern previously established by Lapsus$.
The timing couldn’t be worse for Uber. It comes five years after the company suffered a breach that saw it discreetly pay a hacker $100,000 to keep the incident a secret. Joe Sullivan, Uber’s former chief security officer, is currently on trial for criminal obstruction in that case.
Additionally, US lawmakers have been taking a hard look under the hood at big tech’s security policies. Elon Musk’s legal battle with Twitter, reinforced by a whistleblower’s statement, has again put Silicon Valley uncomfortably under the federal microscope.
However, the hack of Rockstar and the leaking of video related to one of the gaming industry’s most anticipated titles in nearly a decade will likely result in the attack on Uber fading from the public’s attention.
Could this hack have been prevented?
As with many recent attacks that relied heavily on phishing or social engineering tactics, the hacker may have been stopped in their tracks had the targeted employee not taken the bait and instead verified the request before approving access. This reliance on human error has become a favored methodology for hackers, as even the tightest security is only as strong as people’s ability to keep login credentials private.
Hackers are acutely aware of this vulnerability. They know that being handed login credentials is the path of least resistance when mounting a successful attack.
Companies and organizations know this as well. However, it is impossible to completely prevent a breach that relies on trickery instead of brute force system penetration or the detectable insertion of malicious software.
Firewalls, antivirus, and antimalware programs are necessary lines of defense but do nothing against someone who can simply walk through the front door. Even multi-factor authentication, a highly recommended security control, is of limited usefulness when the legitimate user can be talked into approving the attacker’s login.
The most effective preventative measure for this type of hack is education. Employees need to know the telltale signs of a phishing scam when they encounter one.
Organizations need to put policies in place about verifying requests for sensitive data or login credentials. While many companies are loath to create additional hoops to jump through when it comes to seemingly mundane activity, the financial risk of a potentially devastating attack far outweighs the inconvenience of slightly slower response times.
While low-level workers tasked with high correspondence turnover are regularly targeted due to being on the front lines of email and message-based attacks, high-level employees are not immune.
From messages purported to originate from the IT department at Twilio to a fake job offered to a senior engineer at Axie Infinity, it would appear as though hackers have found the security Achilles heel that no amount of sophisticated coding or White Hat hacking can fully protect against.