Hacker Pwns Uber Via Compromised VPN Account

This post was updated at 2:15 ET on Sept. 16, 2022 to reflect additional initial compromise information.

Ride-sharing giant Uber took some of its operations offline late Thursday after it discovered that its internal systems have been compromised. The attacker was able to social-engineer his way into an employee's VPN account before pivoting deeper into the network, the company said.

While the full extent of the breach has yet to come to light, the person claiming responsibility for the attack (reportedly a teenager) claimed to have troves of emails, data pilfered from Google Cloud storage, and Uber's proprietary source code, "proof" of which he sent out to some cybersecurity researchers and media outlets, including The New York Times.

"They pretty much have full access to Uber," Sam Curry, security engineer at Yuga Labs, told the Times. "This is a total compromise, from what it looks like."

Compromise Dominoes

The Slack collaboration platform was the first system taken offline, but other internal systems quickly followed, according to reports. Just before the disablement, the attacker sent off a Slack message to Uber employees (some of whom shared it on Twitter): "I announce I am a hacker and Uber has suffered a data breach."

The perp also told researchers and media that the breach began with a text message to an Uber employee, purporting to be from corporate IT. More specifically, according to independent cybersecurity analyst Graham Cluley, the hacker mounted what's known as an "MFA fatigue attack." 

To wit: The attacker had already determined a valid username and password for Uber's VPN, but needed a text-based multifactor authentication (MFA) one-time code to get into the account. So, he bombarded the worker with MFA push notifications for more than an hour before contacting the target via WhatsApp, where he again posed as Uber IT staff. If the person wanted the irritation to stop, he said, they needed to accept the MFA request. The target complied.

"While no official explanation has been provided yet, [apparently] the intruder was able to connect to the corporate VPN to gain access to the wider Uber network, and then seems to have stumbled on gold in the form of admin credentials stored in plain text on a network share," Ian McShane, vice president of strategy at Arctic Wolf, said in a statement. "This is a pretty low-bar-to-entry attack and is something akin to the consumer-focused attackers calling people claiming to be Microsoft and having the end user install keyloggers or remote access tools."

The hacker also told other researchers that once in, he scanned the company’s intranet, and was lucky enough to find a PowerShell script containing hardcoded credentials for a Thycotic privileged access management (PAM) admin account, which gave him bountiful tools to unlock other internal systems, like Slack.

In a media statement to the Times, an Uber spokesperson confirmed that social engineering was the point of entry, and simply said that the company was working with law enforcement to investigate the breach. Publicly, via Twitter, the company posted, "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."

According to reports, the hacker said he is 18 years old and targeted the company to demonstrate its weak security; there may also be a hacktivist element, because he also declared in the Slack message to employees that Uber drivers should be paid more.

"Given the access they claim to have gained, I'm surprised the attacker didn't attempt to ransom or extort, it looks like they did it 'for the lulz,'" McShane added.

Not Uber's First Data Breach Ride

Uber was the subject of another massive breach, back in 2016. In that incident, cyberattackers made off with personal information for 57 million customers and drivers, demanding $100,000 in exchange for not weaponizing the data (the company paid up). A subsequent criminal investigation led to a non-prosecution settlement with the US Department of Justice this summer, which included Uber admitting that it actively covered up the full extent of the breach, which it didn't even disclose for more than a year.

Also related to that earlier hit, in 2018 Uber settled nationwide civil litigation by paying $148 million to all 50 states and the District of Columbia; and, ironically given the new developments, it agreed to "implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments."