ESET, a leading company in proactive threat detection, warns that Uber has confirmed it suffered a security incident and is investigating what happened. The company was apparently the victim of unauthorized access to several of its systems, and the attacker sent researchers and media outlets, including the New York Times (NYT), which broke the news, screenshots of emails, cloud storage services and code repositories to prove that they had managed to access those systems.
According to the attacker, they first tricked an employee through social engineering, obtained that employee's VPN access, and then scanned the intranet.
Security researcher Sam Curry is reported to have exchanged messages with the person claiming responsibility for the attack, who sent him screenshots showing full access to important and critical parts of Uber's technology infrastructure: administrator accounts, Amazon Web Services servers, the HackerOne panel with its vulnerability reports, the Slack workspace, vSphere, and G Suite (Google Workspace) administrator accounts. According to Curry, it looks like a total compromise of their systems.
Meanwhile, Uber employees were told not to use the communication platform Slack, which was subsequently taken offline.
There was apparently a network share containing PowerShell scripts, and one of them included hard-coded credentials for an administrative user of Thycotic's PAM (privileged access management) solution, which is used to control privileged access. From there, the attacker is said to have reached the rest of the services.
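Scripts on a shared drive are exactly where a secrets scan should run before an intruder does. The following is an added example written for this page (it is not ESET's, Uber's or Thycotic's code): it scans a set of constructed PowerShell scripts for literal credentials, while ignoring values that are variable references or obvious placeholders. The share paths, script contents, API URL and the `PATTERNS` list are all assumptions made for the example.

```python
import re

# Constructed sample of PowerShell scripts as they might sit on a file share.
# These are illustrative, not Uber's real scripts; paths and secrets are made up.
SAMPLE_SCRIPTS = {
    r"\\fileserver\it\rotate-pam-secrets.ps1": r'''
# Rotates secrets through the PAM REST API (credentials embedded in the script)
$pamUser = "svc_pam_admin"
$pamPassword = "Sup3rS3cretP@ss!"
$secure = ConvertTo-SecureString $pamPassword -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api/v1/oauth2/token" -Method Post -Body @{username=$pamUser; password=$pamPassword}
''',
    r"\\fileserver\it\collect-inventory.ps1": r'''
# Prompts for credentials at run time instead of embedding them
$cred = Get-Credential
Get-ADComputer -Filter * -Credential $cred
''',
    r"\\fileserver\it\backup-job.ps1": r'''
# Reads the secret from the environment; the literal "$env:..." is a reference, not a secret
$backupPassword = "$env:BACKUP_PASSWORD"
''',
}

# Patterns for the common ways a secret ends up as a literal in a .ps1 file (assumed set).
PATTERNS = [
    # $password = "literal", $pamPassword = 'literal', $apiToken = "literal", ...
    re.compile(r'\$\w*(?:pass(?:word|wd)?|secret|token|apikey)\w*\s*=\s*["\']([^"\']+)["\']', re.I),
    # ConvertTo-SecureString "literal" -AsPlainText
    re.compile(r'ConvertTo-SecureString\s+["\']([^"\']+)["\']\s+-AsPlainText', re.I),
    # password="literal" inside a hashtable, URL body or connection string
    re.compile(r'\bpassword\s*=\s*["\']([^"\';}]+)["\']', re.I),
]

PLACEHOLDERS = {"changeme", "password", "xxx", "todo", "<password>"}


def looks_like_secret(value):
    """Reject values that are variable references or obvious placeholders."""
    if value.startswith("$"):          # "$env:FOO" or "$var" expands at run time
        return False
    return value.strip().lower() not in PLACEHOLDERS


def find_hardcoded_credentials(scripts):
    """Return one finding per line that appears to contain a literal secret."""
    findings = []
    for path, text in scripts.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pat in PATTERNS:
                m = pat.search(line)
                if m and looks_like_secret(m.group(1)):
                    findings.append({
                        "path": path,
                        "line": lineno,
                        "secret": m.group(1),
                        "snippet": line.strip(),
                    })
                    break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_SCRIPTS):
        # Never log the secret itself; mask it in the report
        print(f'{f["path"]}:{f["line"]}: {f["snippet"].replace(f["secret"], "****")}')
```

Run against the three constructed scripts, only the first one is flagged: the second prompts with `Get-Credential` and the third reads `$env:BACKUP_PASSWORD` at run time, which is the shape the remediation should take. A real scan would walk the share with `os.walk` and treat every hit as a credential to rotate, not just to delete, since anyone with read access to the share may already have copied it.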
On Friday, Uber published an update on the incident, noting the following:
- So far, there is no evidence that the malicious actor gained access to sensitive user data, such as trip history.
- All services in its apps, such as Uber and Uber Eats, are operational.
- The company has reported the incident to law enforcement.
- Internal tools, which were taken offline on Thursday as a precaution, were operational again on Friday morning.
As reported by NYT journalist Kevin Roose, a person claiming to be responsible for the attack on Uber contacted the media and said that he is 18 years old and that he carried out the attack because Uber's security was weak. Roose revealed that the attacker said he first stole credentials from an Uber employee. He then sent the employee multiple push notifications over the course of an hour asking them to accept or decline a login attempt. When the employee did not approve these logins, the attacker contacted the employee on WhatsApp, claimed to be from Uber's IT department, and told them that the notifications would stop once they accepted the login.
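The sequence described above, a burst of unanswered push prompts followed by a single approval, is visible in the MFA provider's logs and can be alerted on. The following is an added example written for this page, not code from ESET, Uber or any MFA vendor: it parses a constructed push-event log and flags an approval that was preceded by five or more denied or timed-out pushes within the previous hour. The log line layout, field names, user names, IP addresses and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of MFA push events. The field layout is an assumption made
# for this example, not any vendor's real log format; users and IPs are made up.
SAMPLE_EVENTS = """\
2022-09-15T19:30:00Z user=jdoe result=DENIED factor=push src=203.0.113.7
2022-09-15T21:02:11Z user=jdoe result=DENIED factor=push src=203.0.113.7
2022-09-15T21:09:40Z user=jdoe result=DENIED factor=push src=203.0.113.7
2022-09-15T21:17:03Z user=jdoe result=TIMEOUT factor=push src=203.0.113.7
2022-09-15T21:24:51Z user=jdoe result=DENIED factor=push src=203.0.113.7
2022-09-15T21:30:00Z user=asmith result=TIMEOUT factor=push src=198.51.100.9
2022-09-15T21:31:12Z user=asmith result=APPROVED factor=push src=198.51.100.9
2022-09-15T21:33:18Z user=jdoe result=TIMEOUT factor=push src=203.0.113.7
2022-09-15T21:41:00Z user=jdoe result=DENIED factor=push src=203.0.113.7
2022-09-15T21:49:27Z user=jdoe result=TIMEOUT factor=push src=203.0.113.7
2022-09-15T21:58:45Z user=jdoe result=APPROVED factor=push src=203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(\S+) factor=(\S+) src=(\S+)$")
UNANSWERED = {"DENIED", "TIMEOUT"}  # prompts the user declined or simply ignored


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ts, user, result, factor, src = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "result": result,
            "factor": factor,
            "src": src,
        })
    return events


def detect_mfa_fatigue(events, window=timedelta(hours=1), min_unanswered=5):
    """Flag an APPROVED push that follows a burst of denied or ignored pushes.

    An approval preceded by at least `min_unanswered` denied or timed-out pushes
    within `window` is the signature of a user finally giving in to prompt bombing.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["factor"] == "push":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "APPROVED":
                continue
            prior = [p for p in evs[:i]
                     if p["result"] in UNANSWERED and e["ts"] - p["ts"] <= window]
            if len(prior) >= min_unanswered:
                alerts.append({
                    "user": user,
                    "approved_at": e["ts"].isoformat(),
                    "unanswered_prompts": len(prior),
                    "first_prompt": prior[0]["ts"].isoformat(),
                    "sources": sorted({p["src"] for p in prior} | {e["src"]}),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(parse_events(SAMPLE_EVENTS)):
        print(f'MFA fatigue suspected for {a["user"]}: {a["unanswered_prompts"]} '
              f'unanswered pushes between {a["first_prompt"]} and {a["approved_at"]} '
              f'from {", ".join(a["sources"])}')
```

On the sample, `jdoe` is flagged (seven unanswered pushes in the hour before the approval; the earlier denial at 19:30 falls outside the window), while `asmith`, who ignored one prompt and then approved the next, is not. The threshold and window need tuning to the organisation's normal retry behaviour, and the alert is a trigger for a session revocation and a call to the user, not proof on its own. Number-matching or FIDO2 authenticators remove the one-tap approval that makes this attack work in the first place.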
This is not the first time attackers have gained access to a company's network after tricking an employee with social engineering. ESET has already analyzed similar cases: the attack on Twitter, the attack on EA Sports, and more recently the attack on the Ronin sidechain.
For more information on computer security, visit the ESET news portal: https://www.welivesecurity.com/la-es/2022/09/16/uber-sufrio-ciberataque-granon-accesso-a-sistemas/
ESET also invites you to listen to Secure Connection, its podcast on what is happening in the world of computer security. To listen, go to: