Uber hacked, internal systems breached and vulnerability reports stolen

Discussion in 'other security issues & news' started by hawki, Sep 16, 2022.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Uber suffered a cyberattack Thursday afternoon with a hacker gaining access to vulnerability reports and sharing screenshots of the company's internal systems, email dashboard, and Slack server...

    The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company's security software and Windows domain...

    The New York Times, which first reported on the breach, said they spoke to the threat actor, who said they breached Uber after performing a social engineering attack on an employee and stealing their password...

    According to Yuga Labs security engineer Sam Curry, the hacker also had access to the company's HackerOne bug bounty program, where they commented on all of the company's bug bounty tickets..."

    https://www.bleepingcomputer.com/ne...ms-breached-and-vulnerability-reports-stolen/
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Uber apparently hacked by teen, employees thought it was a joke...

    The alleged hacker, who claims to be an 18-year old, says they have administrator access to company tools including Amazon Web Services and Google Cloud Platform...

    The hacker appears to have made themselves known to Uber’s employees by posting a message on the company’s internal Slack system. 'I announce I am a hacker and Uber has suffered a data breach,'...

    The claimed hacker then listed confidential company information they said they’d accessed, and posted a hashtag saying that Uber underpays its drivers...

    The Slack message from the alleged hacker was so brazen that many Uber employees appear to have initially thought it was a joke, the Washington Post reports...

    The hacker claimed to the NYT to be 18 years old, and told The Post that they breached Uber for fun and is considering leaking the company’s source code...

    'This is a total compromise, from what it looks like...It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life'..."

    https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Uber investigating cybersecurity incident after hacker breaches its internal network...

The sole hacker behind the breach, who claims to be 18 years old, told the NYT that he compromised Uber because the company had weak security. The attacker reportedly used social engineering to compromise an employee’s Slack account, persuading them to hand over a password that allowed them access to Uber’s systems...

    According to Kevin Reed, CISO at cybersecurity company Acronis, the attacker found high privileged credentials on a network file share and used them to access everything, including production systems, Uber’s Slack management interface, and the company’s EDR portal.

    'If you had your data in Uber, there’s a high chance so many people have access to it,' Reed said, noting that it’s not yet clear how the attacker bypassed two-factor authentication (2FA) after obtaining the employee’s password...

    Sam Curry, a security engineer at Yuga Labs who described the breach as a 'complete compromise'..."

    https://techcrunch.com/2022/09/16/uber-internal-network-hack/
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Uber hacker claims to have full control of company’s cloud-based servers...

    Incredibly, the attack appears to have mimicked the one back in 2016, which compromised the personal data of 57 million. This suggests that Uber failed to fix a massive security hole, enabling the same attack to be made six years later…"

    https://9to5mac.com/2022/09/16/uber-hacker/
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    This is no surprise to me, if even Twilio and LastPass can get hacked, why not others? Seems like they don't use any anti-phishing protection, and certain MFA methods aren't good enough.
     
  6. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,145
    Location:
    USA
    Anyone can be hacked if they are targeted by someone smart enough. What they need to be working on is encrypting the data or keeping it on machines not connected to the internet to make such hacks less effective.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Yes, but the problem is that these hacks could have been prevented by better MFA and anti-phishing. These aren't sophisticated hacks, that's the shocking part.
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,145
    Location:
    USA
    The bad guys would just step up their game. They have plenty of incentive. If what they got was worthless then they would have less incentive to try at all.
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
Yes, but this is no excuse, why make it even easier? These companies should step up their game, that's the problem! There will always be ways to attack systems, but hackers can't use magic and many of the attacks that we read about on a monthly basis could have been prevented by stuff like patching and better security tools and procedures. That's the conclusion that I make after reading about the latest hacks on Twilio, LastPass and Uber.
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,145
    Location:
    USA
I didn't believe I was implying making it easier. You suggested "better MFA and anti-phishing" which puts more burden on the user. If something is harder for the user they won't use it. I suggested making the spoils of the bad guys' labor more worthless, so even if they do get something they can't use it.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
No, I don't think you implied making it easier, but it feels like you are simply giving up, while there is no need to. I have to disagree: there are plenty of solutions that don't put a huge burden on the user. Many of these attacks start with credential phishing; YubiKeys (U2F), for example, make this way harder.

Also, anti-phishing and device fingerprinting tools on the server should be able to notice these kinds of attacks, since the attacker is logging in from unknown systems. All in all, I just feel that security isn't good enough in these companies. Just look at the latest reveals in the Twitter case, security was pretty much crap over there. It will now give Elon Musk a way out of the Twitter deal, which he was never planning to buy anyway LOL.
     
  12. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,145
    Location:
    USA
    Source code for companies like this should not be accessible from the internet. If for some reason they need remote developers then it should be on a separate network, with a different IP, and only whitelisted machines should be able to connect at all.
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,591
    Exactly this. I have been trying to make this argument at my job as well with not much success. Though if someone stole our code, it would be nothing of the level of an Uber or some other big tech company. Still though, security.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
Of course practical, safer, and just good common sense @Trooper/@xxJackxx. Speaking of the security/prevention measures mentioned.
There used to be a thing in the XP days, yes even Windows 98, a simple term or expression known as an intranet.
Keep your network 'separate' (as to do with remote access) and apart within a controllable internal group, accessible only by a common 'proven safe' standard.

    It is reckless and just begging for trouble not taking better care of what should be private accessibility with companies these days.
     
  16. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,145
    Location:
    USA
    Fortunately I get to make the call at my job because nobody else understands it. The only machine with an open port is a web server that is on its own box and off the domain.
     
  17. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,221
    Location:
    Member state of European Union
Unless they don't have another option. Cloudflare has mandatory hardware security keys. The system won’t let you log in without it.
As for the business value of stolen source code, I don’t think it always is that important. I mean a company has a grave problem if they would lose it, but not that important a problem when it is copied by cybercriminals. Frankly most internal business software (CRUD-ish) is quite boring when it comes to source code and uses common solutions and patterns.
     
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Uber says Lapsus$-linked hacker responsible for breach

    Sept 19 (Reuters) - Uber Technologies Inc (UBER.N) said on Monday a hacker affiliated with the Lapsus$ hacking group was responsible for a cyber attack that forced the ride-hailing company to shut several internal communications temporarily last week..."

    https://www.reuters.com/business/au...e-cybersecurity-incident-2022-09-19/?rpc=401&

    "Uber added that the attacker used the stolen credentials of an Uber EXT contractor in an MFA fatigue attack where the contractor was flooded with two-factor authentication (2FA) login requests until one of them was accepted...

    Lapsus$ is known for breaching other high-profile tech companies such as Microsoft, Cisco, NVIDIA, Samsung, and Okta..."

    https://www.databreaches.net/uber-links-breach-to-lapsus-group-blames-contractor-for-hack/contractor-lapsus-192339707.html?src=rss
     
    Last edited: Sep 19, 2022
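Uber's own account above (a contractor's stolen password plus an MFA fatigue attack, where push prompts are sent until one is accepted) is exactly the pattern that identity-provider logs can surface, and it also ties back to the earlier remark in this thread that an approval arriving from a system never seen before should stand out. The following is an added example for this thread, not code from Uber, its identity provider or any of the linked articles: it runs two detections over a constructed authentication log whose JSON field names (`user`, `event`, `ip`, `device_id`) and event names (`mfa.push.sent`, `mfa.push.denied`, `mfa.push.timeout`, `mfa.push.approved`) are assumptions, as are the threshold and window.

```python
"""Detect MFA push fatigue and approvals from unknown devices (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

WINDOW = timedelta(minutes=10)   # assumed sliding window for counting prompts
PROMPT_THRESHOLD = 5             # assumed: this many prompts then an approval is suspicious


def parse(log_text: str) -> List[dict]:
    """One JSON object per line, sorted by timestamp (field names are assumed)."""
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict], known_devices: Dict[str, Set[str]]) -> List[dict]:
    """Rule 1: an approval preceded by >= PROMPT_THRESHOLD pushes inside WINDOW
    for the same user. Rule 2: an approval whose device_id is not in the user's
    baseline of previously seen devices."""
    alerts = []
    prompts: Dict[str, Deque[datetime]] = defaultdict(deque)
    for e in events:
        q = prompts[e["user"]]
        if e["event"] == "mfa.push.sent":
            q.append(e["ts"])
        while q and e["ts"] - q[0] > WINDOW:   # expire prompts outside the window
            q.popleft()
        if e["event"] != "mfa.push.approved":
            continue
        if len(q) >= PROMPT_THRESHOLD:
            alerts.append({"rule": "mfa_fatigue_suspected", "user": e["user"],
                           "ts": e["ts"].isoformat(), "prompts_in_window": len(q),
                           "ip": e["ip"]})
        if e.get("device_id") not in known_devices.get(e["user"], set()):
            alerts.append({"rule": "mfa_approval_from_unknown_device", "user": e["user"],
                           "ts": e["ts"].isoformat(), "device_id": e.get("device_id"),
                           "ip": e["ip"]})
    return alerts


# Constructed baseline of devices each user has authenticated from before.
KNOWN_DEVICES = {
    "alice": {"dev-alice-laptop"},
    "ext.contractor": {"dev-contractor-phone"},
}

# Constructed sample log: six pushes to the contractor in six minutes, the last
# one approved from a device not in the baseline, interleaved with a normal
# login by alice. Users, IPs and device ids are invented.
SAMPLE_LOG = """
{"ts":"2022-09-15T20:01:02Z","user":"ext.contractor","event":"mfa.push.sent","ip":"203.0.113.9","device_id":"dev-unknown-77"}
{"ts":"2022-09-15T20:01:40Z","user":"ext.contractor","event":"mfa.push.timeout","ip":"203.0.113.9","device_id":"dev-unknown-77"}
{"ts":"2022-09-15T20:02:05Z","user":"ext.contractor","event":"mfa.push.sent","ip":"203.0.113.9","device_id":"dev-unknown-77"}
{"ts":"2022-09-15T20:02:50Z","user":"ext.contractor","event":"mfa.push.denied","ip":"203.0.113.9","device_id":"dev-unknown-77"}
{"ts":"2022-09-15T20:03:00Z","user":"alice","event":"mfa.push.sent","ip":"198.51.100.4","device_id":"dev-alice-laptop"}
{"ts":"2022-09-15T20:03:10Z","user":"ext.contractor","event":"mfa.push.sent","ip":"203.0.113.9","device_id":"dev-unknown-77"}
{"ts":"2022-09-15T20:03:20Z","user":"alice","event":"mfa.push.approved","ip":"198.51.100.4","device_id":"dev-alice-laptop"}
{"ts":"2022-09-15T20:04:11Z","user":"ext.contractor","event":"mfa.push.sent","ip":"203.0.113.9","device_id":"dev-unknown-77"}
{"ts":"2022-09-15T20:05:12Z","user":"ext.contractor","event":"mfa.push.sent","ip":"203.0.113.9","device_id":"dev-unknown-77"}
{"ts":"2022-09-15T20:06:13Z","user":"ext.contractor","event":"mfa.push.sent","ip":"203.0.113.9","device_id":"dev-unknown-77"}
{"ts":"2022-09-15T20:06:55Z","user":"ext.contractor","event":"mfa.push.approved","ip":"203.0.113.9","device_id":"dev-unknown-77"}
"""


def run_sample() -> List[dict]:
    return detect(parse(SAMPLE_LOG), KNOWN_DEVICES)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample this fires twice for the contractor (six prompts in the window before the approval, and the approval coming from a device outside the baseline) and stays silent for alice. Detection after the fact is the weaker half of the answer: the prevention side is to stop accepting a bare "approve" tap, whether by number matching on the push, by rate-limiting prompts per user, or by moving the accounts that matter to phishing-resistant FIDO2/U2F keys as mentioned earlier in the thread.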
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
LOL, so exactly as I predicted this was once again a pretty simple hack, that easily bypassed MFA. And I totally forgot that Microsoft, Nvidia, Cisco and Okta were also hacked, most likely in a similar way, what a joke! This basically means that security isn't good enough, so MFA should be beefed up, so that it's less prone to phishing. And endpoints should be secured way better, and people should never rely only on AVs. Strong behavior blockers that can automatically block cookie and credential stealing are also needed.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
And here is another hack that involved phishing, this time hackers tried to spread malware to as many users as possible, so it wasn't even targeted. Strangely enough, not all AVs can spot this RedLine data stealing malware, as seen on VirusTotal:

    https://www.bleepingcomputer.com/ne...cked-help-desk-targeted-players-with-malware/
     
  22. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    That's to be expected. Some of the lesser known antiviruses do terribly at detecting malware. Some others can often be slow to add signatures for new threats.
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Uber Is Hiring For Over 80 Cybersecurity Jobs After Being Hacked Last Week...

    Despite having years of historical breach data it seems prevention is still not considered cheaper than the cure and Uber is another example of how security budgets increase after a breach..."

    https://informationsecuritybuzz.com...ersecurity-jobs-after-being-hacked-last-week/

    "Roles that are still open for applications include senior security incident commander to lead incident response, security engineer and security engineering manager at the company's threat detection division, and senior security engineers across applications security, enterprise security, and investigations..."

    https://www.itpro.co.uk/security/cy...ring-spree-after-attributing-breach-to-lapsus
     
    Last edited: Sep 22, 2022
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Likely Uber Hacking Suspect, 17, Arrested By City Of London Police...

    In conjunction with an investigation by the U.K. National Cyber Crime Unit, the City of London Police announced on Friday the arrest of a 17-year-old on suspicion of hacking offenses...

    ...as the arrest was made in Oxfordshire, and given the suspect's age, cybersecurity experts are pretty sure this is the supposed leader of the Lapsus$ crime group and thought to be behind the Uber and Rockstar Games hacks..."

    https://www.forbes.com/sites/daveyw...ted-by-city-of-london-police/?sh=2607e0d2455e

    "...In March, Bloomberg reported that a person believed to be behind several of the Lapsus$ hacking group's major attacks was a then-16-year-old whose home the police visited near Oxford, England, which is in the county of Oxfordshire..."

    https://www.theverge.com/2022/9/23/...ect-arrested-city-of-london-lapsus-gta-6-uber

"...While the BBC has stated that no other details about the arrest were given, US-based reporter Matthew Keys has added to the initial report to say that this was indeed an arrest of the suspected hacker behind the GTA 6 leak and Uber hack, and has come in collaboration with the FBI..."

    https://www.thesixthaxis.com/2022/0...-has-reportedly-been-arrested-in-oxfordshire/
     
    Last edited: Sep 23, 2022
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    Now that I know how bad security is and how relatively easy it is to hack these companies, I'm not surprised at all that it's actually a couple of teenagers who are behind these attacks. Don't forget, Okta, Twilio, Cisco and Microsoft are all pretty big names in computer security and all got hacked too. IT security is pretty much a joke at many of these companies.
     