Uber worker allegedly gave password to an IT impersonator


An 18-year-old hacker is claiming responsibility for what is believed to be a huge breach of security controls at Uber.

The New York Times said Thursday the hacker claims to have been given initial access through one of the oldest tricks in a threat actor’s arsenal: Pretending to be a member of the company’s IT department and persuading the victim to tell them their corporate password.

British-based cybersecurity reporter Graham Cluley reports that the alleged hacker posted a message with more detail, claiming they spammed the employee for over an hour with push notifications asking them to approve a login, a technique commonly called MFA fatigue or push bombing. The attacker then contacted the staffer via WhatsApp, posing as an IT worker, and told the employee that if they wanted the prompts to stop they should accept the access request.
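The sequence Cluley describes, a stream of push prompts until the user gives in, leaves a recognizable trace in identity-provider logs. The script below is an added example written for this page, not Uber's tooling and not taken from the attacker's post. It flags users who receive a burst of push prompts inside a short window and, as the more serious case, users who approve a prompt after ignoring or denying several. It assumes a simplified JSON-lines log with the fields ts, user, event and result; the log lines are constructed, and the field names and thresholds are assumptions to adapt to a real provider's schema.

```python
"""Flag MFA push bombing ("MFA fatigue") in authentication logs.

Added example; not Uber's tooling and not from the article. The log lines
are constructed and use an assumed, simplified JSON-lines schema
(ts, user, event, result); map the field names to your identity provider's.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_THRESHOLD = 5             # prompts inside one window that count as a burst (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)

# Constructed sample: alice is bombed with seven prompts she ignores or
# denies, then approves the eighth (the "accept it to make it stop" outcome).
# bob and carol are ordinary logins that must not alert.
SAMPLE_LOG = """\
{"ts": "2022-09-15T21:00:05Z", "user": "alice", "event": "mfa_push", "result": "timeout"}
{"ts": "2022-09-15T21:00:50Z", "user": "alice", "event": "mfa_push", "result": "timeout"}
{"ts": "2022-09-15T21:01:40Z", "user": "alice", "event": "mfa_push", "result": "denied"}
{"ts": "2022-09-15T21:02:30Z", "user": "alice", "event": "mfa_push", "result": "timeout"}
{"ts": "2022-09-15T21:03:00Z", "user": "bob", "event": "password_auth", "result": "success"}
{"ts": "2022-09-15T21:03:02Z", "user": "bob", "event": "mfa_push", "result": "approved"}
{"ts": "2022-09-15T21:03:20Z", "user": "alice", "event": "mfa_push", "result": "timeout"}
{"ts": "2022-09-15T21:04:10Z", "user": "alice", "event": "mfa_push", "result": "denied"}
{"ts": "2022-09-15T21:05:00Z", "user": "alice", "event": "mfa_push", "result": "timeout"}
{"ts": "2022-09-15T21:07:30Z", "user": "alice", "event": "mfa_push", "result": "approved"}
{"ts": "2022-09-15T21:10:00Z", "user": "carol", "event": "mfa_push", "result": "timeout"}
{"ts": "2022-09-15T21:11:00Z", "user": "carol", "event": "mfa_push", "result": "timeout"}
{"ts": "2022-09-15T21:12:00Z", "user": "carol", "event": "mfa_push", "result": "approved"}
"""


def parse_log(text):
    """Yield one dict per non-blank line with ts parsed to a datetime."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def detect_push_fatigue(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {user: {"prompts_in_window": n, "approved_after_spam": bool}}
    for every user who received `threshold` or more push prompts inside one
    `window`. approved_after_spam marks the high-severity case: an approval
    preceded by at least threshold-1 timed-out or denied prompts in that window."""
    pushes = defaultdict(list)
    for rec in parse_log(log_text):
        if rec["event"] == "mfa_push":
            pushes[rec["user"]].append(rec)

    alerts = {}
    for user, recs in pushes.items():
        recs.sort(key=lambda r: r["ts"])
        max_burst, approved_after_spam, start = 0, False, 0
        for end, rec in enumerate(recs):
            # slide the window start forward until it is within `window` of rec
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            max_burst = max(max_burst, len(burst))
            unanswered = sum(1 for r in burst[:-1] if r["result"] in ("timeout", "denied"))
            if rec["result"] == "approved" and unanswered >= threshold - 1:
                approved_after_spam = True
        if max_burst >= threshold:
            alerts[user] = {"prompts_in_window": max_burst,
                            "approved_after_spam": approved_after_spam}
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, info)
```

On the sample, only alice alerts, with eight prompts in the window and approved_after_spam set; bob's single prompt and carol's three stay below the threshold. A real deployment would also correlate the approval with the source IP and device of the session that requested the pushes, since the approving phone and the requesting client normally sit in the same place.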

The breach appeared to have compromised many of Uber’s internal systems, the Times said, because the person claiming responsibility for the hack sent images of email, cloud storage, and code repositories to cybersecurity researchers.

“They pretty much have full access to Uber,” the Times quoted Sam Curry, a security engineer at Yuga Labs, who corresponded with the alleged hacker. “This is a total compromise, from what it looks like.”

Uber hasn’t given details of the hack or confirmed whether the person who claims responsibility did trick an employee. Nor is it known whether the employee’s account was protected with multifactor authentication (MFA) that the attacker was able to bypass.

As often happens in the hack of a highly visible organization, security vendors were quick to comment. If the claims of the 18-year-old are accurate, and if the employee used MFA, the incident shows that simply enabling multifactor authentication is not enough to protect against the kind of lateral movement the attacker says took place, Yaron Kassner, CTO and co-founder of Silverfort, said in a statement.

“Organizations need to make sure they are using MFA capable of protecting against lateral movement. For example, the attacker says they accessed a shared folder containing credentials used for scripts. This is exactly the kind of resource that would benefit from multi-factor authentication.”

“According to the details being shared, these maliciously obtained service account credentials were then used to compromise a PAM (privileged access management) solution, giving the attacker the keys to the kingdom and access to many sensitive systems. This stresses the fact that service accounts must also be protected, and that protecting access to the PAM with MFA is insufficient. One must also protect access with the secrets extracted from PAM.”

Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, was more skeptical about the identity of the attacker.

“The allegedly immense scale and scope of the data breach may evidence a carefully planned and rigorously executed attack by a sophisticated threat actor,” he said in a statement. “The reported social engineering attack vector – in isolation from other activities – seems to be highly improbable here, as many different and critical systems have been simultaneously compromised. One may, of course, hypothesize a total lack of internal security controls (e.g. MFA) and massive password reuse at Uber, however, this version currently seems to be unpersuasive.

“We should wait for the official statement from Uber once the investigation is over: it is possible that Uber fell victim to a sophisticated cyber threat actor looking to get sensitive information about locations and trips of VIP persons, journalists, and politicians, whilst the disclosed version of the incident is just a smoke screen.”

Uber is renowned for having some of the best cybersecurity in the business, said Ian McShane, vice-president of strategy at Arctic Wolf, so the fact that it has been compromised points to what everyone should know: nobody’s perfect, and even the best-managed security organizations can be compromised. “The key is how quickly you respond and mitigate the issue, which they appear to have done here.”

The intruder apparently was able to connect to a corporate VPN to gain access to the wider Uber network, McShane said, and then seems to have stumbled on gold in the form of admin credentials stored in plain text on a network share.
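McShane’s point about credentials sitting on a network share is the part of this chain a defender can check for without waiting on Uber’s findings. The script below is an added example for this page, not Uber’s or any vendor’s tool. It walks a directory tree such as a mounted share and reports script and config lines that embed passwords, API keys, plaintext-to-SecureString conversions or connection strings with credentials, without copying the secret itself into the report. The sample file set and the pattern list are constructed assumptions for the demonstration; a production scan needs a far larger pattern set, entropy checks, and handling of binary and encoded formats.

```python
"""Scan a directory tree (e.g. a mounted file share) for scripts and config
files that embed credentials.

Added example; not from the article, Uber, or any vendor quoted on the page.
The pattern set and file types are a deliberately small, assumed starting
point. Findings name the line and pattern only; the secret is never echoed.
"""
import re
import tempfile
from pathlib import Path

PATTERNS = {
    # key = "value" / key = 'value' / key = bareword-to-end-of-line
    "assignment": re.compile(
        r"""(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*"""
        r"""(?:"([^"]{6,})"|'([^']{6,})'|([A-Za-z0-9_!@#%^*+\-./]{6,})\s*$)"""),
    # scheme://user:password@host
    "url_credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@"),
    # PowerShell secret converted from a string literal
    "powershell_plaintext_securestring": re.compile(
        r"""(?i)ConvertTo-SecureString\s+["'][^"']+["']\s+-AsPlainText"""),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# File types worth reading on a share (assumed list)
SCAN_SUFFIXES = {".ps1", ".sh", ".py", ".bat", ".cmd", ".ini", ".conf",
                 ".cfg", ".yml", ".yaml", ".env", ".pem", ".key"}


def scan_text(text):
    """Return [(line_number, pattern_name)] for each matching line/pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((lineno, name))
    return findings


def scan_tree(root):
    """Walk root and return {relative_posix_path: findings} for files that hit."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file on the share; skip rather than abort
        findings = scan_text(text)
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


# Constructed sample share. clean.py and docker-compose.yml read secrets from
# the environment and must NOT be reported; notes.txt is out of scope by suffix.
SAMPLE_FILES = {
    "scripts/deploy.ps1": '$Password = "Adm1nP@ssw0rd"\n'
                          '$cred = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force\n',
    "scripts/backup.sh": "#!/bin/sh\nDB_URL=postgres://svc_backup:Backup2022!@db.internal/prod\n",
    "scripts/clean.py": 'import os\npassword = os.environ["DB_PASSWORD"]\n',
    "config/app.ini": "[api]\napi_key = 9f8e7d6c5b4a3\n",
    "config/docker-compose.yml": "services:\n  db:\n    environment:\n"
                                 "      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}\n",
    "docs/notes.txt": "password = NotScannedBecauseTxtIsOutOfScope\n",
}


def build_sample_share():
    """Write the constructed files into a fresh temp directory; return its path."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    for rel, content in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    for path, findings in scan_tree(build_sample_share()).items():
        for lineno, name in findings:
            print(f"{path}:{lineno}: {name}")
```

Run against the sample, the scan reports the PowerShell script twice (a quoted password assignment and a plaintext SecureString), the backup script's connection string, and the INI API key, while the two files that read secrets from the environment produce nothing. The bareword alternative in the assignment pattern deliberately excludes characters such as $, [ and ( so that references to environment variables and function calls are not mistaken for literals; that choice also means unquoted values containing those characters are missed, which is the trade-off to revisit before relying on the scanner.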

“Given the access they claim to have gained, I’m surprised the attacker didn’t attempt to ransom or extort,” he added. “It looks like they did it ‘for the lulz’.”

Uber’s communications feed on Twitter issued this message Thursday evening: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”

Uber was the victim of a 2016 hack when two people tried to extort the company after stealing data on 57 million drivers and customers. Uber paid US$100,000 to the hackers to keep the incident quiet. Word of that compromise of security controls didn’t become known to the company’s board, and then to the public, until a year later. Uber paid a US$146 million fine to American authorities over the incident and promised to tighten security.

Two months ago, Uber accepted responsibility for not reporting that breach to the U.S. Federal Trade Commission as part of a settlement with U.S. prosecutors to avoid criminal charges.

(This story has been updated from the original with the addition of the link to Graham Cluley’s story)

The post Uber worker allegedly gave password to an IT impersonator first appeared on IT World Canada.

Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
