Uber hack not just a reputational damage but reveals basic security flaws

Bengaluru, Sep 26

Cyber-security researchers have revealed there were basic flaws in Uber's security gateways as social engineering was employed as an initial attack vector, making the hack "a classic case of failure on multiple levels".

Social engineering encompasses a broad spectrum of malicious activities via online human interactions, like phishing, pretexting and baiting.

This hack had a tremendous impact on Uber, starting from the obfuscation of the application code, hindering the usability of the application, leaked credentials, and access that could facilitate multiple account takeovers and leaking of sensitive and critical information of the entity, according to AI-driven cyber-security firm CloudSEK.

"Equipping malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence, not to mention the reputational damage for Uber," the researchers from the firm emphasised.

The ride-hailing major Uber last week blamed the infamous Lapsus$ hacking group for the cyber attack on its internal systems. The company reiterated that no customer or user data was compromised during the breach.

"The Uber Hack is a classic case of failure on multiple levels where Over privilege or privilege mismanagement plays a pivotal role. Eliminating privilege escalation paths or monitoring for access changes in accounts can be initial answers for mitigation, apart from Darkweb and surface web monitoring," said Abhinav Pandey, Cyber Threat Researcher, CloudSEK.

The threat actor was able to compromise an employee's HackerOne account to access vulnerability reports associated with Uber.

To demonstrate the legitimacy of the claims, the actor posted unauthorised messages on the HackerOne page of the company.

"Moreover, the attacker has also shared several screenshots of Uber's internal environment including their GDrive, VCenter, sales metrics, Slack, and the EDR portal," said cyber-security researchers.

The actor plausibly employed social engineering techniques as an initial attack vector to compromise Uber's infrastructure. After attaining access to multiple credentials, the actor exploited the compromised victim's VPN access.

Subsequently, the actor gained access to an internal network (Intranet), where the actor got access to a directory, plausibly with a name "share", which provided the actor with numerous PowerShell scripts that contained admin credentials to the privileged access management system (Thycotic).

"This enabled the actor with complete access to multiple services of the entity such as Uber's Duo, OneLogin, AWS, GSuite Workspace, etc," the researchers reported.

Lapsus$ typically uses similar techniques to target technology companies, and this year breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others.