Uber had hoped to put its history of cybersecurity incidents behind it, but a new network breach demonstrates that the company may not have learned all the lessons it should have from its prior issues.
A teenage hacker revealed two serious flaws in the company’s system with his recent network breach, both of which are things that should be addressed in standard cybersecurity education and controls in all types of organizations. The teen was first able to abuse multi-factor authentication (MFA) push notification spam to make initial entry, then was able to find plaintext administrator usernames and passwords within easily accessible portions of the company network.
Uber network breach: A case study in what not to do
The cybersecurity incident began with an approach that has become very common in recent months: an attacker spams employees with MFA push notifications, attempting to get one of them to approve a login to the company VPN. In this case, no one bit on the initial barrage of messages. However, when the attacker followed up by targeting a specific employee on WhatsApp and convincing them that they were with the Uber IT department, they were able to prod the target into approving one of these notifications.
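The pattern described above (a burst of push prompts to one account, repeated denials, then a single approval) is visible in identity-provider logs long before the attacker reaches anything sensitive. The following is an added detection example, not code from the article or from Uber; the log format, field names, thresholds and the sample lines are all constructed for illustration and would need to be mapped onto the real IdP's export.

```python
"""Flag MFA push-notification flooding in authentication logs.

Added example, not from the article. The log line format
(<ISO timestamp> <user> <event> <source_ip>) and the event names
push_sent / push_denied / push_approved are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FLOOD_THRESHOLD = 5          # push prompts to one user inside WINDOW -> suspicious
DENIAL_THRESHOLD = 3         # denials before an approval -> probable fatigue approval
WINDOW = timedelta(minutes=10)

# Constructed sample: 'alice' is hammered with prompts, denies six, then approves one.
# 'bob' is a normal login: one prompt, one approval.
SAMPLE_LOG = """\
2022-09-15T21:01:02Z alice push_sent 198.51.100.7
2022-09-15T21:01:09Z alice push_denied 198.51.100.7
2022-09-15T21:01:15Z alice push_sent 198.51.100.7
2022-09-15T21:01:20Z alice push_denied 198.51.100.7
2022-09-15T21:01:31Z alice push_sent 198.51.100.7
2022-09-15T21:01:33Z alice push_denied 198.51.100.7
2022-09-15T21:01:45Z alice push_sent 198.51.100.7
2022-09-15T21:01:50Z alice push_denied 198.51.100.7
2022-09-15T21:02:01Z alice push_sent 198.51.100.7
2022-09-15T21:02:03Z alice push_denied 198.51.100.7
2022-09-15T21:02:10Z alice push_sent 198.51.100.7
2022-09-15T21:02:11Z alice push_denied 198.51.100.7
2022-09-15T21:02:19Z alice push_sent 198.51.100.7
2022-09-15T21:03:00Z bob push_sent 203.0.113.5
2022-09-15T21:03:05Z bob push_approved 203.0.113.5
2022-09-15T21:09:40Z alice push_approved 198.51.100.7
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event, ip) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_fatigue(events):
    """Return alerts for push floods and for approvals that follow a run of denials.

    A sliding window per user keeps only prompts and denials younger than WINDOW,
    so the rule fires on bursts rather than on a day's worth of normal logins.
    """
    sent = defaultdict(deque)      # user -> timestamps of push_sent inside WINDOW
    denied = defaultdict(deque)    # user -> timestamps of push_denied inside WINDOW
    alerts = []
    for ts, user, event, ip in events:
        for window in (sent[user], denied[user]):
            while window and ts - window[0] > WINDOW:
                window.popleft()
        if event == "push_sent":
            sent[user].append(ts)
            if len(sent[user]) == FLOOD_THRESHOLD:       # fire once per burst
                alerts.append({"rule": "mfa_push_flood", "user": user, "source_ip": ip,
                               "at": ts.isoformat(), "prompts_in_window": len(sent[user])})
        elif event == "push_denied":
            denied[user].append(ts)
        elif event == "push_approved" and len(denied[user]) >= DENIAL_THRESHOLD:
            # The high-value signal: the user finally said yes after repeatedly saying no.
            alerts.append({"rule": "approval_after_push_flood", "user": user, "source_ip": ip,
                           "at": ts.isoformat(), "denials_in_window": len(denied[user])})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second rule is the one worth paging on: a flood alone may be a misconfigured client, but an approval that arrives after several denials is exactly the moment at which a session should be revoked and the account holder contacted out of band. Number-matching or device-bound MFA removes the approve button that this attack relies on, which is a stronger fix than detection.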
While this is a common attack type, and one that companies should be training employees to expect, MFA fatigue finally getting to an employee is at least understandable. What happened next is what is likely to cause the most serious damage to Uber. The attacker was able to quickly escalate the network breach by coming across admin credentials stored in PowerShell scripts in plaintext, with enough access to open the doors to just about everything in the company including its source code.
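Plaintext administrator credentials sitting in scripts on a network share are a finding that routine secret scanning should surface before an intruder does. Below is an added example of such a scanner, not code from the article or from Uber; the three PowerShell scripts it inspects are constructed, as are the account name and password they contain, and the regular expressions cover only the most common embedding patterns rather than every possible one.

```python
"""Scan PowerShell scripts for hard-coded credentials and report them with the secret masked.

Added example, not from the article. The sample scripts, account names and
passwords are constructed; the rule set is a starting point, not an exhaustive one.
"""
import re

# (rule name, pattern). Each pattern targets a way credentials commonly end up in .ps1 files.
PATTERNS = [
    ("plaintext_password_assignment",
     re.compile(r'\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    ("securestring_from_literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    ("password_parameter_literal",
     re.compile(r'-(?:Password|Pass|Secret)\s+["\'][^"\']+["\']', re.I)),
    ("net_use_inline_password",
     re.compile(r'\bnet\s+use\b.*/user:\S+\s+\S+', re.I)),
]

# Constructed sample scripts: two contain the anti-pattern, one shows the safer approach.
SAMPLE_SCRIPTS = {
    "backup.ps1": r'''# constructed example of the anti-pattern: credentials embedded in the script
$AdminUser = "CORP\svc_backup"
$AdminPass = "Winter2022!"
$sec = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($AdminUser, $sec)
Invoke-Command -ComputerName fileserver01 -Credential $cred -ScriptBlock { Get-ChildItem D:\backups }
''',
    "mount_share.ps1": r'''net use Z: \\fileserver01\share /user:CORP\svc_backup Winter2022!
''',
    "deploy.ps1": r'''# constructed example of the safer pattern: the secret is fetched at run time
$cred = Get-Credential -Message "Deployment account"
$token = Get-Secret -Name deploy-token -AsPlainText
''',
}


def _redact(line, rule):
    """Mask quoted literals (and the trailing token of a net use command) so the report itself leaks nothing."""
    masked = re.sub(r'(["\'])[^"\']*\1', r'\1***\1', line)
    if rule == "net_use_inline_password":
        parts = masked.split()
        parts[-1] = "***"
        masked = " ".join(parts)
    return masked


def scan_script(name, text):
    """Return one finding per offending line: file, line number, rule and a redacted snippet."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule, pattern in PATTERNS:
            if pattern.search(line):
                findings.append({"file": name, "line": lineno, "rule": rule,
                                 "snippet": _redact(stripped, rule)})
                break  # one finding per line is enough for triage
    return findings


def scan_all(scripts):
    """Scan a mapping of filename -> script text and concatenate the findings."""
    findings = []
    for name, text in scripts.items():
        findings.extend(scan_script(name, text))
    return findings


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_SCRIPTS):
        print(f'{finding["file"]}:{finding["line"]} [{finding["rule"]}] {finding["snippet"]}')
```

Run periodically over the shares and repositories where operational scripts live, this turns a silent exposure into a ticket. The scanner deliberately never writes the matched secret into its output, since a findings report that contains the passwords recreates the problem in a new location; any script it flags should be moved to a credential store (the deploy.ps1 sample uses Get-Credential and the SecretManagement module's Get-Secret as one such pattern) and the exposed password rotated.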
The hacker did not appear to be out to do damage or steal anything, although they did apparently take a copy of the source code for themselves. The culprit instead appeared to be a young hobbyist demonstrating their skills and playing around. At least, that is the best available information based on the hacker’s communications with the media and the statements Uber has made about the cybersecurity incident. The hacker used a temporary Telegram account to communicate with the media, which has since been abandoned. Uber says that customer and driver personal and payment information is safe, but given the breadth of access the hacker had, it is possible that story may change at a later date.
Another major cybersecurity incident for Uber to weather
Uber discovered the network breach just before the weekend, and pulled a number of internal systems offline as they investigated. This did not appear to impact the app from the customer or driver end, though the hacker had comprehensive access to its internal workings.
Uber employees were first warned by the hacker himself, who interrupted the company Slack channel to announce the network breach. After his posts were not taken seriously, he went to an assortment of major media sources with screenshots to back up his claims. If the screenshots are to be believed, the hacker had access to just about everything: cloud storage accounts, OneLogin, and the company email system among other sensitive applications. The hacker did not leak anything, but did say they were considering dumping the source code to the public before disappearing.
There are concerns about follow-up cybersecurity incidents given that the hacker appears to have accessed vulnerability reports prepared for the company by security company HackerOne.