On Thursday, September 15th, 2022, Uber was hacked through a successful social engineering attempt, followed by a privilege escalation attack on its internal network. Read this article for a full understanding of what happened and the actions you need to take to protect your data.
What is Social Engineering?
Social engineering is the use of psychological manipulation to trick a user into giving away sensitive information. In this case, the hacker obtained a single employee’s credentials through phishing (or another type of social engineering attack) combined with multifactor authentication (MFA) fatigue, in which the victim is flooded with MFA push prompts until one is approved. This gave the hacker access to Uber’s internal company network (by logging into the VPN using the employee’s credentials).
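MFA fatigue leaves a distinctive trail in authentication logs: a burst of push prompts that are denied or time out, often followed by a single approval. The detector below is an added example written for this article, not Uber’s or any MFA vendor’s code; the log format, user names and addresses are constructed for illustration.

```python
"""Flag MFA push-fatigue patterns: repeated denied/timed-out push prompts for one user
inside a short window, and whether an approval followed them (the dangerous case)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format); not real Uber or vendor data.
SAMPLE_LOG = """\
2022-09-15T21:03:10Z user=alice factor=push result=denied src=203.0.113.7
2022-09-15T21:03:41Z user=alice factor=push result=denied src=203.0.113.7
2022-09-15T21:04:05Z user=alice factor=push result=timeout src=203.0.113.7
2022-09-15T21:04:30Z user=alice factor=push result=denied src=203.0.113.7
2022-09-15T21:05:02Z user=alice factor=push result=approved src=203.0.113.7
2022-09-15T21:10:00Z user=bob factor=push result=approved src=198.51.100.4
2022-09-15T22:00:00Z user=carol factor=push result=denied src=198.51.100.9
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_push_fatigue(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: {"first": ts, "count": n, "approved_after": bool}} for every user
    with at least `threshold` unanswered push prompts inside `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("factor") == "push":
            events[rec["user"]].append(rec)

    alerts = {}
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        unanswered = [r for r in recs if r["result"] in ("denied", "timeout")]
        # Sliding window anchored at each unanswered prompt.
        for i, start in enumerate(unanswered):
            in_window = [u for u in unanswered[i:] if u["ts"] - start["ts"] <= window]
            if len(in_window) >= threshold:
                last_ts = in_window[-1]["ts"]
                # An approval after the burst suggests the user finally gave in.
                approved_after = any(
                    a["result"] == "approved" and a["ts"] > last_ts for a in recs
                )
                alerts[user] = {
                    "first": start["ts"],
                    "count": len(in_window),
                    "approved_after": approved_after,
                }
                break
    return alerts


if __name__ == "__main__":
    for user, alert in find_push_fatigue(SAMPLE_LOG).items():
        print(f"{user}: {alert['count']} unanswered prompts from {alert['first']}, "
              f"approval afterwards: {alert['approved_after']}")
```

The `approved_after` flag is the one to page on: a burst of denials that ends in an approval is exactly the sequence a fatigue attack produces, and the response is to treat that session as compromised rather than as a successful login.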
What is a Privilege Escalation Attack?
A privilege escalation is a process where a hacker with limited access to a system (or network) increases their permissions and access to that system. Since the hacker was on Uber’s internal network (via VPN), they were able to snoop around files shared by other employees. One file was a PowerShell script, typically used to automate Windows servers, containing administrative credentials for the Thycotic service.
Thycotic is a privileged access management (PAM) system used to manage secrets (such as passwords). Unfortunately for Uber, the admin user the hacker gained access to was able to extract secrets (passwords) for ALL OF UBER’S SERVICES. In other words, the hacker logged in to Uber’s systems using this admin account and stole the passwords for their services. This includes an array of services including “DA, DUO, Onelogin, AWS [Amazon Web Services], and GSuite [Google Suite]”.
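The weak link here was a credential sitting in plain text inside a shared automation script, which is something a simple scan of file shares and repositories can catch before an intruder does. The scanner below is an added example for this article, not Uber’s or Thycotic’s tooling; the two sample scripts, their file names and the credential values are constructed for illustration.

```python
"""Scan PowerShell scripts for embedded credentials and report file, line and reason."""
import re

# Constructed sample scripts (hypothetical); the first embeds a password the way the
# article describes, the second pulls credentials at run time instead.
SAMPLE_SCRIPTS = {
    "backup.ps1": """\
$server = "vault.example.internal"
$user = "svc-backup"
$password = "Winter2022!"
$secure = ConvertTo-SecureString $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $secure)
Invoke-RestMethod -Uri "https://$server/api/login" -Body @{username=$user; password=$password}
""",
    "clean.ps1": """\
$cred = Get-Credential
$token = $env:VAULT_TOKEN
Invoke-RestMethod -Uri "https://vault.example.internal/api/secrets" -Headers @{Authorization="Bearer $token"}
""",
}

# Each pattern pairs a human-readable reason with a regex for one way credentials get
# embedded. Only quoted literals are flagged; variables and $env: lookups are not.
PATTERNS = [
    ("secret-like variable assigned a string literal",
     re.compile(r'\$(?:pass(?:word|wd)?|pwd|secret|apikey|token)\s*=\s*["\'][^"\']{4,}["\']', re.I)),
    ("credential parameter given a string literal",
     re.compile(r'-(?:Password|Secret|ApiKey|Token)\s+["\'][^"\']+["\']', re.I)),
    ("ConvertTo-SecureString applied to a plaintext literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    ("password key in a hashtable set to a string literal",
     re.compile(r'password\s*=\s*["\'][^"\']+["\']', re.I)),
]


def scan_script(name, text):
    """Return a list of (file, line_number, reason, line_text) findings for one script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for reason, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((name, lineno, reason, line.strip()))
                break  # one finding per line is enough
    return findings


def scan_all(scripts):
    """Scan a {filename: contents} mapping and return all findings."""
    findings = []
    for name, text in scripts.items():
        findings.extend(scan_script(name, text))
    return findings


if __name__ == "__main__":
    for name, lineno, reason, line in scan_all(SAMPLE_SCRIPTS):
        print(f"{name}:{lineno}: {reason}\n    {line}")
```

The patterns are deliberately narrow so the report stays readable; in practice a hit is worth treating as a rotation event (the credential is assumed burned), and the fix is to have the script fetch the secret at run time with an identity that is scoped to what that job needs, so that no file on a share can hand out PAM admin rights.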
To put the magnitude of this breach in perspective, let’s explain what some of these services do. For one, OneLogin is an Identity and Access Management (IAM) system used to provide single sign-on (SSO) for Uber employees. SSO lets an employee use one set of credentials (username and password) to gain access to every application they use. Amazon Web Services (AWS) contains an IAM service that controls who has access to each (Uber) service. In other words, the hacker was able to do whatever they wanted with Uber’s systems.
One of the first actions the hacker took was to join the company’s communication channels on the Slack application and proceed to troll employees. The hacker is shown pinging all of the employees (which sends them a notification) and announcing that Uber has suffered a data breach. The message also hints at this hack being motivated by hacktivism, specifically protesting against Uber’s underpayment of its drivers.
The hacker was also able to compromise other information including, but not limited to, Uber’s Google Workspace, its internal financial revenue metrics service (Avengers), and its Amazon Web Services instances. Notably, the data that Uber stores about you from its application is located on AWS database services. With access to this service, it’s likely that your data (including credit card information) has already been compromised.
Another important service that the hacker was able to gain access to was HackerOne, a vulnerability coordination and bug bounty platform that connects businesses with penetration testers and cybersecurity researchers. Companies on HackerOne place bounties for bugs that white-hat (good) hackers find and report for cash. The significance of this is that the Uber hacker now has access to all of Uber’s private bug reports on HackerOne (the ones Uber has yet to patch or disclose).
Is My Data Safe?
If Uber follows the best practices for security, important data such as credit card information and individual passwords should be safe. This is achieved by a security practice known as salting, in which a one-way hash function is applied to the plaintext (unencrypted) password, together with a random per-user value (the salt), as soon as it reaches Uber’s services, so that only the hash is stored. In other words, your password can only be determined if the hacker already knows your plaintext password (e.g. strawberry), because the hash (e.g. 5e737f891db1175442a39fde73e51d781a545506d71c95477a6deb5988bd7f9a) cannot be reversed; it can only be reproduced by hashing the right guess with the right salt.
Unfortunately, it’s likely that the hacker has your data because, unless the hashing was done properly (a slow hash with a unique salt per user), all the hacker needs to do is read the hashing scheme from the source code and then generate a rainbow table. In other words, the hacker can take a list of common passwords and run it through the one-way function to produce a list of hashes. Then, the hacker can compare these hashes against the stolen database and recover the password of every account whose hash matches. This is why it’s not recommended to use a common password.
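The difference between a precomputed table and per-user salting is easiest to see by cracking the same set of accounts both ways. The script below is an added example for this article, not Uber’s code; the user records and the short “common password” list are constructed, and “strawberry” reuses the article’s example password. It uses PBKDF2 from the Python standard library as the slow salted hash.

```python
"""Compare cracking an unsalted SHA-256 password store against a salted, slow one."""
import hashlib
import os

# Constructed data: a toy common-password list and three hypothetical accounts.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "strawberry", "letmein"]
USERS = {
    "alice": "strawberry",                    # common: crackable either way
    "bob": "correct horse battery staple",    # not in the list: survives both
    "carol": "123456",                        # common: crackable either way
}
PBKDF2_ROUNDS = 100_000  # kept modest for the demo; production uses more, or bcrypt/argon2


def unsalted_hash(password):
    """The weak scheme: one fast hash, same output for every user with that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, rounds=PBKDF2_ROUNDS):
    """The recommended scheme: slow key derivation over password + random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def store_unsalted(users):
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def store_salted(users):
    """Each user gets a fresh 16-byte salt stored next to the hash (salts are not secret)."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, salted_hash(pw, salt))
    return store


def crack_unsalted(store, wordlist):
    """Build the lookup table ONCE, then crack every account with a dictionary lookup.
    Returns (cracked, number_of_hash_computations)."""
    table = {unsalted_hash(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in store.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(store, wordlist):
    """No shared table is possible: every guess must be rehashed with each user's salt.
    Tries the whole wordlist per user so the cost is directly comparable."""
    cracked = {}
    computations = 0
    for user, (salt, h) in store.items():
        for word in wordlist:
            computations += 1
            if salted_hash(word, salt) == h:
                cracked[user] = word
    return cracked, computations


if __name__ == "__main__":
    found, cost = crack_unsalted(store_unsalted(USERS), COMMON_PASSWORDS)
    print(f"unsalted: cracked {found} with {cost} fast hashes")
    found, cost = crack_salted(store_salted(USERS), COMMON_PASSWORDS)
    print(f"salted:   cracked {found} with {cost} slow PBKDF2 derivations")
```

Both runs recover the same two accounts, which is the article’s point: salting does not rescue a common password. What it changes is the attacker’s bill. The unsalted table costs one fast hash per candidate word regardless of how many millions of accounts are in the dump, while the salted store costs one slow derivation per word per account, and each of those derivations is deliberately expensive.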
In other words, if you have a common password (or other piece of common data), it has already been compromised; including the data that Uber is not legally required to protect. In any case, it’s a good idea to ensure that you have multi-factor authentication enabled on all of your accounts. Be sure to use a password manager with a secure password and ensure that your email practices remain safe. Don’t click on random links and don’t share important documents over email.
Unlike with its previous data breaches, Uber has already publicly announced its awareness of the “cybersecurity incident”. Many are concerned with the vague response that Uber has put out, given the magnitude of this data breach. Only time will tell the amount of damage this breach has caused to a company worth $65.5 BILLION (as of September 15th, 2022) on the stock market, in addition to its 118 MILLION users (as of 2021).