Uber hacked, internal systems breached and vulnerability reports stolen

Written by admin


Uber suffered a cyberattack on Thursday afternoon. A suspected 18-year-old hacker downloaded vulnerability reports from HackerOne and shared screenshots of the company’s internal systems, email dashboard and Slack server.

Screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company’s security software and the Windows domain.

Other systems the hacker accessed include the company’s Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin panel for managing Uber email accounts.

The threat actor also breached the Uber Slack server, which he used to post messages to employees stating that the company was hacked. Nevertheless, Uber Slack screenshots indicate that these announcements were first met with memes and jokes, as employees had not been aware that a real cyberattack was taking place.

Uber has since confirmed the attack, tweeting that they are in contact with police and will post additional information as it becomes available.

“We are currently responding to a cybersecurity incident. We are in contact with law enforcement and will post additional updates here as they become available,” the Uber Communications account tweeted.

The New York Times, which first reported the breach, said it spoke with the threat actor, who claimed to have breached Uber after performing a social engineering attack on an employee and stealing their password.

The threat actor then gained access to the company’s internal systems using the stolen credentials.

More details emerge

After the attacker loudly announced that he had breached Uber’s systems on the company’s Slack server and in comments on HackerOne bug bounty submissions, security researchers contacted the threat actor to obtain more information about the attack.

In a conversation between the threat actor and security researcher Corben Leo, the hacker said they were able to access Uber’s intranet after performing a social engineering attack against an employee.

According to the threat actor, they attempted to log in as Uber employees, but did not provide details on how they gained access to the credentials.

Since the Uber account was protected with multi-factor authentication, the attacker allegedly used an MFA fatigue attack and pretended to be Uber IT support to convince the employee to accept the MFA request.

Hackers claim to have used an MFA Fatigue attack
Source: Kevin Beaumont

MFA fatigue attacks occur when a threat actor holds valid corporate login credentials but multi-factor authentication blocks access to the account. The attacker then triggers repeated MFA push requests to the target until the victim gets tired of seeing them and finally accepts a notification.
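The pattern described above is visible in MFA push logs: a burst of prompts to one user within a short window that ends in an approval. The detector below is an added example, not code from the article or from any MFA vendor; the log format and field names are assumptions, and the log lines are constructed.

```python
"""Flag MFA-fatigue patterns in push-notification logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> push <result>" per line.
# The format is an assumption, not a real vendor's export.
SAMPLE_LOG = """\
2022-09-15T14:01:02Z alice push denied
2022-09-15T14:01:40Z alice push timeout
2022-09-15T14:02:15Z alice push denied
2022-09-15T14:02:55Z alice push timeout
2022-09-15T14:03:30Z alice push approved
2022-09-15T14:05:00Z bob push approved
2022-09-15T15:10:00Z carol push denied
2022-09-15T16:40:00Z carol push approved
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, _method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_fatigue(events, window=timedelta(minutes=10), min_prompts=4):
    """Return {user: prompt_count} for every user who approved a push
    after receiving at least `min_prompts` prompts inside `window`.
    A lone approval (bob) or a slow trickle (carol) is not flagged."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    flagged = {}
    for user, prompts in by_user.items():
        for i, (ts, result) in enumerate(prompts):
            if result != "approved":
                continue
            recent = [p for p in prompts[: i + 1] if ts - p[0] <= window]
            if len(recent) >= min_prompts:
                flagged[user] = len(recent)
    return flagged


if __name__ == "__main__":
    print(find_fatigue(parse_log(SAMPLE_LOG)))  # {'alice': 5}
```

Tune `window` and `min_prompts` to the prompt rate your own MFA provider allows; an alert on the flagged user should trigger a credential reset, since a fatigue attack implies the password is already compromised.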

This social engineering tactic has become very popular in recent attacks against well-known companies, including Twitter, Mailchimp, Robinhood and Okta.

After gaining access to the credentials, the threat actor told Leo that they logged into the internal network through the corporate VPN and began scanning the company intranet for sensitive information.

As part of these scans, the hacker says he found a PowerShell script containing administrator credentials for the company’s Thycotic privileged access management (PAM) platform, which was used to access login secrets for other internal services of the company.

“Well basically Uber had a network share \\[redacted]points the share contained some powershell scripts.

one of the PowerShell scripts contained the username and password of an admin user in Thycotic (PAM). With this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, Gsuite”
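The weak point the hacker describes is a plain-text credential sitting in a script on a file share. A simple scan for the usual ways a password ends up in a PowerShell file catches this before an intruder does. This scanner is an added example, not code from the article, Uber or Thycotic; the sample script and its credential are constructed.

```python
"""Scan PowerShell scripts for hard-coded credentials (added example)."""
import re

# Constructed sample script in the style the article describes: a service
# credential for a PAM platform written straight into the file.
SAMPLE_SCRIPT = r'''
$pamUser = "svc_pam_admin"
$pamPass = "Winter2022!"
$sec = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object PSCredential($pamUser, $sec)
Invoke-RestMethod -Uri $url -Credential $cred
Get-Credential
'''

# Each rule names one way a secret leaks into script text. Variable
# assignments are matched on the variable name (pass, pwd, secret, token),
# ConvertTo-SecureString on its literal argument, and -Password style
# parameters on a quoted literal. Interactive Get-Credential is not flagged.
PATTERNS = [
    ("assignment", re.compile(r'\$\w*(pass|pwd|secret|token)\w*\s*=\s*"[^"]+"', re.I)),
    ("securestring", re.compile(r'ConvertTo-SecureString\s+"[^"]+"\s+-AsPlainText', re.I)),
    ("param", re.compile(r'-(Password|Secret|ApiKey)\s+"[^"]+"', re.I)),
]


def scan_script(text):
    """Return [(line_no, rule_name)] for each line carrying a plain-text secret.
    Only the first matching rule per line is reported."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS:
            if rx.search(line):
                hits.append((n, rule))
                break
    return hits


if __name__ == "__main__":
    for n, rule in scan_script(SAMPLE_SCRIPT):
        print(f"line {n}: {rule}")  # lines 3 and 4 of the sample
```

Run it over every `.ps1` on the shares you manage; a hit means the script should fetch the credential from the PAM platform at run time under a narrowly scoped account instead of carrying the PAM admin password itself.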

The New York Times reports that the attacker claimed to have accessed Uber databases and source code as part of the attack.

To be clear, this information is from the threat actors and has not been verified by Uber, which has not responded to our requests for more information.

HackerOne vulnerability reports exposed

While the threat actor may have stolen data and source code from Uber during this attack, they also had access to what could be an even more valuable asset.

According to Yuga Labs security engineer Sam Curry, the hacker also had access to the company’s HackerOne bug bounty program, where they commented on all of the company’s bug bounty tickets.

Comment left by hacker on HackerOne submissions
Source: Curry

Curry told BleepingComputer that he first became aware of the breach after the attacker left the above comment in a vulnerability report he submitted to Uber two years ago.

Uber runs a HackerOne bug bounty program that allows security researchers to privately report vulnerabilities in its systems and applications in exchange for a monetary bounty. These vulnerability reports are meant to stay confidential until a fix is published, so that attackers cannot exploit them in the meantime.

Curry further shared that an Uber employee said the threat actor had access to all of the company’s private vulnerability submissions on HackerOne.

A source also told BleepingComputer that the attacker downloaded all vulnerability reports before losing access to Uber’s bug bounty program. This likely includes vulnerability reports that have not been fixed, posing a serious security risk to Uber.

HackerOne has since disabled Uber’s bug bounty program, cutting off access to the disclosed vulnerabilities.

However, it would not be surprising if the threat actor had already downloaded the vulnerability reports and was likely selling them to other threat actors to quickly cash in on the attack.

Update 09/16/22: Added more details provided by the hacker on how the attack was carried out.
