Uber hacked by 18-year-old using standard phishing techniques
posted Sunday Sep 18, 2022 by Scott Ertz
It seems like every company is constantly under attack from the outside world. Unfortunately, no amount of "IT responsibility training" can protect them from a phishing attack, no matter how many times the company forces employees to watch these videos. This week, Uber was the recipient of one of these social engineering attacks, which apparently allowed an 18-year-old to access the inner workings of the company and its computer systems.
Currently, what we know is based on a lot of public boasting. However, the initial research suggests that the information is correct. So, what happened and how did one of the biggest tech companies in the world get so easily hacked?
It started out with the discovery of an employee's WhatsApp number. Using that, our intrepid hacker set up a fake Uber page that looked real and sent the link to the employee. The employee then tried to log into the fake portal using their credentials, which were then stored by the teen. Using those credentials, the hacker logged into the real Uber system.
Of course, Uber uses MFA (or multi-factor authentication) for its systems, meaning there was still another step to overcome. In an effort to confuse the employee, the hacker continuously sent MFA notifications to the employee's phone, which finally led to the employee approving one of these requests, either out of confusion or exhaustion or possibly even simply by accident (we've all hit a notification when we were trying to hit the back button on our phones).
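One way a defender could spot the repeated-prompt pattern described above in MFA logs, as an added example that is not part of the original article and is not Uber's tooling. The event format, the result values (`denied`, `timeout`, `approved`), the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, user, push result).
EVENTS = [
    ("2022-01-10T22:01:10", "alice", "denied"),
    ("2022-01-10T22:03:40", "alice", "timeout"),
    ("2022-01-10T22:05:02", "alice", "denied"),
    ("2022-01-10T22:08:30", "alice", "timeout"),
    ("2022-01-10T22:11:15", "alice", "denied"),
    ("2022-01-10T22:14:50", "alice", "timeout"),
    ("2022-01-10T22:16:20", "alice", "approved"),  # gives in after 6 prompts
    ("2022-01-10T09:00:00", "bob", "denied"),      # one mis-tap, then a normal login
    ("2022-01-10T09:00:30", "bob", "approved"),
    ("2022-01-10T08:00:00", "carol", "timeout"),   # rejections spread over hours
    ("2022-01-10T09:00:00", "carol", "timeout"),
    ("2022-01-10T10:00:00", "carol", "timeout"),
    ("2022-01-10T11:00:00", "carol", "timeout"),
    ("2022-01-10T12:00:00", "carol", "timeout"),
    ("2022-01-10T12:05:00", "carol", "approved"),
]

REJECTED = {"denied", "timeout"}

def find_push_fatigue(events, min_rejected=5, window=timedelta(minutes=30)):
    """Return (user, approval_time, rejected_count) for every approval that
    follows at least min_rejected denied/timed-out pushes inside the window."""
    recent = defaultdict(deque)  # user -> timestamps of recent rejected pushes
    alerts = []
    for ts, user, result in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        q = recent[user]
        while q and t - q[0] > window:       # drop rejections older than the window
            q.popleft()
        if result in REJECTED:
            q.append(t)
        elif result == "approved":
            if len(q) >= min_rejected:
                alerts.append((user, ts, len(q)))
            q.clear()                        # a new session starts a fresh count
    return alerts

if __name__ == "__main__":
    for user, ts, count in find_push_fatigue(EVENTS):
        print(f"ALERT {user}: approval at {ts} after {count} rejected pushes")
```

An alert like this is a reason to revoke the resulting session and contact the user out of band, since the approval itself looks like a valid login.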
With this, the hacker was in the system and had a look around. This led to the discovery of a network share drive containing PowerShell scripts that included an admin username and password, giving access to resources such as Amazon Web Services and G Suite accounts.
How do we know what went down?
This is the most interesting part of the whole story. The hacker announced their presence on the network by sending messages on the company's Slack channels. In fact, the messages were not covert in any way, with one literally saying,
"I announce I am a hacker and Uber has suffered a data breach"
Because of the openness of the hacker, it is believed that the goal was neither financial nor malicious. Instead, it appears that it might have all been part of some sort of protest. The individual posted several messages across Slack saying that drivers are not paid enough, indicating strongly that this was the goal.
How has Uber responded?
First and foremost, the company has admitted the hack, saying,
"We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."
The company currently does not believe that any sensitive data was accessed, such as user location or route data, but has begun an exhaustive investigation to verify. If it turns out to be a political action, less will need to be done. However, if personal data was accessed, Uber might have to follow the lead of other companies and offer identity protection and more. Either way, though, I suspect employees will all have to watch those useless videos again on how to prevent social engineering.