Attacker's claim
The attacker claimed and offered evidence that they had successfully breached many of the ride-sharing app firm’s internal networks.
The attacker claimed that they socially engineered an employee and obtained that employee's VPN credentials, which allowed them to get into Uber's network and scan its intranet.
Uber is reported to rely on multi-factor authentication (MFA). According to the attacker, the employee was bombarded with push authentication requests for more than an hour; the attacker then contacted the employee through another channel and tricked them into approving one of the requests.
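The push-fatigue pattern described above leaves a clear trace in authentication logs, and a defender can alert on it. The following Python script is an added example, not part of the original post and not Uber's tooling; the log format (one line per event: ISO timestamp, user, event name), the 10-minute window and the threshold of five unapproved pushes are assumptions. It flags a user whose denied or timed-out pushes reach the threshold inside the window, and separately flags an approval that arrives while such a burst is still active, which is the event an analyst most wants to see.

```python
"""Detect MFA push-fatigue ("prompt bombing") in authentication logs.

Added example, not from the original post. The log format and the
thresholds are assumptions: each line is "<ISO timestamp> <user> <event>"
with event one of PUSH_SENT, PUSH_DENIED, PUSH_TIMEOUT, PUSH_APPROVED.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "alice" receives a burst of pushes over ~10 minutes
# and finally approves one; "bob" is a normal single-push login.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z alice PUSH_SENT
2022-09-15T22:01:35Z alice PUSH_TIMEOUT
2022-09-15T22:02:10Z bob PUSH_SENT
2022-09-15T22:02:25Z bob PUSH_APPROVED
2022-09-15T22:03:05Z alice PUSH_SENT
2022-09-15T22:03:35Z alice PUSH_TIMEOUT
2022-09-15T22:05:35Z alice PUSH_DENIED
2022-09-15T22:07:35Z alice PUSH_TIMEOUT
2022-09-15T22:09:35Z alice PUSH_TIMEOUT
2022-09-15T22:11:35Z alice PUSH_TIMEOUT
2022-09-15T22:12:00Z alice PUSH_APPROVED
"""

WINDOW = timedelta(minutes=10)   # sliding window (assumption)
BURST_THRESHOLD = 5              # unapproved pushes per window (assumption)
UNAPPROVED = {"PUSH_DENIED", "PUSH_TIMEOUT"}


def parse_log(text):
    """Parse log lines into (timestamp, user, event) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    events.sort()
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return a list of (user, alert_kind, timestamp).

    'burst' fires once when a user accumulates >= threshold unapproved
    pushes inside the window; 'approval_after_burst' fires when that user
    then approves a push while the burst is still inside the window.
    """
    recent = defaultdict(deque)   # user -> timestamps of unapproved pushes
    burst_active = set()          # users already alerted for the current burst
    alerts = []
    for ts, user, event in events:
        q = recent[user]
        # Drop unapproved pushes that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if not q:
            burst_active.discard(user)
        if event in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold and user not in burst_active:
                burst_active.add(user)
                alerts.append((user, "burst", ts))
        elif event == "PUSH_APPROVED":
            if len(q) >= threshold:
                alerts.append((user, "approval_after_burst", ts))
            # A decision resets the per-user state.
            q.clear()
            burst_active.discard(user)
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: {kind}")
```

In a real deployment the "approval_after_burst" alert is the one to route to an analyst immediately, since it marks the point at which a session was likely granted to someone other than the user; the "burst" alert is also a good trigger to proactively contact the user and reset the session.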
The attacker claims they then located a network share containing PowerShell scripts that included the username and password of a system administrator. These credentials were used to extract further passwords and to access Uber's AWS (Amazon Web Services), OneLogin and G Suite environments, among others.
They also broke into an Uber employee's HackerOne (bug bounty) account, which implies the attacker likely holds reports on sensitive security vulnerabilities in Uber products and infrastructure.
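Credentials embedded in scripts on a file share are exactly the kind of finding a defender can hunt for before an intruder does. The following Python scanner is an added example, not from the original post and not an Uber tool; the regular expressions, the sample PowerShell script and the credential value in it are constructed assumptions. It reports the line and the kind of pattern matched, redacts the secret in the reported snippet, and records a truncated SHA-256 fingerprint so that the same secret can be correlated across many scripts without ever being copied into the report.

```python
"""Scan PowerShell scripts for hard-coded credentials.

Added example, not from the original post. The patterns below are
assumptions covering common ways credentials end up in scripts; a
production scanner would use a larger, tuned rule set.
"""
import hashlib
import re
from dataclasses import dataclass

# (kind, pattern) pairs; group 1 of each pattern captures the secret value.
PATTERNS = [
    ("plaintext-assignment",
     re.compile(r'\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("securestring-asplaintext",
     re.compile(r'ConvertTo-SecureString\s+["\']([^"\']+)["\']\s+-AsPlainText', re.I)),
    ("credential-parameter",
     re.compile(r'-(?:Password|Pass|Pwd)\s+["\']?([^\s"\'$][^\s"\']*)["\']?', re.I)),
    ("net-use-password",
     re.compile(r'net\s+use\s+.*?\s(\S+)\s+/user:', re.I)),
]

# Constructed sample script (not a real Uber script); the password value is made up.
SAMPLE_SCRIPT = r"""# backup.ps1 (constructed sample)
$server = "fileserver01"
$adminUser = "CORP\svc_backup"
$adminPassword = "Sup3rS3cret!"
$secure = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($adminUser, $secure)
Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock { Get-Service }
Invoke-Sqlcmd -ServerInstance $server -Username sa -Password "Sup3rS3cret!"
net use Z: \\fileserver01\backups Sup3rS3cret! /user:CORP\svc_backup
# Safer pattern: the credential is obtained at runtime, not stored in the script
$cred2 = Get-Credential
"""


@dataclass
class Finding:
    line: int          # 1-based line number in the script
    kind: str          # which pattern matched
    fingerprint: str   # truncated SHA-256 of the secret, for correlation only
    snippet: str       # offending line with the secret redacted


def fingerprint(secret):
    """Stable, non-reversible identifier so one secret can be tracked across files."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def scan_script(text):
    """Return a list of Finding objects for every credential pattern matched."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments are not executable; skip them
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                secret = match.group(1)
                findings.append(Finding(
                    line=lineno,
                    kind=kind,
                    fingerprint=fingerprint(secret),
                    snippet=line.replace(secret, "***").strip(),
                ))
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f.line:>3} [{f.kind}] fp={f.fingerprint}: {f.snippet}")
```

Run against a share, every finding with a shared fingerprint points at one credential that needs a single rotation; the `Get-Credential` line at the end of the sample is left alone because the script requests the credential at run time instead of storing it.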
Current status
In an update to its official Twitter account, Uber said: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.” Uber also said on Friday that it has “no evidence that the incident involved access to sensitive user data (like trip history).”
Potential impact
Screenshots leaked by the attacker, however, indicate that Uber's systems may have been deeply and thoroughly compromised, and that anything the attacker did not access was likely a matter of limited time rather than limited opportunity. This could have a devastating impact on the company.
Not only is the company's reputation at stake; millions of Uber users across the globe are potentially affected.
Access to system administrator credentials could be leveraged for far more powerful attacks, such as compromising highly privileged employees who have access to manage customer data (including personally identifiable information (PII), payment information and other sensitive data).
The attacker may have left backdoors to maintain persistence, which could be used in future attacks.
Access to security vulnerability reports could be leveraged further to exploit additional vulnerabilities in Uber's systems. If the attacker sells this information, those vulnerabilities could be exploited by multiple other attackers.
Access to OneLogin (a cloud-based identity and access management system) could expose credentials for several other sensitive systems.
Key takeaways so far:
Techniques such as phishing that bypass two-factor (2FA) or multi-factor authentication (MFA) are increasingly used by attackers.
This combination of social engineering and MFA bypass could succeed against many other companies, not just Uber.
Once an attacker is inside the internal network, systems that trust that network by design may leak sensitive information. Applications should therefore adopt a "zero trust" architecture to counter novel attack techniques.
Employee and enterprise security training needs to be mandatory and follow an effective model.