Uber Breach: The Dark Web Leads To Corporate Account Takeover
Last week, Uber confirmed that its internal systems were breached by a hacker. The company stated that the account of a contractor working for Uber EXT was compromised, and it named a group known as Lapsus$ as responsible for the attack. Here, we break down what happened and help you protect yourself from similar attacks.
So, what happened?
On September 15th Uber made their first announcement via their newsroom that they were “currently responding to a cyber security incident”. This vague first comment left the cyber security world waiting for answers.
In the early hours of September 16th, images circulated on Twitter of internal Uber systems that the attacker claimed to have compromised. Screenshots of Uber's AWS instance, HackerOne administration panel, Google admin and financial systems were all shown.
Following this, Uber released their second comment, which confirmed they were continuing their investigation and gave some more detail about the severity of the incident. They stated that they "have no evidence that the incident involved access to sensitive user data" and that the only impact seen was on internal software tools.
The final statement was made by Uber on September 19th, in which they broke down what happened and what they did about the attack. Here’s a summary of what they had to say.
Uber stated that a contractor had their account compromised by an attacker who likely purchased the account information on the dark web. The attacker then repeatedly tried to log in. Each time, the contractor received a two-factor authentication login approval request, which was initially denied. Eventually, the contractor allowed a login request giving the attacker access to the account.
A recent blog post from GoSecure outlines this type of technique:
“They will perform the push notification spamming repeatedly until the user approves the login attempt and lets the attacker gain access to the account. This usually happens because the user is distracted or overwhelmed by the notifications and, in some cases, it can be misinterpreted as a bug or confused with other legitimate authentication requests.”
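The pattern GoSecure describes leaves a recognisable trace in authentication logs: a burst of push prompts to one user, most of them denied, followed by an approval. The detector below is an added example written for this article, not code from Uber, GoSecure or the original post. The log format, the sample lines, the threshold of three denials and the ten-minute window are all assumptions; a security team would tune them to its own identity provider's events.

```python
"""
Added example (not from the original article or from Uber/GoSecure): a small
detector for the MFA push-notification spamming ("push fatigue") pattern.
It scans push events and flags a user who receives several prompts in a
short window, denies most of them, and then approves one. The log format,
the sample lines and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "timestamp,user,event,result,source_ip".
# They are made up for this example and are not real Uber data.
SAMPLE_LOG = """\
2022-09-14T02:10:05Z,contractor1,mfa_push,denied,203.0.113.9
2022-09-14T02:10:40Z,contractor1,mfa_push,denied,203.0.113.9
2022-09-14T02:11:12Z,contractor1,mfa_push,denied,203.0.113.9
2022-09-14T02:12:01Z,contractor1,mfa_push,denied,203.0.113.9
2022-09-14T02:13:30Z,contractor1,mfa_push,approved,203.0.113.9
2022-09-14T09:00:00Z,alice,mfa_push,approved,198.51.100.4
2022-09-14T09:05:10Z,bob,mfa_push,denied,198.51.100.7
2022-09-14T09:05:55Z,bob,mfa_push,approved,198.51.100.7
"""

MIN_DENIALS = 3                 # assumed threshold: denials before the approval
WINDOW = timedelta(minutes=10)  # assumed window the prompts must fall within


def parse_log(text):
    """Parse the constructed CSV-style log into dicts with a datetime field."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, result, ip = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "result": result,
            "ip": ip,
        })
    return events


def detect_push_fatigue(events, min_denials=MIN_DENIALS, window=WINDOW):
    """Return one alert per approval that follows at least `min_denials`
    denied push prompts for the same user inside `window`."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "mfa_push":
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, pushes in by_user.items():
        for i, ev in enumerate(pushes):
            if ev["result"] != "approved":
                continue
            # Count denied prompts in the window leading up to this approval.
            start = ev["ts"] - window
            denials = [p for p in pushes[:i]
                       if p["result"] == "denied" and p["ts"] >= start]
            if len(denials) >= min_denials:
                alerts.append({
                    "user": user,
                    "approved_at": ev["ts"].isoformat(),
                    "denials_before_approval": len(denials),
                    "source_ips": sorted({p["ip"] for p in denials + [ev]}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample lines, only `contractor1` is flagged: four denials in under four minutes followed by an approval from the same source address. `bob` denies once and then approves, which is the ordinary "pressed the wrong button" case and stays below the threshold. The alert carries the source addresses so an analyst can check whether the prompts came from somewhere the user would not normally sign in from.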
From there, the attacker found admin account details on an internal network share, which they used to gain a higher level of permissions and access to a number of company tools. These included Slack, the company's communication tool, where the attacker posted a message announcing that they had hacked Uber and stolen confidential data.
What was the risk to Uber?
The attacker had high-level permissions within internal systems, and given enough time they could have gained access to sensitive user or employee information. Even without the loss of data, this attack will cost Uber a large amount of money for the time spent investigating the incident and the downtime of internal systems.
What can we learn from this incident?
If you receive a two-factor authentication login request you do not recognise, or are receiving multiple requests you have not initiated, you should always reset your password to a completely new one.
Secure storage of credentials is a must! Most password managers use encryption to store credentials, but you need to avoid storing them in plain text in a spreadsheet, for example.
Companies also need to enforce better policies and provide regular training so that employees know how to handle two-factor authentication and passwords. Training can be provided in many ways, and if you need any support with training, our team at the North West Cyber Resilience Centre can provide it as a service.