Controversial ride-sharing service Uber is investigating a major cyber security breach that has forced it to take a number of critical systems offline following an alleged social engineering attack on an employee by an apparent teenage hacktivist.
The incident came to light late on Thursday 15 September when according to the New York Times, which was first to report the story, an individual claiming responsibility for the attack shared screengrabs of various compromised Uber resources with the newspaper, and with security researchers.
Uber’s communications team confirmed the breach via Twitter at 2:25am BST on Friday 16 September. They said: “We are currently responding to a cyber security incident. We are in touch with law enforcement and will post additional updates here as they become available.”
Uber had not provided any additional comment on the incident at the time of writing.
Sam Curry, a security engineer at Yuga Labs, who was among those to be contacted by the hacker, described a “total compromise” to the NYT and said the attacker appeared to have access to the majority of its systems.
The NYT additionally revealed that the attacker had told its reporters they had compromised Uber after successfully breaching an employee’s network access by sending them text messages posing as an internal IT admin to obtain their credentials.
From there, they appear to have been able to establish persistence and gain access to the majority of Uber’s internal resources after scanning the company’s network and finding a PowerShell script that contained privileged credentials for an admin user of Thycotic, a provider of privileged access management (PAM) solutions. These credentials gave the attacker further access to multiple services.
Among the systems claimed to be compromised are Amazon Web Services, Duo, GSuite, OneLogin, Slack, VMware and Windows. Bleeping Computer additionally reported the attacker had accessed and taken data from Uber’s HackerOne bug bounty programme, which could be particularly dangerous for Uber if it contains undisclosed or unpatched vulnerabilities in its application.
The attacker went on to use Slack to send Uber employees a message listing the compromised resources and posted pornographic imagery on an intranet page. The attacker claimed to be 18 years old and testing their skills, and said they wanted Uber drivers to be better paid.
There is currently no information as to whether or not the attacker has access to Uber employee or customer data, although the possibility would seem very real. A 2016 data breach at Uber saw information on 57 million user accounts – 2.4 million in the UK – compromised. Uber was fined almost $150m for covering up this breach, and its then chief security officer, Joe Sullivan, is currently facing criminal charges over the incident.
The alleged involvement of a teenage hacktivist in the attack also calls to mind a number of more recent cyber attacks against tech companies perpetrated by the Lapsus$ group, which exploited failings in multifactor authentication (MFA) to compromise multiple victims in a remarkably similar fashion. Although there is no evidence to link the Uber incident to Lapsus$, a number of the gang’s members turned out to be teenage hackers, who were caught when they fell out with one another.
A study conducted for the upcoming International Cyber Expo in London found an increasing tendency for minors to get involved in cyber crime, a trend that may be in danger of being exacerbated by the cost-of-living crisis (a similar trend was observed linked to mass furloughs and lay-offs during the Covid-19 pandemic). The study suggests 40% of parents are worried to some degree that their children may turn to cyber crime.
Simon Newman, an advisory council member for International Cyber Expo and CEO of the Cyber Resilience Centre for London, said: “With hacking tools becoming increasingly accessible and affordable on the internet, we have witnessed a rise in ‘script kiddies’ – inexperienced hackers who carry out cyber attacks.
“While ‘kiddies’ do not necessarily refer to the hacker’s age so much as their experience, many have been found to be teenagers. In fact, in the UK, the average age of a referral to the National Cyber Crime Unit is just 15 years old.
“Although law enforcement agencies are working hard to take down the websites and forums that promote hacking, the results of this survey also demonstrate a need for parents/guardians to take an active interest in what their children are doing online to prevent them from falling on the wrong side of the law,” said Newman.