On Thursday 15th September, Uber employees saw a strange post on their internal Slack messenger that opened with, ‘I announce I am a hacker and Uber has suffered a data breach.’ Initially some laughed it off, then the hacker started sharing screenshots with media outlets and security researchers, proving he had gained access to cloud-based systems where Uber keeps its source code, financial data, and customer data.
The hack is believed to have been carried out by a lone actor who self-identified as an 18 year old – with recent information suggesting he may have links to the Lapsus$ group. At present it’s not clear exactly how long the hacker was in Uber’s systems for or whether they stole any data. He claimed not to be interested in anything other than publicity, and doesn’t appear to have caused any damage.
Uber said in a statement that everything is now operational again and claim the hacker did not steal sensitive data or harm their critical systems. It could have been a lot worse and serves as a timely warning to other organizations about the risks of social engineering attacks.
The scenario seems to have played out like this. The hacker got hold of an Uber contractor’s login credentials (Uber claim they were purchased on the dark web following malware infecting the contractor’s personal device). The hacker then attempted to bypass MFA authentication by bombarding the employee with push notifications, requesting they confirm a remote log-in to their account as legitimate. This didn’t work straight away, so the hacker messaged the employee via WhatsApp, impersonating an Uber worker from the IT department.
The employee believed it was a genuine urgent request and gave in – inadvertently giving the hacker an entry point onto Uber’s VPN. From there, the hacker was able to scan Uber’s intranet and locate admin credentials with more far-reaching powers. This gave them privileged access at the level of system administrator level, often referred to as ‘keys to the kingdom’. With that level of access, the hacker could have caused catastrophic damage if they had chosen to.
Power of social engineering
This breach has put the spotlight on social engineering, proving once again that the best route into an organization is often a human, rather than a piece of technology. There was no malicious software or spoofed website used in the Uber hack – it was simply one person tricking another into thinking they’re someone else.
It’s concerning that a major company can be breached in this manner. It doesn’t matter how good defenses, password policies, or encryption of stored data are when a human mistake can be such a weak link in the chain. This hack proves passwords are still a weak point that can be exploited with social engineering. It only takes one employee to share their details or lose them in a phishing attack, and a hacker has their route in.
Social engineering is popular, as hackers know humans are the weak link in the system – even tech-savvy professionals can be caught out, especially from more sophisticated attacks. But if a single person being tricked can lead to such a huge security incident, the fault is arguably with the company, not the employee.
It’s important organizations learn from their own (and others’) mistakes. Uber was also hacked in 2016, when attackers stole AWS login credentials and accessed the personal information of 57 million drivers and customers. Uber have not responded to questions asking whether stored data from the more recent breach was encrypted. More questions are bound to be raised about whether they learned their lesson from 2016.
A key point from the 2022 breach was how easily MFA was circumvented by the attacker. MFA offers an extra hurdle for attackers, but it can be worryingly easy for them to get around via social engineering. Organizations should consider bolstering their MFA processes with physical security keys or unshareable biometrics.
Another lesson to learn from this breach was the risk of leaving privileged account logins ‘lying around in the open’ and easily searchable for the attacker. These credentials were the reason it was so easy for the attacker to escalate the intrusion – and why it could have been far worse. Privileged access management (PAM) best practices should always be followed.
Can future social engineering attacks be prevented?
This hack highlighted the human risks within a business. You can patch a software vulnerability but not a human. Security awareness training helps employees spot the signs of phishing emails and SMS messages. However, some attacks are targeted and highly sophisticated. People can always be caught out, especially if they’re rushing or working under pressure.
Training is just the start – on its own it still leaves too much pressure on the individuals themselves to detect and report attacks. As evidenced in the Uber breach, it’s a huge risk to leave so much responsibility for stopping cyber attacks on the shoulders of individual employees. Especially in this case where it was a contractor working from a personal device.
Organizations need to support their people with defenses that can detect social engineering attacks in real time. Egress Intelligent Email Security uses social graphs, natural language processing, and machine learning to detect advanced phishing attacks that slip past secure email gateways and native cloud email security. Learn how Intelligent Email Security can protect and educate your people in real time.