Controversial ride-sharing service Uber is investigating a significant cyber security breach that has forced it to take a number of critical systems offline following an alleged social engineering attack on an employee by an apparent teenage hacktivist.
The incident came to light late on Thursday 15 September when, according to the New York Times, which was first to report the story, a person claiming responsibility for the attack shared screengrabs of various compromised Uber resources with the newspaper, and with security researchers.
Uber’s communications team confirmed the breach via Twitter at 2:25am BST on Friday 16 September. They said: “We’re currently responding to a cyber security incident. We’re in touch with law enforcement and will post additional updates here as they become available.”
Uber had not provided any further comment on the incident at the time of writing.
Sam Curry, a security engineer at Yuga Labs, who was among those to be contacted by the hacker, described a “complete compromise” to the NYT and said the attacker appeared to have access to the majority of its systems.
The NYT additionally revealed that the attacker had told its reporters they had compromised Uber after successfully breaching an employee’s network access by sending them text messages posing as an internal IT admin to obtain their credentials.
From there, they appear to have been able to establish persistence and gain access to the majority of Uber’s internal resources after scanning the company’s network and finding a PowerShell script that contained privileged credentials for an admin user of Thycotic, a supplier of privileged access management (PAM) solutions. These credentials gave the attacker further access to multiple services.
Among the systems claimed to be compromised are Amazon Web Services, Duo, GSuite, OneLogin, Slack, VMware and Windows. Bleeping Computer additionally reported the attacker had accessed and taken data from Uber’s HackerOne bug bounty programme, which could be particularly dangerous for Uber if it contains undisclosed or unpatched vulnerabilities in its application.
The attacker went on to use Slack to send Uber employees a message listing the compromised resources and posted pornographic imagery on an intranet page. The attacker claimed to be 18 years old and testing their skills, and said they wanted Uber drivers to be better paid.
There is currently no information as to whether or not the attacker has access to Uber employee or customer data, although the possibility would seem very real. A 2016 data breach at Uber saw information on 57 million user accounts – 2.4 million in the UK – compromised. Uber was fined almost $150m for covering up this breach, and its then chief security officer, Joe Sullivan, is currently facing criminal charges over the incident.
The alleged involvement of a teenage hacktivist in the attack also calls to mind a number of recent cyber attacks against tech companies perpetrated by the Lapsus$ group, which exploited failings in multifactor authentication (MFA) to compromise multiple victims in a remarkably similar fashion. Although there is no evidence to link the Uber incident to Lapsus$, a number of the gang’s members turned out to be teenage hackers, who were caught after they fell out with one another.
A study conducted for the upcoming International Cyber Expo in London found an increasing tendency for minors to get involved in cyber crime, a trend that may be in danger of being exacerbated by the cost-of-living crisis (a similar trend was observed linked to mass furloughs and lay-offs during the Covid-19 pandemic). The study suggests 40% of parents are worried to some degree that their children may turn to cyber crime.
Simon Newman, an advisory council member for International Cyber Expo and CEO of the Cyber Resilience Centre for London, said: “With hacking tools becoming increasingly accessible and affordable on the internet, we have witnessed a rise in ‘script kiddies’ – inexperienced hackers who carry out cyber attacks.
“While ‘kiddies’ don’t necessarily refer to the hacker’s age so much as their experience, many have been found to be youngsters. In fact, in the UK, the average age of a referral to the National Cyber Crime Unit is just 15 years old.
“Although law enforcement agencies are working hard to take down the websites and forums that promote hacking, the results of this survey also reveal a need for parents/guardians to take an active interest in what their children are doing online to prevent them from falling on the wrong side of the law,” said Newman.