Uber Victimized by Social Engineering for its Monkey Business Practices

Editor Desk: Said El Mansour Cherkaoui – 14/9/2022

Compilation from LinkedIn and other sources:


Today, 9/20/2022, Uber is accusing the Lapsus$ hacking group of being responsible for its failure to protect its computer network against the external breach in which a hacker broke into its internal systems last week.

  • Lapsus$ has been linked to a number of recent hacking incidents, including a ransomware attack that compromised COVID-19 vaccination data in Brazil and a cyberattack on Cisco.
  • Uber was hit by a data breach in 2016 that affected about 57 million records, but only disclosed the breach a year later.

Big (unfortunate) news out of Uber yesterday [9/16/2022] – a major data breach.

The culprit? A hacktivist motivated by Uber’s poor employment practices with respect to its “contractor” employees.

Hackers can be classified into different categories such as white hat, black hat, and grey hat, based on their intent of hacking a system. These different terms come from old Spaghetti Westerns, where the bad guy wears a black cowboy hat and the good guy wears a white hat.

Uber X-Files: Stop the Monkey Business

“Uber You Are Driving Us to Poverty”

Before the company’s initial public offering on Friday May 10, 2019, Uber drivers in at least 10 U.S. cities, including Chicago, Los Angeles, New York City, and San Francisco, will halt business and strike for up to 24 hours today.

The workers will demand, in part, better wages, basic benefits, and an end to exploitative pay policies from Uber and Lyft, ride-hailing mammoths valued at billions of dollars each.

The San Francisco protest will involve more than 200 drivers from both companies, who will gather outside of Uber’s headquarters at noon. Drivers will turn off their apps for 12 hours.

“[A]s we aim to reduce driver incentives to improve our financial performance, we expect driver dissatisfaction will generally increase,” noted the company’s recent S-1 filing.

The Real Face of Uber Alles: Get more of Shenanigans from your ride

Uber, whose IPO is estimated to run upward of $90 billion, has approximately 3 million drivers in 65 countries. However, Uber willfully admitted that the company lowered fares and bonuses for drivers in an effort to remain profitable.

“Drivers are workers and we deserve a fair share of the millions that we make for Uber and Lyft each year,” said Uber driver Mostafa Maklad in a written statement. “We are all driving to survive, but we work for a company that makes us fend for ourselves when times are tough. Uber and Lyft can choose to change; a living wage, healthcare, paid time off and worker protections aren’t too much to ask from companies potentially worth more than $100 billion.”

More news is starting to come out on the alleged Uber hack yesterday, and it’s looking serious.

The hacker confirmed their approach on Telegram:
1. Social engineered an employee
2. Logged into the VPN
3. Scanned Uber intranet
4. Found a PowerShell script that contained the username and password for an admin user in Uber’s PAM solution
5. Using this he was able to extract secrets for all services, DUO (MFA), AWS, GSuite, EDR, finance systems, etc.
6. He then posted screenshots of Uber’s AWS instance, HackerOne administration panel, finance reports, and EDR panel.

Uber had 2FA implemented, but the hacker bypassed it using Evilginx and a man-in-the-middle attack. Had Uber’s 2FA integrated ‘phishing-resistant’ forms, this attack tree could have been avoided.

This is a clear use case for hardening and configuring your security controls to ensure the most likely threats are mitigated. Always keep threat modeling, and keep optimising your security controls.

Uber is dealing with a live cyber incident: the attacker allegedly has admin control of Amazon and Google cloud infrastructure, as well as access to Uber’s HackerOne reports.


“The person who claimed responsibility for the hack told The New York Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems, a technique known as social engineering.”

Nothing more elaborate than a social-engineering attack over text message. The attacker pretended to be corporate IT, and messaged a (cybersecurity unaware) user to get their password. Little to no technical hacking skill required. [Edited to elaborate: Some more detail has come out from the attacker – the primary source: the attacker spammed the user with MFA push authorization requests, and then messaged them via WhatsApp claiming to be IT, saying that the user had to accept the MFA prompt for the spamming to stop. The user accepted, and the attacker got in.]
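The push-spamming pattern described above can be caught in MFA logs before or at the moment the user gives in. The following is an added example, not code from any of the quoted sources; the log line format, user names, thresholds and events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, user, factor, result.
SAMPLE_LOG = """\
2024-01-10T22:01:05 alice push denied
2024-01-10T22:01:50 alice push timeout
2024-01-10T22:02:10 bob push denied
2024-01-10T22:02:31 alice push denied
2024-01-10T22:02:40 bob push approved
2024-01-10T22:03:12 alice push timeout
2024-01-10T22:03:55 alice push denied
2024-01-10T22:06:20 alice push approved
2024-01-10T23:15:00 carol push approved
"""

def parse(log):
    """Yield (timestamp, user, factor, result) tuples from the assumed line format."""
    for line in log.strip().splitlines():
        ts, user, factor, result = line.split()
        yield datetime.fromisoformat(ts), user, factor, result

def detect_push_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Alert on a burst of unapproved pushes, and again if one is then approved."""
    recent = defaultdict(deque)  # user -> times of denied/timed-out pushes in window
    alerts = []
    for ts, user, factor, result in sorted(events):
        if factor != "push":
            continue
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:  # fire when the burst reaches the threshold
                alerts.append((user, ts.isoformat(), "push_burst"))
        elif result == "approved":
            if len(q) >= threshold:  # approval right after a burst: user gave in
                alerts.append((user, ts.isoformat(), "approved_after_burst"))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(parse(SAMPLE_LOG)):
        print(alert)
```

A single mistaken denial followed by an approval (bob) stays quiet; only the approval that follows a burst is escalated, and that session is the one to revoke.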

After a successful social engineering attack at Uber, a hacker was able to gain VPN access. The attacker scanned the network, finding a file share containing PowerShell scripts. One of the scripts included a hardcoded password vault administrator credential. Using this credential, the attacker now had access to all keys and credentials in the organization, including Google Cloud, AWS, HackerOne, Slack, SentinelOne, and internal financial software.
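Hardcoded credentials like the one described above can be found by auditing script shares before an intruder does. This is an added example, not code from any of the quoted sources: the rules are heuristics, and the sample script, its values and the `Connect-Vault` command are hypothetical.

```python
import re
from pathlib import Path

# Heuristic rules; each matches a quoted literal, never a $variable or a prompt.
RULES = {
    "secret-variable-literal": re.compile(
        r"""\$\w*(pass(word|wd)?|secret|token|apikey)\w*\s*=\s*["'][^"'$]+["']""", re.I),
    "securestring-from-plaintext": re.compile(
        r"""ConvertTo-SecureString\s+(-String\s+)?["'][^"'$]+["'].*-AsPlainText""", re.I),
    "password-parameter-literal": re.compile(
        r"""-Password\s+["'][^"'$]+["']""", re.I),
}

# Constructed sample script; Connect-Vault and every value are hypothetical.
SAMPLE_SCRIPT = r'''# nightly vault sync (constructed sample)
$vaultUser = "svc-pam-admin"
$vaultPassword = "Example-Only-Pa55!"
$secure = ConvertTo-SecureString "Example-Only-Pa55!" -AsPlainText -Force
$cred = Get-Credential
$dbPassword = $env:DB_PASSWORD
$prompted = Read-Host -AsSecureString "Password"
Connect-Vault -User $vaultUser -Password "Example-Only-Pa55!"
'''

def scan_script(text):
    """Return (line_number, rule) pairs; the secret itself is never echoed."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip full-line comments
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((number, rule))
    return findings

def scan_tree(root):
    """Scan every .ps1 file under root (for example a mounted file share)."""
    results = []
    for path in sorted(Path(root).rglob("*.ps1")):
        # Assumes UTF-8 scripts; undecodable bytes are replaced, not fatal.
        text = path.read_text(encoding="utf-8", errors="replace")
        results.extend((str(path), n, rule) for n, rule in scan_script(text))
    return results

if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(finding)
```

Lines that read the secret from `Get-Credential`, an environment variable or `Read-Host` are not flagged, which is the direction a fix should take for every finding.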

This type of hack takes no special skills, experience, or prowess. This is a simple question sent to the right person who didn’t immediately find it odd. This is going to be a very expensive mistake for Uber.

First TikTok, then Zoom, and the Cisco hack from last month [August 2022], where an employee’s VPN credentials were compromised because the employee stored them in their Chrome browser and synced them to their Gmail account. This attack underscores one simple truth:

No amount of technology will solve the people problem in cybersecurity.

Cybersecurity is 3 things: people first, process second, and technology last.

Invest in cybersecurity awareness. Most attacks these days, outside of sophisticated APT attacks, rely on social engineering, because the defensive tech stack at enterprises tends to be robust and difficult to breach for the average attacker. The Uber attack could have been prevented with rudimentary employee awareness and an iota of vigilance! If only Uber spent as much on awareness as it does on SOC, SIEM, XDR, etc…

Nearly 87% of Canadian businesses have experienced at least one hacking incident in the last year, compared to only 69% in the USA, which is a bit mind-boggling. It’s not just the big companies being targeted, but you can bet Uber takes cyber security very seriously.

You can almost count on the fact that your company will be targeted at some point in the next 12 months. I received a phishing email in my first week with my new company, targeting a new employee who might not know any better. When was the last time your business did an audit or applied for cyber security coverage through insurance?
