On the morning of last Thursday, September 15, Lucas Ruiz woke up and did his usual morning routine, then made his daily commute to his Uber office in Santo Domingo, Province of Heredia, in northern Costa Rica.
Normally, his day would have gone by as usual, with the same problems and complaints he receives from clients every day.
But Lucas was about to face a sudden and very different kind of incident, one that would turn his day upside down, and even the day of the entire Uber company!
When Lucas opened Slack, the app that employees at the company use to communicate with one another, he found a message from an anonymous person that said: "I declare that I am a hacker and that Uber has had a data breach."
The message also listed a number of the company's databases and cloud services that the hacker claimed to have access to, and ended with the phrase "uberunderpaisdrives", meaning that Uber pays its drivers too little.
When the individual breached Uber, they sent a Slack notification to everyone informing them the company had been breached.
Employees thought it was a joke.
Photo via @ColtonSeal pic.twitter.com/tTTdPCTdV4
— vx-underground (@vxunderground) September 16, 2022
A teenager against Uber!
On the evening of the same day, Thursday, September 15, Uber confirmed that it was dealing with a "cybersecurity incident" and was contacting law enforcement to report the breach.
The New York Times first reported the matter, and noted that the hacker left a message on the Slack app, which the company uses for internal communication between employees, to announce himself.
We are currently responding to a cybersecurity incident.
We are in touch with law enforcement and will post additional updates here as they become available.
— Uber Comms (@Uber_Comms) September 16, 2022
In response, Uber temporarily turned off access to Slack and some other internal services, before restoring them, as it announced in an update released the next day.
In the same update, the company also stated that "there is no evidence that the breach involved access to sensitive user data such as their trip histories" (2), but it soon became clear that the problem was more complex than Uber claimed.
Over the following hours, the hacker shared screenshots with several security researchers on Twitter, and those screenshots indicated that Uber's internal systems may have been severely compromised, including access to the company's internal financial data.
Apparently, anything the hacker did not access was left untouched because of his limited time rather than because of the strength of the company's security defenses or the complexity of its data protection systems.
The hacker also posted messages on HackerOne, the bug-bounty platform that Uber and other companies use to manage vulnerability reports and reward the researchers who submit them.
In an interview with the Washington Post, the hacker declared that he had hacked Uber “for fun,” that he might leak the company’s source code within a few months, and that Uber’s cybersecurity is “very poor.”
(3) What stands out is that the hacker said he was working alone and was only 18 years old, and he boasted about explaining how he carried out the hack, saying he was not afraid of the authorities because he lives outside the United States.
How did that happen?
The hacker claimed that he was able to break into Uber's systems by targeting one of its employees: he sent the employee repeated multi-factor authentication (MFA) notifications asking him to approve a login.
After more than an hour, he contacted the employee directly on WhatsApp, pretending to work in Uber's IT department, and told him that the notifications would stop once he approved the login.
These attacks (4), known as "MFA fatigue", rely on social engineering: the attacker identifies people inside the company whose accounts can serve as a gateway, and exploits the fact that the account holder approves a login by accepting a notification sent to his device, rather than by other available means such as entering a randomly generated code.
You will have seen such notifications in an app such as Gmail on your phone: if you enable this feature and then try to access your account from another device, the app sends you a notification to approve, and you can then sign in on the other device.
Uber, what you need to know, the thread.
— Kevin Beaumont (@GossiTheDog) September 16, 2022
After several notifications, the victim gets tired and approves the login, after which the hacker can reach the company's VPN and whatever other systems he wants to target.
This type of attack has recently gained popularity among hackers; more generally, hackers have developed new methods to circumvent two-factor authentication, especially as its use spreads across companies and institutions.
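The pattern described above (a flood of unapproved push prompts to one account, followed by a single approval) is something a defender can look for in authentication logs. The following script is an added example and is not part of the original article or of Uber's tooling: it parses a constructed, hypothetical MFA push log format, counts unapproved prompts per user inside a sliding time window, and flags users whose prompt count crosses a threshold, noting whether an approval followed the flood. The log format, the ten-minute window and the threshold of five are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not real Uber data):
# one MFA push event per line.
SAMPLE_LOG = """\
2022-09-15T10:02:11Z user=alice event=mfa_push result=denied src=203.0.113.5
2022-09-15T10:02:40Z user=alice event=mfa_push result=timeout src=203.0.113.5
2022-09-15T10:03:05Z user=alice event=mfa_push result=denied src=203.0.113.5
2022-09-15T10:03:30Z user=alice event=mfa_push result=denied src=203.0.113.5
2022-09-15T10:04:02Z user=alice event=mfa_push result=timeout src=203.0.113.5
2022-09-15T10:04:29Z user=alice event=mfa_push result=denied src=203.0.113.5
2022-09-15T11:10:15Z user=alice event=mfa_push result=approved src=203.0.113.5
2022-09-15T10:05:00Z user=bob event=mfa_push result=approved src=198.51.100.7
2022-09-15T12:30:00Z user=bob event=mfa_push result=denied src=198.51.100.7
2022-09-15T13:30:00Z user=bob event=mfa_push result=approved src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "result": m["result"],
        "src": m["src"],
    }


def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {user: alert} for users who received at least `threshold` unapproved
    push prompts within `window`. The alert records the densest burst found and
    whether an approval followed it, which is the MFA-fatigue success case."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev["user"]].append(ev)

    alerts = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        unapproved = [e for e in evs if e["result"] in ("denied", "timeout")]
        start, best = 0, None
        # Sliding window over the unapproved prompts, oldest to newest.
        for end in range(len(unapproved)):
            while unapproved[end]["ts"] - unapproved[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "count": count,
                    "first": unapproved[start]["ts"],
                    "last": unapproved[end]["ts"],
                }
        if best:
            approved_after = any(
                e["result"] == "approved" and e["ts"] > best["last"] for e in evs
            )
            alerts[user] = {**best, "approved_after_flood": approved_after}
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, alert)
```

In the sample, alice receives six unapproved prompts in under three minutes and then approves one about an hour later, so she is flagged with approved_after_flood set; bob's isolated denial never reaches the threshold. A real deployment would feed this from the identity provider's audit log and treat a flagged user's later sessions as suspect until the user confirms the approval was intentional.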
Once the hacker had gained initial access to the company's internal systems, he was able to reach very sensitive and important resources, including scripts written for PowerShell, Microsoft's automation and management tool. PowerShell is a shell similar to the Windows Command Prompt but considerably more capable, with more than 130 standard commands for various system functions; system administrators commonly use it to perform tasks on the operating systems of their own devices and of the devices they manage remotely.
In the Uber case, one PowerShell script contained encrypted login credentials for an administrator account in Thycotic, the privileged access management system used to protect the company's sensitive login data.
By taking control of that account, the hacker gained access to the company's cloud services, including the control panels for Amazon Web Services (AWS), Google's corporate G Suite and the identity and access management service OneLogin, along with other sensitive information such as the company's internal financial statements.
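A script on a file share that embeds a privileged account's credentials is exactly what a routine secret scan over the share is meant to catch before anyone else finds it. The following scanner is an added example, not code from the article or from Uber; it runs a small set of regular-expression rules over PowerShell scripts (a constructed, hypothetical sample script is embedded below) and reports the file, line and rule for each hit with the literal value redacted, so the alert itself does not leak the secret. The rule set, file extensions and sample script are assumptions for the example; a production scanner would carry many more rules and entropy checks.

```python
import os
import re

# Constructed sample script (hypothetical, not a real Uber script).
SAMPLE_SCRIPT = r'''
# nightly-sync.ps1 (constructed example)
$pamUser = "svc-pam-admin"
$pamPass = ConvertTo-SecureString "Sup3rSecret!2022" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $pamPass)
Invoke-RestMethod -Uri "https://pam.example.internal/api/secrets" -Credential $cred
$dbPassword = "hunter2"
$apiKey = $env:SYNC_API_KEY   # read from the environment, so not flagged
'''

# Each rule: (name, pattern). Patterns target the common ways credentials end up
# hard-coded in PowerShell; they are illustrative, not exhaustive.
RULES = [
    ("plaintext-password-assignment",
     re.compile(r'\$\w*(pass|passwd|password|pwd|secret|token|apikey)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    ("convertto-securestring-literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    ("inline-password-parameter",
     re.compile(r'-(Password|Pass|Secret|Token|ApiKey)\s+["\'][^"\']+["\']', re.I)),
    ("basic-auth-header",
     re.compile(r'Basic\s+[A-Za-z0-9+/=]{16,}')),
]


def redact(line):
    """Replace every quoted literal so the finding can be reviewed without copying the secret."""
    return re.sub(r'(["\'])[^"\']+\1', r'\1<redacted>\1', line)


def scan_script_text(name, text):
    """Scan one script's text; at most one finding per line (first matching rule wins)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append({
                    "file": name,
                    "line": lineno,
                    "rule": rule,
                    "snippet": redact(line.strip()),
                })
                break
    return findings


def scan_directory(root, extensions=(".ps1", ".psm1")):
    """Walk a directory tree (for example a mounted file share) and scan every script found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(extensions):
                path = os.path.join(dirpath, fn)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_script_text(path, fh.read()))
    return findings


if __name__ == "__main__":
    for f in scan_script_text("nightly-sync.ps1", SAMPLE_SCRIPT):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['snippet']}")
```

Run against the sample, the scanner flags the ConvertTo-SecureString literal on line 4 and the plain password assignment on line 7, while the line that reads the API key from the environment passes. The same scan_directory call, pointed at a mounted share, is the kind of check that would have surfaced the script described in the article long before the breach.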
Apparently there was an internal network share that contained powershell scripts…
"One of the powershell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite" pic.twitter.com/FhszpxxUEW
— Corben Leo (@hacker_) September 16, 2022
After all this leaked data, and the huge scale of the breach, Uber claims that there is no evidence of access to sensitive user data, and the question remains: How can we believe such a claim?
Especially since Uber in particular has a history of wide-ranging sensitive data breaches involving drivers and customers.
Not the first time!
The main problem here is the extent of the breach, about which the company was not transparent in the first place; this has led some cybersecurity experts to point out that, given its extent, the hacker could have had access to users' data (6).
Some of the leaked screenshots did show limited access to some customer information.
But that alone does not mean much, because what really matters is how much data the hacker was able to access, and unfortunately that amount is still unknown.
This incident calls to mind the massive data leak that happened to Uber in 2016, in which hackers managed to steal personal data from the accounts of 57 million customers and drivers, and demanded the company pay a ransom of $100,000 to get rid of their copy of that sensitive data.
In the end, Uber agreed to pay the ransom, but hid the incident completely for more than a year.
Then, in 2017, the company ousted its top information security executive, Joe Sullivan, for his role in concealing the data leak.
The company said at the time that the data that was leaked included the names, email addresses and phone numbers of 50 million customers around the world, as well as the personal information of about 7 million drivers, and confirmed at the time that it did not include numbers, credit card information, trip details, location or other data.
So the possibility of a customer data leak is very real, but if the hacker is, as he claims, an 18-year-old, the sheer volume of data will be an obstacle for him, or so everyone hopes!
Well, let's now turn to the big picture of the event: why do big tech companies look so vulnerable to hacks?
The answer is that while technology companies are famous for hiring the best and brightest technical minds in most fields, that expertise is usually directed at building new products rather than protecting them.
The Uber incident came just two days after Twitter's former chief security officer, Peiter Zatko, testified at a US Senate hearing that the company had severe shortcomings in a range of areas, including privacy and digital security, and that its executives preferred increasing profits over the security of users!
Peiter Zatko joined Twitter after the platform suffered the worst hack in its history in July 2020. In that attack, a 17-year-old from Florida convinced a Twitter employee that he was a co-worker, using the social engineering tactic mentioned above.
At that time, he was able to bypass the security systems of the platform and access a group of famous accounts such as former US President Barack Obama, current President Joe Biden, American billionaire Elon Musk, singer Kanye West, and others.
In March, Okta, a digital identity verification service, announced that it had encountered a security breach affecting 366 of its customers.
The company stated that the hackers, the group known as Lapsus$, gained access to the company's data through the laptop of one of its engineers.
(10) In the same month, Microsoft announced that it had been hacked by the same group, but the company stated that the hackers' access was limited and did not include any customer data.
This pattern of hacking and data leaks at the largest technology companies has become frequent recently, and the Uber incident will probably not be the last, especially as these companies focus on maximizing their profits at the expense of their protection systems, which leaves their defenses very fragile, even in the face of an angry 18-year-old.
Sources
1. Uber Investigating Breach of Its Computer Systems
2. Uber suffers computer system breach, alerts authorities
3. Don't Fall for MFA Fatigue or Next-Level Phishing Attacks
4. What is PowerShell?
5. Everything We Know About the Massive Uber Hack
6. Uber Paid Hackers to Delete Stolen Data on 57 Million People
7. Whistle-Blower Says Twitter 'Chose to Mislead' on Security Flaws
8. Twitter blames 'coordinated' attack on its systems for hack of Joe Biden, Barack Obama, Bill Gates and others
9. Updated Okta Statement on LAPSUS$
10. Microsoft confirms it was breached by hacker group