Uber Hacked – How did it happen, and what does it mean?
Yesterday news broke that Uber had experienced a cyber attack. You would be forgiven for thinking this breach was discovered by one of Uber’s extensive list of cybersecurity tools, or by one of its IT staff diligently poring over logs somewhere in a back room. Instead, the breach only became apparent when the hacker boldly announced their presence on Uber’s internal corporate messaging platform with a simple but chilling statement:
“I announce I am a hacker and Uber has suffered a data breach”
What has left many in the industry scratching their heads is that this brazen attack was not carried out by a nation-state nor a financially backed threat actor, but rather by one 18-year-old man.
So what happened?
One of the interesting aspects of this breach is the openness with which the hacker has been sharing how they managed to access Uber’s systems.
In brief, it appears they were able to compromise a single user’s credentials (how they were able to bypass Uber’s Duo Multi-Factor Authentication is yet to be determined) and, with those, connect to Uber’s network using a VPN. With the VPN established, it was a simple matter of snooping around the network until they found a script file that contained an administrative username and password for Uber’s internal password management app. Ironically, it is believed this script file was part of an automation suite designed to help remediate cyber breaches.
With the proverbial “keys to the kingdom” in hand, he was able to obtain credentials and encryption keys for all of Uber’s corporate systems. So far he has shown evidence of administrative access to Uber’s Google Drive storage account containing over 1PB (petabyte) of internal data, their Amazon Web Services (AWS) cloud account, an internal VMware virtualisation platform, Uber’s Salesforce CRM and even internal security platforms that are supposed to help prevent breaches just like this.
While it may take further days or weeks (or even longer) to fully understand the facts and ramifications of this breach, it is clear that nobody is completely safe when faced with a suitably motivated attacker. I have often said that Multi-Factor Authentication (MFA) reduces “drive-by” hacks by over 90%, but that isn’t what happened here.
This breach was not performed by someone sitting in an off-shore office trying their luck at a list of millions of usernames and passwords to see which ones let them in. This appears to be a targeted attack levelled at Uber specifically – and those are much more challenging to defend against.
While the details haven’t been confirmed, I would wager the initial point of entry – the “chink in the armour” if you will – was a simple phish of an Uber employee.
A seemingly innocent link, or an apparently legitimate phone call purporting to be from IT, was likely all it took for someone to let them in.
Certainly, some extremely critical technical errors were made within Uber’s network (including clear-text passwords within scripts is a MASSIVE no-no), but it all began with the compromise of a human being.
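That clear-text-password mistake is also one of the easiest to catch before an attacker does. As an added illustration (my own example, not code from Uber or anyone involved in the breach), here is a small Python scanner that flags assignment-style and URL-embedded passwords in a constructed automation script while ignoring environment-variable references and placeholders:

```python
import re
from dataclasses import dataclass
from typing import List

# Patterns that commonly indicate a hard-coded credential in shell/PowerShell/Python
# style scripts: "password=..." assignments and "scheme://user:password@host" URLs.
CREDENTIAL_PATTERNS = [
    ("assignment", re.compile(
        r"""(?i)(pass(word|wd)?|secret|api[_-]?key|token)\s*[:=]\s*["']?(?P<value>[^\s"']{6,})""")),
    ("url-credential", re.compile(
        r"""(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<value>[^@\s]+)@""")),
]

# Values that look like secrets but are not: env-var lookups and obvious placeholders.
SAFE_VALUE = re.compile(
    r"""(?i)^(\$\{?[a-z_][a-z0-9_]*\}?|\$env:\S+|os\.(environ|getenv)\S*|<[^>]+>|%[a-z_]+%|changeme|x{3,}|\*{3,})$""")

@dataclass
class Finding:
    line_no: int
    kind: str
    line: str

def scan_script(text: str) -> List[Finding]:
    """Return one Finding per non-comment line that appears to hold a clear-text credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are not live credentials
        for kind, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(stripped)
            if m and not SAFE_VALUE.match(m.group("value")):
                findings.append(Finding(line_no, kind, stripped))
                break  # one finding per line is enough for triage
    return findings

# Constructed sample of an incident-response helper script (not Uber's actual file).
SAMPLE_SCRIPT = """\
#!/bin/bash
# IR automation helper (constructed sample)
# password=this-comment-should-be-ignored
VAULT_URL="https://vault.internal.example/api"
VAULT_USER="ir-automation"
VAULT_PASSWORD="Sup3rS3cret!2022"
BACKUP_URL="https://backup-svc:Pa55w0rd@backup.internal.example/run"
curl -s -u "$VAULT_USER:$VAULT_PASSWORD" "$VAULT_URL/reset"
API_TOKEN="${IR_API_TOKEN}"
mysqldump --user=ir --password=Hunter2hunter2 inventory > /tmp/dump.sql
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f.line_no} [{f.kind}]: {f.line}")
```

Run it as a pre-commit hook or over a repository checkout; the sample flags lines 6, 7 and 10 and leaves the `${IR_API_TOKEN}` reference alone.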
Humans remain the weakest link in any cyber strategy and, aside perhaps from having Multi-Factor Authentication to prevent all those drive-by attacks, ensuring adequate training for staff is the most impactful security investment any organisation can make.
If you’d like to read more about the details of this breach, Microsoft Security Researcher Bill Demirkapi has a great “blow-by-blow” on Twitter.