How Uber’s IT Systems Were Hacked and What You Can Learn
On 15th September 2022, an 18-year-old hacker penetrated Uber’s systems by accessing the company’s third-party services. It has echoes of the SolarWinds hack of 2019, with a similar m.o. According to the media and Twitter, the young cybercriminal accessed Uber’s vulnerability report, Slack server, email dashboard, and internal systems. Screenshots circulating on social media, allegedly posted by the hacker, showed the teen had gained access to crucial Uber systems, including its Windows domain, security software, Amazon Web Services console, and its VMware ESXi virtual machines.
According to the story published by the NY Times, the hacker reached out to the news organisation, claiming he managed to complete the hack through a social engineering scam on an unsuspecting Uber employee. Using this strategy, the hacker accessed Uber’s HackerOne Bug Bounty program. This breach allowed the teen to view all the bug bounty tickets, giving them a complete overview of the security vulnerabilities in Uber’s systems.
A Timeline of the Uber Hack
16th September 2022 – Initiation
According to the NYT, the hacker was upfront about the methods used to penetrate Uber’s systems. Uber utilises push-notification MFA for its employees. It’s a common misconception that MFA (Multi-Factor Authentication) prevents social engineering hacks. The reality is MFA protects against hackers who have the mark’s credentials, but it’s vulnerable to man-in-the-middle (MiTM) attacks. The attacker set up a fake domain relaying Uber’s login page using tools like ‘Evilginx.’ It’s easy for a user to miss the difference in the domain name they are visiting, which sets the stage for the attack. After compromising the Uber employee, the hacker used the victim’s VPN access to penetrate the internal network. These internal systems are less evaluated and audited than Uber’s external infrastructure. The hacker found an internal network share containing scripts, giving them access to privileged employee credentials. As a result, the hacker gained access to Uber’s OneLogin, Duo, GSuite, and AWS environments.
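One way a defender can catch the look-alike login domain described above is to compare hostnames seen in proxy or DNS logs against the real SSO host. This is an added example, not code from the article or from Uber; the protected host `login.acme-corp.example`, the log format, and all function names are assumptions.

```python
# Added example. Every hostname and log line here is constructed.
PROTECTED = ["login.acme-corp.example"]  # assumed legitimate SSO host
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

def skeleton(host):
    """Lower-case the host and collapse look-alike character sequences."""
    host = host.lower().rstrip(".")
    for fake, real in HOMOGLYPHS:
        host = host.replace(fake, real)
    return host

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, max_distance=2):
    """Return 'legitimate', 'lookalike' or 'unrelated' for one hostname."""
    raw = host.lower().rstrip(".")
    if raw in PROTECTED:
        return "legitimate"
    skel = skeleton(raw)
    for good in map(skeleton, PROTECTED):
        # Homoglyph swap or small typo of the real host.
        if edit_distance(skel, good) <= max_distance:
            return "lookalike"
        # Real host embedded as a prefix or hyphenated label of another domain.
        if skel.startswith(good + ".") or good.replace(".", "-") in skel:
            return "lookalike"
    return "unrelated"

def scan(log_lines):
    """Yield (user, host) for proxy log lines whose host imitates PROTECTED."""
    for line in log_lines:
        _ts, user, host = line.split()
        if classify(host) == "lookalike":
            yield user, host

SAMPLE_LOG = [  # constructed proxy log: timestamp user host
    "2022-09-15T10:01:07Z alice login.acme-corp.example",
    "2022-09-15T10:02:11Z bob login.acrne-corp.example",
    "2022-09-15T10:03:40Z carol login.acme-corp.example.sso-verify.test",
    "2022-09-15T10:04:02Z dave mail.other-vendor.example",
]
```

Matches are leads for review rather than verdicts: adjust `max_distance` and extend `HOMOGLYPHS` to fit the organisation's own domain names.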
16th September 2022 – The Aftermath
The following day, Uber released this statement via Twitter: “We have no evidence that the incident involved access to sensitive user data (like trip history). All our services, including Uber, Uber Eats, Uber Freight, and the Uber Driver app, are operational.” The hacker supposedly downloaded the vulnerability reports before losing access to the Uber bug bounty program. These reports have all the information the attacker needs to leverage the security risks in Uber’s systems.
What Can We Learn from the Uber Hack?
The lesson in this hack is clear. Even the employees of Fortune 500 companies can fall victim to social engineering scams, creating vulnerabilities in company security. These social engineering hacks can target anyone in the organization, not just the IT team. Even non-technical employees can give up information and data that is useful to hackers. The reality is no organization is safe from cybercrime. Companies can only safeguard themselves against these problems by working with the right security team. You need an IT team to monitor your network security in real time if you want to mitigate the risks of hacks.