Uber “responding to a cybersecurity incident” after hacker claims to have breached several systems
Uber has launched an investigation after a hacker claimed to have breached many of the ride sharing giant’s systems.
Uber has not shared any information, but it has confirmed that it’s responding to a cybersecurity incident. The company says law enforcement has been notified and it has promised to share updates on Twitter.
One individual has taken credit for the attack. He has posted several screenshots and talked to members of the cybersecurity community and the media to demonstrate his claims. Some Uber employees have also apparently confirmed that the company’s systems have been breached.
The hacker told The New York Times he is 18 years old and that he used SMS phishing to trick an Uber employee into handing over their credentials. He said he has been working on his cybersecurity skills for years.
Researcher Corben Leo reported that after obtaining the employee’s credentials, the hacker allegedly logged into the company’s VPN and scanned its intranet, where he found a network share containing PowerShell scripts. One of these scripts contained admin user credentials for a privilege access management service that enabled him to obtain ‘secrets for all services’, including cloud and identity services, the hacker said.
Vx-underground, which provides malware samples and other resources, said the hacker has posted screenshots apparently showing that he gained access to AWS instances, an internal tool showing financial information, a vSphere instance, a Google Workplace account, a cybersecurity product dashboard, and even one of Uber’s accounts on the HackerOne bug bounty platform.
HackerOne has temporarily disabled the Uber program and is assisting the company. Researcher Sam Curry reported that the hacker commented on every vulnerability report on HackerOne, claiming to have breached many of the ride sharing company’s systems. There is some concern that the attacker downloaded reports for unpatched and undisclosed vulnerabilities.
Curry said he learned from an Uber employee that the attacker also gained access to Slack and that employees were redirected to pornographic content when trying to access websites. The hacker started writing messages on Slack, telling employees that Uber has been hacked, but some staff thought it was a joke, even after they were instructed to stop using Slack.
This is not the first time Uber has been breached. In 2016, the details of 57 million riders and drivers were taken from the company’s systems by two individuals living in the United States and Canada.
The company recently reached a settlement with federal investigators over its efforts to cover up the 2016 breach, but Uber’s then-CSO, Joe Sullivan, is facing a trial over his alleged role in the cover-up, which included paying the attackers $100,000 through its bug bounty program to destroy the stolen data and make it look like the breach had a smaller impact.
Related: Twilio, Cloudflare Attacked in Campaign That Hit Over 130 Organizations