Uber hack update: Initial analysis suggests contractor creds bought on dark web

“We’ve not seen the attacker accessed the production systems.”

Last week’s Uber hack started with a contractor’s Uber login details being bought on the “dark web”, the company says, as it blames cybercrime group Lapsus$ for the attack, and claims no user data was breached.

The claim comes a week after incident response firm CrowdStrike said malware use was plummeting because valid user credentials, which give an attacker an initial foothold in a network, had become so easy to buy on cybercrime forums.

The Uber hack update, posted late UK time on 19 September, also said, however, that the contractor’s personal device had been infected with malware, exposing their Uber credentials. The company also confirmed the contractor was subjected to MFA push spamming: repeated authentication prompts pushed to their device until they finally gave in and accepted one.

See: Uber hacker claims access to its internal AWS, SentinelOne, VMware

“From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites,” said the Uber hack update post.

The latter part of the quote above seemingly confirms the report from an anonymous Uber employee, quoted by Yuga Labs’ Sam Curry, saying any attempt to load a website instead brought up “a pornographic image and the message ‘F*** you wankers.’”

https://twitter.com/NuclearTux/status/1571865633259753472

But while initial reporting of the hack suggested the attackers gained access to significant swathes of Uber’s IT infrastructure, the company said it had found no evidence that anything significant had been accessed.

“We’ve not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history,” said Uber.

“We reviewed our codebase and have not found that the attacker made any changes. We also have not found that the attacker accessed any customer or user data stored by our cloud providers (e.g. AWS S3).”

Uber said an internal system used to “manage some invoices” was breached, with the attacker exfiltrating data from the system. The company said it was “analysing” the stolen data.


The Uber hack update did confirm its Slack and HackerOne environments had been breached, as widely reported.

In the case of the latter, it said all bug reports the hacker could have accessed had been remediated.

Uber’s confirmation that the breach started with stolen credentials underlines the trend researchers have been seeing: initial access increasingly comes from bought or stolen credentials rather than from a malware-driven intrusion, even where, as here, an infostealer on a personal device is what harvested them. Given the growing spread of compromised credentials, and the systemic weakness of push-approval MFA, which an attacker holding a valid password can defeat simply by prompting the user until they accept, the time is ripe for a new approach to trust and authentication.
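The push-spamming sequence described above (repeated prompts, repeated rejections, eventual acceptance) leaves a distinctive pattern in identity-provider logs, and detecting it is one of the cheaper defences while a stronger factor is rolled out. The following is an added example, not code from the article or from Uber: it runs a simple push-fatigue detector over constructed sample log lines. The line format, field names, 15-minute window and four-prompt threshold are assumptions chosen for the illustration; a real deployment would read the identity provider's own event schema and tune the thresholds to its baseline.

```python
"""Flag MFA push fatigue ("push spamming") in authentication logs.

Added illustration, not code from the article or from Uber. The log format,
field names, window and threshold are assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=15)  # per-user look-back window (assumed tuning value)
MIN_PROMPTS = 4                 # prompts inside WINDOW that count as a burst (assumed)
REJECTIONS = {"push_denied", "push_timeout"}

# Constructed sample log (not real data). One event per line, assumed format:
# <ISO-8601 UTC timestamp> <user> <event> <source IP>
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice push_sent 203.0.113.7
2022-09-15T22:01:33Z alice push_denied 203.0.113.7
2022-09-15T22:01:40Z alice push_sent 203.0.113.7
2022-09-15T22:02:40Z alice push_timeout 203.0.113.7
2022-09-15T22:02:45Z alice push_sent 203.0.113.7
2022-09-15T22:03:15Z alice push_denied 203.0.113.7
2022-09-15T22:03:20Z alice push_sent 203.0.113.7
2022-09-15T22:04:20Z alice push_timeout 203.0.113.7
2022-09-15T22:09:02Z alice push_sent 203.0.113.7
2022-09-15T22:09:20Z alice push_approved 203.0.113.7
2022-09-15T22:10:00Z bob push_sent 198.51.100.9
2022-09-15T22:10:12Z bob push_approved 198.51.100.9
2022-09-15T23:30:00Z carol push_sent 203.0.113.7
2022-09-15T23:30:30Z carol push_denied 203.0.113.7
2022-09-15T23:30:35Z carol push_sent 203.0.113.7
2022-09-15T23:31:05Z carol push_denied 203.0.113.7
2022-09-15T23:31:10Z carol push_sent 203.0.113.7
2022-09-15T23:31:40Z carol push_denied 203.0.113.7
2022-09-15T23:31:45Z carol push_sent 203.0.113.7
2022-09-15T23:32:15Z carol push_denied 203.0.113.7
"""


def parse_log(text):
    """Parse the assumed line format into (timestamp, user, event, ip), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, event, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_fatigue(events, window=WINDOW, min_prompts=MIN_PROMPTS):
    """Return one finding per burst of >= min_prompts pushes to a user inside window.

    kind is "approved_after_burst" when the user eventually accepted a prompt
    (the contractor scenario: they gave in) and "burst_without_approval" when
    the burst went quiet or the log ended with no acceptance. Either way the
    password is in someone else's hands and should be reset.
    """
    findings = []
    sent = defaultdict(deque)      # user -> push_sent timestamps inside window
    rejected = defaultdict(deque)  # user -> denied/timeout timestamps inside window
    burst = {}                     # user -> details of a burst still being tracked

    def close(user, kind, end=None):
        b = burst.pop(user)
        findings.append({"user": user, "ip": b["ip"], "kind": kind,
                         "prompts": b["prompts"], "rejected": b["rejected"],
                         "start": b["start"], "end": end or b["last"]})

    for when, user, event, ip in events:
        # Forget prompts and rejections that fell out of the window.
        for dq in (sent[user], rejected[user]):
            while dq and when - dq[0] > window:
                dq.popleft()
        # A tracked burst with no prompt left in the window ended without approval.
        if user in burst and not sent[user]:
            close(user, "burst_without_approval")

        if event == "push_sent":
            sent[user].append(when)
            if user in burst:
                burst[user]["prompts"] += 1
                burst[user]["last"] = when
            elif len(sent[user]) >= min_prompts:
                burst[user] = {"ip": ip, "start": sent[user][0], "last": when,
                               "prompts": len(sent[user]),
                               "rejected": len(rejected[user])}
        elif event in REJECTIONS:
            rejected[user].append(when)
            if user in burst:
                burst[user]["rejected"] += 1
        elif event == "push_approved" and user in burst:
            close(user, "approved_after_burst", end=when)

    for user in list(burst):          # bursts still open when the log ends
        close(user, "burst_without_approval")
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:<24} user={f['user']} ip={f['ip']} "
              f"prompts={f['prompts']} rejected={f['rejected']} "
              f"{f['start'].isoformat()} -> {f['end'].isoformat()}")
```

On the constructed log this reports alice (nine prompts, four rejections, then an approval from the same source IP) and carol (a burst that was never approved), and stays silent for bob, whose single prompt and approval is ordinary behaviour. The "burst_without_approval" case is worth acting on as well: a user who keeps rejecting prompts is telling you their password is already compromised.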

The company said it had identified the compromised employee accounts, "disabled many affected or potentially affected internal tools" (which, given that early screenshots showed access to most environments, must be a challenge for productivity), rotated keys for internal services, locked down its codebase and was "further strengthening our multi-factor authentication (MFA) policies" (without providing further details on what that means).