Date: 2022-09-18

Uber said late Thursday afternoon, September 15, 2022 (San Francisco, California time) that it contacted police after confirming that a hacker had apparently breached its network. Sam Curry, a security engineer at Yuga Labs, told The New York Times that, in an exchange of messages with the alleged hacker, he found that the hacker had full access to Uber’s systems. The hacker contacted the newspaper saying that he is 18 years old and has been working on his cybersecurity skills for several years. He also said that he hacked into Uber’s systems because the company had weak cybersecurity. In a post on the company’s Slack, the hacker also said that Uber drivers should be paid more.

On Friday the 16th, Uber’s shares fell 5.2% in pre-market trading on the New York Stock Exchange.

In a Telegram conversation with security researchers, the hacker said that the credentials he obtained gave him access to Uber’s intranet. There he found a network share containing some PowerShell scripts. One of them contained the username and password used to administer Thycotic, a privileged access management (PAM) platform. With that he extracted the secrets for all services: DA, DUO, Onelogin, AWS and GSuite.
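As an added illustration (not part of the original report, and not Uber's or any vendor's tooling), a defender can audit their own shares for the weakness described above, PowerShell scripts with embedded credentials, using a small heuristic scanner. The rule set, the sample script and every name in it are constructed assumptions.

```python
import re
from pathlib import Path

# Heuristic rules for credentials embedded in PowerShell source (not exhaustive).
RULES = {
    "plaintext SecureString": re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?['\"][^'\"$]+['\"].*-AsPlainText", re.I),
    "secret-like variable set to a literal": re.compile(
        r"\$\w*(?:pass(?:word|wd)?|pwd|secret|api_?key|token)\w*\s*=\s*['\"][^'\"$]{4,}['\"]", re.I),
    "net use with inline password": re.compile(
        r"\bnet\s+use\s+(?:\S+\s+)?\\\\\S+\s+(?![/*])\S+\s+/user:", re.I),
}
PS_SUFFIXES = {".ps1", ".psm1", ".psd1"}

def scan_text(text, name="<string>"):
    """Return (file, line number, rule) tuples; the matched value is never echoed."""
    return [(name, no, rule)
            for no, line in enumerate(text.splitlines(), 1)
            for rule, rx in RULES.items() if rx.search(line)]

def scan_tree(root):
    """Scan every PowerShell file under root (a mounted share or a checkout)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PS_SUFFIXES:
            # Assumes UTF-8 text; UTF-16 scripts need decoding first.
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += scan_text(text, str(path))
    return findings

# Constructed sample script: account name, host and password are made up.
SAMPLE = r'''$user = "svc-pam-admin"
$password = "Constructed-Example-1!"
$sec = ConvertTo-SecureString "Constructed-Example-1!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $sec)
$safe = Read-Host -AsSecureString "Password"
$token = $env:PAM_TOKEN
net use Z: \\fileserver\tools Constructed-Example-1! /user:CORP\svc-pam-admin
'''

if __name__ == "__main__":
    for name, no, rule in scan_text(SAMPLE, "deploy.ps1"):
        print(f"{name}:{no}: {rule}")
```

Lines 5 and 6 of the sample (an interactive prompt and an environment variable) are deliberately not flagged; any credential a scan like this does find should be rotated, not just removed from the file.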

Screenshot taken by Imran Parray

Systems engineer Imran Parray, CEO of Indian company Snapsec, posted a screenshot of a conversation with the hacker indicating that the hacker appears to have broken into the account of an Uber employee at HackerOne, which would have given him access to all of the company’s vulnerability reports.

Hacker talks to researcher and explains how he hacked

Because of the incident, several internal communication and engineering systems were shut down, the newspaper reported. The attacker compromised the security of internal systems, and sent screenshots of corporate email, cloud storage, and code repositories to cybersecurity researchers and the newspaper to prove the breach.

Since the incident was confirmed, Uber employees have been banned from using the internal messaging service Slack. At this time, Uber does not say when full access to the tools will be restored. Just before Slack was suspended, according to the NYT, employees received a message from the hacker stating that “Uber had a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.

According to an Uber spokesperson, the hacker broke into an employee’s Slack account and used it to send the message. It was later revealed that he had managed to gain access to other internal systems after posting a photo on the employee’s internal information page. The attacker who claimed responsibility for the hack told The New York Times that he obtained the password by sending a message to the Uber employee claiming he was a corporate IT expert, and so convinced the employee to provide his password, which allowed him access to systems. In an internal email, an Uber executive told employees that the attack was under investigation.

This isn’t the first time a hacker has stolen Uber data. In 2016, hackers stole information from 57 million Uber driver and passenger accounts and then contacted the company demanding $100,000 to erase their copy of the data. At the time, Uber executives – including the chief security officer – made a deal with the hackers to cover up the incident. However, the incident was discovered by newly arrived executives at the company and reported to authorities. The company’s former CISO is currently on trial for obstruction of justice and concealment of a crime.

Paolo Passeri, cyber intelligence lead at Netskope, commented that “social engineering is often a critical part of a cyber attack (…) Malicious actors regularly impersonate IT teams, CEOs and other trusted figures in efforts to use social engineering as a tool to gain access to corporate systems and data. The main message to employees should always be don’t trust anything”.

