Ride share service provider Uber investigates hack (Sept. 2022)

U.S. ride share service provider Uber appears to have been the victim of a hack, with an 18-year-old penetrating the provider's systems. Uber employees initially thought the whole thing was a joke. The hacker claims to have entered the Uber system "for fun", but then apparently found a PowerShell script on a share that contained administrator credentials. The hacker is now probably an administrator of Uber's IT systems.



So far there is only a short tweet from Uber stating the facts. It simply says that the company is "currently responding to a cybersecurity incident and are in contact with law enforcement."


Uber seems to have shut down some internal IT systems during the investigation, so the cybersecurity incident might be serious.

The Wall Street Journal (WSJ) reports that a hacker using the Telegram handle Tea Pot also gained control of Uber's account at HackerOne on Thursday. HackerOne brokers bug bounty programs between companies and security researchers. Through the Uber account, the hacker then posted screenshots purporting to prove that this individual had extensive access to a number of administrative accounts at Uber. Uber IT systems the hacker accessed as an administrator reportedly include Amazon Web Services and Google Cloud instances, as well as VMware systems. The WSJ quotes Robert Graham, a cybersecurity consultant, as saying that if the hacker's claims are true, the incident would represent a widespread compromise for the company.

Initial access via social engineering

Speaking to Sam Curry, a security engineer at Yuga Labs, the company behind Bored Ape Yacht Club, the Tea Pot hacker stated that an Uber employee was tricked into granting access to Uber's virtual private network. The Uber employee was led to believe that the person contacting them was a member of the company's IT department. Curry had access to a number of records of the hacker(s). In Uber's internal IT network, the hacker probably then came across the PowerShell script with the administrator credentials. That's according to a tweet linked by The Verge showing a Telegram session.



The PowerShell script contained the username and password of an administrator at Thycotic, a Privileged Access Management (PAM) solution. From then on, the attacker was able to obtain access data for other systems via this administrator's PAM account and had access to the crown jewels, so to speak – assuming all this is true. The Verge reports that the hacker introduced himself on Uber's internal Slack system with a post.

I'm announcing that I'm a hacker and Uber has suffered a data breach.

The alleged hacker (it could be a group of people) then listed confidential company data he claimed to have accessed and posted a hashtag saying that Uber pays its drivers too little. Uber employees thought this was a joke and responded with emojis such as popcorn or sirens.
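The weak point described above is a plaintext PAM administrator credential sitting in a PowerShell script on a file share. The following scanner is an added example for this article, not code from the post, from Uber or from Thycotic; it flags the usual ways a secret gets embedded literally in a .ps1 file (a password variable, ConvertTo-SecureString -AsPlainText, a -Password argument, user:pass@ in a URL) and reports findings with the secret masked. The sample script, all names in it and the hypothetical host names are constructed for the demonstration.

```python
"""Flag hard-coded credentials in PowerShell scripts before they reach a share.

Added example, not code from the blog post and not Uber's or Thycotic's tooling.
The sample script and every name in it are constructed for this demonstration.
"""
import re
from dataclasses import dataclass
from pathlib import Path

# Each pattern matches a construct that embeds a secret literally in the script.
PATTERNS = {
    "plaintext_password_variable": re.compile(
        r'\$\w*(?:pass(?:word|wd)?|pwd|secret)\w*\s*=\s*["\'][^"\']{4,}["\']', re.I),
    "securestring_from_plaintext": re.compile(
        r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I),
    "password_argument": re.compile(
        r'-(?:Password|Pass|Pwd|Secret|ApiKey|Token)\s+["\'][^"\']{4,}["\']', re.I),
    "credential_in_url": re.compile(r'https?://[^\s/:@"\']+:[^\s/@"\']+@', re.I),
}

# Cmdlets that obtain a secret at run time; a line using one of these is not a finding.
SAFE_SOURCES = re.compile(r'Read-Host|Get-Credential|Get-Secret|Get-AzKeyVaultSecret', re.I)


@dataclass
class Finding:
    file: str
    line_no: int
    kind: str
    redacted_line: str   # the offending line with secret literals masked


def redact(line: str) -> str:
    """Mask quoted literals and user:pass@ URL fragments so reports never leak the secret."""
    line = re.sub(r'://[^\s/:@"\']+:[^\s/@"\']+@', '://***:***@', line)
    return re.sub(r'(["\'])[^"\']*\1', r'\1***\1', line)


def scan_text(text: str, name: str = "<string>") -> list[Finding]:
    """Return one Finding per line that embeds a secret literally."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or SAFE_SOURCES.search(line):
            continue
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(name, line_no, kind, redact(stripped)))
                break   # one finding per line is enough for triage
    return findings


def scan_directory(root: Path) -> list[Finding]:
    """Walk a share or repository checkout and scan every PowerShell file."""
    findings = []
    for path in root.rglob("*"):
        if path.suffix.lower() in {".ps1", ".psm1", ".psd1"} and path.is_file():
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample: a deployment helper of the kind that ends up on a file share.
SAMPLE_SCRIPT = r'''# constructed sample: deployment helper left on a share
$user = "svc_pam_admin"
$password = "Winter2022!"   # literal secret in a variable
$sec = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $sec)
$vaultPw = Read-Host -AsSecureString "Vault password"   # prompted at run time, not flagged
Invoke-RestMethod -Uri "https://pam.example.invalid/api" -Credential $cred
$resp = Invoke-WebRequest "https://deploy:hunter2@repo.example.invalid/x"
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT, "deploy.ps1"):
        print(f"{f.file}:{f.line_no} {f.kind}: {f.redacted_line}")
```

Run `scan_directory(Path(r"\\fileserver\share"))` over a mounted share, or wire `scan_text` into a pre-commit hook for a script repository. Lines that prompt for a credential or pull it from a vault are deliberately skipped, because those are the patterns a script should be using instead.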

First hack back in 2016

The WSJ mentions that Uber was already affected by a data breach in 2016, when about 57 million records were accessed by unauthorized people. The accessed files contained the names, email addresses and phone numbers of millions of Uber drivers, as well as the data of about 600,000 driver's licenses. Uber only came clean about this incident a year later and announced the data breach. At the time, the company had paid the hackers $100,000.

A trial against Joseph Sullivan, a former Uber executive, has just begun in San Francisco. Sullivan is charged over his role in paying the hackers at the time. Back then it was also said that the hackers had discovered a security vulnerability in Uber's systems.



