Flash Brief: Uber Breach

ZeroFox Intelligence has observed the data breach concerning Uber and its customers and has released the following information as of September 16, 2022. The breach occurred as a result of a social engineering attack on an employee.

Key Findings

• Initial access to a breach disclosed by Uber on September 15, 2022, was gained through social engineering.
• Administrative credentials stored in a network-accessible script allowed the additional discovery of even more sensitive credentials.
• While the depth and breadth of the breach is yet to be determined, screenshots posted on social media indicate that the attacker may have had access to over 1 Petabyte of data.

Analyst Commentary

Uber notified the public of an ongoing cybersecurity incident late on September 15, 2022, via Twitter.¹ While Uber itself has not provided much detail, the alleged attacker appeared to share details and screenshots with those who reached out through Telegram.

According to the attacker, they began the attack by repeatedly sending multi-factor authentication (MFA) push requests to an employee’s phone. The attacker then pretended to be someone from Uber’s IT department and told the employee that, in order for the requests to stop, the employee needed to accept the request.

Once the attacker had access to MFA, they were able to log into Uber’s corporate VPN and begin scanning the internal network. This led to the discovery of a network share with PowerShell scripts that contained admin-level credentials. These credentials were then used to access Thycotic, a Privileged Account Management (PAM) solution, to extract credentials for Uber domain administrator accounts and several services such as AWS, Duo, Google Workspace, Onelogin, and VMware vSphere.

After gaining access to company services, the attacker posted a message to Uber employees via Slack.

Comments announcing the compromise were also posted using Uber’s official HackerOne account. Although a message on Uber’s HackerOne profile says that the account is currently disabled, there is still a chance that vulnerability reports have already been accessed. 

Several screenshots of the alleged access have begun circulating online showing administration panels for services like AWS, Google Workspace, SentinelOne, VMware vSphere, and even internal sites displaying financial data. If the screenshots are legitimate, the attacker may have had access to over 1 Petabyte of data.

Recommendations

Although the alleged attacker states that they repeatedly sent MFA requests to the Uber employee for over an hour, it was not until they reached out to the employee directly via WhatsApp posing as someone from IT that the request was finally accepted. ZeroFox recommends staying vigilant and denying MFA requests you did not specifically trigger through logging in or requesting device enrollment. These requests are typically immediate and should not randomly appear throughout the day. 

In addition, ZeroFox recommends taking similar precautions to mitigate the risk of phishing attacks when contacted outside official channels. Ask yourself: 

• Would IT usually reach out in this manner? 
• Is this request outside of typical working hours? 
• Is the request asking me to give my credentials or perform some sensitive action? 
• If anything seems suspicious, contact your IT department directly instead of responding to the message received.

^{1  hXXps://twitter[.]com/Uber_Comms/status/1570584747071639552}

Tags: Breaches, Flash Report, Threat Intelligence