Uber is tonight reeling from what looks like a substantial cybersecurity breach.
The food delivery and ride sharing disruptor has admitted that something is up, saying it is investigating the matter with the Feds:
We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
— Uber Comms (@Uber_Comms) September 16, 2022
No other details were shared.
Judging from screenshots leaked onto Twitter, though, an intruder has compromised Uber’s AWS cloud account and its resources at the administrative level; gained admin control over the corporate Slack workspace as well as its Google G Suite account that has over 1PB of storage in use; has control over Uber’s VMware vSphere deployment and virtual machines; access to internal finance data, such as corporate expenses; and more.
If this correct, Uber has been significantly compromised with data at all levels available to the intruder.
Even the US giant’s HackerOne bug bounty account was seemingly compromised, and we note is now closed. According to the malware librarians at VX Underground, the intruder was using the hijacked H1 account to post updates on bounty submissions to brag about the degree of their pwnage, claiming they have all kinds of superuser access within the ride-hailing app biz.
It also means the intruder has access to Uber’s security vulnerability reports.
Update: A Threat Actor claims to have completely compromised Uber – they have posted screenshots of their AWS instance, HackerOne administration panel, and more.
They are openly taunting and mocking @Uber. pic.twitter.com/Q3PzzBLsQY
— vx-underground (@vxunderground) September 16, 2022
Bug hunter Sam Curry claims to have heard from an Uber staffer.
From an Uber employee:
Feel free to share but please don’t credit me: at Uber, we got an “URGENT” email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers.”
— Sam Curry (@samwcyo) September 16, 2022
Infosec watcher Corben Leo, meanwhile, said he spoke to the miscreant responsible for this mess, and was told an employee was socially engineered to gain access to Uber’s VPN, through which the intruder scanned the network, found a PowerShell script containing the hardcoded credentials for an administrator user, which were then used to unlock access to all of Uber’s internal cloud and software-as-a-service resources, among other things. After that, everything was at the intruder’s fingertips, allegedly.
The New York Times reported that Uber staff have been told to stop using the corporate Slack, and that the call to quit the messaging app came after the intruder shared a message stating: “I announce I am a hacker and Uber has suffered a data breach.”
The Times states the Slack message listed “several internal databases that the hacker claimed had been compromised.” Several internal systems have now been shut down by Uber IT.
At the time of writing, your vulture’s access to Uber and Uber Eats apps was in no way affected, and I have received no email or other notification from Uber regarding the incident.
Uber experienced a massive data breach in 2016 and tried to cover it up.
That fiasco saw personal information on 57 million passengers and drivers leaked.
Uber has since used classic startup tactics – admission of a stuff-up, followed by promises to do better in future to regain trust – and mostly rehabilitated its image as a scofflaw destroyer of value, helped by its food delivery service becoming something of a lifeline during the COVID-19 pandemic. Just don’t mention the company’s seemingly endless losses, overcharging the disabled, ongoing labor relations issues, and so on.
The Register has asked the company for more detail on the snafu but has not received a response at the time of writing. We will update this story, or pen others, as more information emerges about this situation. ®