Uber hack explained: Here's what happened and should you be concerned?

By IANS English | Published 26 Sep 2022 18:46 IST
Uber hack explained: Here's what happened and should you be concerned?
Uber hack explained: Here's what happened and should you be concerned?

Cyber-security researchers have revealed there were basic flaws in Uber's security gateways as social engineering was employed as an initial attack vector, making the hack "a classic case of failure on multiple levels".

Social engineering encompasses a broad spectrum of malicious activities via online human interactions, like phishing, pretexting and baiting.

This hack had a tremendous impact on Uber, starting from the obfuscation of the application code, hindering the usability of the application, leaked credentials, and access that could facilitate multiple account takeovers and leaking of sensitive and critical information of the entity, according to AI-driven cyber-security firm CloudSEK.

"Equipping malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence, not to mention the reputational damage for Uber," the researchers from the firm emphasised.

The ride-hailing major Uber last week blamed the infamous Lapsus$ hacking group for the cyber attack on its internal systems. The company reiterated that no customer or user data was compromised during the breach.

"The Uber Hack is a classic case of failure on multiple levels where Over privilege or privilege mismanagement plays a pivotal role. Eliminating privilege escalation paths or monitoring for access changes in accounts can be initial answers for mitigation, apart from Darkweb and surface web monitoring," said Abhinav Pandey, Cyber Threat Researcher, CloudSEK.

The threat actor was able to compromise an employee's HackerOne account to access vulnerability reports associated with Uber.

To demonstrate the legitimacy of the claims, the actor posted unauthorised messages on the HackerOne page of the company.

"Moreover, the attacker has also shared several screenshots of Uber's internal environment including their GDrive, VCenter, sales metrics, Slack, and the EDR portal," said cyber-security researchers.

The actor plausibly employed social engineering techniques as an initial attack vector to compromise Uber's infrastructure. After attaining access to multiple credentials, the actor exploited the compromised victim's VPN access.

Subsequently, the actor gained access to an internal network (Intranet), where the actor got access to a directory, plausibly with a name "share", which provided the actor with numerous PowerShell scripts that contained admin credentials to the privileged access management system (Thycotic).

"This enabled the actor with complete access to multiple services of the entity such as Uber's Duo, OneLogin, AWS, GSuite Workspace, etc," the researchers reported.

Lapsus$ typically uses similar techniques to target technology companies, and this year breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others.

(Except for the headline and cover image, the rest of this IANS article is un-edited)

For more technology newsproduct reviews, sci-tech features and updates, keep reading Digit.in

IANS English

About Me: This is an unedited, unformatted feed from the Indo-Asian News Service (IANS) wire. Read More

Tags:
Uber Uber hack Uber breach Cyber Security
Advertisements

Trending Articles

Advertisements

LATEST ARTICLES View All

Advertisements

Hot Deals View All

ARG HEALTH CARE Leg Massager for Pain Relief Foot, Calf and Leg Massage with Vibration and Heat Therapy (Golden)
ARG HEALTH CARE Leg Massager for Pain Relief Foot, Calf and Leg Massage with Vibration and Heat Therapy (Golden)
₹ 15499 | $hotDeals->merchant_name
TRUE HUMAN Anti-Theft and USB charging port backpack with combination lock Laptop bag
TRUE HUMAN Anti-Theft and USB charging port backpack with combination lock Laptop bag
₹ 675 | $hotDeals->merchant_name
AGARO CM2107 Sonic Facial Cleansing Massager, Ultra Hygienic Soft Silicone Facial Cleansing Brush for Deep Cleansing, Skin Care, Gentle Exfoliating and Heated Massaging Waterproof & Dustproof Vibrating Facial Brush, Purple
AGARO CM2107 Sonic Facial Cleansing Massager, Ultra Hygienic Soft Silicone Facial Cleansing Brush for Deep Cleansing, Skin Care, Gentle Exfoliating and Heated Massaging Waterproof & Dustproof Vibrating Facial Brush, Purple
₹ 759 | $hotDeals->merchant_name
ah arctic hunter Anti-Theft 15.6 inches Water Resistant Laptop Bag/Backpack with USB Charging Port and for Men and Women (Black)
ah arctic hunter Anti-Theft 15.6 inches Water Resistant Laptop Bag/Backpack with USB Charging Port and for Men and Women (Black)
₹ 2699 | $hotDeals->merchant_name
Fur Jaden Anti Theft Backpack 15.6 Inch Laptop Bag with USB Charging Port and Water Resistant Fabric
Fur Jaden Anti Theft Backpack 15.6 Inch Laptop Bag with USB Charging Port and Water Resistant Fabric
₹ 799 | $hotDeals->merchant_name