Uber hack not just a reputational damage but reveals basic security flaws


Bengaluru, Sep 26 (IANS): Cyber-security researchers have revealed there were basic flaws in Uber's security gateways as social engineering was employed as an initial attack vector, making the hack "a classic case of failure on multiple levels".

Social engineering encompasses a broad spectrum of malicious activities via online human interactions, like phishing, pretexting and baiting.

This hack had a tremendous impact on Uber, starting from the obfuscation of the application code, hindering the usability of the application, leaked credentials, and access that could facilitate multiple account takeovers and leaking of sensitive and critical information of the entity, according to AI-driven cyber-security firm CloudSEK.

"Equipping malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence, not to mention the reputational damage for Uber," the researchers from the firm emphasised.

The ride-hailing major Uber last week blamed the infamous Lapsus$ hacking group for the cyber attack on its internal systems. The company reiterated that no customer or user data was compromised during the breach.

"The Uber Hack is a classic case of failure on multiple levels where Over privilege or privilege mismanagement plays a pivotal role. Eliminating privilege escalation paths or monitoring for access changes in accounts can be initial answers for mitigation, apart from Darkweb and surface web monitoring," said Abhinav Pandey, Cyber Threat Researcher, CloudSEK.

The threat actor was able to compromise an employee's HackerOne account to access vulnerability reports associated with Uber.

To demonstrate the legitimacy of the claims, the actor posted unauthorised messages on the HackerOne page of the company.

"Moreover, the attacker has also shared several screenshots of Uber's internal environment including their GDrive, VCenter, sales metrics, Slack, and the EDR portal," said cyber-security researchers.

The actor plausibly employed social engineering techniques as an initial attack vector to compromise Uber's infrastructure. After attaining access to multiple credentials, the actor exploited the compromised victim's VPN access.

Subsequently, the actor gained access to an internal network (Intranet), where the actor got access to a directory, plausibly with a name "share", which provided the actor with numerous PowerShell scripts that contained admin credentials to the privileged access management system (Thycotic).

"This enabled the actor with complete access to multiple services of the entity such as Uber's Duo, OneLogin, AWS, GSuite Workspace, etc," the researchers reported.

Lapsus$ typically uses similar techniques to target technology companies, and this year breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others.

 

  

Top Stories


Leave a Comment

Title: Uber hack not just a reputational damage but reveals basic security flaws



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.