Uber data breach spotlights need for enterprises to ‘get the basics right’, say experts

Popular ride-hailing platform Uber has reportedly been targeted by a cyber-attack, prompting the company to launch an investigation in coordination with authorities.

The cybersecurity incident forced the company to shut several internal communications and engineering systems as a precaution, the company said in a statement.

However, Uber emphasised that there had been no evidence that the incident involved access to sensitive user data such as trip histories. It also noted that internal software tools that the company had taken offline after the hack were coming back online.

According to a report by the New York Times, the breach started when a hacker compromised an employee’s account on the workplace messaging app Slack and used it to send a message to Uber employees announcing that the company had suffered a data breach.

The incident sparked concerns from the cybersecurity community with experts calling on enterprises to rethink and amp up their cybersecurity strategies.

“Attacks, like the one apparently launched on Uber, highlight some key points about a successful cybersecurity strategy,” BeyondTrust’s chief security strategist, EMEA & APAC, Brian Chappell, told ITP.net.

“The first is that it’s important that cybersecurity is woven into the fabric of the organisation; it’s a starting point and not an afterthought. It’s also important to accept that technology alone doesn’t solve problems and that poor implementation of technology is likely to return little or, more likely, no value.”

Chappell then remarked on how “astonishing” it is that a single breach can have vast implications.

“The breach began from a successful phishing attack on an Uber employee,” he explained.

“The attacker claimed to have found a single machine identity used to retrieve credentials from a Privileged Access and Session Management system. Those credentials are used by processes and applications within Uber to access the Application Programming Interfaces (APIs) of various services both internal and external to their operation.”

The BeyondTrust chief then noted that the incident should be considered as “a salutary lesson” by all organisations in just how important the basics of cybersecurity are.

“You can have the best monitoring tools in the world but they won’t stop a breach, just tell you that it’s happening/happened. Getting the basics right offers the best chance of stopping a breach before it can cause any significant damage. Technology alone as a solution is papering over the cracks. To fix the cracks you need people and processes to change as well. People need training in new processes that complement the technology and deliver maximum return on the investment made,” he said.

The Uber hacker, who reportedly claims to be 18 years old, told the Times that he compromised Uber because the company had weak security. The attacker purportedly used social engineering to compromise an employee’s Slack account, persuading them to hand over a password that allowed them access to Uber’s systems.

Paul Baird, chief technical security officer UK, Qualys, noted that hackers who breach corporate networks for ‘fun’ are today some of the more dangerous adversaries to come across. “As the only goal normally is to gain access to internal systems, cause havoc and steal data, there is very little Uber can do to minimise the impact of the breach. Whereas at least when you are dealing with bad actors that are financially incentivised, there is the possibility of paying a ransom to lessen the pain,” he explained.

He added, “Uber needs to learn from this breach, bolster their IT and cyber security education and awareness programs, have or extend MFA and run a sanitisation exercise of systems to make sure scripts and documents sitting on internal systems don’t carry keys to the kingdom.”

This is not the first time that Uber has been subjected to a cybersecurity incident. In 2016, the company fell victim to a hacking incident, which compromised the data of 57 million customers and about 600,000 drivers. The incident resulted in the resignation of the company’s then security unit.

The breach also comes as Uber’s former security chief stands trial for charges related to his handling of the 2016 hacking incident. The company paid the hackers $100,000 and had them sign nondisclosure agreements. The 2016 incident was not disclosed to the FTC or to the public until Dara Khosrowshahi took over as chief executive in 2017.

“The timing is interesting, though from the shared messages the motivation seems unrelated to the trial. Regardless of the trial outcome, the ability for an individual to gain the level of apparent access they did via well-known social engineering techniques which allowed them to access an internal company VPN is alarming. This is the type of access story infosec professionals explain to people who don’t understand the level of damage unauthorised access can really do, to promote better security practices. We tell people about these sort of situations hypothetically or share things we have seen in the field, but we also promote responsible disclosure. It’s not a good look to publicly attempt to embarrass a company by doing something illegal,” said Danielle Jablanski, OT Cybersecurity Strategist, Nozomi Networks.

With this latest incident coming to light, security experts are urging enterprises to take stock and improve systems such as privileged access management to thwart potential social engineering and identity-based attacks.

“The Uber hack demonstrates how important identity management backed by strong authentication, such as hardware security keys, are for privileged systems, and why today’s organisations need the ability to detect when attackers exploit, misuse or steal credentials,” explained John Shier, senior security advisor, Sophos.

“As we’ve seen in recent high-profile attacks against large organisations, persistent attackers can and will find a way around multi-factor authentication systems that rely solely on time-based one-time passwords (TOTP) or push-based authentication. The need for compartmentalised access to critical resources, strong authentication and detection of identity-based activity is an important part of an organisation’s layered defences.”

Cybereason’s director for security strategy, Ken Westin, noted that in today’s heavily distributed enterprise architectures, where you have traditional networks, multiple cloud providers and an exponential number of SaaS applications, the attack surface has increased, which puts hackers at an advantage.

“As Defenders, we hope it is minimal and that Uber was able to limit the damage and risk to its employees, customers and partners,” said Westin.

He added, “This latest data breach disclosure reinforces the importance of reducing the time to detection across an ever-increasing attack surface, consisting of an increasing number of disparate systems, cloud providers and SaaS tools. Defenders need tools that leverage automation and machine learning, to help sort through massive amounts of data being generated today, to quickly remediate threats before they escalate to severe incidents.”