Power Of Social Engineering: Uber Hack 2022


Hello World! They say security is never enough, no matter how well-protected your systems are. Despite the best efforts, no system is totally immune to attacks. There have been many cases across the world where tech giants had extensive end-to-end security controls and still failed to prevent a breach. This time it was Uber. This is without doubt one of the most embarrassing hacks in recent memory. Uber faced a devastating hack on September 16th, 2022. The attacker, who claims to be 18 years old, posted screenshots showing access to a wide range of Uber's internal systems.

This hack raises many questions: How did an anonymous 18-year-old break into a tech giant like Uber? Is our personal data safe? What kind of access did the hacker gain? Let's take a look at the complete picture.

What actually happened with Uber?

The sole hacker behind the breach, who claims to be 18 years old, sent a message to Uber's bug bounty program on HackerOne stating that he had compromised Uber because the company had weak security. According to reports, the attacker used social engineering to obtain access to Uber's VPN, and from inside the network found PowerShell scripts with hardcoded credentials for Uber's PAM (privileged access management) solution, Thycotic. After gaining access to the Thycotic PAM, he joined Uber's Slack and let employees know that Uber had been compromised. Social engineering of employees has become a popular tactic in recent attacks against well-known companies, including Twilio, Mailchimp, and Okta.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, "I announce I am a hacker and Uber has suffered a data breach." Uber then responded on its Twitter handle:

Uber’s Update

Social engineering was the entry point for this breach. But what is social engineering, and how is it done? Let's understand it.

What is social engineering?

In computing, the term "social engineering" describes the methods cybercriminals use to get victims to make a mistake, typically by bypassing a security control, sending money, or divulging personal information. These actions go against our better judgment and defy common sense. By manipulating our emotions, including anger, fear, urgency, and trust, attackers get us to stop thinking rationally and act on impulse without considering what we are actually doing.

To put it simply, cybercriminals compromise our computers using malware and viruses, but they compromise our minds through social engineering.

Social engineering is usually one stage of a larger attack; the perpetrator and the victim rarely meet in person. Most of the time, the main objective is to get the victim to:

  • Give up usernames and passwords.
  • Install malicious software on their device.
  • Send money via electronic fund transfer.
  • Authorize a malicious third-party plugin or application.

Stages of the attack on Uber

Total Attack Scenario
  1. The attack began with a social engineering campaign targeting Uber employees, which gave the attacker access to the VPN and, through it, to Uber's corporate (intranet) network.
  2. Once inside the network, the attacker discovered PowerShell scripts containing hardcoded credentials for a domain administrator account for Thycotic, Uber's PAM solution.
  3. Using that admin access, the attacker was able to log in to and take over multiple services and internal tools used at Uber: AWS, GCP, Google Drive, the Slack workspace, SentinelOne, the HackerOne admin console, Uber's internal employee dashboards, and several code repositories.

What is Thycotic?

Thycotic is a privileged access management (PAM) system used to store and manage secrets (such as passwords). Unfortunately for Uber, the admin user the hacker gained access to was able to extract secrets (passwords) for ALL OF UBER'S SERVICES. In other words, the hacker logged in to Uber's PAM using this admin account and pulled the passwords for their other services from it.

So, more specifically:

1) To compromise Uber's infrastructure, the actor used social engineering techniques against an employee.

2) In addition to gaining access to multiple credentials, the actor used the victim's VPN access to:

  • Pivot internally and escalate privileges
  • Scan the internal network (intranet) for further access

3) Once on Uber's internal network (intranet), the actor found a directory named "share" containing a number of PowerShell scripts, and those scripts contained administrator credentials for the privileged access management system (Thycotic).

4) This enabled the actor to access multiple services of the entity, including Uber's Duo, OneLogin, AWS, GSuite Workspace, etc.
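The root cause in steps 2 and 3 above, and the remediation the conclusion of this post recommends, is a hardcoded credential sitting in a PowerShell script on a network share. Below is an added example, written for this post and not code from Uber or from any of the reports cited, of a small scanner that walks a share, flags the common ways a password ends up inside a `.ps1` file, and masks the secret in its own output so the report does not leak it again. The two sample scripts, the share path, the vault name `CorpVault` and the host `pam.corp.example` are all constructed for the example. The hardened sample pulls the secret at runtime with `Get-Secret` from the Microsoft.PowerShell.SecretManagement module, which is how the scanner is expected to come back clean.

```python
import re
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    line: str  # masked copy of the offending line


# Patterns for the most common ways a secret is hardcoded in PowerShell.
RULES = [
    # $pamPassword = "literal"  (variable name contains pass/pwd/secret/token)
    ("plaintext-variable",
     re.compile(r"\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*['\"][^'\"]{4,}['\"]", re.I)),
    # ConvertTo-SecureString "literal" -AsPlainText -Force
    ("convertto-securestring-literal",
     re.compile(r"ConvertTo-SecureString\s+['\"][^'\"]+['\"].*-AsPlainText", re.I)),
    # -Password "literal" passed straight to a cmdlet
    ("password-parameter-literal",
     re.compile(r"-(?:Password|Pwd|Secret|ApiKey)\s+['\"][^'\"]{4,}['\"]", re.I)),
    # https://user:password@host/...
    ("credential-in-url",
     re.compile(r"https?://[^\s/:@]+:[^\s/@]+@", re.I)),
]

QUOTED = re.compile(r"(['\"])[^'\"]{4,}\1")


def mask(line: str) -> str:
    """Replace quoted literals so the finding itself does not leak the secret."""
    return QUOTED.sub(lambda m: m.group(1) + "***" + m.group(1), line)


def scan_text(text: str, path: str = "<inline>") -> List[Finding]:
    """Scan one script body; one finding per offending line, comments skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, mask(stripped)))
                break
    return findings


def scan_share(root: str, suffixes=(".ps1", ".psm1", ".psd1")) -> List[Finding]:
    """Recursively scan every PowerShell file under a share or directory."""
    results = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            try:
                text = p.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            results.extend(scan_text(text, str(p)))
    return results


# Constructed sample: the anti-pattern described in the attack scenario.
VULNERABLE_SCRIPT = r'''
# rotate-pam.ps1 (constructed example of the anti-pattern)
$pamUser = "svc_pam_admin"
$pamPassword = "Sup3rS3cret!2022"
$secure = ConvertTo-SecureString "Sup3rS3cret!2022" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://pam.corp.example/api/v1/tokens" -Credential $cred
'''

# Constructed sample: same job, secret fetched from a vault at runtime.
HARDENED_SCRIPT = r'''
# rotate-pam.ps1 (constructed hardened version; CorpVault is a hypothetical vault)
$pamUser = "svc_pam_admin"
$secure = Get-Secret -Name "pam-admin" -Vault "CorpVault"
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://pam.corp.example/api/v1/tokens" -Credential $cred
'''

if __name__ == "__main__":
    for f in scan_text(VULNERABLE_SCRIPT, "share/rotate-pam.ps1"):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.line}")
    print("hardened findings:", scan_text(HARDENED_SCRIPT))
    # Point scan_share at a mounted share, e.g. scan_share(r"\\fileserver\share")
```

On the vulnerable sample the scanner reports the `$pamPassword` assignment and the `ConvertTo-SecureString ... -AsPlainText` line, with the literal masked as `"***"`; the hardened sample produces no findings because nothing secret is written into the file. The rules are deliberately narrow to keep false positives low on a large share; run the sweep on a schedule and treat every hit as a credential to rotate, not just a line to delete.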

Severity of the attack

The magnitude of this breach becomes clear when you look at what some of these services do. OneLogin provides Single Sign-On (SSO) for Uber employees through its Identity and Access Management (IAM) system. With SSO, an employee uses one set of credentials (username and password) to access all of their applications. In Amazon Web Services (AWS), the IAM service controls which users and roles have access to which AWS resources. With access to both, the hacker was free to manipulate Uber's systems as he pleased.

Because Uber's admin credentials were exposed, Uber's Privileged Access Management (PAM) platform was compromised. Privileged access management is the practice of securing, controlling, and monitoring employee access to critical information and resources within an organization; compromising it hands the attacker the keys to everything it protects.

Now, let's look at the impact on the basis of the proof received:

1) Uber's AWS account – Severity = Critical

Uber's AWS account controls the cloud infrastructure behind its applications. Depending on configuration, privileges, and architecture, an attacker with this access can potentially shut down services, abuse computing resources, read sensitive user data, delete or ransom data, change who has access to user data, and reset user passwords.

2) Uber's SentinelOne – Severity = High

SentinelOne is an XDR (eXtended Detection and Response) platform. In a nutshell, it monitors mission-critical systems and alerts you to security issues. Control over this platform lets an attacker suppress alerts, hide their own activity, and prolong the attack. Incident response (IR) teams also use XDR consoles to "shell into" employee computers, so an attacker holding the console can potentially reach those machines the same way.

3) Uber's VMware vSphere – Severity = Critical

VMware vSphere is the virtualization platform behind much of Uber's on-premise compute. Because it sits between the on-premise servers and the cloud environment, control over it gives an attacker access to the virtual machines it hosts and to many administrative functions that help them move deeper into the environment.

4) Uber's GSuite Admin – Severity = Critical

Beyond managing users and storing data, many companies use GSuite for a wide range of administrative functions. A hacker with admin access can not only create and delete accounts but would also likely have access to employee mailboxes, documents, and other sensitive company information.

5) Uber's Slack workspace – Severity = High

Slack is very sensitive: it can contain internal chats about upcoming features, shared credentials, and employee data. An attacker joining a company's internal Slack is usually treated as critical. Phishing campaigns launched from inside Slack are highly effective because the attacker inherits the instant trust other users place in a colleague's account: they can send malicious links, try to elevate privileges, and harvest sensitive information.

6) HackerOne – Severity = High

Hacker's Comment From HackerOne Account

HackerOne is a platform through which companies communicate with, and pay, security researchers who find vulnerabilities in their systems. Logging in with Uber's account on HackerOne should be treated as high severity in any scenario, because the tenant will contain reports of high-rated issues with the exact location of each bug and a proof of concept (POC).

Anyone with access to the HackerOne tenant therefore has detailed instructions on how to exploit (likely still unpatched) vulnerabilities in Uber's systems, given the level of detail bounty hunters usually provide. This makes the likelihood of the attacker regaining or keeping access high, even after the original credentials are rotated.

Previous case of Uber

This is not the first time Uber has been hacked. Joseph Sullivan, Uber's former chief security officer, is on trial for allegedly paying hackers to cover up a previous breach. In the October 2016 attack, the names, emails, and phone numbers of 50 million Uber riders were compromised, along with the personal information of 7 million drivers, including around 600,000 U.S. driver's license numbers. According to Uber, no Social Security numbers, credit card information, or trip location details were taken.


At the time of the incident, Uber was already being investigated by U.S. regulators for privacy violations. By Uber's own account, it was legally obligated to notify regulators about the hack and to notify the drivers whose license numbers were stolen. Rather than disclose the breach, the company paid the hackers to delete the data. Uber declined to identify the attackers, saying it believes the information was never used.

What can be done to prevent such attacks in the future?

Compare the amount of money companies invest in cybersecurity with what one teenager with a mobile phone was able to do. There is no question that humans are an organization's biggest security vulnerability. There is always someone who is disgruntled, being blackmailed, or simply does not have a good understanding of security awareness. As far as security postures go, humans are usually the weakest link.


So making sure your employees are well aware of cybersecurity best practices, and running security awareness campaigns frequently, reduces your chances of becoming the next Uber. Making sure that none of your devices still has a default password, and that no script or repository carries a hardcoded credential, can save you from a big loss.

How Securityboat protects you?

In today’s world, cybercrime knows no borders, and its technological capabilities are improving rapidly: we’re seeing more and more sophisticated attacks. Through our broad cybersecurity expertise and deep industry knowledge, we offer end-to-end cybersecurity services to protect your business. Our end-to-end security includes all types of penetration testing, secure code training, code reviews, infrastructure review, and many more! Cybersecurity and resilience is everyone’s responsibility, at Securityboat we aim to be your trusted partner in your quest to secure your business from modern world cyber-attacks. For more information, contact us today!

Conclusion

Every company, no matter how large or small, is at risk of cyberattack. Companies should never underestimate the power of social engineering and should train their employees to recognize and resist it. Additionally, scripts and repositories should be checked continuously for hardcoded passwords; any that are found should be removed, rotated, and replaced with secrets fetched from a vault at runtime. The combination of all of the above may not guarantee your organization's safety, but it will certainly reduce the probability of an attack succeeding in this age of the internet!
