Monday, July 1, 2024

Uber breach: What is social engineering; how do hackers use it?



Humans are usually the weakest link in networks, and hackers using social engineering take advantage of that.

SAN FRANCISCO — The ride-hailing service Uber said Friday that all of its services were operational following what security professionals are calling a major data breach, claiming there was no evidence the hacker got access to sensitive user data.


But the breach, apparently by a lone hacker, put the spotlight on an increasingly effective break-in routine involving social engineering: The hacker apparently gained access posing as a colleague, convincing an Uber employee to surrender their credentials.

They were then able to locate passwords on the network that got them the level of privileged access reserved for system administrators.

The potential damage was serious: Screenshots the hacker shared with security researchers indicate they obtained full access to the cloud-based systems where Uber stores sensitive customer and financial data.


It is not known how much data the hacker stole or how long they were inside Uber’s network. Two researchers who communicated directly with the person — who self-identified as an 18-year-old to one of them — said they appeared interested in publicity. There was no indication they destroyed data.

But files shared with the researchers and posted widely on Twitter and other social media indicated the hacker was able to access Uber’s most crucial internal systems.


“It was really bad the access he had. It’s awful,” said Corben Leo, one of the researchers who chatted with the hacker online.

The cybersecurity community’s online reaction — Uber also suffered a serious 2016 breach — was harsh.


The hack “wasn’t sophisticated or complicated and clearly hinged on multiple big systemic security culture and engineering failures,” tweeted Lesley Carhart, incident response director of Dragos Inc., which specializes in industrial-control systems.

Leo said screenshots the hacker shared showed the intruder got access to systems stored on Amazon and Google cloud-based servers where Uber keeps source code, financial data and customer data such as driver’s licenses.

“If he had keys to the kingdom he could start stopping services. He could delete stuff. He could download customer data, change people’s passwords,” said Leo, a researcher and head of business development at the security company Zellic.

Screenshots the hacker shared — many of which found their way online — showed sensitive financial data and internal databases accessed. Also widely circulating online: The hacker announcing the breach Thursday on Uber’s internal Slack collaboration system.

Leo, along with Sam Curry, an engineer with Yuga Labs who also communicated with the hacker, said there was no indication that the hacker had done any damage or was interested in anything more than publicity.

“It’s pretty clear he’s a young hacker because he wants what 99% of what young hackers want, which is fame,” Leo said.

Curry said he spoke to several Uber employees Thursday who said they were “working to lock down everything internally” to restrict the hacker’s access. That included the San Francisco company’s Slack network, he said.

In a statement posted online Friday, Uber said “internal software tools that we took down as a precaution yesterday are coming back online.”

It said all its services — including Uber Eats and Uber Freight — were operational and that it had notified law enforcement. The FBI said via email that it is “conscious of the cyber incident involving Uber, and our help to the corporate is ongoing.”

Uber said there was no evidence that the intruder accessed “sensitive user data” such as trip history but didn’t respond to questions from The Associated Press, including about whether data was stored encrypted.

Curry and Leo said the hacker didn’t indicate how much data was copied. Uber didn’t recommend any specific actions for its users, such as changing passwords.

The hacker alerted the researchers to the intrusion Thursday by using an internal Uber account on the company’s network used to post vulnerabilities identified through its bug-bounty program, which pays ethical hackers to ferret out network weaknesses.

After commenting on those posts, the hacker provided a Telegram account address. Curry and other researchers then engaged them in a separate conversation, where the intruder provided the screenshots as proof.

The AP tried to contact the hacker on the Telegram account, but received no response.

Screenshots posted online appeared to confirm what the researchers said the hacker claimed: That they obtained privileged access to Uber’s most critical systems through social engineering.

The apparent scenario:

The hacker first obtained the password of an Uber employee, likely through phishing. The hacker then bombarded the employee with push notifications asking that they confirm a remote log-in to their account. When the employee didn’t respond, the hacker reached out via WhatsApp, posing as a fellow worker from the IT department and expressing urgency. Ultimately, the employee caved and confirmed with a mouse click.
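The push bombardment in this scenario leaves a recognizable trace in authentication logs: a run of unanswered or denied MFA prompts for one user, followed by an approval. The detection logic below is an added example, not part of the original article and not Uber's tooling; the log format, field names, ten-minute window and threshold of three are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value log format (time-ordered).
SAMPLE_LOG = """\
2024-01-10T18:00:05Z user=alice event=mfa_push result=timeout src=203.0.113.7
2024-01-10T18:01:10Z user=alice event=mfa_push result=timeout src=203.0.113.7
2024-01-10T18:02:00Z user=bob event=mfa_push result=approved src=198.51.100.4
2024-01-10T18:02:30Z user=alice event=mfa_push result=denied src=203.0.113.7
2024-01-10T18:03:45Z user=alice event=mfa_push result=timeout src=203.0.113.7
2024-01-10T18:09:20Z user=alice event=mfa_push result=approved src=203.0.113.7
2024-01-10T19:30:00Z user=carol event=mfa_push result=timeout src=192.0.2.15
2024-01-10T21:00:00Z user=carol event=mfa_push result=approved src=192.0.2.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push "
    r"result=(?P<result>timeout|denied|approved) src=(?P<src>\S+)$"
)

def find_push_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Flag approvals preceded by >= threshold unanswered or denied
    prompts for the same user inside the sliding window."""
    recent = defaultdict(deque)  # user -> timestamps of failed prompts
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unrelated or malformed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        failed = recent[m["user"]]
        while failed and ts - failed[0] > window:
            failed.popleft()  # expire prompts older than the window
        if m["result"] == "approved":
            if len(failed) >= threshold:
                alerts.append({"user": m["user"], "approved_at": m["ts"],
                               "src": m["src"], "prior_prompts": len(failed)})
            failed.clear()  # an approval ends the current run
        else:
            failed.append(ts)
    return alerts

if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG):
        print(alert)
```

An alert of this kind is a reason to contact the user through a known channel and revoke the resulting session, since the approval itself looks like a normal successful log-in.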

Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Teenagers used it in 2020 to hack Twitter and it has more recently been used in hacks of the tech companies Twilio and Cloudflare, said Rachel Tobac, CEO of SocialProof Security, which specializes in training workers not to fall victim to social engineering.

“The hard truth is that most orgs in the world could be hacked in the exact way Uber was just hacked,” Tobac tweeted. In an interview, she said “even super tech savvy people fall for social engineering methods every day.”

“Attackers are getting better at by-passing or hi-jacking MFA (multi-factor authentication),” said Ryan Sherstobitoff, a senior threat analyst at SecurityScorecard.

That’s why many security professionals advocate the use of so-called FIDO physical security keys for user authentication. Adoption of such hardware has been spotty among tech companies, however.

The hack also highlighted the need for real-time monitoring in cloud-based systems to better detect intruders, said Tom Kellermann of Contrast Security. “Much more attention must be paid to protecting clouds from within” because a single master key can typically unlock all their doors.

Some experts questioned how much cybersecurity has improved at Uber since it was hacked in 2016.

Its former chief security officer, Joseph Sullivan, is currently on trial for allegedly arranging to pay hackers $100,000 to cover up that high-tech heist, when the personal information of about 57 million customers and drivers was stolen.





Story by The Texas Tribune
