Uber has fallen victim to a data breach that is reportedly a “total compromise” of their systems.
Uber suffers a data breach.
Uber is investigating a breach of its systems, the New York Times reports. Yesterday, the company said in a tweet from its @Uber_Comms account, “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”
The Times reports that the breach looks to have compromised many of Uber’s systems, with the hacker sending the Times images of “email, cloud storage and code repositories.” Sam Curry, a security engineer at Yuga Labs who was in contact with the hacker, says “They pretty much have full access to Uber. This is a total compromise, from what it looks like.” The threat actor reportedly compromised a worker’s account on the company’s internal messaging service, Slack, and posted, “I announce I am a hacker and Uber has suffered a data breach.” Two employees who weren’t authorized to speak on the situation publicly have said that they were told not to use Slack, and that other internal systems were inaccessible. The breach reportedly began with phishing and social engineering: the hacker sent a text message to an employee and persuaded them to hand over a password that granted access.
An Uber spokesperson says that the breach is under investigation by the company and that law enforcement officials are being contacted.
A case of social engineering.
Industry leaders were quick to offer comment on the incident. Omer Yaron, Head of Research at Enso Security, thinks it’s important to recognize that this is a case of social engineering:
“Regardless of the attacker’s entry point, in Uber’s case the social engineering vector, it’s absolutely key to have different controls over applications to reduce the overall risk. Uber’s case shows how bad things can be, at least from what we know. Events escalate quickly and critical assets can be accessed without proper controls in place. Also, Uber is not out of the ongoing event. There are still mitigations they need to perform in real time. And it all comes down to the controls and measures they’ve put in place that will determine the outcome of this attack.”
The attack may have been long in preparation.
Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, thinks it not improbable that the attack was long in preparation:
“The allegedly immense scale and scope of the data breach may evidence a carefully planned and rigorously executed attack by a sophisticated threat actor. The reported social engineering attack vector – in isolation from other activities – seems to be highly improbable here, as many different and critical systems have been simultaneously compromised. One may, of course, hypothesize a total lack of internal security controls (e.g. MFA) and massive password reuse at Uber, however, this version currently seems to be unpersuasive. We should wait for the official statement from Uber once the investigation is over: it is possible that Uber fell victim to a sophisticated cyber threat actor looking to get sensitive information about locations and trips of VIP persons, journalists and politicians, whilst the disclosed version of the incident is just a smoke screen.”
What makes a target attractive (Uber was attractive).
Yoni Shohet, CEO of Valence Security, points out that business applications are prime targets for attack: the combination of accessibility and access to sensitive data is irresistible:
"This is another case where attackers identified business-critical SaaS applications like Google Workspace and Slack as prime attack targets. The sensitive data held within these platforms combined with the distributed ownership with multiple administrative accounts, makes it a lucrative target for hackers. Organizations must ensure they have the proper security controls to ensure their SaaS data, identities and third-party integrations are properly secure with least privilege access to reduce the SaaS attack surface and blast radius of attacks targeting their business-critical SaaS."
Liat Hayun, CEO of Eureka Security, notes the attractiveness of cloud access: “Bad actors continue to gain access to valuable customer data in the cloud. In this case, a simple social engineering compromise allowed the attacker access to sensitive data residing inside Uber's public cloud environments. It's becoming more important than ever for companies to be ‘uber’ proactive in protecting this data.”
Even capable organizations can fall victim to social engineering.
Ian McShane, Vice President, Strategy, Arctic Wolf, notes that Uber is no pushover, and that other businesses should learn from the ride-provider’s experience:
"Uber is renowned for having some of the best cybersecurity in the business, so the fact they have been compromised points to what we should all know: nobody’s perfect, and even the best managed security organizations can be compromised. The key is how quickly you respond and mitigate the issue, which they appear to have done here.
"While no official explanation has been provided yet, someone claiming to be the attacker explains that initial access was gained through social engineering - contacting an unwitting Uber staff member, pretending to be tech support and resetting their password. Then the intruder was able to connect to Corporate VPN to gain access to the wider Uber network, and then seems to have stumbled on gold in the form of admin credentials stored in plain text on a network share.
"This is a pretty low-bar-to-entry attack and is something akin to the consumer-focused attackers calling people claiming to be MSFT and having the end user install keyloggers or remote access tools. Given the access they claim to have gained, I’m surprised the attacker didn’t attempt to ransom or extort; it looks like they did it “for the lulz”.
"Attacks that make use of insider threats and compromised user credentials continue to grow – by 47% according to the 2022 Ponemon Institute report – and it’s proof once again that often the weakest link in your security defenses is the human. It is therefore critical that you manage that risk by running regular training and security awareness sessions while running around-the-clock monitoring, detection, and response, as well as other security operations solutions to reduce risk and keep your organization protected."
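Admin credentials sitting in plain text on a network share, as the account above describes, are a hygiene problem a defender can sweep for before anyone else finds them. The script below is an added example written for this page, not code from Uber or from any of the vendors quoted; it builds a constructed share layout in a temporary directory, walks it, and flags lines that look like stored secrets (password assignments, private-key blocks, AWS-style access key ids, credentials embedded in URLs). The file names, sample values and pattern names are all constructed for the demonstration, and the patterns are heuristics for a sweep, not a definitive secret detector.

```python
"""Credential-hygiene sweep over a file share (constructed example)."""
import os
import re
import tempfile
from pathlib import Path

# Heuristic patterns that commonly indicate a secret stored in plain text.
SECRET_PATTERNS = {
    "password_assignment": re.compile(r"(?i)(pass(word|wd)?|pwd)\s*[:=]\s*\S+"),
    "private_key_block": re.compile(r"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "basic_auth_in_url": re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}

# Text-like extensions worth reading; "" covers extension-less files such as id_rsa.
SCAN_EXTENSIONS = {".txt", ".ps1", ".sh", ".ini", ".cfg", ".conf", ".env",
                   ".xml", ".json", ".yaml", ".yml", ".md", ""}
MAX_FILE_BYTES = 5 * 1024 * 1024  # skip very large files to keep the sweep cheap


def scan_file(path):
    """Return findings for one file as (path, line_no, pattern_name) tuples."""
    findings = []
    try:
        if path.stat().st_size > MAX_FILE_BYTES:
            return findings
        raw = path.read_bytes()
    except OSError:
        return findings          # unreadable file: nothing to report, keep walking
    if b"\x00" in raw:
        return findings          # crude binary check: a NUL byte means not text
    text = raw.decode("utf-8", errors="replace")
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((str(path), line_no, name))
    return findings


def scan_share(root):
    """Walk the share root and return every finding, sorted for stable output."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            if p.suffix.lower() in SCAN_EXTENSIONS:
                findings.extend(scan_file(p))
    return sorted(findings)


def build_sample_share():
    """Create a constructed share layout in a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    for sub in ("config", "docs", "it/scripts", "keys", "tools"):
        (root / sub).mkdir(parents=True)
    # Hypothetical deploy script with a plaintext service-account password.
    (root / "it" / "scripts" / "deploy.ps1").write_text(
        "# deploy script (constructed)\n$svc = 'svc-deploy'\n"
        "$password = 'Winter2022!'\nInvoke-Deploy $svc\n")
    # Hypothetical environment file with a database password.
    (root / "app.env").write_text("# app env (constructed)\nDB_PASSWORD=hunter2\n")
    # Hypothetical config with credentials embedded in a connection URL.
    (root / "config" / "app.conf").write_text(
        "# app config (constructed)\ndb_url = postgres://app:s3cret@db.internal:5432/app\n")
    # Hypothetical private key left on the share (header only, constructed).
    (root / "keys" / "id_rsa").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA...\n")
    # Clean document: mentions passwords as a topic but stores none.
    (root / "docs" / "README.md").write_text("Password rotation policy: rotate every 90 days.\n")
    # Binary-looking file with a tempting string inside; the NUL check skips it.
    (root / "tools" / "cache.txt").write_bytes(b"\x00\x01password=notreally")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for path, line_no, name in scan_share(share):
        print(f"{name:22s} {path}:{line_no}")
```

Run as a script it prints four findings (the deploy script, the env file, the config URL and the key file) and stays silent on the README and the binary cache file. In a real sweep the root would be the mounted share and the output would feed a ticket to rotate and remove each credential; the point is that the same low-effort discovery an intruder relies on is available to the defender first.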