Blog A3Sec

The Uber attack

Written by Israel Gutiérrez, Global CTO | 05 January, 2023

A hacker who, according to what he has told the press, is barely 18 years old put the American mobility platform Uber in trouble by accessing multiple company systems and services after obtaining administrator privileges. Although no direct effects on users or the service were reported at first, the hack, carried out on September 15, was exposed on social networks.

To gain this access, the attacker resorted to techniques widely known in the cybersecurity world, such as social engineering, with which he managed to infiltrate the organization and maneuver internally to persuade an Uber employee to hand over his login credentials for the corporate network (VPN).

With this information, he gained access to the Uber network and reached a shared folder where text scripts containing data for more privileged accounts were stored. This gave him access to multiple security systems and to the management of technology infrastructure.

First, we can see that exploiting vulnerabilities through social engineering is still effective, which creates significant challenges for the management of security platforms, not only in terms of existing controls but also in terms of education.

This once again demonstrates that no matter how much companies invest and how many technological barriers they adopt, it is not enough. If organizations keep usernames and passwords stored in text files, none of it is useful and external agents gain access to corporate information.

When we say that the most effective attacks are internal ones, we do not necessarily mean that they are carried out by people who work within the organization, but rather by external agents who manage to pass themselves off as internal personnel, and that is where the great risk lies.

Prevention for this type of incident clearly lies in raising awareness among employees and in better identity validation systems based on two-factor authentication schemes, which provide the additional shielding that companies require.

Other key solutions to prevent these attacks include behavioral login identification systems, as well as validating the geographic location of employees when they enter the network, although the global rise of hybrid work brings new challenges. However, the solutions that cybersecurity companies offer today provide clear patterns for identifying anomalous behavior and reacting faster to these situations from anywhere.
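A sketch of the login checks described above (geographic validation plus a simple behavioral signal), added here as an illustration and not taken from Uber or from any vendor product. The record fields, the 900 km/h and 50 km thresholds, and the sample logins are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_SPEED_KMH = 900.0  # assumed threshold: roughly airliner cruising speed

@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    device: str

def haversine_km(a, b):
    """Great-circle distance between two logins in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(min(1.0, sqrt(h)))

def flag_logins(events):
    """Return (login, reasons) for logins that break the user's own pattern."""
    last, devices, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e.when):
        reasons = []
        prev = last.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            dist = haversine_km(prev, ev)
            # Hybrid work: short hops (home, office) under 50 km are ignored.
            if dist > 50 and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                reasons.append("impossible_travel")
        known = devices.setdefault(ev.user, set())
        if known and ev.device not in known:
            reasons.append("new_device")
        known.add(ev.device)
        last[ev.user] = ev
        if reasons:
            alerts.append((ev, reasons))
    return alerts

# Constructed sample VPN logins (not real data).
SAMPLE = [
    Login("alice", datetime(2023, 1, 10, 8, 0), 19.43, -99.13, "laptop-01"),   # Mexico City
    Login("alice", datetime(2023, 1, 10, 13, 0), 19.36, -99.18, "laptop-01"),  # same city
    Login("alice", datetime(2023, 1, 10, 14, 0), 40.42, -3.70, "unknown-pc"),  # Madrid, 1 h later
    Login("bob", datetime(2023, 1, 10, 9, 0), 4.71, -74.07, "laptop-02"),      # Bogota
    Login("bob", datetime(2023, 1, 11, 9, 0), 40.42, -3.70, "laptop-02"),      # Madrid, 24 h later
]
```

Calling `flag_logins(SAMPLE)` flags only the third login: the same account appears about 9,000 km away one hour later, on a device it has never used, while the same-city hop and the next-day trip pass.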

The attack on the technology company calls on companies to reflect on the fact that none of them is exempt from this, so it is important to consider these risks. If we analyze the information we have available from Uber, we can see that there are no attack simulation exercises or clear communication protocols in the event of a security incident. For example, how do we know whether whoever starts typing is an attacker? And how have we structured the reaction protocols?

Uber issued a statement saying that it was investigating an incident, but this reaction only became known once the attacker himself began disclosing information about the event on social networks. Anticipation is key in these situations, and management is obviously essential to avoid further damage that can only be quantified by how much an organization's image was damaged.

A more preventive than reactive approach could help companies manage these situations better since, as this case clearly showed, communication to the general public takes place a few minutes after their information begins to be exposed through some Twitter feed.

Having effective cybersecurity teams should provide us with the necessary action protocols for an incident of this type, so that all areas of the organization are aligned, not only the Technology or Cybersecurity departments.

Reacting on time and effectively to these situations is crucial, not only because of the information that can be lost, but also because of productivity and the impact on operations. The reputational effect must also be factored in, since even though the attack on Uber does not seem to have compromised the company's operation or income, the mere fact of exposing this situation could have had an effect on the shares of the American firm.

Due to Uber's size and global dimension, it could be considered that its recovery will be faster; however, the scars of this event could remain on its reputation, and the same could happen to organizations of many types.

Perhaps our organizations are not in the financial markets; however, what would happen if an external agent sent an email to our clients and suppliers indicating that our information had been compromised? Depending on the magnitude of the leak, would suppliers continue to give us credit, and would our customers continue to buy? The impact of this type of attack could be measured in the operations that we could not carry out or in the profits that would stop entering the organization. In this sense, CEOs must ask themselves how much money they would be willing to lose instead of investing not only in security controls but also in allies that deal with similar situations.

The details of what happened on September 15

Through its Uber Commons account, the company officially mentions a cybersecurity incident and indicates that it is reviewing it.

Through various messages, the person who gained unauthorized access notifies Uber employees that they have been breached.

Some even take it as a joke and don't pay it much attention.

He uses systems such as HackerOne, the bug bounty platform, and Slack to broadcast that they have a security incident.

Uber issues an official statement (https://www.uber.com/newsroom/security-update/) in which it says that there is no evidence that sensitive user information has been accessed; however, different administration screens and financial data were exposed.

This person claims to have had cybersecurity knowledge for some years and says that he did this because Uber does not have good protection systems.

He even shares his Telegram, which shows that he is looking to be contacted, so we could say that he wants Uber to strengthen its security systems.