Uber Cyber-Attack: A Live Timeline

Date: 18 September 2022

Uber needs no introduction, so we’ll skip that part and jump straight to the big news: according to reports, it has been compromised by an 18-year-old hacker.

According to media reports and numerous tweets, a threat actor managed to gain access to Uber’s vulnerability reports, internal systems, email dashboard and Slack workspace. Screenshots circulating online also indicate that the intruder allegedly had access to critical Uber IT systems, including security software, the Windows domain, the Amazon Web Services console and VMware ESXi virtual machines.

The New York Times, which broke the story, said it had been in touch with the hacker, who claimed to have got into Uber’s systems through a social engineering attack on an employee.

Other reports say the hacker also had access to Uber’s HackerOne bug bounty programme and commented on all of the company’s bug bounty tickets. If, as some stories allege, the attacker downloaded every vulnerability report before losing access, including reports for bugs that have not yet been fixed, Uber faces a serious ongoing risk: each unpatched report is a ready-made attack path for whoever ends up holding the data.

The idea is never to point a finger at the victim of a cyber-attack but simply to learn from their experience. The lesson here is clear: if employees of a Fortune 500 company can fall for a social engineering attack with repercussions this severe, any organisation that assumes its non-IT staff won’t make the same mistake is in risky territory. No organisation should ever assume it is 100% safe. Investing in cyber security, and in awareness training for staff, has to be a continuous process rather than a one-off exercise. The detail reported later in this timeline also points to two controls that do not depend on an employee getting it right under pressure: phishing-resistant MFA, and keeping privileged credentials out of scripts left on file shares.

About this Article

We at Cyber Management Alliance created this Google Doc on 16th September 2022 and invite you to take part in sharing intelligence and knowledge about this cyber-attack.

We are determined to use the power of the crowds, the Wisdom of Crowds, to ensure that we all have a fighting chance to protect not only cyberspace, but the physical world that is now almost, if not fully, connected to cyberspace. 

This is a work in progress document and NOT final in any sense. Please feel free to contribute and/or make suggestions at info@cm-alliance.com

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

What & How it Happened 

1st January-2022: Uber allegedly ignored a vulnerability disclosed by bug bounty hunter SAFE (@0x21SAFE). The researcher warned the company that the flaw could be abused by threat actors to email the 57 million Uber users and drivers whose information was leaked in the 2016 data breach, but Uber, allegedly, did not take it seriously.

17th August-2022: HackerOne took down one of Uber’s assets on its platform, ListStorageBuckets (a bug bounty programme), as it had apparently been compromised by the hackers.

15th September-2022: Uber disclosed the incident on Twitter: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.” Reports identified the intruder as an 18-year-old who had gained access to Uber’s internal and third-party services.

16th September-2022: Claiming responsibility for the attack, the hacker told The New York Times that he had been working on his cybersecurity skills for several years and that he had broken into Uber’s systems because the company had weak security. In the Slack message announcing the breach, he also raised the issue of driver pay, saying: “Uber drivers should receive higher pay.”

16th September-2022: According to various sources like The NY Times and Reuters, the 18-year old hacker said that he had sent a text message to an Uber employee claiming to be a corporate IT person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber's systems. 

16th September-2022: The hacker reportedly told the NYT that he breached Uber for fun and was considering leaking the company’s source code. He also said he gained access through login credentials obtained from an employee via social engineering, which let him on to an internal company VPN. From there, he found PowerShell scripts on Uber’s intranet containing access-management credentials that allegedly allowed him to get into Uber’s AWS and G Suite accounts.

16th September-2022: According to The Register, the screenshots leaked on Twitter show: “An intruder has compromised Uber's AWS cloud account and its resources at the administrative level; gained admin control over the corporate Slack workspace as well as its Google G Suite account that has over 1PB of storage in use; has control over Uber's VMware vSphere deployment and virtual machines; access to internal finance data, such as corporate expenses; and more.” The source claims: “If this is correct, Uber has been significantly compromised with data and infrastructure at multiple levels available to the intruder.” 

16th September-2022: The Register also reported numerous claims that the intruder had access to a Confluence installation, private source code repositories and a SentinelOne security dashboard used by the company.

16th September-2022: Colton (@ColtonSeal) shared a screenshot of the attacker’s Slack message: “I announce I am a hacker and Uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and 2 monorepos from phabricator have also been stolen, along with secrets from sneakers. #uberunderpaisdrives”. Quoting that tweet, the infosec analyst payloadartist (@payloadartist) said: “Apparently, the attacker even posted a message on Slack informing the Uber employees of the breach but everyone thought it was a joke.”

16th September-2022: Payloadartist (@payloadartist) posted the impact details. He tweeted: “Uber apparently got grandly hacked. Attacker basically got access to almost everything (allegedly)

  • Slack
  • Google Workspace Admin
  • AWS Accounts
  • HackerOne Admin
  • SentinelOne EDR
  • vSphere
  • Financial Dashboards”

16th September-2022: Sam Curry, cybersecurity expert and threat hunter, told the NYT: “It seems like maybe they’re this kid who got into Uber and doesn’t know what to do with it, and is having the time of his life.”

16th September-2022: Sam Curry(@samwcyo) also highlighted this incident and the impact in his tweet: “Someone hacked an Uber employee's HackerOne account and is commenting on all of the tickets. They likely have access to all of the Uber HackerOne reports.” 

16th September-2022: Sam Curry (@samwcyo) posted a tweet relaying a message from an Uber employee who asked not to be named: “Feel free to share but please don’t credit me: at Uber, we got an “URGENT” email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers.”

16th September-2022: Sam Curry (@samwcyo) tweeted another employee’s statement: “From another Uber employee:

Instead of doing anything, a good portion of the staff was interacting and mocking the hacker thinking someone was playing a joke. After being told to stop going on slack, people kept going on for the jokes. Lmao.” 

16th September-2022: Another unnamed Uber employee reportedly told Sam Curry that staff were interacting with the hacker in the belief that someone was playing a joke, and shared a screenshot of a colleague’s message: “Sorry to be a stick in the mud, but I think IT would appreciate less memes while they handle the breach.”

16th September-2022: The malware librarians at VX Underground tweeted: 

“More Uber information data disclosed: vSphere, Google workplace data, and more AWS data.” 

“A Threat Actor claims to have completely compromised Uber - they have posted screenshots of their AWS instance, HackerOne administration panel, and more. They are openly taunting and mocking @Uber.” 

16th September-2022: Sam Curry (@samwcyo) tweeted: “The attacker is claiming to have completely compromised Uber, showing screenshots where they’re full admin on AWS and GCP.” 

16th September-2022: The malware librarians at VX Underground tweeted that the attacker had also accessed Uber’s financial data: “They disclosed Uber's financial data”.

16th September-2022: Sharing a hint on the tactics used in the Uber data breach incident, the cybersecurity expert Corben Leo (@hacker_) tweeted: “Uber was hacked. The hacker social engineered an employee -> logged into the VPN and scanned their intranet.” 

16th September-2022: Corben Leo also relayed what the attacker said about the internal network, tweeting the attacker’s own account: “Apparently there was an internal network share that contained powershell scripts.” “One of the powershell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, GSuite.”
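The chain described in the two entries above (VPN access, intranet scan, a PowerShell script on a share, a PAM admin credential inside it) is a failure that is easy to hunt for before an intruder does. The script below is an added example written for this page, not Uber’s code or tooling and not from the tweets quoted above: it walks script files looking for the usual plaintext-credential patterns and reports redacted hits. The share paths, script contents, account names and the AWS key (Amazon’s documented example key) are all constructed for the demo, and the pattern list is a starting point rather than a complete secret scanner.

```python
"""Hunt for plaintext credentials in PowerShell scripts on a file share.

Added example for this page; not Uber's code and not from the tweets above.
Sample scripts, paths and secrets below are constructed for the demo.
"""
import re
from pathlib import Path

# (label, regex). Each regex captures the secret in a group named 'secret'.
# Case-insensitive: PowerShell cmdlets and parameters are not case-sensitive.
PATTERNS = [
    # ConvertTo-SecureString "P@ss" -AsPlainText -Force
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+(['\"])(?P<secret>[^'\"]+)\1\s+-AsPlainText", re.I)),
    # $pamPassword = "..."   $apiToken = '...'
    ("password-assignment",
     re.compile(r"\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*(['\"])(?P<secret>[^'\"]{4,})\1", re.I)),
    # -Password "..."  -SecretKey "..."
    ("password-parameter",
     re.compile(r"-(?:Password|Pass|SecretKey|Secret|ApiKey|AccessKey)\s+(['\"])(?P<secret>[^'\"]{4,})\1", re.I)),
    # AWS access key IDs have a fixed, recognisable shape
    ("aws-access-key-id", re.compile(r"(?P<secret>AKIA[0-9A-Z]{16})")),
]


def redact(secret):
    """Keep two characters at each end so a hit can be matched to a vault entry."""
    return secret[:2] + "*" * max(len(secret) - 4, 1) + secret[-2:]


def find_credentials(text, source="<string>"):
    """Return one finding per (line, pattern) hit; secrets are never emitted raw."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in PATTERNS:
            m = rx.search(line)
            if m:
                findings.append({"source": source, "line": lineno,
                                 "type": label, "secret": redact(m.group("secret"))})
    return findings


def scan_share(root, suffixes=(".ps1", ".psm1", ".psd1", ".bat", ".cmd")):
    """Walk a mounted share (UNC path or local mount) and scan every script file."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip it, the share may be partially ACLed
            findings.extend(find_credentials(text, str(path)))
    return findings


# Constructed samples (hypothetical paths and contents) standing in for a real share.
SAMPLE_SCRIPTS = {
    r"\\fileserver\it-tools\rotate-service-accounts.ps1": r'''
# Constructed sample: a 'helpful' admin script of the kind left on shares
$pamUser = "svc_pam_admin"
$pamPassword = "Winter2022!"          # plaintext credential for the PAM API
$cred = New-Object PSCredential($pamUser, (ConvertTo-SecureString "Winter2022!" -AsPlainText -Force))
Invoke-RestMethod -Uri "https://pam.corp.example/api/secrets" -Credential $cred
''',
    r"\\fileserver\it-tools\backup-to-s3.ps1": r'''
Set-AWSCredential -AccessKey AKIAIOSFODNN7EXAMPLE -SecretKey "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
''',
    r"\\fileserver\it-tools\clean.ps1": r'''
# Safe version: credential requested at run time, nothing stored in the file
$cred = Get-Credential -Message "PAM admin"
''',
}


def scan_samples():
    """Scan the constructed samples in memory (same logic scan_share applies on disk)."""
    findings = []
    for name, text in SAMPLE_SCRIPTS.items():
        findings.extend(find_credentials(text, name))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['source']}:{f['line']}  {f['type']:<24} {f['secret']}")
```

Run `scan_share(r"\\fileserver\it-tools")` against a real mounted share. Treat every hit as a credential to rotate, not merely a line to delete: anyone who could read the share may already have copied it. Tools such as gitleaks or trufflehog cover the same ground with much larger rule sets; the value of a small script like this is that it runs on an SMB share without any repository.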

16th September-2022: Security researcher Bill Demirkapi (@BillDemirkapi) set out in a thread how the attacker may have got past Uber’s MFA:

“Let's talk about how they were compromised. The attacker has been quite upfront about how they compromised Uber's corporate infrastructure. Uber appears to use push notification MFA (Duo) for their employees. How can an attacker get around MFA?”

“An extremely common misconception people have with standard forms of MFA (push/touch/mobile) is that it prevents social engineering. Although MFA can protect against an attacker who only has the victim's credentials, it is commonly still vulnerable to MiTM attacks.” 

“An attacker can setup a fake domain that relays Uber's real login page with tooling such as Evilginx. The only difference is the domain they are visiting, which is easy to miss. For most MFA, nothing stops the attacker from relaying the authentication process.” 

“Once the attacker compromised an employee, they appear to have used that victim's existing VPN access to pivot to the internal network. Internal infrastructure is often significantly less audited and evaluated compared to external infrastructure.” 

“In this case, the attacker appears to have found an internal network share that contained scripts with privileged credentials, giving them the keys to the kingdom. They claim to have compromised Uber's Duo, OneLogin, AWS, and GSuite environments.”
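The thread above makes a point worth pinning down. A push or one-time-code second factor approves a login, but nothing in that approval records which site the user was actually on, so a reverse proxy such as Evilginx can sit between the user and the real login page and walk away with the resulting session. WebAuthn (FIDO2 security keys and platform authenticators) is the exception: the browser writes the page’s origin into the client data that the authenticator signs. The block below is an added example written for this page, not code from the thread, from Duo, Evilginx or Uber. It models the relying-party checks with the standard library only, using a SHA-256 digest as a stand-in for the authenticator’s signature so no key material is needed; the origins, challenge and the tiny push-MFA model are constructed for the demo.

```python
"""Why an Evilginx-style relay defeats push/OTP MFA but not WebAuthn.

Added example for this page; not code from the thread above, Duo, Evilginx or
Uber. The 'signature' is the digest an authenticator would sign, so the demo
runs without keys. Origins and challenge values are constructed.
"""
import base64
import hashlib
import json
import secrets

RP_ORIGIN = "https://login.example.com"      # assumed legitimate origin
AUTH_DATA = b"\x00" * 37                      # placeholder authenticatorData


def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_build_client_data(page_origin, challenge):
    """What a browser produces for navigator.credentials.get(). The origin is
    filled in by the browser from the page the user is on; page script cannot
    override it, and a proxy only sees the result."""
    cd = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    return json.dumps(cd, separators=(",", ":")).encode()


def authenticator_sign(client_data_json, authenticator_data=AUTH_DATA):
    """Authenticator signs authenticatorData || SHA-256(clientDataJSON).
    The digest of that message stands in for the ECDSA signature here."""
    return hashlib.sha256(authenticator_data + hashlib.sha256(client_data_json).digest()).digest()


def rp_verify(issued_challenge, client_data_json, signature, authenticator_data=AUTH_DATA):
    """Relying-party checks in the order the WebAuthn spec lists them."""
    try:
        cd = json.loads(client_data_json)
        if not isinstance(cd, dict):
            raise ValueError
        presented = b64url_decode(cd.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "malformed clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(presented, issued_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    expected = authenticator_sign(client_data_json, authenticator_data)
    if not secrets.compare_digest(expected, signature):
        return False, "signature does not cover this clientDataJSON"
    return True, "ok"


def scenario_legitimate():
    challenge = secrets.token_bytes(32)
    cdj = browser_build_client_data(RP_ORIGIN, challenge)
    return rp_verify(challenge, cdj, authenticator_sign(cdj))


def scenario_relay(evil_origin="https://login.example.com.evil-proxy.example"):
    """Evilginx-style: the proxy forwards the RP's challenge unchanged, the user's
    browser is on the phishing origin, the proxy forwards the assertion."""
    challenge = secrets.token_bytes(32)
    cdj = browser_build_client_data(evil_origin, challenge)
    return rp_verify(challenge, cdj, authenticator_sign(cdj))


def scenario_relay_with_rewritten_origin(evil_origin="https://login.example.com.evil-proxy.example"):
    """The proxy edits the origin field before forwarding. The origin check now
    passes, but the signature was made over the original bytes."""
    challenge = secrets.token_bytes(32)
    cdj = browser_build_client_data(evil_origin, challenge)
    sig = authenticator_sign(cdj)
    forged = cdj.replace(evil_origin.encode(), RP_ORIGIN.encode())
    return rp_verify(challenge, forged, sig)


def push_mfa_verify(password_ok, user_approved_push):
    """Push MFA as the RP sees it: two booleans, neither tied to an origin."""
    return password_ok and user_approved_push


def scenario_push_relay():
    """The proxy relays the password, the real site sends a push, the user (who
    believes they are logging in) approves it. The RP cannot tell the difference."""
    return push_mfa_verify(password_ok=True, user_approved_push=True)


if __name__ == "__main__":
    print("legitimate:        ", scenario_legitimate())
    print("relay:             ", scenario_relay())
    print("relay, origin edit:", scenario_relay_with_rewritten_origin())
    print("push MFA relay:    ", scenario_push_relay())
```

The push model is deliberately minimal: approving the prompt proves that the user pressed a button, not where their browser was pointed. The WebAuthn model shows the two properties that stop a relay, the origin check and the fact that the signature covers exactly the bytes the browser produced, so editing the origin in transit invalidates it. The same origin binding is why the thread’s “the only difference is the domain” observation matters less for security keys than for push or codes.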

16th September-2022: After Uber took its internal software tools offline due to the cyber attack, it gradually started bringing them online. In a statement, the company stated: “Internal software tools that we took down as a precaution yesterday are coming back online this morning.” 

18th September-2022: Michael (@LegacyKillaHD), a video game commentator, gave a clue as to who might be behind the Uber hack, tweeting: “Just an FYI. Person behind this GTA 6 leak is allegedly behind the recent hack of Uber a few days ago. At least he claims to be & used a similar method to steal Rockstar's secrets. Essentially, this isn't an angry employee or fan. A hacker that will be difficult to track down.”

Business Impact

16th September-2022: In its official update, Uber said: “We have no evidence that the incident involved access to sensitive user data (like trip history). All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.” 

16th September-2022: According to Bloomberg, Uber shares fell 5.2% in pre-market trading in New York Friday. 

16th September-2022: According to BleepingComputer, “The attacker downloaded all vulnerability reports before they lost access to Uber's bug bounty program. This likely includes vulnerability reports that have not been fixed, presenting a severe security risk to Uber. HackerOne has since disabled the Uber bug bounty program, cutting off access to the disclosed vulnerabilities. However, it would not be surprising if the threat actor had already downloaded the vulnerability reports and would likely sell them to other threat actors to cash out on the attack quickly.”

References: 

  1. https://www.linkedin.com/posts/chiefinfosec_leadership-informationsecurity-incidentresponse-activity-6976415560624439296-OWgb?
  2. https://twitter.com/Uber_Comms/status/1570584747071639552
  3. https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell 
  4. https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html  
  5. https://twitter.com/samwcyo/status/1570581007044317184 
  6. https://twitter.com/vxunderground/status/1570611979169202179 
  7. https://twitter.com/ColtonSeal/status/1570596125924794368 
  8. https://twitter.com/hacker_/status/1570582547415068672 
  9. https://twitter.com/vxunderground/status/1570597582417821703 
  10. https://www.theregister.com/2022/09/16/uber_security_incident/ 
  11. https://www.washingtonpost.com/technology/2022/09/15/uber-hack/ 
  12. https://hackerone.com/uber/updates?type=team 
  13. https://twitter.com/hacker_/status/1570582202697809920 
  14. https://twitter.com/payloadartist/status/1570631734861111296 
  15. https://www.reuters.com/business/autos-transportation/uber-investigating-computer-network-breach-nyt-2022-09-16/ 
  16. https://twitter.com/0x21SAFE/status/1476991015395471364 
  17. https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/ 
  18. https://www.cnbc.com/2022/09/16/uber-investigates-cybersecurity-incident-after-reports-of-a-hack.html 
  19. https://www.bloomberg.com/news/articles/2022-09-16/uber-says-it-s-investigating-extent-of-cybersecurity-incident 
  20. https://www.uber.com/en-CA/newsroom/security-update/ 
  21. https://twitter.com/LegacyKillaHD/status/1571439441482235904 

Legal & Disclaimers

Every contributor has made an effort to ensure that the information in this document is accurate. Cyber Management Alliance Ltd (herein referred to as CMA) hereby disclaims any liability to any party for any loss, damage or disruption caused by this information in this document or errors or omissions, whether such errors or omissions result from negligence, accident or any other cause. 

The reader must understand that this document is not intended to replace professional consultancy, advice and guidance. The reader must ensure that he/she seeks professional consultation and/or refers to other material and/or consultants in matters relating to, but not limited to, cyber attacks or data breaches. Cybersecurity, information security and data privacy are a complex set of topics and the authors and CMA advise the reader to take full responsibility and precaution to protect their personal information and not to take risks beyond the level of experience, aptitude, training and comfort level.

