
Uber Network Compromised by Hackers

Uber Investigating ongoing Cyber Incident

Introduction

Cyble Research & Intelligence Labs (CRIL) observed social media posts on Twitter on September 15, 2022, indicating multiple network breaches of mobility-as-a-service giant Uber Technologies Inc. The company confirmed the cybersecurity incident in their network in a tweet.

Figure 1: Uber Technologies Inc.’s official statement on Twitter confirming a cybersecurity incident

This is not the first time Uber has been hit by a cyberattack: in October 2016, another attack on Uber exposed the data of 57 million customers and drivers.

Initiation

CRIL observed that the first instance of the breach was highlighted in the company’s communication channels. The Threat Actor (TA) Tea Pot allegedly compromised the HackerOne and Slack accounts of one of the employees and posted claims of compromise in their internal channels.

Our investigation to understand the source of the breach led us to identify the account of an Uber employee apparently working as a Lead in their App Engineering Team.

From the screenshots of the Slack accounts below, the TA used a Slack account with the username ‘Nwave’ to announce the compromise of Uber networks on September 15, 2022, at about 3:00 PM (EDT).

Figure 2: Hacker’s post from the compromised Slack account

Figure 3: Hacker’s message from compromised HackerOne account of one of Uber’s employees (Source: Twitter)

A conversation on Telegram between the TA and a researcher led us to understand that the attack may have been initiated via social engineering: targeting an Uber employee to intercept Multi-Factor Authentication (MFA) and luring that employee into granting VPN access.

Gaining VPN access may then have allowed the attacker to launch a Man-in-the-Middle attack within Uber’s internal network (*[.]corp[.]uber[.]com). The conversation also suggests that the internal network contained PowerShell scripts with admin credentials for Thycotic’s PAM (Privileged Access Management) solution used by the company. This may have allowed the attacker to gain complete control over the Google Cloud Platform (GCP) and Amazon Web Services (AWS) environments used by Uber.
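Scripts that embed PAM admin credentials, as described above, are something a defender can hunt for directly on file shares. The following scanner is an added example, not Cyble’s or Uber’s code: it walks a directory for PowerShell files and reports lines that carry plaintext secrets, with a constructed sample script (hostname, account and values are made up) to show what it flags.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Regexes for secrets commonly left in PowerShell scripts (constructed list, not exhaustive); group 1 is the secret.
PATTERNS = {
    "plaintext_password_param": re.compile(r'-(?:Password|Pass|Pwd|Secret|Token)\s+["\']([^"\']{4,})["\']', re.I),
    "plaintext_secure_string": re.compile(r'ConvertTo-SecureString\s+["\']([^"\']+)["\']\s+-AsPlainText', re.I),
    "password_assignment": re.compile(r'\$?\w*(?:pass(?:word)?|pwd|secret|api_?key|token)\w*\s*=\s*["\']([^"\']{4,})["\']', re.I),
    "basic_auth_header": re.compile(r'Authorization\s*=\s*["\']Basic\s+([A-Za-z0-9+/=]{8,})["\']', re.I),
}

@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str  # offending line with the secret replaced by ***

def scan_text(text: str, path: str = "<inline>") -> List[Finding]:
    findings = []  # one Finding per (line, rule) hit; comment lines are skipped
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for rule, pattern in PATTERNS.items():
            m = pattern.search(stripped)
            if m:
                findings.append(Finding(path, line_no, rule, stripped.replace(m.group(1), "***")))
    return findings

def scan_tree(root: Path, exts=(".ps1", ".psm1", ".psd1")) -> List[Finding]:
    results = []  # walk a directory (e.g. a mounted script share) and scan every PowerShell file under it
    for f in root.rglob("*"):
        if f.is_file() and f.suffix.lower() in exts:
            results.extend(scan_text(f.read_text(errors="replace"), str(f)))
    return results

# Constructed sample of the risky pattern: PAM admin credentials embedded in a script (host and values made up).
SAMPLE_SCRIPT = (
    '$PamUser = "svc_pam_admin"\n'
    '$PamPassword = "Summer2022!"\n'
    '$Body = @{ username = $PamUser; password = $PamPassword; grant_type = "password" }\n'
    '$Token = (Invoke-RestMethod -Uri "https://pam.example.internal/oauth2/token" -Method Post -Body $Body).access_token\n'
    '$Headers = @{ Authorization = "Basic c3ZjX3BhbV9hZG1pbjpTdW1tZXIyMDIyIQ==" }\n'
    '$Sec = ConvertTo-SecureString "Summer2022!" -AsPlainText -Force\n'
    '$Cred = Get-Credential -Message "PAM admin"  # safer: prompt at run time, nothing stored on disk\n'
)
```

Point scan_tree at a mounted copy of a script share; on SAMPLE_SCRIPT it flags lines 2, 5 and 6 and leaves the Get-Credential line alone, and every reported snippet has the secret masked so the report itself does not leak it.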

Figure 4: TA’s conversation with a security researcher

The screenshot below indicates the TA’s alleged access to Uber’s Intranet portal. The TA claimed to gain access to the VPN and used Uber’s intranet to scan through their internal networks.

Figure 5: Screenshot of the Uber Intranet portal

Another image, allegedly from the internal Finance Management Portal of Uber, reflects “Budget v/s Actual Expenses” incurred concerning Travel & Entertainment (T&E) expenses in August 2022. This leaked information pertains to Uber employees worldwide.

The names reflected in the screenshot are attributed to Uber’s senior leadership via open-source intelligence. Thus, we can safely confirm that the internal portal belongs to Uber.

The image also suggested the TA’s access to the Active Directory domain controller in the impacted network.

Figure 6: TA demonstrating access to alleged Internal Finance Management portal: Excerpt from Uber’s internal tool

The images in Figures 7 and 8 indicate that the TA demonstrated administrative access to Google Cloud Platform (GCP) and Amazon Web Services (AWS). One of the users mentioned in the GCP instance belongs to the Global Head of Creative Production at Uber.

Figure 7: Alleged access to GCP shared via Twitter

Figure 8: Alleged access to the AWS instance

Furthermore, we also found evidence of compromise from Twitter sources indicating the TA’s access to the management panel of Uber’s Slack Workspaces. From the open tabs on the TA’s system, we can infer, with a reasonable degree of certainty, that the TA could also have attempted access to the affected employee’s Microsoft Outlook and Teams accounts to further expand their privileges.

Figure 9: Screenshot of alleged access to Uber’s Slack Workspaces

One of the leaked screenshots (Figure 10) shows the EDR panel of SentinelOne, utilized by Uber. The timestamp in the window suggests that the TA might have gained access to the portal on September 15, 2022, at about 5:40 PM (EDT).

Figure 10: Alleged access to SentinelOne’s Dashboard

Conclusion

The information gathered thus far from open sources by CRIL ascertains that Uber Technologies Inc. has indeed suffered a cyberattack on September 15, 2022.

At this point, the claims by the TA ‘Tea Pot’ and the alleged sequence of events leading to compromise and exploitation seem to be genuine.

Cyble Research and Intelligence Labs will continue to monitor and cover this incident and keep our readers informed.

Tactics, Techniques, and Procedures (TTPs)

Based on the available information on the breach, the TA’s preliminary MITRE ATT&CK® TTPs are identified as:

Tactics                             ID
Initial Access                      TA0001
Credential Access                   TA0006
Discovery                           TA0007
Lateral Movement                    TA0008
Reconnaissance                      TA0043

Techniques                          ID
Phishing                            T1566
Multi-Factor Authentication Interception   T1111
Active Scanning                     T1595
Valid Accounts                      T1078
External Remote Services            T1133
Exploitation of Remote Services     T1210
Remote Services                     T1021
Cloud Infrastructure Discovery      T1580
Adversary-in-the-Middle             T1557

References

https://twitter.com/vxunderground/status/1570626503947485188
https://twitter.com/ColtonSeal/status/1570596125924794368
https://twitter.com/samwcyo/status/1570577801790783493
https://twitter.com/praise_terryd/status/1570583105123258369
https://twitter.com/NahamSec/status/1570581906160496640
https://twitter.com/hacker_/status/1570582547415068672
https://twitter.com/akita_zen/status/1570580604777005057
