Uber Investigating ongoing Cyber Incident
Introduction
Cyble Research & Intelligence Labs (CRIL) observed social media posts on Twitter on September 15, 2022, indicating multiple network breaches of mobility-as-a-service giant Uber Technologies Inc. The company confirmed the cybersecurity incident in their network in a tweet.
This is not the first time Uber has been hit by a cyberattack, in October 2016, another cyberattack aimed at Uber exposed 57 million customers’ and drivers’ data.
Amorçage
CRIL observed that the first instance of the breach was highlighted in the company’s communication channels. The Threat Actor (TA) Tea Pot allegedly compromised the HackerOne and Slack accounts of one of the employees and posted claims of compromise in their internal channels.
Our investigation to understand the source of the breach led us to identify the account of an Uber employee apparently working as a Lead in their App Engineering Team.
From the screenshots of the Slack accounts below, the TA used a Slack account with the username ‘Nwave’ to announce the compromise of Uber networks on September 15, 2022, at about 3:00 PM (EDT).
Apparently, a conversation on Telegram between the TA and a researcher-led us to understand that the attack may have been initiated via social engineering – targeting an Uber employee to intercept Multi-Factor Authentication (MFA) and lure the targeted employee to gain VPN access.
Gaining VPN access further may have allowed the attacker to launch a Man-in-the-Middle attack into Uber’s internal network (*[.]corp[.]uber[.]com). The conversation also suggests that the internal network contained PowerShell scripts with admin credentials to Thycotic’s PAM (Private Access Management) used by the company. This may have allowed the attacker to gain complete control over the Google Cloud Platform (GCP) and Amazon Web Services (AWS) used by Uber.
Related Observations And Analysis
The screenshot below indicates the TA’s alleged access to Uber’s Intranet portal. The TA claimed to gain access to the VPN and used Uber’s intranet to scan through their internal networks.
Another image, allegedly from the internal Finance Management Portal of Uber, reflects “Budget v/s Actual Expenses” incurred concerning Travel & Entertainment (T&E) expenses in August 2022. This leaked information pertains to Uber employees worldwide.
The names reflected in the screenshot are attributed to Uber’s senior leadership via open-source intelligence. Thus, we can safely confirm that the internal portal belongs to Uber.
The image also suggested the TA’s access to the active directory domain controller in the impacted network.
The images in Figure 7 and 8 indicates that the TA demonstrated having administrative access to Google Cloud Platform (GCP) and Amazon Web Services (AWS). One of the users mentioned in the GCP instance belongs to the Global Head of Creative Production at Uber.
Furthermore, we also found evidence of compromise from Twitter sources, which indicate the TA’s access to the management panel of Slack Workspaces. From the open tabs of the TA’s system, we can infer, with a reasonable degree of certainty, that the TA could have also attempted access to the affected employee’s Microsoft Outlook and Teams accounts to further expand their own privileges.
One of the leaked screenshots (Figure 10) shows the EDR panel of SentinelOne, utilized by Uber. The timestamp in the window suggests that the TA might have gained access to the portal on September 15, 2022, at about 5:40 PM (EDT).
Conclusion
The information gathered thus far from open sources by CRIL ascertains that Uber Technologies Inc. has indeed suffered a cyberattack on September 15, 2022.
At this point, the claims by TA’ Tea Pot’ and the alleged sequence of events leading to compromise and exploitation seem to be genuine.
Cyble Research and Intelligence Labs will continue to monitor and cover this incident and keep our readers informed.
Tactics, Techniques, And Procedures (TTPs)
Based on the available information on the breach, the TA’s preliminary MITRE ATT&CK® TTPs are identified as:
| Tactics | ID |
| Initial Access Tactics | TA0001 |
| Credential Access | TA0006 |
| Discovery | TA0007 |
| Lateral Movement | TA0008 |
| Reconnaissance | TA0043 |
| Techniques | ID |
| Phishing | T1566 |
| Multi-Factor Authentication Interception | T1111 |
| Active Scanning | T1595 |
| Valid Accounts Techniques | T1078 |
| External Remote Services | T1133 |
| Exploitation of Remote Services | T1210 |
| Remote Services | T1021 |
| Cloud Infrastructure Discovery | T1580 |
| Adversary-in-the-Middle | T1557 |
References
https://twitter.com/vxunderground/status/1570626503947485188
https://twitter.com/ColtonSeal/status/1570596125924794368
https://twitter.com/samwcyo/status/1570577801790783493
https://twitter.com/praise_terryd/status/1570583105123258369
https://twitter.com/NahamSec/status/1570581906160496640
https://twitter.com/hacker_/status/1570582547415068672
https://twitter.com/akita_zen/status/1570580604777005057
