Cyber-security researchers have revealed there were basic flaws in Uber’s security gateways as social engineering was employed as an initial attack vector, making the hack “a classic case of failure on multiple levels”.

Social engineering encompasses a broad spectrum of malicious activities via online human interactions, like phishing, pretexting, and baiting.

This hack had a tremendous impact on Uber, starting from the obfuscation of the application code, hindering the usability of the application, leaked credentials, and access that could facilitate multiple account takeovers and leaking of sensitive and critical information of the entity, according to AI-driven cyber-security firm CloudSEK.

“Equipping malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence, not to mention the reputational damage for Uber,” the researchers from the firm emphasized.

The ride-hailing major Uber last week blamed the infamous Lapsus$ hacking group for the cyber attack on its internal systems. The company reiterated that no customer or user data was compromised during the breach.

“The Uber Hack is a classic case of failure on multiple levels where Over privilege or privilege mismanagement plays a pivotal role. Eliminating privilege escalation paths or monitoring for access changes in accounts can be initial answers for mitigation, apart from Darkweb and surface web monitoring,” said Abhinav Pandey, Cyber Threat Researcher, CloudSEK.

Buy Me A Coffee

The threat actor was able to compromise an employee’s HackerOne account to access vulnerability reports associated with Uber.

READ
AI-Driven Cyber Attacks Top Risk for Enterprises, Says Report

To demonstrate the legitimacy of the claims, the actor posted unauthorized messages on the HackerOne page of the company.

“Moreover, the attacker has also shared several screenshots of Uber’s internal environment including their GDrive, VCenter, sales metrics, Slack, and the EDR portal,” said cyber-security researchers.

The actor plausibly employed social engineering techniques as an initial attack vector to compromise Uber’s infrastructure. After attaining access to multiple credentials, the actor exploited the compromised victim’s VPN access.

Subsequently, the actor gained access to an internal network (Intranet), where the actor got access to a directory, plausibly with the name “share”, which provided the actor with numerous PowerShell scripts that contained admin credentials to the privileged access management system (Thycotic).

“This enabled the actor with complete access to multiple services of the entity such as Uber’s Duo, OneLogin, AWS, GSuite Workspace, etc,” the researchers reported.

Lapsus$ typically uses similar techniques to target technology companies, and this year breached Microsoft, Cisco, Samsung, Nvidia, and Okta, among others.