Security

Uber Investigating Breach of Its Computer Systems (nytimes.com) 27

Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack. From a report: The breach appeared to have compromised many of Uber's internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times. "They pretty much have full access to Uber," said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. "This is a total compromise, from what it looks like."

An Uber spokesman said the company was investigating the breach and contacting law enforcement officials. Uber employees were instructed not to use the company's internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly. Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, "I announce I am a hacker and Uber has suffered a data breach." The message went on to list several internal databases that the hacker claimed had been compromised.
BleepingComputer adds: According to Curry, the hacker also had access to the company's HackerOne bug bounty program, where they commented on all of the company's bug bounty tickets. Curry told BleepingComputer that he first learned of the breach after the attacker left the above comment on a vulnerability report he submitted to Uber two years ago. Uber runs a HackerOne bug bounty program that allows security researchers to privately disclose vulnerabilities in their systems and apps in exchange for a monetary bug bounty reward. These vulnerability reports are meant to be kept confidential until a fix can be released to prevent attackers from exploiting them in attacks.

Curry further shared that an Uber employee said the threat actor had access to all of the company's private vulnerability submissions on HackerOne. BleepingComputer was also told by a source that the attacker downloaded all vulnerability reports before they lost access to Uber's bug bounty program. This likely includes vulnerability reports that have not been fixed, presenting a severe security risk to Uber. HackerOne has since disabled the Uber bug bounty program, cutting off access to the disclosed vulnerabilities.

  • Wow (Score:5, Interesting)

    by mrex ( 25183 ) on Friday September 16, 2022 @06:13AM (#62886483)

    Socially engineered credentials to the VPN, then found PowerShell scripts with hardcoded admin credentials to their Thycotic secrets manager. Ooof, if true.

    I see a lot more organizations mandating signed scripts only, going forward.

    • Ok, you run a bug bounty program. But if you have a huge list - a rap sheet as long as your arm, unfixed, you need to disclose this to your investors in a timely manner. Annual report and stock exchange disclosures. Let's hope CFD traders take appropriate actions.
      • Re: (Score:2, Offtopic)

        by mrex ( 25183 )

        Ok, you run a bug bounty program.

        What's that going to do? A bug bounty program won't fix employees being socially engineered out of their credentials - that's a training issue, and also a weak MFA issue. A bug bounty program won't fix employees coding credentials into scripts that remain internal to the company - that's an application security issue, and also a training issue.

        • Trust me. They do PLENTY of security training. Like the fake phishing emails where if you click it you have to go into training. The problem is that despite this, you can't fix stupid!
          • Stupidity isn't the issue, ignorance is. And you can fix that with training.

            Most people aren't security oriented, they're trusting. People who trust each other work together much more easily and efficiently. The trick is balancing that against awareness of the practical attacks, without overwhelming people with so much security concern that trust devolves.

        • This should shed a little light on the bug bounty issue. The hacker downloaded all the vulnerability reports and as such would presumably know all of Uber's vulnerabilities. ------------- "Uber runs a HackerOne bug bounty program that allows security researchers to privately disclose vulnerabilities in their systems and apps in exchange for a monetary bug bounty reward. These vulnerability reports are meant to be kept confidential until a fix can be released to prevent attackers from exploiting them in att
          • The issue with bug bounty programs is you have to actually fix the bugs once they are reported... not just pay people hush money to keep quiet about the bugs.

    • Re: (Score:2, Offtopic)

      I see a lot more organizations mandating signed scripts only, going forward.

      I mainly see organizations demanding the work finished a day before the assignment is given. And when things go wrong, they blame the developers.

    • What makes you believe they wouldn't sign the scripts with the credentials then?
    • "So when you say, 'tied over a barrel, with your pants around your ankles, you mean...' "

      "Yes. That's exactly what I mean."

    • I see a lot more organizations mandating signed scripts only, going forward.

      Not likely. Most people don't know how to do that.

    • by ksw_92 ( 5249207 )

      Signed PowerShell scripts are still clear-text but with a signature blob at the end. Signing won't protect against leaked credentials if they're hard-coded in the script. It's hard (but not impossible) to do good security when you have to automate against interfaces that only do basic auth still.

      • by mrex ( 25183 )

        The idea is to do some code quality analysis on anything before signing it, though.
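
The pre-signing "code quality analysis" mrex describes, together with ksw_92's point that a signature leaves a hard-coded secret readable, can be made concrete as a gate that refuses to sign any script containing a credential literal. The following is an added example, not code from the thread, from Uber or from any signing tool: the two PowerShell snippets it scans are constructed samples, the regexes cover a handful of common idioms rather than every possible one, and the vault and secret names in the hardened variant (`CorpVault`, `svc_automation`, `$env:SECRETS_SERVER`) are placeholders.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    snippet: str


# Each rule is (name, compiled regex). They target PowerShell idioms that put a
# secret literally into the file; a value fetched at run time never appears as
# a quoted literal and therefore passes. The list is illustrative, not complete.
RULES = [
    ("plaintext secret assigned to a variable",
     re.compile(r'\$\w*(?:password|passwd|pwd|secret|token|apikey|api_key)\w*'
                r'\s*=\s*["\'][^"\']+["\']', re.I)),
    ("ConvertTo-SecureString fed a string literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    ("secret literal in a hashtable or named argument",
     re.compile(r'(?<!\$)\b(?:password|secret|apikey|api_key)\s*=\s*["\'][^"\']+["\']', re.I)),
    ("bearer token literal",
     re.compile(r'Bearer\s+[A-Za-z0-9_.\-]{20,}', re.I)),
]


def scan_script(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit; comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append(Finding(lineno, name, m.group(0)))
    return findings


def ready_to_sign(text: str) -> bool:
    """Gate: a script with any hardcoded-credential finding must not be signed."""
    return not scan_script(text)


# Constructed sample of the kind of automation script the thread describes:
# a secrets-manager API client with the admin credential embedded in the file.
SAMPLE_SCRIPT = r'''# Rotate service accounts via the secrets-manager REST API (constructed sample)
$Server   = "https://secrets.example.internal"
$Username = "svc_automation"
$Password = "Sup3rS3cretP@ss!"
$Secure   = ConvertTo-SecureString "AnotherPlaintext1" -AsPlainText -Force
$Cred     = New-Object System.Management.Automation.PSCredential($Username, $Secure)
$Body     = @{ username = $Username; password = "Sup3rS3cretP@ss!"; grant_type = "password" }
$Token    = Invoke-RestMethod -Uri "$Server/oauth2/token" -Method Post -Body $Body
$Headers  = @{ Authorization = "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl" }
'''

# Hardened variant: the same job with the credential fetched at run time.
# Get-Secret comes from the Microsoft.PowerShell.SecretManagement module; the
# vault name, secret name and environment variable are placeholders.
HARDENED_SCRIPT = r'''# Same job, secrets resolved at run time (constructed sample)
$Cred    = Get-Secret -Name "svc_automation" -Vault "CorpVault"
$Token   = Invoke-RestMethod -Uri "$env:SECRETS_SERVER/oauth2/token" -Method Post -Credential $Cred
$Headers = @{ Authorization = "Bearer $($Token.access_token)" }
'''


if __name__ == "__main__":
    for label, script in (("sample", SAMPLE_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        hits = scan_script(script)
        print(f"{label}: {'SIGN' if not hits else 'REFUSE'} ({len(hits)} finding(s))")
        for f in hits:
            print(f"  line {f.line}: {f.rule}: {f.snippet}")
```

Wired into a signing pipeline, the signing step (for example `Set-AuthenticodeSignature`) would run only when `ready_to_sign` returns true. A scan of this sort only catches secrets that sit in the file as literals; it complements, rather than replaces, keeping credentials in a secret store and pulling them at run time as the hardened snippet does.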

  • by argStyopa ( 232550 ) on Friday September 16, 2022 @07:08AM (#62886527) Journal

    "HackerOne has since disabled the Uber bug bounty program, cutting off access to the disclosed vulnerabilities."

    Cutting off access to the DESCRIPTIONS of the vulnerabilities, not (as it seems) the vulnerabilities themselves.

  • All your base are belong to us! j/k Rather sad a modern tech company is getting caught with its proverbial pants down.
  • The baddies were looking for the list of employee drivers who enjoyed employee benefits and found an empty file.

  • No doubt Uber will deal with this problem the way they deal with all their problems: pick a driver or two at random, blame everything on them, then claim the situation has been dealt with.

  • Whoa, second time (Score:4, Insightful)

    by stabiesoft ( 733417 ) on Friday September 16, 2022 @09:34AM (#62886705) Homepage
    Article says this is the 2nd time Uber has been compromised. And does the latest include user account info? Seems it would based on the report. Pretty bad. Does it include CC's? Does it include ride data, which could be used to figure out your address? Like I said, pretty bad.
  • from a shit company.
  • by rsilvergun ( 571051 ) on Friday September 16, 2022 @11:13AM (#62886907)
    named Keffals and swat her. She was in Ireland at the time and their police aren't as batshit crazy as Americans so it didn't work (she's alive) but Uber's security is extremely lax/bad.

    If you use Uber take it for granted that all your personal information is just a phone call to their support away.
