Uber hack could be smokescreen, warn experts

By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 19 Sept 2022

The immense scale and scope of the recent cyber attack on Uber could be a smokescreen that reveals a rigorously executed plan, targeting high-profile users of the e-hailing giant.

This is according to security industry pundits reacting to the Uber data breach, which took place on Thursday afternoon, when an alleged 18-year-old hacker gained full access to many critical Uber IT systems. The systems include the company's internal security software, e-mail dashboard, Slack server and Windows domain.

According to BleepingComputer, the hacker gained access to the company's internal systems using stolen employee credentials. Other systems reportedly accessed by the hacker include the company's VMware vSphere/ESXi virtual machines, Amazon Web Services console and the Google Workspace admin dashboard for managing Uber e-mail accounts.

Dr Ilia Kolochenko, founder of application security company ImmuniWeb and member of the Europol Data Protection Experts Network, believes there is more to the security incident than meets the eye.

“It is possible that Uber fell victim to a sophisticated cyber threat actor looking to get sensitive information about locations and trips of VIP persons, journalists and politicians, whilst the disclosed version of the incident is just a smokescreen.

“The allegedly immense scale and scope of the data breach may evidence a carefully planned and rigorously executed attack by a sophisticated threat actor,” warns Kolochenko.

The reported social engineering attack vector – in isolation from other activities – seems to be highly improbable here, he adds.

“This is because many different and critical systems have been simultaneously compromised.”

It is believed the hacker initially downloaded vulnerability reports from bug bounty platform HackerOne, prior to sharing the screenshots of the company's internal systems with employees.

Potentially enormous losses

In a media statement released on Friday, Uber said while its investigation and response efforts are ongoing, there is no evidence the incident involved access to sensitive user data.

“We are currently responding to the cyber security incident. We are in touch with law enforcement and will post additional updates as they become available,” said the company.

John Shier, senior security advisor at Sophos, says the incident could point to a lack of adequate internal security controls.

“The Uber hack demonstrates how important identity management, backed by strong authentication, such as hardware security keys, is for privileged systems, and why today's organisations need the ability to detect when attackers exploit, misuse or steal credentials,” he asserts.

As seen in recent high-profile attacks against large organisations, persistent attackers can find a way around multi-factor authentication systems that rely solely on time-based one-time passwords or push-based authentication, adds Shier.

Szilveszter Szebeni, CISO at Tresorit, is of the view that similar incidents have historically caused enormous losses to organisations.

“Losses may even be the complete loss of all IT infrastructure from one day to the next. The extent of Uber’s losses will remain to be seen; a lot of IT systems may need to be reconfigured from scratch. Protection of credentials is the top priority,” states Szebeni.