Social engineering attack compromises internal networks and Uber’s bug bounty reports

Uber is investigating claims its systems have been compromised by an attacker.

The attacker offered evidence that they had successfully breached many of the ride-sharing app firm’s internal networks by posting various screenshots and commenting on their exploits in interactions with the media and security experts.

The miscreant claimed that they socially engineered an employee before gaining access to their VPN credentials. This compromised access subsequentially allowed them to hack into its network and scan Uber’s intranet.


Catch up with the latest data breach news


Uber is purported to rely on multi-factor authentication (MFA). Third-party experts have commented that an attacker may have been able to circumvent these controls by establishing a fake domain and any relaying authentication codes submitted to the genuine domain using a manipulator-in-the-middle (MitM) attack.

According to the attacker, the hack was set up by spamming an Uber employee with push authentication requests for more than an hour before using another channel to trick them into authorizing one of the requests.

The attacker claims they went on to locate a network share containing powershell scripts that included the username and password of a system administrator.

Using this information, the cybercrook was purportedly able to extract passwords and access Uber’s AWS (Amazon Web Services), Onelogin, and GSuite environments, among others).

They also hacked into an Uber employee’s HackerOne account before commenting on multiple tickets, evidence that the miscreant likely has compromised highly sensitive bug bounty reports related to security vulnerabilities in Uber products and infrastructure.

As a result of the hack, Uber workers have been left unable to access Slack and some other tools. In addition, the hacker posted NSFW (Not Safe For Work) images on internal employee resource pages.

In an update to its official Twitter account, Uber said: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”

The Daily Swig asked for early access to comment on the results of this ongoing data breach investigation. No word back as yet but we’ll update this story as and when more information comes to hand.


DON’T FORGET TO READ ManageEngine flaw posed code injection risk for password management software