By Paul Baird, CTSO UK at Qualys
Uber was the victim of a hacking attack on the night of Friday 16 September, as the company confirmed in its own statement on Twitter. Media reports say the attacker gained access to several of the mobility service provider's systems.
So far, there is only conjecture about the exact details of the incident. To get an accurate picture of the potential security breach, we must first wait for Uber’s full RCA (Root Cause Analysis) – if it is ever released. If the reporting so far is true, then there were several flaws in Uber’s IT and cybersecurity arrangements.
The original social engineering attack vector is still difficult to defend against, especially if it came via a text message. But there was obviously no MFA on the corporate VPN either, and leaving a PowerShell script with access management permissions on an intranet system is inexcusable.
Hackers who penetrate corporate networks for “fun” are the most dangerous. Since the hackers’ only goal is usually to gain access to internal systems, cause damage and steal data, there is very little Uber can do now to minimise the impact of the security breach. However, when dealing with financially motivated actors, there is at least the option of paying a ransom to mitigate the extent of the damage.
I am surprised that the internal security systems did not intercept the East-West traffic while the attacker traversed the network in search of rich pickings (which he apparently got in the form of confidential company information and source code).
Uber needs to learn from this security breach, strengthen its IT and cybersecurity programmes, implement or expand MFA, and conduct a clean-up of its systems to ensure that scripts and documents residing on internal systems do not contain information that opens the door wide to attackers.
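The clean-up that last point calls for is, concretely, a sweep of scripts and documents on internal systems for embedded credentials. Below is an added example, not from this article or from Qualys, of a minimal scanner in Python run over constructed sample files: it applies a handful of patterns (PowerShell plaintext passwords, secret-bearing parameters and assignments, credentials in URLs, private key blocks), skips lines that fetch the secret at run time from a prompt, vault or environment variable, and masks values in its output so the findings list does not itself become a new leak. The UNC paths, the Connect-PamService cmdlet and every secret value are made up for the example, and the pattern set is illustrative rather than a complete ruleset.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    rule: str
    excerpt: str  # offending line with the secret value masked, safe to paste into a ticket


# Illustrative patterns for credentials embedded in scripts and documents; a real
# programme would run a maintained secret scanner's ruleset on top of these.
SECRET_PATTERNS = {
    "powershell_plaintext_password": re.compile(
        r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText", re.IGNORECASE),
    "password_parameter": re.compile(
        r"-(?:Password|Secret|ApiKey|Token)\s+['\"][^'\"]+['\"]", re.IGNORECASE),
    "assignment_secret": re.compile(
        r"(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{4,}['\"]",
        re.IGNORECASE),
    "credential_url": re.compile(r"[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@", re.IGNORECASE),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Lines that obtain the secret at run time (prompt, SecretManagement, Key Vault, env) are the wanted pattern.
SAFE_HINTS = re.compile(r"Get-Credential|Get-Secret|Get-AzKeyVaultSecret|\$env:", re.IGNORECASE)

QUOTED = re.compile(r"(['\"])[^'\"]*\1")
URL_CREDS = re.compile(r"://([^\s/:@]+):[^\s/@]+@")


def redact(line: str) -> str:
    """Mask quoted values and URL passwords so a finding can be shared without re-leaking the secret."""
    line = QUOTED.sub(r"\1***\1", line)
    return URL_CREDS.sub(r"://\1:***@", line)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per line that embeds a credential and does not use a run-time secret source."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SAFE_HINTS.search(line):
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, redact(line)))
                break  # one finding per line is enough for triage
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents (stands in for walking a share)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample contents standing in for files found on an intranet share.
# Paths, the Connect-PamService cmdlet and all values are hypothetical.
SAMPLE_FILES = {
    r"\\intranet\scripts\sync-pam-users.ps1": (
        "# nightly PAM user sync\n"
        "$svcUser = 'svc-pam-sync'\n"
        "$secure = ConvertTo-SecureString 'NotARealPassword123' -AsPlainText -Force\n"
        "Connect-PamService -User $svcUser -Password 'NotARealPassword123'\n"
        '$apiKey = "EXAMPLE-KEY-0000"\n'
    ),
    r"\\intranet\scripts\sync-pam-users-fixed.ps1": (
        "$cred = Get-Credential -UserName 'svc-pam-sync'\n"
        "$apiKey = $env:PAM_API_KEY\n"
        '$dbPassword = "$env:DB_PASSWORD"\n'
    ),
    r"\\intranet\docs\runbook.txt": (
        "Database connection: postgres://reporter:NotARealPw@db.internal:5432/reports\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEXAMPLEKEYMATERIAL\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line} [{f.rule}] {f.excerpt}")
```

The "fixed" script produces no findings because it takes the credential from a prompt and from environment variables rather than embedding it, which is the shape the clean-up should leave behind. Anything the scan does flag has to be treated as already exposed: rotate that credential and then rewrite the script, since deleting the line alone leaves the old secret valid for whoever copied the file first.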