Qualys comments on the hacking attack on Uber

October 11, 2022

By Paul Baird, CTSO UK at Qualys

Uber was the victim of a hacking attack on the night of Friday 16 September, according to its own statement on Twitter. According to media reports, the attacker gained access to several systems of the mobility service provider.

So far, there is only conjecture about the exact details of the incident. To get an accurate picture of the potential security breach, we must first wait for Uber’s full RCA (Root Cause Analysis) – if it is ever released. If the reporting so far is true, then there were several flaws in Uber’s IT and cybersecurity arrangements.

The original social engineering attack vector is still difficult to defend against, especially if it came via a text message. But there was obviously no MFA on the corporate VPN either, and leaving a PowerShell script with access management permissions on an intranet system is inexcusable.

Hackers who penetrate corporate networks for “fun” are the most dangerous. Since their only goal is usually to gain access to internal systems, cause damage and steal data, there is very little Uber can do now to minimise the impact of the security breach. With financially motivated actors, by contrast, there is at least the option of paying a ransom to mitigate the extent of the damage.

I am surprised that the internal security systems did not intercept the East-West traffic while the attacker traversed the network in search of rich pickings (which he apparently got in the form of confidential company information and source code).

Uber needs to learn from this security breach, strengthen its IT and cybersecurity programmes, implement or expand MFA, and conduct a clean-up of its systems to ensure that scripts and documents residing on internal systems do not contain information that opens the door wide to attackers.
