Qualys comments on the hacking attack on Uber

October 11, 2022

By Paul Baird, CTSO UK at Qualys

Uber was the victim of a hacking attack on the night of Friday 16 September, according to its own statement on Twitter. According to media reports, the attacker gained access to several systems of the mobility service provider.

So far, there is only conjecture about the exact details of the incident. To get an accurate picture of the potential security breach, we must first wait for Uber’s full RCA (Root Cause Analysis) – if it is ever released. If the reporting so far is true, then there were several flaws in Uber’s IT and cybersecurity arrangements.

The original social engineering attack vector is still difficult to defend against, especially if it came via a text message. But there was obviously no MFA on the corporate VPN either, and leaving a PowerShell script with access management permissions on an intranet system is inexcusable.

Hackers who penetrate corporate networks for “fun” are the most dangerous. Since the hackers’ only goal is usually to gain access to internal systems, cause damage and steal data, there is very little Uber can do now to minimise the impact of the security breach. However, when dealing with financially motivated actors, there is at least the option of paying a ransom to mitigate the extent of the damage.

I am surprised that the internal security systems did not intercept the East-West traffic while the attacker traversed the network in search of rich pickings (which he apparently got in the form of confidential company information and source code).

Uber needs to learn from this security breach, strengthen its IT and cybersecurity programmes, implement or expand MFA, and conduct a clean-up of its systems to ensure that scripts and documents residing on internal systems do not contain information that opens the door wide to attackers.

Related Articles

Four ATM burglars arrested

Four ATM burglars arrested

Bavaria's Interior Minister Joachim Herrmann congratulates the successful investigation by the public prosecutor's office and the police: Heavy blow against Dutch gang - Number of ATM burglaries in Bavaria declining - Better security of ATMs necessary +++ Four arrests...

VdS draft guideline for gluing systems for banknote neutralization

VdS draft guideline for gluing systems for banknote neutralization

VdS Schadenverhütung GmbH has released the draft of VdS 6040-1 "VdS Guidelines for Banknote Security Systems - Gluing Systems for Banknote Neutralization" for public consultation These guidelines contain requirements for gluing systems with active application of the...

Share This