Last week, yet another data breach hit UBER, the mobile mobility master—just 3 months after the media flooded with reports on the lone teenage hacker who infiltrated the company’s data banks in September. At the time, the Washington Post said the company saw no evidence of sensitive user data access, but admits that phishing was at the bottom of the plot. This didn’t stop shares from tanking another 5%.
This time, the culprit was the Lasus$ extortion group, a 2022 ransomware crime world star. The cost, 77000 UBER employee records, management reports, data destruction reports, source code, Windows domain login names, and more.
In September, it was an employee who was phished for his credentials by a hacker posing as a work colleague—not an overly sophisticated attack, according to Dragos Inc.’s Lesley Carter. His fake MFA notifications ignored, the hacker simply asked for account details through a WhatsApp message purportedly from the company’s head of Enterprise Security, thereby gaining access to the employee’s VPN and bypassing the multi-factor authentication safeguard.
Once in the system, the hacker managed to gain admin access into UBER’s cloud-based storage, where client and financial data was stored. Worse, one internal file held the credentials to UBER’s entire system. Luckily the teen was merely bent on publicity, sharing screenshots of his wares on social media and, in fact, alerting UBER security to the vulnerabilities through its own network and publishing his exploits on Telegram.
Unluckily, his announcements to the company through their internal Slack account were met with derision (Silicon Republic is now revealing that employees are being instructed not to use Slack…) .
Multi-Factor Authentication—Not foolproof!
MFA has become a part of our lives; suddenly, all your existing mobile devices display push messages requiring your permission for the new device each time you activate an app.
It seems foolproof: you provide Google with your phone number, for example, and then, each time you log in from a new device with your username and password, Google sends your phone a push notification asking if it was indeed you who attempted to enter your account. Banks send out push messages whenever you initiate a major online transaction; and your employer’s IT department will require MFA for many mobile device actions.
But the MFA enrolment process is itself flawed. Anyone with your username and password can simply add a new MFA device to the MFA process. To do this, all the attacker needs to do is create a fake phishing login site identical to the usual one, into which the victim enters his credentials. He only needs to convince you once to enable access through his phone, then adds that to the MFA queue of authentication devices; and he can then enter your account without you being any the wiser.
Once past the MFA hurdle, a hacker can gain access to a company’s deepest realms through its VPN. Consequently, many companies are now introducing physical security keys and bio-metrics to log in.
UBER’s MaaS concept includes personal transport (book a car & ride), food transport (Uber-Eats deliveries), packages and freight, and even i-scooters and bikes. 118 million active users per month book an average of 19 million trips each day, and 2021 revenues were $17.5 bn.
For UBER, this isn’t the first time the inventor of the MaaS (Mobility-as-a-Service) concept has been infiltrated: a 2016 attack was covered up by its then security chief, and this year documents were leaked to The Guardian illustrating how the company broke into markets using questionable means. In France, for example, President Emmanuel Macron—then economy minister—cozied up to the company by facilitating their entry to the country; in another, former company head Travis Kalanick somehow convinced then-vice US President Joe Biden to amend his Davos speech in favor of UBER. Ireland’s Enda Kenny and Israel’s Bejamin Netanyahu were also allegedly UBER targets, while in Russia, Italy and Germany, state heads were actually offered financial incentives.
Violence was traditionally treated by UBER executives as part of the market-infiltration playbook, but the Guardian explains that this was mainly in retaliation to attacks by enraged taxi drivers threatened with the source of their livelihood. On the other hand, the fact that in many countries UBER operated without legal permission was also treated with dismissal.
In short, considering the number of enemies UBER has made along the way—political and with transport industry troops—if you thought the once friendly hacker was saving them a lot of grief by exposing their underbelly, you were wrong.
Last September they may have been taken for a ride. Now it seems they’re in it for the long haul!