On Thursday afternoon, a hacker launched a cyberattack against Uber, gaining access to vulnerability reports and sharing images of the company’s internal systems, email dashboard, and Slack server. Images from the hacker appear to show complete access to several essential Uber IT systems, including the company’s Windows domain and security software. The hacker also gained access to the organization’s Google Workspace email admin panel, VMware ESXi virtual machines, Amazon Web Services interface, and Slack server, where the hacker made posts. Since then, Uber has confirmed the attack and tweeted that it is in contact with law enforcement and will share more details as they become available.
“We’re dealing with a cybersecurity incident right now. Law enforcement is in contact with us, and we’ll update this page as soon as we have more information,” the Uber Communications account tweeted.
The eighteen-year-old threat actor, who claimed responsibility for the breach in a conversation with The New York Times, said that he infiltrated Uber through a social engineering attack on an employee and the theft of their password. Using the stolen credentials, the threat actor gained access to the company’s internal systems. Social engineering has been a highly common approach in recent attacks against well-known companies like Twitter, MailChimp, Robinhood, and Okta.
HackerOne Vulnerability Reports Leaked
While it’s possible the threat actor took data and source code from Uber, they may also have had access to an even more valuable resource. Sam Curry, a security specialist at Yuga Labs, claims that the hacker also had access to the organization’s HackerOne bug bounty program, where they left comments on all of the bug bounty tickets.
Curry said that he first became aware of the incident when the attacker commented on a vulnerability report he had sent to Uber two years ago. Through the company’s HackerOne bug bounty program, security researchers may discreetly disclose vulnerabilities in Uber’s software and systems in exchange for a financial reward. These vulnerability reports are intended to stay private until a remedy is available, to stop attackers from using them as a weapon.
Curry added that a member of the Uber staff claimed that the threat actor had access to every private vulnerability report in the firm’s HackerOne program. According to a source, the attacker reportedly downloaded all vulnerability reports before losing access to Uber’s bug bounty program. This most certainly includes reports of vulnerabilities that haven’t been patched, which poses a serious security risk to Uber. To prevent access to the reported vulnerabilities, HackerOne has since stopped the Uber bug bounty program. It would not be unusual if the threat actor had already downloaded the reports, and they would likely sell them to other threat actors to immediately profit from the attack.
Remember…the tricks never go out of date as they are always updated.