www.wired.com
151.101.66.194
Public Scan
Submitted URL: https://t.co/OHnBzTHzFL
Effective URL: https://www.wired.com/story/uber-hack-mfa-phishing/
Submission: On September 19 via api from CA — Scanned from CA
Form analysis
0 forms found in the DOM
Text Content
The Uber Hack’s Devastation Is Just Starting to Reveal Itself
Lily Hay Newman, Security, Sep 16, 2022 5:35 PM
An alleged teen hacker claims to have gained deep access to the company’s systems, but the full picture of the breach is still coming into focus.
Photograph: David Paul Morris/Bloomberg/Getty Images
On Thursday evening, ride-share giant Uber confirmed that it was responding to “a cybersecurity incident” and was contacting law enforcement about the breach. An entity that claims to be an individual 18-year-old hacker took responsibility for the attack, bragging to multiple security researchers about the steps they took to breach the company.
The attacker reportedly posted, “Hi @here I announce I am a hacker and Uber has suffered a data breach,” in a channel on Uber's Slack on Thursday night. The Slack post also listed a number of Uber databases and cloud services that the hacker claimed to have breached. The message reportedly concluded with the sign-off, “uberunderpaisdrives.”
The company temporarily took down access on Thursday evening to Slack and some other internal services, according to The New York Times, which first reported the breach. In a midday update on Friday, the company said that “internal software tools that we took down as a precaution yesterday are coming back online.” Invoking time-honored breach-notification language, Uber also said on Friday that it has “no evidence that the incident involved access to sensitive user data (like trip history).” Screenshots leaked by the attacker, though, indicate that Uber's systems may have been deeply and thoroughly compromised and that anything the attacker didn't access may have been the result of limited time rather than limited opportunity.
“It’s disheartening, and Uber is definitely not the only company that this approach would work against,” says offensive security engineer Cedric Owens of the phishing and social engineering tactics the hacker claimed to use to breach the company. “The techniques mentioned in this hack so far are pretty similar to what a lot of red teamers, myself included, have used in the past. So, unfortunately, these types of breaches no longer surprise me.”
The attacker, who could not be reached by WIRED for comment, claims that they first gained access to company systems by targeting an individual employee and repeatedly sending them multifactor authentication login notifications. After more than an hour, the attacker claims, they contacted the same target on WhatsApp pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login.
Such attacks, sometimes known as “MFA fatigue” or “exhaustion” attacks, take advantage of authentication systems in which account owners simply have to approve a login through a push notification on their device rather than through other means, such as providing a randomly generated code. MFA-prompt phishes have become more and more popular with attackers. And in general, hackers have increasingly developed phishing attacks to work around two-factor authentication as more companies deploy it. The recent Twilio breach, for example, illustrated how dire the consequences can be when a company that provides multifactor authentication services is itself compromised. Organizations that require physical authentication keys for logins have had success defending themselves against such remote social engineering attacks.
The phrase "zero trust" has become a sometimes meaningless buzzword in the security industry, but the Uber breach seems to at least show an example of what zero trust is not. Once the attacker had initial access inside the company, they claim they were able to access resources shared on the network that included scripts for Microsoft's automation and management program PowerShell. The attackers said that one of the scripts contained hard-coded credentials for an administrator account of the access management system Thycotic. With control of this account, the attacker claimed, they were able to gain access tokens for Uber's cloud infrastructure, including Amazon Web Services, Google's GSuite, VMware's vSphere dashboard, the authentication manager Duo, and the critical identity and access management service OneLogin.
Screenshots leaked by the attacker support the claims of this deep access, including to OneLogin. In an analysis on Friday, researchers from the cybersecurity firm Group IB suggested that the attacker may have first breached Uber earlier this week and only made their presence known on Thursday.
One independent security engineer described the OneLogin account access the Uber hacker seems to have had access to as “the golden ticket jackpot.”
“That’s God—they own that there’s nothing they can’t access," the security engineer added. "It’s Disneyland. It’s a blank check at the candy shop and Christmas morning all rolled up together. But sure, customer ride data wasn’t impacted. OK.”
The situation at Uber comes on the heels of congressional testimony on Wednesday from Twitter’s former security chief Peiter “Mudge” Zatko, who has invoked whistleblower protections as part of accusations alleging deplorable security practices within the social media giant.
Zatko's testimony this week got senators fired up about the importance of security within Big Tech. But in the past, even the direst and rattling hacks have led only to incremental progress on the most basic best practices. Zatko's testimony did not seem to impact Twitter's stock price at all on Wednesday. Uber's stock had a small dip Friday morning, but it had partly recovered by the closing bell. For now, the full scope of the situation inside the ride-sharing giant remains unknown.
"I think there are a lot of opportunities to work on detections and preventions proactively," offensive security engineer Owens says.
“This can be difficult to execute in practice, though, when you have lots of other fires to put out, political challenges inside of an organization, et cetera. Maybe I’m slowly becoming jaded since I’ve been around in this space for a while.”
Lily Hay Newman is a senior writer at WIRED focused on information security, digital privacy, and hacking. She previously worked as a technology reporter at Slate magazine and was the staff writer for Future Tense, a publication and project of Slate, the New America Foundation, and Arizona State University.
© 2022 Condé Nast. All rights reserved.