Internal Systems At Uber Have Been Compromised, And Vulnerability Report Data Has Been Taken.

by | Mar 7, 2024

Uber Technologies Inc. announced on Thursday that it was looking into a cybersecurity problem following news of a network breach that forced the business to shut down numerous internal engineering and communications systems.

A hacker who gained access to vulnerability reports and shared screenshots of Uber’s internal systems, email dashboard, and Slack server on Thursday afternoon launched a cyberattack against the firm.

According to the screenshots the hacker released and those obtained by BleepingComputer, numerous crucial Uber IT services, including the business’ Windows domain and security software, appear to be fully accessible.

The hacker also gained access to the organization’s Google Workspace email admin panel, VMware ESXi virtual machines, Amazon Web Services interface, and Slack server, where the hacker made posts.

Since then, Uber has verified the attack and tweeted that it is in contact with law authorities and will share more details as they become available.

“We’re dealing with a cybersecurity problem right now. Law enforcement is in contact with us, and we’ll update this page as soon as we have more information,” the Uber Communications account tweeted.

The threat actor, who claimed responsibility for the breach in conversation with The New York Times, said that he infiltrated Uber through a social engineering attack on an employee and the theft of that employee’s password.

Using the stolen credentials, the threat actor subsequently got access to the company’s internal systems.

Social engineering has become a very common approach, used in recent attacks on well-known firms such as Twitter, MailChimp, Robinhood, and Okta.

HackerOne Vulnerability Reports Exposed:

While it’s conceivable that the threat actor who carried out this attack took data and source code from Uber, they may also have had access to a far more valuable resource.

Sam Curry, a security specialist at Yuga Labs, claims that the hacker also had access to the organization’s HackerOne bug bounty programme, where they left comments on all of the bug bounty tickets.

Curry told BleepingComputer that he discovered the breach when the attacker left a comment on a vulnerability report he had submitted to Uber two years earlier.

Through the company’s HackerOne bug bounty programme, security researchers can privately report flaws in Uber’s software and applications in return for a monetary reward. These vulnerability reports are meant to remain confidential until a fix is available, so that attackers cannot weaponize them.

Curry said that a member of the Uber staff claimed that the threat actor had access to all of the business’s confidential vulnerability reports on HackerOne.

A source also informed BleepingComputer that the attacker downloaded all vulnerability reports before losing access to Uber’s bug bounty programme. These probably include reports of vulnerabilities that have not yet been patched, which poses a serious security risk to Uber.

Since then, HackerOne has disabled the Uber bug bounty programme, preventing anyone from making use of the disclosed vulnerabilities through it.

It would not be surprising if the threat actor had already acquired the vulnerability reports and was planning to sell them to other threat actors in order to profit immediately from the attack.