On Thursday night, the ride-share giant confirmed that it was responding to a cyber incident and was contacting law enforcement. Someone claiming to be an individual hacker took responsibility for the attack and bragged to security researchers about what they had done. In a post on Thursday night, the attacker announced that they were a hacker and that the company had suffered a data breach, and listed a number of claims about what they had accessed. The sign-off was reported to be "uberunderpaisdrives."
According to The New York Times, the company temporarily took down access to some internal services on Thursday after the breach was discovered. The company said that the internal software tools taken down as a precaution are coming back online, and said on Friday that there was no evidence the incident involved access to sensitive user data. Screenshots leaked by the attacker suggest, however, that the systems may have been deeply and thoroughly compromised, and that anything the attacker did not access may have been left alone only for lack of time.
The approach the hacker used to break into the company is not the only one that would have worked against it; plenty of red teamers have used similar techniques in the past. These types of breaches are not new to me.
According to the attacker, they gained access to the company's systems by targeting an individual employee and repeatedly sending them multifactor login push notifications. After more than an hour of this, the attacker claims, they contacted the same target on a messaging service, pretending to be an IT person from the ride-sharing company.
MFA fatigue is an attack on multifactor setups in which account owners approve a login through a push notification on their device rather than by entering a randomly generated code: the attacker triggers prompt after prompt until the target approves one. Attackers are increasingly using these MFA-prompt phishes, and phishing has grown more sophisticated as more companies adopt two-factor authentication. When a company that provides multifactor authentication is itself compromised, the consequences can be dire. Organizations that require physical security keys for logins have been able to defend themselves against this kind of attack.
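As an added defensive illustration that is not part of the article, the following Python detector flags the prompt-flooding pattern described above when run over constructed sample MFA push log lines; the log format, field names and thresholds are assumptions, not any vendor's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log lines (not from any real system).
# Assumed format: "<ISO timestamp> user=<name> event=push result=<approved|denied|timeout>"
SAMPLE_LOG = """\
2022-09-15T22:01:04Z user=alice event=push result=timeout
2022-09-15T22:02:11Z user=alice event=push result=denied
2022-09-15T22:03:20Z user=alice event=push result=timeout
2022-09-15T22:04:02Z user=alice event=push result=denied
2022-09-15T22:05:45Z user=alice event=push result=timeout
2022-09-15T22:09:30Z user=alice event=push result=approved
2022-09-15T22:10:00Z user=bob event=push result=approved
2022-09-15T23:30:00Z user=bob event=push result=denied
"""

def parse(line):
    """Split one log line into a dict of fields plus a parsed 'ts' datetime."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def find_mfa_fatigue(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return {user: (unanswered_count, approved_after_burst)} for users with at
    least `threshold` denied/timed-out push prompts inside `window`.
    approved_after_burst is True when an approval follows such a burst within
    the window, i.e. the signature of a prompt flood that finally succeeded."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            by_user[ev["user"]].append(ev)
    alerts = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        recent = []  # sliding window of unanswered prompts for this user
        for ev in events:
            recent = [r for r in recent if ev["ts"] - r["ts"] <= window]
            if ev["result"] in ("denied", "timeout"):
                recent.append(ev)
                if len(recent) >= threshold:
                    alerts.setdefault(user, [0, False])
                    alerts[user][0] = max(alerts[user][0], len(recent))
            elif ev["result"] == "approved" and len(recent) >= threshold:
                # Approval right after a burst: escalate, this is the worst case.
                alerts[user] = [max(len(recent), alerts.get(user, [0])[0]), True]
    return {u: tuple(v) for u, v in alerts.items()}
```

Bursts with no subsequent approval still surface (second tuple field False), so the alert can be tuned to page on approvals and merely log the rest.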
Zero trust has become a nearly meaningless term in the security industry, but this incident at least shows an example of what it isn't. The attackers claim to have been able to access network shares that contained scripts for Microsoft's automation and management program. One of the scripts contained credentials for an administrator account on the access management system, and the attacker claimed that controlling this account gave them access to critical identity and access management services.