On September 15, Uber officially confirmed a cybersecurity incident affecting the whole organization. According to the security investigation, the attacker gained a foothold in the company’s systems and moved laterally to reach critical infrastructure. The incident came to light after a young hacker, who claimed to have breached Uber’s systems, shared vulnerability reports and screenshots of the organization’s critical assets, including an email dashboard and the Slack server, publicly on the bug bounty platform HackerOne.
The HackerOne vulnerability reports confirm that the adversary reached the internal network, gaining access to the Amazon Web Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard.
Sigma rules developed by SOC Prime’s content developers help security professionals detect the MFA abuse seen in this attack, in particular the flood of push prompts that characterizes MFA fatigue:
Okta Possible MFA/2FA Flooding/Spamming/Phishing (via user_auth)
Azure Possible MFA/2FA Flooding/Spamming/Phishing (via azuread)
The detection content pieces above are aligned with the MITRE ATT&CK® framework. Security practitioners can easily switch between multiple SIEM, EDR, and XDR formats to get the rule source code applicable to 26 security solutions.
SOC Prime’s Detection as Code platform curates a set of Sigma rules to identify the malicious behavior related to this latest Uber breach. The dedicated detections and relevant cyber threat context are available without registration directly from the Cyber Threats Search Engine.
Based on news reports regarding the breach of Uber’s systems, the attacker manipulated one of the company’s employees into sharing their password, which gave the attacker initial access to the target. The criminal hacker then launched MFA fatigue attacks, in which the victim is bombarded with MFA push prompts until one is approved, and compromised a worker’s Slack account to send out a message announcing to other employees that the company had suffered a data breach. In response, Uber restricted access to Slack for internal communication. Other compromised services include Google Cloud Platform, OneLogin, the SentinelOne incident response portal, and AWS.
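The Okta and Azure rules listed above target exactly the pattern described here: a burst of MFA push challenges aimed at one identity, which becomes a confirmed compromise rather than a nuisance the moment an approval follows the burst. As an added example (not SOC Prime rule content and not code from the page), the Python below runs that sliding-window logic over constructed Okta-style events. The eventType strings are modeled on the Okta System Log, but the exact names, the flattened field layout, the thresholds, and the users alice, bob and carol are assumptions for illustration.

```python
"""Sliding-window detection of MFA push flooding (MFA fatigue) over constructed
Okta-style System Log events. Added example; not SOC Prime rule content."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# eventType values modeled on the Okta System Log. Treat the exact strings and the
# flattened field layout below as assumptions; map them to your tenant's schema.
PUSH_SENT = "system.push.send_factor_verify_push"   # push challenge sent to the user's device
MFA_SUCCESS = "user.authentication.auth_via_mfa"    # user approved a factor and authenticated

BASE = datetime(2022, 9, 15, 10, 0, 0, tzinfo=timezone.utc)  # arbitrary constructed start time


def _event(offset_seconds, event_type, user):
    return {"published": BASE + timedelta(seconds=offset_seconds),
            "eventType": event_type, "actor": user}


def build_sample_events():
    """Constructed sample telemetry (not real Uber or Okta data)."""
    events = []
    # alice: 12 pushes at 30 s intervals, then an approval one minute after the last one.
    # This is the fatigue pattern: the victim finally taps "approve" to stop the noise.
    for i in range(12):
        events.append(_event(30 * i, PUSH_SENT, "alice"))
    events.append(_event(390, MFA_SUCCESS, "alice"))
    # bob: normal behaviour, one push per hour, each approved within seconds.
    for start in (0, 3600):
        events.append(_event(start, PUSH_SENT, "bob"))
        events.append(_event(start + 8, MFA_SUCCESS, "bob"))
    # carol: six pushes 20 minutes apart, never approved (e.g. a stale client retrying).
    for i in range(6):
        events.append(_event(1200 * i, PUSH_SENT, "carol"))
    return events


def detect_mfa_flooding(events, threshold=5, window_seconds=600, approval_grace_seconds=900):
    """Return {user: alert} for every user who received >= `threshold` push challenges
    inside any span of `window_seconds`. `approved_after_flood` is set when an MFA
    success lands within `approval_grace_seconds` of the last push in the burst; that
    is the case to page on, because the attacker now holds an authenticated session."""
    window = timedelta(seconds=window_seconds)
    grace = timedelta(seconds=approval_grace_seconds)
    alerts = {}
    recent = defaultdict(deque)  # per-user timestamps of pushes still inside the window
    for e in sorted(events, key=lambda ev: ev["published"]):
        user, t = e["actor"], e["published"]
        if e["eventType"] == PUSH_SENT:
            q = recent[user]
            q.append(t)
            while t - q[0] > window:  # evict pushes that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {"pushes": 0, "window_start": q[0],
                                                 "window_end": t, "approved_after_flood": False})
                alert["pushes"] = max(alert["pushes"], len(q))
                alert["window_end"] = t
        elif e["eventType"] == MFA_SUCCESS and user in alerts:
            if t - alerts[user]["window_end"] <= grace:
                alerts[user]["approved_after_flood"] = True
    return alerts


def severity(alert):
    """Triage hint: an approval right after a flood means the fatigue attack worked."""
    return "high" if alert["approved_after_flood"] else "medium"


if __name__ == "__main__":
    for user, alert in detect_mfa_flooding(build_sample_events()).items():
        print(f"{user}: {alert['pushes']} pushes between {alert['window_start']:%H:%M:%S} "
              f"and {alert['window_end']:%H:%M:%S}, severity={severity(alert)}")
```

With the defaults only alice trips the rule (12 pushes in under six minutes, followed by an approval, so severity is high); bob's two approved pushes an hour apart and carol's slow trickle stay quiet. Lowering the threshold and widening the window catches carol's pattern too, but without an approval it stays at medium, which is the tuning trade-off these rules make. The same logic applies to Azure AD sign-in logs by swapping the event mapping: there the burst shows up as repeated sign-in attempts for one user with the MFA-denied result code 500121, followed by a successful sign-in.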
Several security researchers have already called the breach a “total security compromise” and warned that the attacker might post the company’s source code online, even as the tech giant’s representatives try to “put out the fire” spreading across media channels. The San Francisco-based ride-hailing company’s position differs from that of non-Uber security analysts: Uber maintains that there is no evidence the threat actor accessed sensitive data.
Prior to the incident, logs harvested by infostealers from Uber employees were put up for sale on underground markets; the infostealers involved were Raccoon and Vidar. The evidence suggests that the attacker used the acquired credentials to move laterally inside Uber’s network.
The motives of the threat actor are yet to be revealed, but his message shared in a channel on Uber’s Slack includes a demand for better pay for drivers. Uber representatives have not released further public updates, stating that the incident is under investigation.
Social engineering techniques are on the rise. This attack mirrors the recent trend of criminal hackers adopting more sophisticated approaches to exploiting the human factor in their attacks. Drastic times call for drastic measures! Join forces with SOC Prime to enhance your threat detection capabilities and security posture with the power of a global community of cybersecurity experts. You can also enrich the collaborative expertise by contributing to SOC Prime’s crowdsourcing initiative. Develop and submit your Sigma and YARA rules, get them published on the platform, and receive recurring rewards for your input.