Unless you were off planet or on a remote uninhabited island mid Pacific with no Internet access, it would have been hard to miss the Uber hack which was disclosed in September. An obvious question that came to everyone’s mind is “what exactly went wrong with Uber?” and “What could they have done better to prevent this breach from happening?”. If you are also curious about this and searching for the answer to these questions, then this blog post gives you good insight into what went wrong and the aftermath of the attack.
In this blog post, we will break down the Uber security breach into “what” and “how”. Then we will try to address some measures which Uber could have taken to prevent this breach from happening ending with a summary of important lessons learnt from this incident.
This article has referred to multiple Internet sources to build a timeline of the execution of the breach and predominantly covers the technical aspects of what (potentially) happened.
On 15th September 2022, Uber made an official announcement acknowledging the security breach. Soon enough Twitter users started tweeting about this. Some users even started tweeting about this even before the official announcement was made from the company side. The hacker after getting access to Uber’s AWS, Slack and SentinelOne accounts started posting insider information and screenshots of evidence to announce the hack.
On 19th September 2022, Uber completed their initial stage of investigation and released an official note emphasising on “What did happen” and their response to this security breach.
The image below shows the life-cycle of the breach and all the events that possibly could have happened.
Initial foothold
The hacker was able to get an initial foothold using a set of credentials purchased from the dark web. Two of the Uber contractor employees VPN credentials were compromised after their personal devices were infected with a malware. The attacker then utilised these credentials and performed the MFA fatigue attack (aka MFA Prompt Spamming/MFA bombing). This is a simple technique in which attackers flood user’s authentication app with push notifications in the hope they will accept, enabling the attacker to gain entry to an account or device. Eventually, the contractor employee accepted the push request once, and the attacker successfully logged in.
Post Pandemic, it has become very normal for the organisations to allow users to work from home using VPN or similar technologies. One of the main challenges with work from home setup is to ensure that people are well trained and have good awareness about information security practices. Especially, when they are using their personal laptop to connect to the corporate network. According to Uber, the contractor employee password was compromised after their personal laptop was infected with the malware resulting in allowing the attacker to get initial access to the Uber internal environment.
Lack of Security Awareness and Training
Clearly, the contractor employee lacked general security awareness. The employee might have either ignored or neglected the information security training and sessions conducted withing the organisation, if any. Allowing use of personal devices and not ensuring sufficient security training for all employees seems like the first mistake which Uber did resulting into this breach.
It is very important for all the organisations to conduct proper security awareness sessions for all employees on a periodic basis to strengthen their security posture. That too should be conducted in a fun and interactive manner so that employees actively participate and learn from the training. Not just for compliance reasons wherein employees often tend to get bored and could not learn anything from it. After all, humans are the weakest link of an organisation's security and requires most attention, constant training and periodic reminders.
Network Enumeration
Once the hacker penetrated Uber’s internal network by using compromised VPN credentials, he/she scanned for internal resources and eventually found a network share to which they had at least read permissions. The hacker may have used common network discovery and enumeration tools like Nmap, sharesniffer, SMB-Data-Discovery, etc for enumerating the internal network and discovering the network shares. They then found a folder inside an accessible network share which contained a few windows PowerShell scripts. These PowerShell scripts that the attacker stumbled upon contained credentials of an admin user of Thycotic (a popular Privileged Access Management software). Windows PowerShell scripts are written in an English like language that can easily be read using simple text editors like notepad
Not all users were likely supposed to have access to this folder. Failure to implement sufficient access control played a vital role in this context allowing the attacker to further penetrate the Uber internal network. In another universe, regardless of whether the attacker came in from the Internet or was an insider, the fact that a privileged credential was lying around in an accessible network share could have allowed any user to gain privileged access to additional Uber resources.
Privilege Escalation
These admin credentials were then utilised by the attacker to login to the Thycotic PAM solution in use. A PAM solution is used by the big organisations to secure identities with special privileges and log the usage for auditing purpose. Once the attacker got access to Thycotic, they were able to get access to all the other infrastructure and tools used within the organisation including Uber’s AWS account, Google Workspace, slack, etc.
Lessons learned
To close, here are some of the things we have learnt while examining the timeline and the attacker workflow. We all need to learn from this security breach and use the learning to strengthen the security posture of both infrastructure and human resources.