On September 15th, Uber confirmed rumors of a major cybersecurity breach. According to the security investigation, the organization's network had been significantly compromised and the attackers had gained lateral access to the company's critical infrastructure.
Background:
To draw attention to the cybersecurity situation, a young hacker claiming to have gained access to Uber's systems shared vulnerability reports and screenshots of the company's vital assets, such as the Slack server and email dashboard. The public was able to access this confidential information on the bug bounty website HackerOne.
The HackerOne vulnerability reports demonstrate that the attacker gained access to the system’s internal network, compromising the Google Workspace admin dashboard, VMware vSphere/ESXi virtual machines, and Amazon Web Services console.
Attack Cycle:
Attackers gained access to a VPN and Uber’s internal network *.corp.uber.com using a social engineering attack against Uber employees.
Once inside the network, the attacker discovered several PowerShell scripts, one of which contained hard-coded login credentials for the domain admin account of Thycotic, Uber's Privileged Access Management (PAM) solution.
The attacker used that admin access to reach and control a number of internal tools and services, including Uber's internal employee dashboards, AWS, GCP, Google Drive, the Slack workspace, SentinelOne, the HackerOne admin console, and several code repositories.
Breach Analysis:
According to news reports describing the hack of Uber's systems, the attacker tricked a staff member into disclosing their password, which gave the attacker initial access. Researchers believe the employee's login credentials may have been stolen by password-stealing malware such as RedLine installed on the employee's computer; Lapsus$ has previously obtained employee credentials via RedLine as well. Uber said that the hacker may have bought the stolen passwords on a dark web marketplace.
Bypassing MFA: The attacker used an MFA fatigue attack, bombarding the victim with repeated MFA push prompts in order to confuse them, and then posed as Uber "IT" staff over WhatsApp to get the victim to accept the prompt and visit a phishing page the attacker had set up. The victim went to the fictitious Uber login page and entered their details.
Initial Access: After gaining access to the employee's account, the attacker used that person's pre-existing VPN access to reach the intranet.
Lateral Movement: A major weakness that gave the attacker such broad access was a PowerShell script's hard-coded credentials. These credentials granted administrator access to the Thycotic PAM system, which controls access to multiple systems. As a result, the attacker appeared to have complete access to all of Uber's internal systems.
Impact: The attacker gained access to Uber's internal network environment, including G Suite, vCenter, Slack, AWS, and the EDR portal.
Lessons Learnt:
Lessons learnt from this incident are as follows:
Implement Zero-Trust Network Access (ZTNA).
Organizations should start using phishing-resistant MFA such as hardware security keys, which require employees to physically plug a USB device into their computers after entering their credentials, specifically for privileged users.
Use an advanced risk-based authentication and authorization approach with conditional access that looks at device fingerprint, whether the device is managed and domain-joined, geo-IP, location, device X.509 certificate authentication and so on.
SSO is a double-edged sword: once credentials are compromised, the attacker has access to all integrated platforms. Use with care!
Ensure the VPN is built around SSL VPN with endpoint host checks, and ensure the above aspects are enforced and baselined from a monitoring perspective.
Perform regular security awareness training and simulated phishing tests for employees that target MFA compromise and simulate context bypass, to ensure risk-based and conditional access are working as expected.
Ensure your secrets, master passwords, tokens and private keys are isolated and highly segmented into different vaults, with access governed through strict access policies so that only specific workloads can reach them.
Ensure PowerShell and automation scripts do not contain hard-coded passwords.
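One way to check for the hard-coded-credential weakness described under Lateral Movement and in the last lesson above is to scan PowerShell sources for credential literals before they reach a file share or repository. The Python scanner below is an added example, not Uber's or any vendor's tooling; the sample script, its values, and the cmdlet Get-VaultSecret are constructed for illustration.

```python
import re

# Heuristic patterns for hard-coded credentials in PowerShell source. This is an
# added example, not Uber's tooling; tune the list for your own code base.
CREDENTIAL_PATTERNS = [
    # ConvertTo-SecureString "literal" -AsPlainText -Force
    (r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText",
     "plaintext SecureString literal"),
    # -Password 'literal' (or -Secret / -ApiKey / -Token) on any cmdlet
    (r"-(?:Password|Secret|ApiKey|Token)\s+['\"][^'\"]+['\"]",
     "credential passed as string literal"),
    # $password = 'literal' style assignments to credential-named variables
    (r"\$\w*(?:pass|pwd|secret|token|apikey)\w*\s*=\s*['\"][^'\"]+['\"]",
     "credential-named variable assigned a literal"),
    # user:password@host embedded in a URI
    (r"[a-z]+://[^/\s:]+:[^/\s@]+@", "credentials embedded in URI"),
]

def scan_powershell(text):
    """Return (line_number, reason, line) findings for PowerShell source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):  # skip comment-only lines
            continue
        for pattern, reason in CREDENTIAL_PATTERNS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((lineno, reason, stripped))
                break  # one finding per line is enough
    return findings

# Constructed sample script: hard-coded PAM-style credentials of the kind the
# breach analysis describes, followed by the safer run-time vault lookup.
SAMPLE_SCRIPT = r'''
# Nightly backup job (constructed example)
$pamUser = "svc_backup"
$pamPassword = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $pamPassword)
Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password 'Winter2022!' -Query "SELECT 1"
git clone https://deploy:s3cr3t@git.example.internal/repo.git
$apiToken = 'constructed-token-value'
# Safer: fetch the secret from a vault at run time (Get-VaultSecret is hypothetical)
$safePassword = Get-VaultSecret -Name "svc_backup" -AsSecureString
'''

if __name__ == "__main__":
    for lineno, reason, line in scan_powershell(SAMPLE_SCRIPT):
        print(f"line {lineno}: {reason}: {line}")
```

Run against the constructed script, the scanner flags the four hard-coded secrets and leaves the vault lookup alone; in practice it belongs in a pre-commit hook or CI step rather than a one-off run.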
Resources: