The Uber Hack - A step by step breakdown of the 2022 Uber data breach

On September 15th Uber suffered a significant breach. In this video, we break down exactly how Uber was breached, from initial access to how the attacker moved laterally into different internal systems at Uber.

Video Transcript

Hello everyone. Welcome to another video. Today we are talking about the Uber breach and, oh boy, this is a big one. In this video we're going to look at exactly what happened, play by play: how the attacker gained access into Uber's internal systems. We're going to look at what we know based on evidence from the attacker of what they say they've gained access to, and then we're going to compare this with the latest statements from Uber of what they're saying has essentially happened, and see if the two stack up.

What happened during the 2022 Uber Breach?

So let's get straight into it: what exactly happened? Well, the first news of this came from the New York Times on September 15th, and we believe that they may have had a heads-up from the attacker themselves. What all avenues point to is that this attacker wasn't really after the destruction of Uber or ransoming information. They were really after publicity and making lots of noise, which may have been attached to different motivations that we'll talk about.

So let's just go into exactly what happened. An Uber employee's, or perhaps a contractor's, account was compromised, the attacker claims, through a social engineering campaign.

Social engineering just means that the attacker is basically deceiving someone, an employee or someone connected to Uber, to either disclose sensitive information to them or inadvertently grant them access to different things. In this case they got access to Uber's VPN, which granted them access to Uber's internal networks.

Once the attacker was inside Uber's internal networks they started searching for sensitive information. Essentially they wanted to move from the internal network into some administrative or production assets and infrastructure so that they could persist the attack.

They achieved this through some PowerShell scripts. PowerShell scripts are basically lists of instructions that execute administrative tasks on a machine; these can really be about anything, but there was one PowerShell script that was of particular interest, and this is because it contained hard-coded secrets, or plain-text credentials.

This was to a PAM system, a privileged access management system. This essentially controls all the passwords, all the secrets for Uber's internal systems: their access management. From here the attacker was essentially able to compromise what appears to be a huge number of systems, because they had admin access to the central network that controlled it.
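As an added example (not code from the video, from Uber or from Thycotic), a small Python scanner that flags the kind of hard-coded credential described above inside a PowerShell script. The sample script, its variable names and the PAM URL are constructed for illustration; the safe lines at the end show the secret being read at run time instead of embedded.

```python
import re

# Constructed sample PowerShell script (not Uber's): one variable holding a
# literal password, one SecureString built from a literal, and two safe
# patterns that fetch the secret at run time rather than embedding it.
SAMPLE_SCRIPT = r'''
# rotate-service-accounts.ps1 (constructed example)
$PamUrl = "https://pam.example.internal"
$AdminUser = "svc-pam-admin"
$AdminPassword = "Hunter2!Winter2022"
$Secure = ConvertTo-SecureString "s3cr3t-pa55" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential($AdminUser, $Secure)
$ApiToken = $env:PAM_API_TOKEN
$SafePwd = Read-Host "Password" -AsSecureString
'''

# Each rule pairs a finding name with a regex; a hit means a credential
# literal is written into the script itself.
RULES = [
    ("literal-credential-variable",
     re.compile(r"""\$\w*(password|passwd|pwd|secret|token|apikey|api_key)\w*\s*=\s*["'][^"']{4,}["']""", re.I)),
    ("securestring-from-literal",
     re.compile(r"""ConvertTo-SecureString\s+["'][^"']+["'].*-AsPlainText""", re.I)),
    ("literal-password-parameter",
     re.compile(r"""-(Password|Secret|Token|ApiKey)\s+["'][^"']+["']""", re.I)),
]


def find_hardcoded_secrets(script: str):
    """Return (line_number, rule_name, line_text) for each line embedding a credential literal."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are not executable credentials
        for name, pattern in RULES:
            if pattern.search(stripped):
                hits.append((lineno, name, stripped))
                break  # one finding per line is enough for triage
    return hits


if __name__ == "__main__":
    for lineno, name, text in find_hardcoded_secrets(SAMPLE_SCRIPT):
        print(f"line {lineno}: {name}: {text}")
```

Lines that build a credential from a variable (`$Cred = New-Object ... ($AdminUser, $Secure)`), an environment variable or an interactive prompt are deliberately not flagged; only the literal itself is.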

From there, it looks like that's where their attack ended, because they made a huge amount of noise and published a lot of information, and Uber was able to try and limit further escalation of this.

What did these attackers ultimately actually compromise?

Well, there are a number of different systems that were breached in this attack, and we can quickly run through a few of them.

So the first one that we know of is Thycotic. What is Thycotic? Thycotic is a PAM, a Privileged Access Management system, and this is basically one of the most critical pieces of infrastructure in any company's systems. This is what controls access to different internal and external services. You can think of this like a secret manager such as AWS Secrets Manager or HashiCorp Vault combined with a password manager such as 1Password or Dashlane, but company-wide.

Potentially the attacker could have had access to everything, because they had critical admin access to Thycotic. Pretty much a worst-case scenario, and this is as critical as any system gets. Now, based on screenshots from the attacker, we know that they also had access to lots of other systems, which gives credibility to the claim that they had access to the PAM system Thycotic in the first place.

We know they had access to AWS. AWS is a cloud service provider. Now, depending on the infrastructure and depending on the privileges, which we don't fully understand yet, the attacker could have had access to databases. Could have had access to production services. Could have been able to shut down areas. Could have been able to create accounts for them to squat in these systems for extended periods of time. We don't know enough to know what this system could have done, because a lot will depend on setup. But we know that this is critical and we know that there are definitely areas of attack here. From AWS, we also know that they had access to VMware vSphere.

vSphere is an interesting tool that can visualize between cloud infrastructure and on-premise infrastructure. This would have given the attacker great access into the blueprint of how Uber's infrastructure would have been set up, and, using what they had already compromised, they could have launched sophisticated attacks using this visualization tool. But they also could have severed connections between on-premise servers and cloud servers, really being able to escalate an attack using VMware vSphere.

Another platform of a very high severity is SentinelOne. SentinelOne is an extended detection and response platform. Essentially this is the alarm system to find out if an attacker has gained access into any external services or any of your services. By having access to this, the attacker critically has the ability to shut off some of the alarm systems. This could have been critical had there been additional malicious intent. What we know about this attacker is that they announced themselves very quickly: they were trolling Uber by publishing in their Slack, for example, and publishing on their HackerOne account. So it was very obvious that Uber was suffering from some kind of breach. Had they wanted to be a little bit more sophisticated, then they could have actually used SentinelOne to go undetected, to enable them to squat and move laterally through systems without triggering any alarm. I already mentioned that they were trolling Uber.

They had access to the Slack accounts. This has a pretty medium severity, because you can't shut down any services using Slack, and potentially you shouldn't be able to access sensitive information, but depending on privileges you may be able to access private chats, which could contain additional sensitive information. But what I find really interesting about internal messaging systems is the ability to launch spear-phishing campaigns internally. They could have gained access to additional employees' accounts using Slack. So, still a severity of medium for Slack.

Another system that has a high or medium severity is the G Suite admin. This can be very critical depending on the setup, but we don't have enough information on the type of account that they had and what they could have done. G Suite basically controls, amongst many other things, email and access to different administrative services and office tools. By gaining access to it they could have created an account. They could have removed access for certain people. They could have potentially done takeovers of email accounts and then from there moved into lots of different systems. Lots of different attack paths from G Suite, but we don't know exactly the privilege that they had in there and what they were able to do.

Finally, the last one that we know of at this moment is HackerOne. HackerOne is a bug bounty platform. This is external to Uber, but this is basically the platform that researchers use to publish security vulnerabilities and then get a bug bounty, get paid for it. This indicates some motivation of the attacker. It's been hypothesized that the attacker was really upset with Uber's bug bounty policies.

Essentially, not paying enough money for disclosed vulnerabilities, and that this was the motivation to basically humiliate Uber in this way. But we don't know enough information about that. We do know that HackerOne was compromised by the attacker, because they published internal systems.

What has Uber said?

Well, Uber has had lots of breaches in the past, and critically, in one such breach Uber was really criticized because they tried to keep it from the public without disclosing that some users' information had actually been exposed. With that in mind, Uber is definitely not trying to hide this, and there's no reason not to believe that they're going to be upfront. But you have to be cautious when you read information disclosed by a company, because there are obviously motivations to limit the severity of what has happened. What they have said is that an Uber external contractor had their account compromised by the attacker. So this goes back to the initial social engineering campaign. However, Uber has said that it's possible that an Uber corporate password was actually leaked on the dark web and the attacker bought it. Uber goes on to say that the attacker made several attempts to log into this contractor's account and was stopped by multi-factor authentication; however, at one point the contractor actually accepted the multi-factor authentication prompt. This seems strange on the surface, but certainly could have been true.
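As an added example (not from the video or from Uber), detection logic for the login pattern Uber describes: repeated rejected MFA pushes on one account followed by an approval. The log lines, user names, timestamps and the line format are constructed; a real identity provider's export would need its own parser.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed MFA push log (not Uber's): timestamp, user, channel, result.
# contractor-a denies or times out four pushes and then approves one;
# engineer-c has a single denial two hours before an approval.
SAMPLE_EVENTS = """\
2022-09-15T02:10:05Z contractor-a push DENIED
2022-09-15T02:10:41Z contractor-a push DENIED
2022-09-15T02:11:20Z contractor-a push TIMEOUT
2022-09-15T02:12:02Z contractor-a push DENIED
2022-09-15T02:12:55Z contractor-a push APPROVED
2022-09-15T02:13:10Z engineer-b push APPROVED
2022-09-15T03:40:00Z engineer-c push DENIED
2022-09-15T05:40:00Z engineer-c push APPROVED
"""


def parse_events(text):
    """Parse the constructed format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, _channel, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_mfa_fatigue(events, min_failures=3, window=timedelta(minutes=10)):
    """Alert when a user approves a push after >= min_failures non-approvals within window.

    Returns (user, approval_time, preceding_failure_count) per alert. TIMEOUT
    counts as a failure: an unanswered prompt is still an unsolicited push.
    """
    recent = {}  # user -> deque of failure timestamps inside the window
    alerts = []
    for ts, user, result in sorted(events):
        q = recent.setdefault(user, deque())
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if result == "APPROVED":
            if len(q) >= min_failures:
                alerts.append((user, ts, len(q)))
            q.clear()  # an approval resets the streak
        else:
            q.append(ts)
    return alerts
```

Tune `min_failures` and `window` to the legitimate retry rate seen in your own logs; the approval after a burst of denials is the event worth paging on, not the denials alone.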

Uber has said that from there the attacker ultimately gained access to a number of tools, including G Suite and Slack. They've stopped at just G Suite and Slack. This is kind of in direct contrast to what we've seen the attacker post access to. I think, out of the two that Uber has named there, they're probably some of the least severe of what has potentially been compromised. We'll need to see more information come out from Uber about what actually has been compromised, and see if we get any response from the attacker at this point. In Uber's response they've said that they've essentially taken action to stop the attack and identify employee accounts that may be compromised or potentially compromised. They've disabled many affected or potentially affected internal tools. So the fact that they've used the word "many" here but only listed two before may suggest that there is actually a whole lot more than just G Suite and Slack that has been affected. They've said they've rotated their keys, which obviously you would hope. They've locked down their code base to prevent new changes, and of course they're adding additional multi-factor authentication policies and locking down internal tools.

They have said that their investigation is still ongoing, but it doesn't appear that the attacker had access to the production systems that power their application, or any user accounts, or the databases that are used to store sensitive information like credit card numbers, bank accounts or trip history. So we can see there that they've actually kind of limited it: that the attacker hasn't had access to databases of these types, but they haven't flatly said that they haven't had access to databases, so we'll see how that unfolds and whether or not there's something to read into there. They've said they've reviewed the code base and that there isn't any malicious code in there, so hopefully, all this being said, the attacker has been stopped and there aren't any backdoors or potential access points that have been injected by the attacker into their code, or by creating different user accounts or compromising other user accounts.

What is really interesting here is that Uber has assigned responsibility, loosely, but still named the group Lapsus$. We know that Lapsus$ is kind of a group of teenagers, or at least that's what we've been led to believe. They're responsible for lots of different attacks, like those on Microsoft and Nvidia. I have whole videos on those attacks on this channel that you can check out, and this does actually fit into the kind of Lapsus$ group ethos, which is that they gain access to all the sensitive stuff but stop short of the worst-case scenarios of what they could have done, and make a whole bunch of noise. Almost kind of wanting that publicity, wanting that recognition of the attack as the main thing. To our knowledge, they didn't try to extort Uber for any money yet, although there have been suggestions of that.

Those suggestions don't appear to have been backed up by Uber or anyone else credible at this stage.

What Uber hasn't made mention of is the PowerShell scripts and the hard-coded credentials to their privileged access management system. They've stopped short of that, and they've kind of said that once the attacker was able to gain access to the compromised account, they gained access to further Uber employees' accounts. You can't go from one account to another without discovering additional vulnerabilities, so at some point there's something on the network that the attacker used to transition into different accounts. This would suggest that perhaps a Thycotic takeover is actually real and that was what was used, but we can't be 100% certain because Uber hasn't clarified that.

We do know that Uber has had other breaches in the past. In 2014 an employee leaked credentials to their database on a public Git repository. In 2016 we know that attackers were able to gain access to private code repositories of employees due to bad password hygiene, and inside their code repositories there were other hard-coded secrets, other credentials. And it appears that in this attack there were credentials inside a PowerShell script as well. This would follow the trend, a very concerning trend that Uber has of having hard-coded credentials and hard-coded secrets in lots of other areas. So it does fit the trend, although you really would hope that there wouldn't be a hard-coded admin credential. But at the moment, with the evidence that we have, it does appear that there certainly was some kind of credential that the attacker was able to use to elevate privileges and move laterally into different accounts.

How bad was this from Uber's perspective?

I don't want to speculate more than I have about exactly what's happened and lay blame on Uber.

Uber is certainly not alone in these types of attacks; we've seen them in other areas, although this one appears to be particularly critical. Yes, there were definitely bad practices there, although Uber is claiming that multi-factor authentication was installed and it was a user's, a contractor's, fault for allowing that. But there must have been additional vulnerabilities for that user to be able to move laterally into different systems. It appears that there are some security policies that aren't being enforced on Uber's end. Does this mean that Uber is a terrible company? Absolutely not.

Security vulnerabilities happen everywhere. It just appears at this point that it's been a very critical mistake of hard-coding credentials in a PowerShell script. Why exactly you would hard-code admin credentials to a password and secret manager, a Privileged Access Management platform, in a PowerShell script, I'm not exactly sure. Perhaps that script was being used to create different accounts, to grant access to stuff. That does appear to be a pretty fundamental error if it is true. We're just going to have to wait and find out.

What should you do to protect yourself if you're an Uber customer?

Well, at this point there don't appear to be any indications, from the information that has been disclosed by both the attacker and Uber, that personal information, in particular passwords and credit card details, has been affected. We do know that this is encrypted on Uber's end. Critical information like credit cards is encrypted, so even if the attacker was able to gain access to those databases, hopefully the encryption is adequate enough that the attacker won't be able to reverse it and gain access to those numbers. There doesn't appear to be any immediate action that you need to take as a customer, apart from being cautious at the moment and making sure that you don't reuse passwords in different places, because there is the potential that password hashes or usernames have been leaked. But we have no verification of this; it's just a potential, so we want to implement good practices anyway and not reuse passwords. That's it from what we have today. I'll provide an update if we get any more critical information about this breach, but for now we're just going to have to hold our breath. It does appear definite that Uber has been breached and that there has been a lot of escalation from the time that the attacker compromised an employee's or contractor's account to where they've ended up.

We're going to have to wait and find out more information, but I hope you enjoyed this video. Give it a thumbs up or add any comments down below, and if you have any information that I haven't covered, be sure to let me know. You can tag me on Twitter or you can let me know in the comment section below. Thanks for watching, and I hope you have a great day, and remember: secure code is good code.