Persistent social engineering--pestering, really, that softened employees up for a bogus call from "IT"--appears to have gained a hacker "deep access" to Uber's systems.
Developments in the case of the Uber breach.
Uber's initial disclosure of the breach, on September 15th, was terse. "We are currently responding to a cybersecurity incident," the company tweeted. "We are in touch with law enforcement and will post additional updates here as they become available." On the 16th it offered the following amplification. "While our investigation and response efforts are ongoing, here is a further update on yesterday's incident:
- "We have no evidence that the incident involved access to sensitive user data (like trip history).
- "All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.
- "As we shared yesterday, we have notified law enforcement.
- "Internal software tools that we took down as a precaution yesterday are coming back online this morning."
Someone claiming to be the threat actor responsible for the intrusion (and the claims are generally being taken at face value as authentic) counted coup in the company's Slack channels. "Hi @here," the hacker posted, "I announce i am a hacker and uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and 2 monorepos from phabricator have also been stolen, along with secrets from sneakers. #uberunderpaisdrivers [sic]." Employees who saw the post thought it was a goof, The Verge reports, and many cheerfully played along until it became clear that in fact the breach was real, and potentially serious.
Ars Technica thinks that the story the hacker tells is plausible, and that, while it's still not clear what the hacker gained access to, potentially at least it's quite a bit. WIRED reports that screenshots provided by the hacker suggest "deep access," including access to OneLogin accounts. Uber has said there's "no evidence" that customer data were compromised, but as The Hacker News suggests, this may be a case in which absence of evidence isn't evidence of absence. As Uber itself has said, the investigation is ongoing.
Persistence pays (for good or, in this case, for ill).
Apparently the self-identified eighteen-year-old who compromised Uber just kept at it, making such a pest of himself or herself that an employee eventually caved in and accepted the MFA push prompts in the hope that it would get the hacker off their back. It’s like a hacker’s inversion of the parable of the persistent widow (Luke 18:1-8).
The Jerusalem Post describes the pestering: "The hacker reportedly claimed that he had spammed an Uber employee with push notification login requests for over an hour before contacting him on WhatsApp while claiming to be from Uber IT and telling him that he would need to accept the request if he wants them to stop. The employee then accepted the request, allowing the hacker to log in to the employee's account and access the company's internal servers."
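The push-spam pattern the Jerusalem Post describes (a burst of prompts to one user, ending in an approval) is something an identity provider's logs can surface. The detector below is an added example, not code from the article or from Uber; the log format is a constructed four-field line (UTC timestamp, user, event, source IP), the sample lines are constructed, and the threshold and window are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Uber data): UTC timestamp, user, event, source IP.
SAMPLE_LOG = """\
2022-09-15T20:01:10Z alice push_sent 203.0.113.7
2022-09-15T20:01:40Z alice push_denied 203.0.113.7
2022-09-15T20:02:05Z alice push_sent 203.0.113.7
2022-09-15T20:03:00Z alice push_sent 203.0.113.7
2022-09-15T20:03:30Z alice push_timeout 203.0.113.7
2022-09-15T20:04:10Z alice push_sent 203.0.113.7
2022-09-15T20:05:00Z bob push_sent 198.51.100.9
2022-09-15T20:05:10Z bob push_approved 198.51.100.9
2022-09-15T20:05:30Z alice push_sent 203.0.113.7
2022-09-15T20:09:12Z alice push_sent 203.0.113.7
2022-09-15T20:09:20Z alice push_approved 203.0.113.7
"""

PUSH_THRESHOLD = 5            # pushes to one user inside the window before we flag (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)

def parse_log(text):
    """Parse the four-field lines above into (timestamp, user, event, ip), oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event, ip = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return sorted(events)

def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {user: finding} for users who received >= threshold pushes inside a
    sliding window. The finding records the peak push count and, most importantly,
    whether an approval arrived while the burst was still inside the window."""
    findings, recent = {}, defaultdict(list)   # recent: user -> push_sent times in window
    for ts, user, event, ip in events:
        if event == "push_sent":
            recent[user].append(ts)
        recent[user] = [t for t in recent[user] if ts - t <= window]  # expire old pushes
        count = len(recent[user])
        if count >= threshold:
            f = findings.setdefault(user, {"pushes": 0, "approved_during_burst": False,
                                           "first_push": recent[user][0], "source_ip": ip})
            f["pushes"] = max(f["pushes"], count)
            if event == "push_approved":
                f["approved_during_burst"] = True   # the fatigue attack succeeded
    return findings
```

A finding with `approved_during_burst` set is the one to page on; the same user receiving a burst that ends in denials is still worth a call, since the prompts came from someone who already holds that user's password.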
Deep Instinct's Jerrod Piker summarizes the attacker's actions against the target. “This breach involved a self-proclaimed 18-year-old hacker socially engineering an employee, logging into their VPN, and scanning their shared network resources. This scan turned up PowerShell scripts that had admin credentials for the Privileged Access Management (PAM) system, which then granted the attacker access to many internal resources, including AWS and G Suite. His final flourish included sending a message on one of Uber's internal Slack channels taking credit for the breach.”
As Francisco Donoso, Vice President, Security Strategy and Platforms at Kudelski Security, points out, once someone’s got access to your Privileged Access Management system, it’s pretty much game over:
“The threat actor in last night’s Uber hack seemed to gain initial access via employee VPN and seemed to be able to bypass MFA by abusing the push mechanism to ‘annoy’ users into accepting MFA push prompts. This method is becoming increasingly more common, even being used in the recent Twilio and Cisco attacks. Organizations should consider training their employees about these MFA constant request tricks and tell them to notify InfoSec immediately in the event of suspicious activity. The single most effective way to prevent these types of bypasses altogether, however, is to leverage MFA number matching to authenticate requests.
“Once the attacker gained access to Uber’s servers, it seems like they scanned the internal network and found a PowerShell or automation script with hard-coded credentials that provided the attacker with access to Uber’s Privileged Access Management (PAM) system. Once an attacker has full access to an organization's PAM, they likely will have full access to your entire IT environment including cloud, SaaS, and on-premises systems.
“Attacks of this kind are not going away any time soon; in fact, they will likely grow in frequency. Organizations should consider conducting a tabletop exercise with this exact scenario so they can plan how they’d respond, communicate with employees, and recover if a threat actor had full admin access to all their infrastructure, cloud, and SaaS providers, including those used for employee chat and email.”
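Both Piker and Donoso point at the same root cause: a script on a file share with PAM credentials baked in. A simple scanner for that class of mistake, run over the scripts a file-share crawl turns up, is an added example here and not the article's or any vendor's code; the PowerShell text, the credential values and the rule names are constructed for illustration.

```python
import re

# Constructed PowerShell deployment helper (not Uber's script); every value in it is fake.
SAMPLE_SCRIPT = """\
# deploy helper, runs nightly from the build box
$PamUser = "svc-deploy"
$PamPassword = "Winter2022!"
$secure = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($PamUser, $secure)
$env:AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Credential $cred
"""

# Each rule: (name, pattern). The rules flag secrets committed as literals, not the use of
# credentials as such; a script that fetches them from a vault at run time is the fix.
RULES = [
    ("assigned_secret_literal",
     re.compile(r"\$[\w:]*(?:pass|pwd|secret|token|key)\w*\s*=\s*(['\"])[^'\"]+\1", re.I)),
    ("plaintext_securestring",
     re.compile(r"ConvertTo-SecureString\s+(['\"])[^'\"]+\1.*-AsPlainText", re.I)),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]
QUOTED = re.compile(r"(['\"])[^'\"]*\1")

def redact(line):
    """Blank every quoted literal so a finding can be logged without re-leaking the secret."""
    return QUOTED.sub(r"\1***\1", line)

def scan_script(text):
    """Return [(line_no, rule_name, redacted_line)] for every rule hit, in file order."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue            # comments are noise for this purpose
        for name, pat in RULES:
            if pat.search(line):
                findings.append((no, name, redact(line)))
    return findings
```

Every hit is a credential to rotate, not just a line to delete, since the share it sat on has an unknown read history.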
How the Uber hacker got in.
Tim Callan, the Chief Compliance Officer at Sectigo, wrote that the incident shows up the risks inherent in traditional credential systems. “Attacks like this are all too common. In this case, the compromise was largely enabled by a combination of social engineering (including the defeat of MFA through a spoofed relay site) and the discovery of privileged credentials hard-coded in scripts. These techniques can be defeated through modern strategies such as PKI-based access. No matter how vigilant a company’s security culture is, these fundamental vulnerabilities will remain so long as traditional username-password credentials control access.”
Lior Yaari, CEO of Grip Security, thinks it likely that there were gaps in Uber’s security layers.
“The extent of this breach and the access the hackers [obtained] means there is a high probability that one or more employees inadvertently exposed their logins and passwords to key internal systems. You can conclude that these credentials were probably not secured properly through identity and access management security layers. This is more common than people may think because employees use so much SaaS to do their jobs, and most of them are actually unknown to IT. This breach seems especially severe, and it’s a wakeup call to the industry that we need a better way to secure critical systems. Though Uber as a company may suffer from this breach, the real victims will be the drivers who rely on Uber for their livelihood. Access to Uber’s systems dealing with the funds flowing in and out of the driver accounts could be catastrophic to its 200,000+ drivers around the world.”
Samantha Humphries, Head of Security Strategy EMEA at Exabeam, discusses the implications of a credentials-based attack:
“This coordinated social engineering attack - on such a large and established organisation - is sadly not the surprise that it may have been a few years ago. What seems to be clear at this stage is it’s a credentials-based attack - malicious use of an employee’s legitimate password. This is far from rare; in fact, a 2022 report found that insider threat incidents have risen 44% over the past two years.
“Almost all of the high-profile breaches we see in the news involve attackers leveraging stolen user credentials to gain access to sensitive data. Insiders with access to privileged information represent the greatest risk to a company’s security. This kind of threat can be much harder to detect. After all, an attacker with valid credentials looks just like a regular user. This presents one of the most significant challenges for security teams.
“Sadly, this is unlikely to be the last time we’ll see this type of breach. Failure to adapt security operations to detect and mitigate credential-based attacks will continue to have serious consequences.
“Whilst there are already many details being shared by the purported attacker, the wider implications of this breach are still unknown. However, for Uber’s incident responders, it is certain that they have had better days in the office, and my heart absolutely goes out to them.”
Oz Alashe, CEO of cybersecurity behavior firm CybSafe, also notes that the human element can be exploited to work around any technical security measure. “The social engineering component of this attack sheds light on the fact that even companies with the most sophisticated cybersecurity postures can be taken by attackers looking to prey on the human element of the business. Despite regulations and requirements around cybersecurity awareness training, social engineering attacks, like the one we are seeing with Uber, are a prime example that companies need to do more to change and inform employee behavior around security.”
Additional comment received, 9.19.22.
Alon Jackson, CEO and co-founder of Astrix, commented on the success the hacker seems to have had and on the level of access gained, both of which he finds troubling. "While the ease of access to get into Uber's IT domain is concerning, it's the level of access that the alleged hacker has now gained that is even more daunting," he said. "The interconnected web of access to Uber's AWS, Google Cloud, VMware vSphere and Windows environments unleashes a vast amount of sensitive data. A situation like this emphasizes just how imperative it is for hyper-connected organizations to be mindful of third-party integrations, as one domino falling can unfortunately set off a much longer and more dangerous line of dominoes."
We also heard from Ofer Maor, CTO and co-founder of Mitiga, who sets the breach into the context of a trend in which privileges are obtained through social engineering. “The Uber breach is just another example of a phishing campaign that successfully obtained high-level privileges and used them to compromise multiple assets and environments," he said, observing as others have that in this case the victim is a capable, well-established technology company. "It is a reminder that no company is immune — even mature companies, like Uber, with the best security teams can be affected by social engineering attacks. As IR and forensic teams investigate the breach, it is clear that such an incident is not trivial because the data required to investigate goes beyond any singular audit log. We certainly understand that the challenge ahead for the Uber security team isn’t an easy one to contend with." The products for which privileges may have been obtained (and these are Uber's instances of the products, and don't represent a global compromise of those services) are many. "The hacker claims to have gotten permissions from multiple services from which they were able to log on and perform actions upon, including the Thycotic PAM platform, AWS, CloudTrail, Google Workspace, HackerOne, and Slack. Only through the combination of all audit logs and activity and usage reports can investigators truly understand what happened. While there is no solution that could guarantee it could prevent a breach like this, there are a few measures organizations can consider to prepare for potential attacks. They can adopt a holistic breach readiness approach, which includes proactive forensic data collection and storage to accelerate investigation and response.”