Preliminary lessons from the Uber breach
N2K, Sep 19, 2022

It's still early, but security firms offer a first take on lessons to be learned from the Uber breach.


Industry reaction to the Uber breach continued over the weekend. A selection of what we've heard appears below, an early hot wash of an incident that remains under investigation.

Script kiddies pose a threat, too. It’s not just the nation-states and the gangs.

Ismael Valenzuela Espejo, Vice President Threat Research & Intelligence at BlackBerry, cautions that we should take this as a capability demonstration.

Many times we only talk about APTs, like nation states, and we forget about other threat actors including disgruntled employees, insiders and, like in this case, hacktivists. Organizations should include these as part of their threat modeling exercises to determine who may have a MOTIVATION to attack the company, their skill level and capabilities, and what the impact could be according to that analysis. This is all part of what contextual threat intelligence means and how it should affect a company’s risk management activities. If a teenager can pop Uber, I can’t help thinking what a sophisticated nation-state could have done using the same initial vector (social engineering).

It’s not just the incompetent, the inattentive, or the bereft who can be hit.

Jai Dargan, Chief of Staff at Axio, points out that Uber is fundamentally a tech company, and a large and capable one at that. 

“What the Uber breach shows us is that these types of attacks can happen to ANY company - regardless of size, industry, location. Uber is one of the largest tech companies on the planet. They have access to the best technologies and top talent in the security field. Assuming that the existing reporting holds up — and again, I’d caution that we don’t know all the facts, and it will be weeks, if not months, before this situation gets fully handled — this demonstrates why cyber resiliency is absolutely so key. Hackers have an edge against defenders. Their techniques are evolving quickly. And security teams need to ensure that their entire organizations aren’t taken offline just because a single person was phished through a social engineering attack.

“It looks like Uber had all the defensive controls they needed, but this incident still happened. Security matters in the margins. We need to be continuously testing, validating, and evolving defenses to defend against cyber adversaries (whether they are teenagers or nation-states).”

Jerrod Piker, Competitive Intelligence Analyst, Deep Instinct, says that the bigger the brand, the more attractive it is to a certain kind of hacker: “Over the last several years, we've learned that the bigger the brand name, the larger the target on their back for cybercrime. From hacktivism to corporate espionage, there's always somebody with the motive and means to carry out an attack against large organizations across all verticals. The Uber breach is yet another wake-up call that nobody is truly safe from cyber crime.”

Chris Vaughan, AVP of Technical Account Management, EMEA, at Tanium, also notes that large organizations are attractive to criminals, and that’s to a great extent due to the large quantities of customer data they hold:

“Big digital businesses like Uber are valuable targets for cyber attacks because of the vast amount of sensitive customer data that they hold which hackers can monetize. Whilst not confirmed, there’s a high chance that hackers have extracted data such as credit card details and payroll information. From initial analysis, it looks like the data of both drivers and customers has been compromised.

“This is another example of a relatively simple attack causing a big incident and potentially huge reputational damage for the victim organisation. The attacker social engineered an employee to gain access to the network via VPN. Once in, they were able to find hard coded passwords in scripts and then used them to infiltrate several parts of the network. This includes gaining access to their admin management tools as well as several databases. This raises some red flags. One is that a single hard coded password has been used to access their privileged access management (PAM) system, giving access to any area of the IT environment that links to it. Another issue is that multi-factor authentication (MFA) was bypassed by the attacker simply spamming users with push notifications until one was eventually approved. This method has been successful in other security incidents recently, so organisations should consider alternative ways to operate MFA such as only using PINs. Attackers entering a network in this seemingly legitimate way can be particularly dangerous because it’s difficult to distinguish their movements from regular user activity.

“This should serve as a reminder that having high levels of cyber hygiene can help prevent the more straightforward attack methods from being successful. As part of this effort, IT teams need to know where their most sensitive data sits at all times in order to effectively protect it. Having full visibility of the corporate network to identify devices that may have been compromised and then fix them quickly is also vital.”
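The MFA push-spamming pattern Vaughan describes leaves a recognizable trace in authentication logs: a burst of push prompts to one user, mostly denied, sometimes ending in an approval. The following detector is an added example written for this article, not code from Tanium or any other vendor quoted here. It assumes a constructed one-event-per-line log format (ISO-8601 timestamp, `user=`, `event=`, `result=`), and the sample lines are made up for the demonstration.

```python
"""Detect MFA push-fatigue ("push bombing") bursts in authentication logs.

Added example; the log format and the sample events below are constructed
for illustration and do not come from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: alice is being push-bombed and finally approves,
# bob gets a single ordinary prompt.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=alice event=mfa_push result=denied
2022-09-15T22:01:41Z user=alice event=mfa_push result=denied
2022-09-15T22:02:20Z user=alice event=mfa_push result=denied
2022-09-15T22:03:02Z user=alice event=mfa_push result=denied
2022-09-15T22:03:45Z user=alice event=mfa_push result=denied
2022-09-15T22:04:30Z user=alice event=mfa_push result=approved
2022-09-15T22:05:00Z user=bob event=mfa_push result=approved
2022-09-15T22:06:10Z user=bob event=login result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, user, result) for every mfa_push event in the text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("event") != "mfa_push":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("user"), m.group("result")


def find_push_fatigue(text, window=timedelta(minutes=10), threshold=4):
    """Return {user: finding} for users who received at least `threshold`
    push prompts inside any `window`-long span.

    The finding records the size of the (most recent) qualifying burst, how
    many prompts were denied, and whether the burst ended in an approval,
    which is the case that most needs a human to look at it.
    """
    per_user = defaultdict(list)
    for ts, user, result in parse_log(text):
        per_user[user].append((ts, result))

    findings = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst = events[start:end + 1]
                findings[user] = {
                    "pushes": count,
                    "denied": sum(1 for _, r in burst if r == "denied"),
                    "approved_after_burst": burst[-1][1] == "approved",
                    "first": burst[0][0].isoformat(),
                    "last": burst[-1][0].isoformat(),
                }
    return findings


if __name__ == "__main__":
    for user, f in find_push_fatigue(SAMPLE_LOG).items():
        severity = "HIGH" if f["approved_after_burst"] else "MEDIUM"
        print(f"[{severity}] {user}: {f['pushes']} pushes ({f['denied']} denied) "
              f"between {f['first']} and {f['last']}")
```

The threshold and window are deliberately parameters: a legitimate user who mistypes on a second device can trigger two or three prompts, so tune them against your own baseline before alerting on the result, and treat a burst that ends in an approval as a session to invalidate and investigate rather than merely log.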

Arti Raman, CEO & Founder, Titaniam, describes the environment that makes such social engineering attacks possible, and successful:

“Uber is the latest in a string of social engineering attack victims. Employees are only human, and eventually mistakes with dire consequences will be made. As this incident proved, despite security protocols put in place, information can be accessed using privileged credentials, allowing hackers to steal underlying data and share them with the world.

“The gig economy provides people the opportunity to be their own boss, and choose how and when they want to work in a way that fits their lifestyles. It has also revolutionized the way we use public transportation and has allowed for unprecedented mobility and convenience. We use these apps and trust them with our personally identifiable information. What has become an alarming reality is that these data-intensive apps are a perfect target for hacker groups because of the rich environment of valuable data that is out in the open, ripe for attack.

“Gig economy enterprises, as well as other data intensive enterprises can now take comfort knowing that the modern security toolbox contains encryption-in-use. Encryption-in-use, also known as data-in-use encryption, makes it possible for valuable data to be sliced and diced without decryption. This means that even if attackers get in via privileged credentials and access treasure troves of data, they cannot leave with unencrypted data. This makes encryption-in-use among the most effective solutions for keeping customer and company information safe and minimizing the risk of extortion. Encryption-in-use provides enterprises with unmatched immunity to data-focused cyberattacks. Should adversaries gain access to data by any means, data-in-use encryption keeps the sensitive information encrypted and protected even when it is actively being utilized. This helps neutralize all possible data-related leverage and dramatically limits the impact of a data breach.” 

What organizations can learn from the Uber breach.

Deep Instinct’s Jerrod Piker sees two “key lessons:”

  • “Humans are still the weakest link, and Zero Trust is a necessity, not just a suggestion anymore,” and
  • “Leaving scripts with embedded privileged account credentials stored on widely accessible network shares is bad practice.”
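Piker's second lesson is one a defender can check for mechanically. The scanner below is an added example written for this article, not code from Deep Instinct or any other vendor quoted here. It reads a set of script contents (constructed in memory here so it runs offline; on a real share you would read the files from disk) and flags lines that look like embedded credentials. The file names, script bodies and the `AKIA...` placeholder are all made up, and the patterns are intentionally simple, so hits are triage input rather than verdicts.

```python
"""Flag hard-coded credentials in scripts, as a first pass over a share.

Added example; the sample files and every secret-looking value in them are
constructed placeholders, not real credentials.
"""
import re

# Constructed stand-ins for scripts found on a widely readable network share.
SAMPLE_FILES = {
    "deploy.ps1": (
        "$user = 'svc_deploy'\n"
        "$password = 'Summ3r2022!'\n"
        "Invoke-Something -Credential $user\n"
    ),
    "backup.sh": (
        "#!/bin/sh\n"
        "# nightly backup\n"
        "mysqldump -u root -pTopSecretPw prod > /tmp/prod.sql\n"
        "export AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB\n"
    ),
    "clean.py": (
        "import os\n"
        "password = os.environ['DB_PASSWORD']  # fetched at runtime, not embedded\n"
    ),
}

# (rule name, pattern). Kept short on purpose; extend for your own tooling.
RULES = [
    # a password/secret/token/api_key assigned a quoted literal of 4+ chars
    ("literal_secret_assignment",
     re.compile(r"""(?i)\b(password|passwd|pwd|secret|token|api_key)\b\s*[:=]\s*["'][^"']{4,}["']""")),
    # mysql-style inline password: -p immediately followed by the value
    ("inline_cli_password", re.compile(r"\s-p(?!\s)\S{4,}")),
    # AWS access key id shape: AKIA followed by 16 upper-case alphanumerics
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# Lines that pull the value from the environment or a secrets API are the
# pattern we want to encourage, so they are skipped rather than flagged.
ENV_LOOKUP = re.compile(r"os\.environ|\$env:|getenv\(")


def scan_text(path, text):
    """Return a list of {file, line, rule} findings for one script body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ENV_LOOKUP.search(line):
            continue
        for name, rx in RULES:
            if rx.search(line):
                findings.append({"file": path, "line": lineno, "rule": name})
                break  # one finding per line is enough for triage
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping and collect all findings."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}  {f['rule']}")
```

A hit on a script is only the start: the remediation the quote points at is moving the value into a secrets store or an injected environment variable, rotating the credential that was exposed, and tightening who can read the share in the first place.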

Neil Jones, Director of Cybersecurity Evangelism at Egnyte, sees a lesson for the safe conduct of bug bounty programs.

"The cyberattack on Uber is a stark reminder that we need to employ a consistent ‘Trust but Verify’ approach to IT security, and that organizations' cybersecurity programs are only as strong as their weakest links. Here, we see how advanced social engineering and spear-phishing tactics can lead to exfiltration of sensitive documents and ultimately impact a brand's reputation. We also see the critical importance of vetting bug bounty hunters' backgrounds carefully, and keeping vulnerability findings from bug bounty programs isolated and private, since a disgruntled bounty partner can be a worthy adversary.

“In addition to general cybersecurity awareness training, penetration testing and anti-phishing education are powerful deterrents to such attacks. We can anticipate that organizations which collect the trifecta of private information - Personally Identifiable Information (PII), credit card data and users' behavioral patterns like ride history - will become the epicenter of future cyberattacks. You need to have a plan in place for that inevitability."

Tom Kellermann, CISM, Senior Vice President of Cyber Strategy at Contrast Security, observes that cloud users can still tend to lose sight of data security. “This was bound to happen as attention to cloud security is often an afterthought. Cybersecurity is still perceived as an expense rather than a functionality of conducting business. Continuous monitoring of cloud native environments is imperative in 2023.” 

Erfan Shadabi, Cybersecurity Expert at comforte AG, recommends noting that it's corporate data too, not just customer data, that attracts criminal attention.

“Most businesses are rightly concerned first and foremost with maintaining data privacy and security with regards to their customers’ data. Yet, hackers want to know more about the targeted companies themselves, knowledge such as trade secrets, corporate strategies, inventions, and any other bits of sensitive information which would create leverage in future. So, while companies look to protect their customers’ data in the best ways possible, with data-centric methods such as tokenization or format-preserving encryption, they also need to apply those controls to sensitive data about themselves. With a data-centric security approach, organizations can obfuscate their sensitive data and render it incomprehensible and useless to hackers, even if they gain access to their systems.”

Jyoti Bansal, Co-founder and CEO at Traceable AI, points out the limitations of legacy security measures against a social engineer who knows what sensitive information to look for and how to use it.

"The days of preventing malicious activity with preventative measures like firewalls are long gone. Bad actors will find a way to get to what is not accessible. This was apparent in the recent attack on Uber - where a hacker gained access to vulnerability reports and took screenshots of internal systems which were confidential. Until a remedy is available - malicious actors will not stop using private information as a weapon.

“Companies like Uber can combat this by keeping an eye on system activity, utilizing adaptive techniques that create a baseline of how users interact with a network and can identify odd behavior, which might be a sign of a malicious attack. Today, prevention has a place, but in order to reduce the impact of breach attempts, it must be backed up by threat detection and action. API observability, monitoring, and rate-limiting are crucial for enterprises since APIs play a significant part in giving attackers an access route.

“We need to stop relying on 20th century technologies to fight 21st century problems.”

Tim Prendergast, CEO of strongDM, argues that being too generous with infrastructure credentials is shooting dice with enterprise security. "If the increased frequency of malicious hacks and breaches teaches us anything, it's that no company or individual is immune from becoming a victim," he writes. "The incident at Uber is just another illustration of how dangerous it is to put infrastructure credentials into the hands of your staff. Valid credentials are essentially VIP passes into databases, servers, and anything else that companies don't want shared publicly. Organizations must adopt modern security and access practices, such as removing credentials completely from the equation. That's the only way to prevent these types of breaches in the future."

Raj Dasgupta, Director of Fraud Strategy at BioCatch, explains some of the signs that might tip an organization off to a social engineering attack in progress.

“Social engineering is a phenomenon of exploiting the psychological and sensitive qualities of the person that may lead him to obey the requests of an impostor or thief. If in the past emails were used extensively to reach victims, today, due to various filtering software, impostors return to the telephone channel, and address victims in a simple phone call, which is also inexpensive to perform.

“When the stolen data entered [from Uber] is verified successfully, devices look clean and step-up authentication is ineffective against clever social engineering attempts; user behavior provides unique signals for assessing fraud risk. How the data is entered, how fast the user interaction takes place and whether the user is behaving like they usually do or are showing signs of duress are valuable data points that can accurately assess these newer forms of fraud.” 

Joe Garber, CMO at Axiad, sees an object lesson in the failure of multifactor authentication.

“The Uber breach is a sobering example of the risk companies take when they continue to rely on passwords. Multi-factor authentication (MFA) is an important step to help protect the organization, as it’s the next logical step in strengthening your cybersecurity posture vs. relying just on passwords that can easily be breached. But MFA still has the potential to be socially engineered. A higher-order level of security is Phishing-Resistant Authentication.

“This emerging approach to authentication, which was specifically called out more than a dozen times in the January 2022 U.S. White House Office of Management and Budget (OMB) memorandum on advancing security measures to reduce the risk of successful cyberattacks against the federal government, includes additional measures to ensure you’re authenticating what you believe you’re authenticating. Why aren’t companies like Uber leading the way? This incident should be a wake-up call to every organization’s security team: move away from passwords, implement phishing-resistant MFA, establish least-privileged access to corporate resources, and above all else, train your employees!” 

Darryl Athans, Vice President, North America, at senhasegura, also argues that organizations should move beyond simple reliance on multifactor authentication. As valuable as it is, it’s no longer sufficient. 

"Social engineering and privileged credentials are the two most popular avenues for successful cyberattacks. Security teams need to address both of these issues, starting with training employees on proper cybersecurity awareness as people, as seen by the Uber breach, are usually the weakest link.

“At the same time, privileged credentials, often called the "keys to the kingdom", are sought after by cyberattackers because they allow users to access and perform critical activities within a company’s environment. According to the Verizon Breach Incident Report, almost half of cyberattacks occur through these leaked credentials. Companies need to adopt Privileged Access Management that limits access to only those employees who need it, as well as User and Entity Behavior Analytics that can detect malicious users and behavior in the environment. Companies should also invest in the proper detection and response to those attacks, as they can often be undetected for long periods of time, allowing attackers to steal data and cause more damage.”

Additional comments received 9.19.22.

Former NSA Director Admiral Michael S. Rogers, currently Operating Partner at Team8, warned that threat actors now focus on machine identities, and that therefore secrets management is growing in importance for development of effective defenses. “We have seen a shift in recent years where machine identities, as opposed to humans, are now a focus for malicious actors," he said at KeyConf. "Uber’s security incident and many other breaches are a clear testament that we, as protectors, need to focus more on protecting the secrets that validate machine identities, hence credentials and keys.” 

Akeyless CEO and Co-founder Oded Hareven commented, “We’re constantly amazed to face the gigantic magnitude of this phenomenon. Every enterprise has a computerized and automated environment that may contain millions of unmanaged sprawled Secrets. Companies today have a better choice to lower the risk of breaches by seamlessly plugging a Secrets Orchestration system into the organization's IT infrastructure.”

John Dasher, VP of Product Marketing at Banyan Security, sees this incident as another reason to take user security awareness seriously:

"Given the nature of how this attack occurred, the need for stronger user education around social engineering attacks and better identity and more robust deployment of MFA with device trust is clear. For years, many organizations have believed that MFA is the magic bullet to conquer all security issues, however we saw here how simple it was for this hacker to bypass Uber’s security systems once he gained an employee’s credentials. 

"Organizations need to look at this event and learn from it. They need to implement stronger security controls, use the principle of least privilege access, and employ device trust. Had these been utilized properly, even employee credentials wouldn’t have been enough for this hacker to get into Uber’s system, because they would have needed the user's computer in addition to their credentials. 

"The more difficulties we can create for attackers, the better. If workers are only given access to what they need, are continuously authorized, and policies are in place that require users to access resources from registered devices, it creates barriers for threat actors who will no longer move laterally throughout an organization’s network by accessing one weak vector.”