Uber Systems Breached, Full Access Claimed (VMblog)
News broke overnight that Uber has been hacked and its internal systems breached. A hacker gained access to its vulnerability reports and shared screenshots of the company’s internal systems, email dashboard and Slack server. Screenshots shared by the hacker show what appears to be full access to many critical Uber IT systems, including the company’s security software and Windows domain.
The alleged 18-year-old hacker has also stated that they breached Uber through a social engineering attack on an employee, which allowed them to steal that employee’s password.
Uber has acknowledged the attack, tweeting: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”
This cyberattack is a perfect example of the evolution of cyberattacks. Industry experts weigh in.
Vaughan, AVP of Technical Account Management, EMEA, Tanium:
“Big digital businesses like Uber are valuable targets for cyber attacks because of the vast amount of sensitive customer data that they hold which hackers can monetize. Whilst not confirmed, there’s a high chance that hackers have extracted data such as credit card details and payroll information. From initial analysis, it looks like the data of both drivers and customers has been compromised.
This is another example of a relatively simple attack causing a big incident and potentially huge reputational damage for the victim organisation. The attacker socially engineered an employee to gain access to the network via VPN. Once in, they were able to find hard-coded passwords in scripts and then used them to infiltrate several parts of the network. This includes gaining access to their admin management tools as well as several databases. This raises some red flags. One is that a single hard-coded password has been used to access their privileged access management (PAM) system, giving access to any area of the IT environment that links to it. Another issue is that multi-factor authentication (MFA) was bypassed by the attacker simply spamming users with push notifications until one was eventually approved. This method has been successful in other security incidents recently, so organisations should consider alternative ways to operate MFA such as only using PINs. Attackers entering a network in this seemingly legitimate way can be particularly dangerous because it’s difficult to distinguish their movements from regular user activity.
This should serve as a reminder that having high levels of cyber hygiene can help prevent the more straightforward attack methods from being successful. As part of this effort, IT teams need to know where their most sensitive data sits at all times in order to effectively protect it. Having full visibility of the corporate network to identify devices that may have been compromised and then fix them quickly is also vital.”
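Detection logic for the MFA push-spamming pattern Vaughan describes (repeated denied or unanswered pushes to one user, followed by an approval). This is an added example, not code from the article or from Tanium; the log format, field names and sample lines are constructed assumptions to be mapped onto your identity provider’s own push-result events.

```python
"""Flag MFA push-fatigue (prompt-bombing) patterns in authentication logs.

Added example, not from the article or Tanium. The log format below is
constructed for illustration; map the fields to your identity provider's
export of per-user push outcomes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, user, push outcome.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice push=denied
2022-09-15T22:01:41Z alice push=timeout
2022-09-15T22:02:10Z alice push=denied
2022-09-15T22:02:52Z alice push=denied
2022-09-15T22:03:30Z alice push=timeout
2022-09-15T22:04:05Z alice push=approved
2022-09-15T22:05:00Z bob push=approved
2022-09-15T22:30:00Z carol push=denied
2022-09-15T23:10:00Z carol push=approved
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, user, outcome)."""
    ts, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome.split("=", 1)[1]

def find_push_fatigue(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {user: (ignored_count, approved_at)} for every user who approved
    a push after at least `threshold` denied/timed-out pushes within `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, outcome = parse_line(line)
            events[user].append((ts, outcome))
    findings = {}
    for user, evs in events.items():
        evs.sort()
        for i, (ts, outcome) in enumerate(evs):
            if outcome != "approved":
                continue
            # Count the denied/unanswered pushes that preceded this approval.
            ignored = sum(1 for t, o in evs[:i]
                          if o in ("denied", "timeout") and ts - t <= window)
            if ignored >= threshold:
                findings[user] = (ignored, ts)
    return findings

if __name__ == "__main__":
    for user, (n, ts) in find_push_fatigue(SAMPLE_LOG).items():
        print(f"{user}: approval at {ts.isoformat()} after {n} ignored/denied pushes")
```

An alert on this pattern should trigger a session review and a credential reset for the user, since the approval itself looks legitimate to the authentication system.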
Omer Yaron, Head of Research, Enso Security:
“Regardless of the attacker’s entry point, in Uber’s case the social engineering vector, it’s absolutely key to have different controls over applications to reduce the overall risk. Uber’s case shows how bad things can be, at least from what we know. Events escalate quickly and critical assets can be accessed without proper controls in place. Also, Uber is not out of the ongoing event. There are still mitigations they need to perform in real time. And it all comes down to the controls and measures they’ve put in place that will determine the outcome of this attack.”
Jerrod Piker, Competitive Intelligence Analyst, Deep Instinct:
“Over the last several years, we’ve learned that the bigger the brand name, the larger the target on their back for cybercrime. From hacktivism to corporate espionage, there’s always somebody with the motive and means to carry out an attack against large organizations across all verticals. The Uber breach is yet another wake-up call that nobody is truly safe from cyber crime.
This breach involved a self-proclaimed 18-year-old hacker socially engineering an employee, logging into their VPN, and scanning their shared network resources. This scan turned up PowerShell scripts that had admin credentials for the Privileged Access Management (PAM) system, which then granted the attacker access to many internal resources, including AWS and G Suite. His final flourish included sending a message on one of Uber’s internal Slack channels taking credit for the breach.
The key lessons we can learn from this particular breach are:
- Humans are still the weakest link, and Zero Trust is a necessity, not just a suggestion anymore
- Leaving scripts with embedded privileged account credentials stored on widely accessible network shares is bad practice”
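A scanner for the failure Piker’s second lesson names: privileged credentials embedded in scripts left on network shares. This is an added example, not code from the article or from Deep Instinct; the detection patterns, the sample PowerShell snippet and the share path handling are constructed assumptions.

```python
"""Scan scripts on a share for hard-coded credentials.

Added example, not from the article or Deep Instinct. The rules and the
sample script are constructed; extend the rules to the conventions your own
scripts use (for example your PAM tool's CLI flags).
"""
import re
from pathlib import Path

# Constructed PowerShell snippet of the kind a share scan might turn up.
SAMPLE_SCRIPT = r'''
$pamUser = "svc-pam-admin"
$pamPass = "Winter2022!"                       # hard-coded secret
$sec = ConvertTo-SecureString "Summer2021" -AsPlainText -Force
Invoke-RestMethod -Uri $api -Headers @{Authorization = "Basic c3ZjOnB3ZA=="}
$cred = Get-Credential                        # prompts at runtime: fine
net use \\fileserver\share /user:corp\backup P@ssw0rd
'''

# Each rule: (name, compiled regex). Lines are matched, secrets never extracted.
RULES = [
    ("plaintext-password-variable",
     re.compile(r'\$\w*(pass|pwd|secret|token)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    ("securestring-from-literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    ("basic-auth-header",
     re.compile(r'Authorization\s*=\s*["\']Basic\s+[A-Za-z0-9+/=]+', re.I)),
    ("net-use-inline-password",
     re.compile(r'net\s+use\s+.*\s/user:\S+\s+\S+', re.I)),
]

def scan_text(text):
    """Return [(line_number, rule_name)] for every line that matches a rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((lineno, name))
    return hits

def scan_share(root, globs=("*.ps1", "*.bat", "*.cmd")):
    """Walk a mounted share (path is an assumption) and report hits per file."""
    results = {}
    for pattern in globs:
        for path in Path(root).rglob(pattern):
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

if __name__ == "__main__":
    for lineno, name in scan_text(SAMPLE_SCRIPT):
        print(f"line {lineno}: {name}")
```

Run it as a scheduled job over the shares that are readable by all staff; every hit is a secret that belongs in the PAM vault and a file whose permissions need reviewing.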
“This is really just testament to the fact that almost every multi-million dollar security program is worth nothing without employee awareness, clean data hygiene practices, and constant validation of security controls through testing. We’ve seen way too many examples of credentialed attacks still being the #1 utilized attack vector for attackers.
The layman walks around thinking, ‘why would they hack me? I’m a nobody!’ without realizing that they’re the perfect foothold into an organization. The irony is not lost on me that, following a social engineering attack which led to the stealing of a password, the attacker posted messages on Uber’s Slack in an attempt to capture more credentials.
Without looking through the eyes of an attacker, enterprise IT groups miss the most obvious routes to data breach, instead focusing on the high-hanging fruit of the latest vulnerabilities discussed in the news. Especially without verified data segmentation in place, it only takes one bad password and two skipping stones to get to the crown jewels. The Uber attack is the perfect example of this: a single password led to the compromise of Uber IT systems, security software, Windows domain, SaaS products, VMs, and even vulnerability reports from their HackerOne account.”
“Well, looks like Uber’s been taken for a ride – and this is a ride they will pay for dearly. All it takes is one successful compromise to circumvent most preventive controls and this attacker used the most accessible and simple technique of social engineering to take over a valid Uber user account.
What is required is a stronger detection program that also monitors for and identifies risky access controls, entitlements and user behaviors, and associated abnormal or deviant activity. This includes potential threats from the inside, not just outside threats. More advanced and adaptable technologies that use machine learning and artificial intelligence to compensate for threat actor activity and human behavior have proven to be more effective at stopping successful attacks.”