September 15th was the day the Uber breach news broke and Uber notified everyone they had an incident. To dig into that, we of course turned to social media, and what did we find? A smorgasbord of cyber-criminality that includes:
- social engineering
- remote access via VPN
- social engineering to be able to get to that point
- scanning of an internal network
- and then eventually lateral movement
after compromising what sounds like, based on what’s been put out so far, hard-coded passwords within the environment. The attacker then gained access to a larger privileged access management (PAM) system known as Thycotic.
This post walks through how Uber was breached, what the breach looks like and what it entails.
Let’s just say for instance, there is no on-prem infrastructure for uber.com. We know that Uber’s corporate environment was compromised based on what has come out. And we know that it started from a single individual who was social engineered. So how does an Uber breach happen?
Well, we have an individual, working for Uber and they are unfortunately taken advantage of. It looks like a bad guy did some social engineering on the Uber employee. The bad guy was able to send a number of MFA push notifications using SMS to this individual on a constant basis. And based on the graphic that was shared, the SMSs were sent over a time period of one hour.
“An attacker can set up a fake domain that relays Uber’s real login page with tooling such as Evilginx. The only difference is the domain they are visiting, which is easy to miss. For most MFA, nothing stops the attacker from relaying the authentication process.” (Bill Demirkapi, @BillDemirkapi, September 16, 2022)
The bad guy then called the Uber employee on the phone, masquerading as a help desk employee. The bad guy said “Hey listen, if you want these SMS messages to stop, you need to accept this and then we will take care of everything.” I don’t know exactly what was said, but it seems like that’s the semblance of the idea.
The employee did in fact approve, and the attacker was then able to add a bad-guy-owned device to Uber’s MFA solution. The attacker logged into the VPN and was able to gain access to Uber’s actual environment. This is just the start of this Uber breach breakdown. Now that the attacker has access and is sitting within Uber’s corporate environment, they begin looking for data within the organization, scanning for file repos, databases, file shares, whatever they could access.
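The sequence described above (a burst of MFA prompts over about an hour, one approval, then a new device enrolled) can be detected from authentication logs. This is an added example, not Uber’s or any vendor’s code; the log format, event names, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not real Uber data. Assumed format: "<ISO time> <user> <event>".
SAMPLE_LOG = """\
2022-09-15T09:00:05 bob push_sent
2022-09-15T09:00:20 bob push_approved
2022-09-15T09:05:00 bob device_enrolled
2022-09-15T18:02:11 alice push_sent
2022-09-15T18:13:40 alice push_sent
2022-09-15T18:24:02 alice push_sent
2022-09-15T18:35:19 alice push_sent
2022-09-15T18:46:55 alice push_sent
2022-09-15T18:55:30 alice push_sent
2022-09-15T18:57:04 alice push_approved
2022-09-15T19:03:48 alice device_enrolled
"""

def parse(log):
    """Turn log text into (timestamp, user, event) tuples."""
    rows = (line.split() for line in log.splitlines() if line.strip())
    return [(datetime.fromisoformat(ts), user, event) for ts, user, event in rows]

def detect(events, window=timedelta(hours=1), threshold=5, grace=timedelta(minutes=30)):
    """Flag approvals that end a burst of prompts, and enrollments soon after."""
    prompts = defaultdict(deque)   # user -> prompt times still inside the window
    watch_until = {}               # user -> end of the post-approval watch period
    alerts = []
    for ts, user, event in sorted(events):
        recent = prompts[user]
        while recent and ts - recent[0] > window:
            recent.popleft()       # prompt has aged out of the sliding window
        if event == "push_sent":
            recent.append(ts)
        elif event == "push_approved":
            if len(recent) >= threshold:
                alerts.append((ts, user, "approval_after_push_burst", len(recent)))
                watch_until[user] = ts + grace
            recent.clear()         # an approval resets the count
        elif event == "device_enrolled" and ts <= watch_until.get(user, datetime.min):
            alerts.append((ts, user, "device_enrolled_after_suspicious_approval", 0))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(*alert)
```

An alert of either kind is a natural trigger for the extra challenge discussed later: hold the session or the enrollment until the user is verified through a separate channel.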
What the attacker was able to come up with was a PowerShell script that had hard-coded passwords inside it. That then allowed the attacker to move and use this hard-coded password, supposedly to access a major system within the Uber environment called Thycotic.
Thycotic is what’s known as a PAM or a Privileged Access Management system. Essentially it’s a vault of all of your passwords and only a chosen few people inside of an organization should have access to this. Why? Because it literally has all the keys to the kingdom.
So now the attacker is able to leapfrog into Thycotic, the PAM, and they were then able to use Thycotic to access all other things within Uber’s controlled environment. That includes their AWS environment, their GCP, their Google environment, their Google Drive, their Slack, even some of their security platforms such as HackerOne and SentinelOne.
And this is where all of the screenshots of the Uber breach are coming out and being shown. There was obviously reconnaissance done by the attacker to determine [what?], look at this individual that started it all. And then, obviously being able to leapfrog and use lateral movement after accessing the VPN into the actual Uber environment, the attacker was able to move, gain more access, move, gain more access, and then eventually got to what looks like the target. Now who knows if this was the target, the end state, or if they just got lucky and just kind of kept trading up, accessing and accessing and seeing what they could go do.
What are the breakdowns within the Uber hack based on what we know?
Limited Staff Education
1. The employee had limited training maybe on what to be looking for when getting a significant amount of SMS pushes to their phone or to their device that would’ve then enabled and allowed for MFA. Somehow the hacker had access to the username potentially, and then MFA was the second factor to then be able to log in. We’re unsure about how the hacker had access to the username and password right now, but what we do know is that the SMS was pushed. The hacker did allude to that and put that out there as part of information that was found post-breach.
SMS Is A Weak MFA Method
2. Why are we using SMS? SMS is a valid form of MFA, albeit a weaker one. For most organizations SMS works fine. But for information or access into certain things or larger organizations, enterprises, perhaps SMS or push notifications are not the way to go. Something to reconsider in your MFA implementation if you are a growing enterprise.
Too Little Friction
3. Was there a second challenge of any sort on the VPN? Was MFA really the last line? There are technologies, there are ways to second and third challenge an individual. For example: “Hey, even though we’re using MFA, I’ve never seen you log in from this area before. Maybe I should challenge you again before I allow you access into the environment.”
Poor Data Management Practice
4. The coup de grâce really is hard-coded passwords inside of a PowerShell script that sat somewhere on a device or on a share that the attacker was able to find. That just seems like a horrible no-no because that led to the eventual compromise of the actual PAM, the Privileged Access Management system.
And that seems to be where it kind of all fell apart. If this was not found, what damage could have been done? Could other things? Maybe, who knows, it might have been harder. Maybe SentinelOne would’ve found more malicious activity, maybe other capabilities inside of Uber, who knows.
But this seems to be the piece that really unlocked it for the attacker. Once inside the master vault that is a PAM, they were able to leapfrog right into all the other systems. If you have a Privileged Access Management system, this is an area where you must tighten up who has control. Where is the control? And please, don’t hard-code passwords and write passwords down. This is the digital version of writing it on a sticky note and putting it on your monitor.
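One way to find hard-coded passwords in PowerShell scripts on your own shares before an intruder does is a pattern scan like the one below. This is an added example, not code from the original post or from Uber; the rule set is a heuristic assumption, the sample script is constructed, and `Connect-Thing` is a hypothetical cmdlet.

```python
import re

# Heuristic rule set assumed for this example; it is not exhaustive.
NAME = r"\w*(?:pass(?:word|wd)?|pwd|secret|api_?key|token)\w*"
QUOTED = r"(['\"])(?P<val>[^'\"]+)\1"
RULES = [
    ("literal-assigned-to-secret-variable",
     re.compile(rf"\${NAME}\s*=\s*{QUOTED}", re.I)),
    ("plaintext-ConvertTo-SecureString",
     re.compile(rf"ConvertTo-SecureString\s+(?:-String\s+)?{QUOTED}.*-AsPlainText", re.I)),
    ("literal-secret-parameter",
     re.compile(rf"-{NAME}\s+{QUOTED}", re.I)),
]

# Constructed sample script; every value is made up. Connect-Thing is hypothetical.
SAMPLE_PS1 = r"""$server = "vault.example.internal"
$adminPassword = "Constructed-Example-1!"
$cred = New-Object PSCredential("svc", (ConvertTo-SecureString "Constructed-Example-2!" -AsPlainText -Force))
$dbPassword = "$env:DB_PASSWORD"
$safe = Get-Secret -Name SvcAccount
Connect-Thing -Server $server -Password 'Constructed-Example-3!'
"""

def scan(source, path="<script>"):
    """Return (path, line number, rule, redacted note) for each literal secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group("val")
            if value.startswith("$"):
                continue  # quoted variable reference, not a literal secret
            # Never copy the secret into the report; record only its length.
            findings.append((path, lineno, rule, f"<{len(value)} chars redacted>"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_PS1, "deploy.ps1"):
        print(*finding)
```

Lines 4 and 5 of the sample are the patterns that pass: the secret is pulled at run time from the environment or a vault rather than stored in the file. Every credential a scan does find should be rotated, not just deleted from the script.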
Well, that’s a good breakdown, I think. If you have any questions, find me on LinkedIn or Twitter @brianhaugli. Hopefully you found this insightful. I’m Brian Haugli with CISOlife brought to you by SideChannel and I look forward to talking to you again. Be safe. Be good. I’ll talk to you next time.