The hacking of ride-hailing app Uber’s systems has thrown open a number of issues in the cyber security arena, as the hacker was able to reach high-level privileged areas and internal company tools.
CyberArk, a cyber and identity security firm, has analysed the hack to help explain how the incident unfolded and how similar attacks can be averted in future.
Uber had revealed that the attacker bought an Uber contractor’s password on the dark web after the contractor’s personal device had been infected with malware. The attacker then sent several requests for a two-factor login approval, which the contractor initially refused, but accepted later unknowingly. From there, the intruder was able to get into several employee accounts and had security permissions for Uber’s G-Suite and Slack, among other internal tools.
Honestly kind of a classy way to hack someone 😂😂😂@Uber pic.twitter.com/fFUA5xb3wv
— Colton (@ColtonSeal) September 16, 2022
Uber, however, said the attacker was not able to get into the production systems that run its operations, nor the area where it stores customers’ personal and financial information. It named Lapsus$ as the group likely behind the attack.
CyberArk Red Team’s analysis concluded that the attacker initially got inside Uber’s IT environment by obtaining credentials for Uber’s VPN infrastructure.
While the contractor probably did not have special privileges, they are likely to have had access to a corporate network share, as other Uber workers did. CyberArk believes this network share was either open or misconfigured to allow a broad read ACL.
“Within the network share, the attacker discovered a PowerShell script containing hard-coded privileged credentials to Uber’s PAM solution,” it said in a statement.
IT teams and developers often automate tasks that need some form of credentials to perform authentication. These credentials could be anything from SSH keys and API tokens to other types of passwords and privileged tokens. To save time and help ensure automation, it’s common for developers to embed (or hard code) these credentials into the code. This leaves the credentials exposed to everyone with access to the code and makes them difficult to manage and rotate, CyberArk said.
In the Uber breach, hard-coded credentials granted administrative access to a privileged access management solution. These credentials appear not to have been rotated in some time — making them much easier to exploit, it said.
By harvesting the hard-coded admin credentials for the privileged access management solution, the attacker was able to further escalate privileges.
Once the attacker could pull secrets from the privileged access management solution, the potential for damage was significant: the attacker reportedly gained access to the SSO and admin consoles, as well as to the cloud management console where Uber stores sensitive customer and financial data, it said.
This enabled the hacker to access and download “some internal Slack messages”, and other information from an internal tool which the “finance team uses to manage some invoices.”
CyberArk noted that the most important lesson in this case is not to have embedded credentials in the first place.
“To reduce cyber risk in your own organization, we recommend focusing on eliminating this practice, and taking inventory of your environment to find and remove hard-coded credentials that exist in code, PaaS configurations, DevOps tools and internally developed applications,” it said in a statement.
“We know this is easier said than done, so focus on your organization’s most critical and powerful credentials and secrets first and then expand these secrets management best practices to measurably reduce risk over time,” the security specialist added.
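To make the hard-coded credential pattern from the earlier paragraph concrete, and as a starting point for the inventory CyberArk recommends, here is an added example (not from the article, CyberArk or Uber) that scans PowerShell script text for embedded secrets and reports the offending lines. The two sample scripts, the regex patterns and the vault wrapper Get-VaultCredential are constructed for illustration.

```python
import re

# Constructed sample of a PowerShell automation script (illustration only,
# not Uber's script): it embeds a privileged credential the way the article describes.
SAMPLE_SCRIPT = """\
# Nightly job: pull the account list from the PAM appliance
$PamUser = "svc_pam_admin"
$Secure = ConvertTo-SecureString "P@ssw0rd-2022!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential($PamUser, $Secure)
$ApiToken = "pamtok_0123456789abcdefghijklmnop"
Invoke-RestMethod -Uri "https://pam.example.internal/api/accounts" -Credential $Cred
"""

# The same job with the credential fetched at run time from a secrets store.
# Get-VaultCredential is a hypothetical wrapper, not a real cmdlet.
HARDENED_SCRIPT = """\
# Nightly job: pull the account list from the PAM appliance
$Cred = Get-VaultCredential -Name "pam-readonly-svc"
Invoke-RestMethod -Uri "https://pam.example.internal/api/accounts" -Credential $Cred
"""

# Indicators of a literal secret, tuned to PowerShell idioms. Illustrative, not exhaustive.
PATTERNS = [
    ("plaintext password variable",
     re.compile(r'\$\w*(pass(word|wd)?|secret|pwd)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    ("secure string built from a literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    ("token-like literal",
     re.compile(r'["\'][A-Za-z0-9_\-]{20,}["\']')),
]

def find_hardcoded_credentials(text):
    """Return (line_number, finding_type, stripped_line) for each line that matches.

    Comment lines are scanned too: a commented-out secret is still a leaked secret.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
                break  # one finding per line is enough for triage
    return findings

if __name__ == "__main__":
    for lineno, label, line in find_hardcoded_credentials(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}: {line}")
    print("hardened script findings:", find_hardcoded_credentials(HARDENED_SCRIPT))
```

Pointing the scanner at every `.ps1` file on a share is a first pass only; a real inventory should also cover CI variables, container images and PaaS configuration, and every finding should be followed by rotating the exposed credential.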
CyberArk also gave a few suggestions for maintaining a high level of security.
As attackers are getting better at bypassing MFA, it is necessary to train employees regularly to spot and report phishing to help prevent identity compromise.
It stressed the need to consistently enforce the principle of least privilege. Employees should be granted only the access their jobs require; access to high-impact areas should be limited to very few people, and granted only when absolutely necessary. All access using privileged accounts should be isolated and authenticated.
Multiple, layered security measures are needed so that a single failure does not expose the main admin credentials, which in turn unlock all other credentials.
This was not a breach for which a single individual or vendor was at fault, nor was it a breach that a single technology solution could have prevented. That’s why defense-in-depth is so important: It makes it harder for attackers to work, move and, ultimately, accomplish their goals.
“Much of the Uber cyber-attack analysis has focused on social engineering and multiple MFA attack vectors, but the real turning point for the attack happened post initial access. The presence of embedded credentials in a misconfigured network share is critical to deconstructing this attack. It was the harvesting of credentials for a PAM solution embedded in a PowerShell script that allowed the attacker to gain high-level access, escalate privileges and set off on a veritable field day inside Uber’s IT environment. Proactive protection relies on implementing multiple security layers but most importantly, as this attack reinforces, the biggest takeaway is assume breach,” said Shay Nahari, vice-president, Red Team Services, CyberArk.