Saturday, September 17, 2022

Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber



Questions are swirling around Uber's internal security practices after an 18-year-old hacker gained what appears to have been full administrative access to critical parts of the company's IT infrastructure, using an employee's VPN credentials as the initial access vector.

Numerous screenshots that the alleged attacker posted online suggest the intruder didn't have to breach a single internal system to essentially pwn the ride-sharing giant's IT domain almost entirely.

So far, Uber has not disclosed details of the incident beyond saying that the company is responding to it and working with law enforcement to investigate the breach. So, at least some of what is being reported about the incident is based on a New York Times report from Sept. 15 in which the teenager claimed to have gained access to Uber's internal networks using credentials obtained from an employee via social engineering. The attacker used that access to move laterally across Uber's internal domain to other critical systems, including its email, cloud storage, and code repository environments.

Since then, he has posted numerous screenshots of internal systems at Uber to substantiate the access he had obtained and how it was obtained.

The screenshots show the hacker gained full administrative access to Uber's AWS, Google Cloud, VMware vSphere, and Windows environments, as well as to a full database of vulnerabilities in its platform that security researchers have discovered and disclosed to the company via a bug bounty program managed by HackerOne. The internal data the attacker accessed appears to include Uber sales metrics, information on Slack, and even information from the company's endpoint detection and response (EDR) platform.

In a tweet thread that some security researchers reposted, Twitter user Corben Leo posted claims from the alleged hacker that he used the socially engineered credentials to access Uber's VPN and scan the company's intranet. The hacker described finding an Uber network share that contained PowerShell scripts with privileged admin credentials. "One of the PowerShell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, Duo, OneLogin, AWS, GSuite," the attacker claimed.

For now, the attacker's motivations are not very clear. Usually, it is fairly obvious, but the only thing the hacker has done so far is make a lot of noise, note that Uber drivers should be paid more, and share screenshots proving access.

"They seemed really young and maybe even a little sloppy. Some of their screenshots had open chat windows and a ton of metadata," says Sam Curry, a security engineer at Yuga Labs who has reviewed the screenshots.

Pure-Play Social Engineering

Invincible Security Group (ISG), a Dubai-based security services firm, claimed that its researchers had obtained a list of administrative credentials that the threat actor had gathered. "They appear to be strong passwords, which confirms that it was indeed a social-engineering attack that got him access to Uber's internal network," ISG tweeted.

Curry tells Dark Reading that the attacker appears to have gained initial access by compromising one employee's login information and social engineering that person's VPN two-factor authentication (2FA) prompt.

"Once they had VPN access, they discovered a network drive with 'keys to the kingdom,' which allowed them to access [Uber's] cloud hosting as root on both Google Cloud Platform and Amazon Web Services," Curry notes. "This means they probably had access to every cloud deployment, which is likely the majority of Uber's running applications and cloud storage."

One important fact is that the employee who was initially compromised worked in incident response, he notes, adding that typically such employees have access to many more tools within Uber's environment than regular employees.

"Having this level of access, and additionally the access they found in the PowerShell script, means that they probably didn't have too many limitations to do whatever they wanted within Uber," Curry says.
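The path described above ran through a PowerShell script on a network share that embedded a PAM admin password. As an added example, not code from the article or from Uber, the following Python scanner reads script contents (for instance every .ps1 on a mounted share) and reports lines that embed credentials, with the quoted values masked so the report itself is safe to share; the patterns, share paths, sample scripts and dummy secret are all constructed.

```python
import re
from collections import namedtuple

# Patterns for credentials embedded in PowerShell scripts (constructed for this example,
# not a complete secret-scanning ruleset).
PATTERNS = [
    ("plaintext password variable", re.compile(r"""\$\w*(?:pass(?:word)?|pwd|secret)\w*\s*=\s*["'][^"']{4,}["']""", re.I)),
    ("AsPlainText secure string", re.compile(r"""ConvertTo-SecureString\s+["'][^"']+["']\s+-AsPlainText""", re.I)),
    ("api key or token literal", re.compile(r"""(?:api[_-]?key|token|client[_-]?secret)\s*[:=]\s*["'][A-Za-z0-9_./+=-]{16,}["']""", re.I)),
]

Finding = namedtuple("Finding", "path line kind snippet")  # snippet has quoted values masked

def redact(text):
    # Mask every quoted value so the scan report itself does not leak the secret.
    return re.sub(r"""(["'])[^"']*\1""", lambda m: m.group(1) + "*" * 8 + m.group(1), text)

def scan_script(path, text):
    # One Finding per line that looks like it embeds a credential; comment lines are skipped.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append(Finding(path, lineno, kind, redact(match.group(0))))
                break  # one hit per line is enough for triage
    return findings

def scan_scripts(scripts):
    # scripts: mapping of path -> script text, e.g. every .ps1 read from a mounted share.
    return [f for path, text in scripts.items() for f in scan_script(path, text)]

# Constructed sample scripts standing in for what an admin share might hold.
SAMPLE_SCRIPTS = {
    r"\\fileshare\scripts\rotate-backup.ps1": (
        "# Nightly backup job\n"
        "$pamUser = 'svc-backup'\n"
        "$pamPassword = 'Dummy-Secret-NotReal!'\n"
        "$sec = ConvertTo-SecureString 'Dummy-Secret-NotReal!' -AsPlainText -Force\n"
        "$cred = New-Object System.Management.Automation.PSCredential($pamUser, $sec)\n"
    ),
    r"\\fileshare\scripts\cleanup.ps1": (
        "$cred = Get-Credential   # prompts instead of embedding a secret\n"
        "# $password = 'old-value-left-in-a-comment'\n"
    ),
}
```

Running `scan_scripts(SAMPLE_SCRIPTS)` flags lines 3 and 4 of rotate-backup.ps1 and nothing in cleanup.ps1, which prompts for its credential instead of storing it.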

In a series of tweets, independent security researcher Bill Demirkapi said the attacker appears to have gained persistent MFA access to the compromised account at Uber "by socially engineering the victim into accepting a prompt that allowed the attacker to register their own device for MFA."

"The fact that the attackers appear to have compromised an IR team member's account is worrisome," Demirkapi tweeted. "EDRs can bake in 'backdoors' for IR, such as allowing IR teams to 'shell into' employee machines (if enabled), potentially widening the attacker's access."

Bug Bounty Data Access Is "Problematic"

The apparent fact that the attacker gained access to Uber vulnerability data submitted via its bug bounty program is also problematic, security experts say.

Curry says he learned of the access after the hacker posted a comment about Uber being hacked on the company's bug bounty tickets. Curry had previously discovered and submitted a vulnerability to Uber, which if exploited would have allowed access to its code repositories. That bug was addressed, but it's unclear how many of the other vulnerabilities that have been disclosed to the company have been fixed, how many of them remain unpatched, and what level of access those vulnerabilities might provide if exploited. The situation could become significantly worse if the hacker sells the vulnerability data to others.

"Bug bounty programs are an important layer in mature security programs," says Shira Shamban, CEO at Solvo. "A major implication here is that the hacker now knows about other vulnerabilities within the Uber IT environment and can use them to set up backdoors for future use, which is unsettling."

Vulnerability and pen-testing tools are important in enabling companies to better assess and improve their security postures, says Amit Bareket, CEO and co-founder of Perimeter 81. "However, if the proper security measures aren't put in place, these tools can turn into double-edged swords, enabling bad actors to take advantage of the sensitive information they might contain," he says.

Companies should be aware of this and ensure such reports are protected and stored in encrypted form to avoid being misused for malicious intent, Bareket notes.

The latest incident is unlikely to do much to improve Uber's already somewhat dinged reputation for security. In October 2016, the company experienced a data breach that exposed sensitive information on some 57 million riders. But instead of disclosing the breach as it was required to, the company paid $100,000 to the security researchers that reported the breach in what was seen as an attempt to pay them off. In 2018, the company settled a lawsuit over the incident for $148 million. It arrived at similar but much smaller settlements in lawsuits over the incident in the UK and the Netherlands.
