Friday, April 19

This was, step by step, the cyberattack on Uber


After news of the cyberattack on Uber, its IT infrastructure and access to sensitive customer data, the human element of the story is coming to the fore, with attention turning to multi-factor authentication (MFA) and other identity security best practices. As more details of the story become known, it is therefore inevitable to ask: “Does it really matter who the attacker was or how he got in?” Because once the attacker was inside Uber, what makes this attack so notorious is what happened next.

Based on available analysis and reports, the CyberArk Red Team has deconstructed the cyberattack on Uber with a focus on the “hardcoded” credentials, the real pain point of the attack: they were allegedly used to gain administrative access to the organization’s privileged access management (PAM) solution, supplied by a third-party vendor, which in turn unlocked further high-risk access. Shay Nahari, VP of CyberArk Red Team Services, commented: “Much of the analysis of the Uber cyberattack has focused on social engineering and multiple MFA attack vectors, but the real turning point of the attack occurred after the initial break-in. The presence of embedded credentials on a misconfigured network share is critical to deconstructing this attack. It was the access credentials to a PAM solution, embedded in a PowerShell script, that allowed the attacker to gain high-level access, escalate privileges, and reach Uber’s IT systems. Proactive protection relies on implementing multiple layers of security, but as this attack shows, the most important lesson is to assume breach.”


Uber Breach Deconstruction

Deconstructing the Uber cyberattack, step by step: what we supposedly know

Phase 1: Initial Access. The attacker got into Uber’s IT environment by obtaining a contractor’s credentials for the company’s VPN infrastructure.

Phase 2: Discovery. The contractor most likely had no special or elevated privileges on sensitive resources but, like other Uber workers, did have access to a shared network drive. This network share was either open or misconfigured with a wide read ACL (access control list). On that share, the attacker discovered a PowerShell script containing embedded privileged credentials for Uber’s PAM solution.

In the Uber breach, these hardcoded credentials granted administrative access to the privileged access management solution. It also appears that they had not been rotated in a long time, which made them much easier to exploit.

Phase 3: Privilege Escalation, access to the PAM system. With the administrator credentials for the privileged access management solution in hand, the attacker was able to escalate privileges further.

Phase 4: Access to the PAM system’s secrets, reaching the company’s critical systems. According to Uber’s latest update, the attacker obtained “elevated permissions for various tools.” By accessing the secrets held in the privileged access management solution, the attacker allegedly gained access to SSO and administrative consoles, as well as the cloud management console where Uber stores sensitive financial and customer data.

Phase 5: Data exfiltration. Uber is still investigating the incident, but has confirmed that the attacker “downloaded some internal Slack messages and accessed or downloaded information from an internal tool that our finance team uses to manage some invoices.”


Proactive protection requires defense in depth: a combination of complementary security layers supporting a Zero Trust strategy built on strong least-privilege controls. To reduce cyber risk, CyberArk therefore recommends starting by inventorying the environment to find and remove embedded credentials that exist in code, PaaS configurations, DevOps tools, and internally developed applications.
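The following scanner is an added example written for this article; it is not code from CyberArk, Uber or the reports discussed above. It demonstrates the inventory step recommended in the previous paragraph against the Phase 2 weakness: it walks a directory tree standing in for the shared drive, flags the common ways credentials get hardcoded in PowerShell and configuration files, and reports each hit with the quoted value masked so the report itself does not leak the secret. The regular expressions, the host name pam.example.internal, the account svc-pam-admin and both sample scripts are constructed for illustration.

```python
"""Hunt for embedded credentials in scripts on a file share.

Added example (not CyberArk's or Uber's tooling). Scans a directory tree,
for instance a mounted network share, for hardcoded credentials of the kind
the Uber deconstruction describes and reports them with the secret masked.
The patterns, host names, accounts and sample scripts are illustrative.
"""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Common ways credentials end up hardcoded in PowerShell and config files.
CREDENTIAL_PATTERNS = [
    ("plaintext SecureString",
     re.compile(r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText", re.I)),
    ("password variable",
     re.compile(r"\$\w*(pass|pwd|secret|token)\w*\s*=\s*['\"][^'\"]{4,}['\"]", re.I)),
    ("credential in URL",
     re.compile(r"https?://[^\s/:@]+:[^\s/@]+@", re.I)),
    ("API key or token assignment",
     re.compile(r"(api[_-]?key|token|secret)\s*[=:]\s*['\"][A-Za-z0-9_\-]{16,}['\"]", re.I)),
]

# File types worth reading; binaries and everything else are skipped.
SCAN_SUFFIXES = {".ps1", ".psm1", ".bat", ".cmd", ".sh", ".py",
                 ".json", ".xml", ".config", ".ini", ".txt"}

# Masks anything inside quotes so the report does not reproduce the secret.
_QUOTED = re.compile(r"""(['"])[^'"]*\1""")


@dataclass(frozen=True)
class Finding:
    source: str     # file the line came from
    line_no: int    # 1-based line number
    label: str      # which pattern fired
    redacted: str   # the line with quoted values masked


def scan_text(text: str, source: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(source, line_no, label,
                                        _QUOTED.sub(r"\1***\1", line.strip())))
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Walk root (e.g. a mounted share) and scan every text file of interest."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip it
            findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


# Constructed sample of the weak pattern: a PAM admin password stored in a
# helper script that anyone with read access to the share can open
# (host name and account are hypothetical).
SAMPLE_SCRIPT = """\
# backup-rotation.ps1 (constructed example)
$VaultUser = "svc-pam-admin"
$VaultPassword = "Sup3rS3cret!2022"
$secure = ConvertTo-SecureString "Sup3rS3cret!2022" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($VaultUser, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api/auth" -Credential $cred
"""

# Constructed sample of the corrected pattern: the credential is obtained at
# run time from the operator (or a secrets store) and never written to disk.
CLEAN_SCRIPT = """\
# rotate-backups.ps1 (constructed example)
$cred = Get-Credential -Message "PAM service account"
Invoke-RestMethod -Uri "https://pam.example.internal/api/auth" -Credential $cred
"""


def build_demo_share() -> Path:
    """Create a throwaway directory standing in for the network share."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / "ops").mkdir()
    (root / "ops" / "backup-rotation.ps1").write_text(SAMPLE_SCRIPT, encoding="utf-8")
    (root / "ops" / "rotate-backups.ps1").write_text(CLEAN_SCRIPT, encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_share()):
        print(f"{f.source}:{f.line_no}: {f.label}: {f.redacted}")
```

Run against the constructed share, the scanner flags only backup-rotation.ps1 (the password variable and the plaintext SecureString), while rotate-backups.ps1, which requests the credential at run time with Get-Credential, produces no findings. On a real Windows share the same sweep would be paired with a review of the share’s permissions (for example with Get-Acl on the share root) to close the wide read ACL that Phase 2 describes, and with rotation of any credential the scan turns up, since a secret that has been readable by every employee must be treated as compromised.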
