Late last week, news hit that tech giant Uber had a major compromise of their corporate environment. There have been so many corporate compromises in the last few years that there is almost fatigue in the news cycle, but this one stands out as the impact and depth of the hack go beyond any that we’ve seen so far. Did some genius hacker develop a magic technological bullet to penetrate their defenses? Absolutely not. Tried and true methods of social engineering allowed the hacker to open the door and help themself to the keys to the kingdom. In this case, the attacker allegedly even gave a play-by-play rundown to the some security researchers about how it all went down.
So how did they get access?
Every day we hear the term ‘phishing’ and for good reason. It’s the most common method to gain unauthorized access to corporate environments with legitimate credentials. By sending a convincing email that directs a user to a fake page and having them ‘sign in’, attackers have now collected a real user’s login. The addition of 2FA/MFA (Two-Factor or Multi Factor Authentication) has helped to alleviate a significant portion of risk by requiring logins from untrusted devices/browsers to be substantiated by a second, and sometimes third, method; most commonly OTP (One Time Password), SMS (Text Message) or a push notification from an Authenticator App. None of these methods is 100% secure, but the additional layer makes it far more difficult. The MFA said to be used during this breach was a push notification and the attacker started to ‘MFA bomb’ the user. This meant submitting hundreds of login requests so that the app would be constantly ringing with requests to approve a login. This can be incredibly aggravating and sometimes users will accept it out of frustration. If that’s the case, then the attacker now has access, will add their own device for 2FA/MFA and then the user won’t know if the attacker logs into their account again. In the case of Uber, the user was then allegedly contacted via WhatsApp by the attacker posing as Uber’s IT department telling the user to accept the MFA prompt so they could reset it and stop the flood of pop-ups to the user. Access was given, and the rest is history still being written.
Is that it? Did it get worse?
You bet. After the user was phished and socially engineered into handing over access, the discovery process started. Unfortunately, the user that was affected had some administrative privileges on the network. After some digging, powershell scripts were found that included administrative credentials for their PAM (Privileged Access Management) system. Think of this like a safe where you keep all your very important keys. Once you have access to that safe, you now have keys to all the other secure areas. In the case of the Uber breach, this included their AWS (Amazon Web Services), Slack (company communications), Google Workspace, and even the security platform used to monitor and mitigate attacks of other kinds. Now the attacker had admin control over the entire company’s resources, including some of their financial reporting.
Now what?
Uber has released a security update, but has been fairly tight-lipped otherwise. Understandable as they don’t want to report before all the information and post mortem has been done. Uber’s services are all up and running and it has been reported that end user private data (like route history and GPS data) haven’t been affected. The situation is currently evolving and some of the details are still being substantiated, but there have been reports from outside security firms that they have been in contact with the hacker. Keep an eye here for follow up information as the story unfolds.