Insights from the Uber Breach: Ways to Prevent Similar Attacks

Originally published by InsiderSecurity on December 9, 2022.

Uber Technologies disclosed it was investigating a cybersecurity incident after reports that hackers had breached the company’s network. An in-depth analysis of the attack reveals how the attack occurred and ways organizations can prevent similar incidents in the future. The security industry, however, is still abuzz following this incident, with experts concerned about how an allegedly 17-year-old attacker hacked Uber’s IT infrastructure and acquired sensitive data.

Experts at InsiderSecurity dissected the attack and came up with hackers' progression along Uber's killchain, starting from the initial access, discovery, lateral movement, and data exfiltration. This breach is a reminder that threats are always present and evolving, hence we must do our utmost to learn and adapt to the ever-changing threat landscape. Therefore, based on the Uber incident details, we provide a list of effective strategies organizations can use to identify and mitigate similar incidents in the future.

What and How Did the Attack Happen?

1. Initial Access

The hackers accessed Uber’s IT environment after accessing the company’s VPN infrastructure credentials. We got this information from Uber’s September 19 security update that names Lapsus$ as the potential threat actor.

“An Uber EXT contractor had their account compromised by an attacker,” reads Uber’s security update. “It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web after the contractor’s device had been infected with malware, exposing those credentials.”

It’s important to note that Uber has implemented multifactor access control for its systems. However, according to their update, the attacker successfully logged in after the contractor accepted one of the many attempted two-factor login approval requests.

2. Discovery

The contractor whose credentials were stolen did not have privileged access to critical systems. Nevertheless, the contractor had access to a network share. This access is authorized for most internal users. Furthermore, even with restricted access, the cyber actor located a PowerShell script containing hard-corded privileged credentials for Thycotic, the target’s Privileged Access Management (PAM) solution. The PAM user credentials granted access to Uber’s secret services, such as DA, DUO, AWS, GSuite, and Onelogin.

3. Privilege Escalation and Access to Critical Systems

The hacker stole the admin credentials needed for elevated permission to different critical systems and tools. This attack is unique and worthy of attention as it shows how credential theft can lead to a breach of multiple systems. For instance, the attacker in Uber’s case accessed Slack, Google Workspace Admin, AWS accounts, HackerOne admin, SentinelOne EDR, vSphere, and financial dashboard.

Besides, the hacker posted a message to a company-wide Slack channel and reconfigured OpenDNS to display a graphic image on internal sites.

4. Data Exfiltration

Uber divulged that the cyber actor accessed the company’s bugs and vulnerabilities reports, but the security team had remediated the bugs. However, the hacker stole crucial information from the Slack business messaging app.

An excerpt from the company’s security update reads, “it does appear that the attacker downloaded some internal Slack messages as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices.”

Uber responded by identifying and blocking compromised accounts to ensure the attacker had no further access to systems. In some cases, the company required a password reset to restore accounts. Uber also disabled affected tools, rotated keys to reset access to internal servers, locked down the codebase, and required employees to re-authenticate to regain access.

Lessons from the Breach and Ways to Mitigate Similar Attacks

Uber’s security incident involved both human users and systems. Therefore, it’s worth pointing out that a single technology solution could not avoid such a breach. Instead, cybersecurity professionals and companies require a set of controls and training to mitigate similar attacks in the future.

1. Strengthen Security Configuration

As pointed out above, Uber had MFA in place for user access. That is to say; multifactor authentication is not a silver bullet in today’s cybersecurity landscape. Today, hackers have developed various methods to circumvent access control mechanisms, including MFA.

A crucial step towards safeguarding your systems and information is to get rid of embedded credentials. Additionally, it is vital to remove standing access to sensitive infrastructure and cloud interfaces, which in turn can limit lateral movement.

2. Implement Cloud Security Monitor (CSM)

Organizations can enhance security by implementing a CSM solution that provides a clear view of their systems and networks for visibility of any unusual activity or behavior. CSM provides automated monitoring of cloud user logs. The solution uses automated cybersecurity analytics and machine learning, allowing you to discover threats early before serious data loss.

3. Social Engineering is Still a Serious Threat

The fact remains that end users are an organization’s biggest security risk. According to Dark Reading’s 2021 Strategic Security Survey, 48% of participants still perceive users breaking security policies as the biggest risk, while 15% believe social engineering attacks still cannot be anticipated or prevented by current technology. As staff members and other authorized users still remain the gatekeepers of your company data, it is essential to train them to detect and report social engineering attacks like phishing to avoid credential theft.

4. Detect Login Anomalies from Privileged Accounts

Certainly, privileged accounts remain attractive targets for cyber attackers due to their access to sensitive information and systems. In fact, data breaches and compromised privileged accounts go hand-in-hand. Therefore, you should secure your vital secrets and privileged credentials before extending the same to other data and information. Companies can monitor account use through continuous visibility and reporting that ties activities to specific users. Keep an open mind and look at admin accounts’ events from all angles to detect indicators of compromise.

5. Detect and Investigate Excessive Downloads

Excessive downloads can be categorized as risky because it indicates an insider or a compromised user who is trying to exfiltrate data. Implementing automated activity monitoring across the entire IT environment to identify unusual file download activity. For example, if a user is seen to have downloaded a large amount of data outside of their expected download behavior, an alert will be triggered. This behaviour can be learned via machine learning algorithms that capture the user's profile within the environment.

6. Detect Suspicious Email Transport Rule Activities and Other Privileged Activities

There are legitimate scenarios for using mailbox rules that either forward or delete all emails that match certain criteria. However, attackers are also known to add suspicious email transport rules in victims’ mailboxes so that any new email received will be forwarded elsewhere, typically to an attacker's email account. For example, a hacker might want to collect financial data from a company. In this case, they create an inbox rule on a compromised user mailbox to forward all emails containing finance and accounting keywords in the subject or the message body to an external mailbox.

Malicious inbox rules are widely common in phishing campaigns and business email compromise, making it important to monitor them consistently.

Certainly, unexpected rule changes could be a sign of a compromised email account. Therefore, it is important to verify with the user if the mailbox rules were added intentionally in the case of updated email transport rules.

Wrapping Up

An analysis of recent incidents reveals there is no foolproof against modern frequent and sophisticated data breaches. Fortunately, implementing layered and robust security measures along with training of employees as well as the use of cloud security solutions to monitor and report anomalous activities can help mitigate attacks. Unfortunately, some firms lack the resources and expertise to implement such controls. To make matters worse, they might not know if they are breached until months later, when it is too late.