Uber’s Internal Network Breach and Business-Critical SaaS Data Compromise
Originally published by DoControl on September 16, 2022.
Written by Corey O'Connor, DoControl.
Multiple sources have reported that Uber has become the latest victim of a man-in-the-middle attack with social engineering and Multi-factor Authentication (MFA) compromise at its core. In this case, the attacker purchased an Uber contractor's corporate password on the dark web, then repeatedly sent MFA authentication pushes until the contractor approved one. After establishing persistence, the attacker lifted admin credentials that were present in a PowerShell script, and from there pulled secrets from Duo, OneLogin, GSuite and other critical services.
Obviously, this is a less than ideal situation for Uber. Details are still emerging, but initial reports indicate that the attacker is a teenager. A few years ago, another teenager succeeded in breaching Twitter, compromising a number of high-profile accounts such as those of Barack Obama, Joe Biden, Jeff Bezos and Elon Musk in an attempt to manipulate their followers into sending cryptocurrency to the attacker's digital wallet. Similarly, social engineering and credential theft were what provided unauthorized access into the environment. These examples are proof that it doesn't necessarily take advanced tactics, techniques, and procedures (TTPs), or a large nation-state effort, to bring some of the world's largest corporations to their knees.
The attacker has since brazenly shared images of Uber's internal environment, including AWS, HackerOne, vSphere, Google Workspace, as well as sensitive financial data. In addition, they posted the following to Uber's internal Slack channel:
I announce I am a hacker and uber has suffered a data breach.
Slack has been stolen, confidential data with Confluence, stash and 2 monorepos from phabricator have also been stolen, along with secrets from sneakers.
Uh oh. This news comes nearly five years after the account information of 57 million drivers and riders was stolen from Uber. The company decided to keep quiet about it and paid the attackers a six-figure sum to have the data wiped, which ultimately led to serious backlash for obstruction of justice and for not being forthcoming with regulators. Pivoting back to Slack, the attacker now had access to a number of internal and external channels, where users commonly share sensitive content (e.g., credentials and secrets, proprietary information, and more) with a wide range of different identities and entities.
In addition, one of the shared images of Uber's environment shows over a petabyte of data, of which GDrive files accounted for over 600 terabytes. This is a significant amount of data, a considerable share of which is likely to be sensitive, that has now fallen into the wrong hands. These content collaboration and communication apps are critical to business users' productivity. However, failing to put appropriate controls and access policies in place increases the likelihood of data overexposure and exfiltration. That is exactly what has taken place in this breach.
The attacker gained privileged access to the Google admin console, and other critical services.
The New York Times stated that Uber had suffered a "total compromise," which will undoubtedly impact its brand and cause severe business disruption while it recovers. This security event is another example of how important a defense-in-depth approach is to preventing and detecting unauthorized access to critical systems and applications. Human error is still very much an issue, both through social engineering and through MFA fatigue and push-bombing techniques. Modern businesses need to do more to strengthen their security defenses against both advanced and less sophisticated methods, such as the ones used in this breach, to protect themselves from sensitive data compromise.
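The MFA push-bombing step described above (repeated pushes until one is approved) leaves a distinctive trace in authentication logs. The following detector is an added example, not code from the original post or from DoControl; it runs over constructed sample log lines in an assumed "timestamp user event" format and flags both a burst of pushes to one user and an approval that follows several denials or timeouts.

```python
"""Detect MFA push-fatigue (push bombing) in constructed auth logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Uber or Duo data).
# Format assumed for this example: ISO timestamp, user, push event.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice push_sent
2022-09-15T22:01:09Z alice push_denied
2022-09-15T22:01:41Z alice push_sent
2022-09-15T22:01:50Z alice push_timeout
2022-09-15T22:02:20Z alice push_sent
2022-09-15T22:02:33Z alice push_denied
2022-09-15T22:03:02Z alice push_sent
2022-09-15T22:03:10Z alice push_approved
2022-09-15T22:03:11Z bob push_sent
2022-09-15T22:03:20Z bob push_approved
"""

WINDOW = timedelta(minutes=10)   # look-back window for counting pushes
PUSH_THRESHOLD = 3               # pushes inside the window before alerting


def parse(log_text):
    """Yield (timestamp, user, event) tuples from the text log."""
    for line in log_text.splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_push_fatigue(log_text, window=WINDOW, threshold=PUSH_THRESHOLD):
    """Return a list of (user, reason) alerts.

    "burst": the user received `threshold` pushes inside `window`.
    "approve_after_denials": an approval preceded by two or more
    denials/timeouts inside `window`, the signature of a worn-down user.
    """
    sent = defaultdict(list)       # user -> timestamps of push_sent
    outcomes = defaultdict(list)   # user -> timestamps of denials/timeouts
    alerts = []
    for ts, user, event in parse(log_text):
        if event == "push_sent":
            sent[user] = [t for t in sent[user] if ts - t <= window] + [ts]
            if len(sent[user]) == threshold:      # fire once per burst
                alerts.append((user, "burst"))
        elif event in ("push_denied", "push_timeout"):
            outcomes[user].append(ts)
        elif event == "push_approved":
            recent = [t for t in outcomes[user] if ts - t <= window]
            if len(recent) >= 2:
                alerts.append((user, "approve_after_denials"))
            outcomes[user].clear()
    return alerts
```

Running `detect_push_fatigue(SAMPLE_LOG)` flags alice twice (a burst, then an approval after three failed pushes) and leaves bob, who approved a single push, unflagged.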