Key lessons from the Uber breach

Budiman Tsjin, Solutions Engineering Manager for ASEAN from CyberArk.

On 15 September, Uber Technologies said that it was investigating a cybersecurity incident, after a report that its network had been breached, and the company had to shut down several internal communications and engineering systems.

Based on analysis by CyberArk's Red Team and Labs, there are several elements of this incident that cybersecurity professionals should be aware of in order to prevent similar attacks in the future.

While much of the analysis so far has focused on the human element – social engineering and multi-factor authentication (MFA) fatigue – what happened post-initial access is the key here. It is also crucial to note that there is no single technology solution, person or provider that could have prevented the breach.  

What happened during the Uber attack

Step 1 – Initial access: Having obtained credentials for Uber's VPN infrastructure, the attacker gained entry to Uber's IT environment.

Step 2 – Discovery: The contractor whose account was hacked probably did not have elevated or unique access rights to critical resources, but they did have access to a network share, just like other Uber employees. Within the network share, the attacker located a PowerShell script with hard-coded privileged credentials for Uber’s Privileged Access Management (PAM) solution.

Step 3 – Access PAM system and privilege escalation: The attacker then stole the PAM solution’s hard-coded admin credentials.

Step 4 – Access PAM system secrets and get to critical company systems: According to an Uber update, the attacker ultimately obtained "elevated permissions to a number of tools".

Step 5 – Data exfiltration: Uber confirmed that the attacker “downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices.” 

Mitigating a similar attack: Tips for securing embedded credentials and more

Getting rid of embedded credentials is the first step to preventing similar attacks. Organisations should first secure their most vital credentials and secrets, and then extend these practices across other data and information to reduce risk.
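Step 2 above turns on a PowerShell script sitting on a network share with privileged credentials written into it, and the paragraph above says that finding and removing such credentials is the first step. The following is an added example, not code from the article or from CyberArk: a small audit scanner that walks scripts on a mounted share and reports lines that look like embedded secrets, masking the values so the report does not become a second copy of them. The regular expressions and the sample script are assumptions I constructed for illustration (the host `pam.example.invalid` and the module `PamClient` are invented); treat the pattern list as a starting point to tune for your own estate, not a complete catalogue.

```python
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List, Tuple

# Patterns that usually indicate a secret literal in PowerShell. This list is an
# assumption: a practical starting point for a share-wide audit, not a catalogue.
PATTERNS = [
    # $PamPassword = "..."  /  $apiToken = '...'
    ("plaintext-variable",
     re.compile(r'\$\w*(?:pass|pwd|secret|token|apikey|api_key)\w*\s*=\s*["\'][^"\']{4,}["\']', re.I)),
    # ConvertTo-SecureString "literal" -AsPlainText: a SecureString built from a literal
    ("securestring-from-literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    # -Password "literal", -Token 'literal', ...
    ("credential-parameter",
     re.compile(r'-(?:Password|Secret|Token|ApiKey)\s+["\'][^"\']{4,}["\']', re.I)),
    # Authorization = "Basic <base64>": user:password encoded, not encrypted
    ("basic-auth-header",
     re.compile(r'Authorization\s*=\s*["\']Basic\s+[A-Za-z0-9+/=]{8,}', re.I)),
]

QUOTED_VALUE = re.compile(r'(["\'])[^"\']{4,}\1')


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # the offending line with quoted values masked


def redact(line: str) -> str:
    """Mask quoted values so the audit report itself does not leak the secret."""
    return QUOTED_VALUE.sub(r"\1***\1", line)


def scan_script(text: str) -> List[Finding]:
    """Return one Finding per line that looks like it embeds a secret.

    Comment lines are deliberately NOT skipped: a commented-out password on a
    network share is just as readable as a live one.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append(Finding(line_no, kind, redact(line.rstrip())))
                break  # one finding per line is enough for triage
    return findings


def scan_tree(root: Path, suffixes=(".ps1", ".psm1", ".psd1")) -> Iterator[Tuple[Path, Finding]]:
    """Walk a directory (for example a mounted share) and yield findings per script."""
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                text = path.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            for finding in scan_script(text):
                yield path, finding


# Constructed sample script (not Uber's): a rotation job that talks to a PAM API.
SAMPLE_SCRIPT = r'''# Constructed sample: rotate a service account via a (hypothetical) PAM API
Import-Module PamClient
$PamUser = "svc-rotation"
$PamPassword = "Sup3rS3cret!"                                    # finding
$sec = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force # finding
$cred = New-Object System.Management.Automation.PSCredential($PamUser, $sec)
$headers = @{ Authorization = "Basic c3ZjOlN1cDNyUzNjcmV0IQ==" } # finding
Invoke-RestMethod -Uri "https://pam.example.invalid/api/rotate" -Headers $headers
# $OldPassword = "commented-out-but-still-visible"                # finding
$safe = Get-Credential -UserName $PamUser                        # prompts, no literal
$fromVault = Get-Secret -Name "pam-admin"                        # a name, not a value
'''


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python scan.py /mnt/share
        for path, f in scan_tree(Path(sys.argv[1])):
            print(f"{path}:{f.line_no}: {f.kind}: {f.redacted}")
    else:
        for f in scan_script(SAMPLE_SCRIPT):
            print(f"sample:{f.line_no}: {f.kind}: {f.redacted}")
```

Run against the embedded sample it reports four lines (the plaintext variable, the SecureString built from a literal, the Basic header and the commented-out password) and none for the `Get-Credential` and `Get-Secret` lines, which fetch the secret at run time instead of storing it. The hardened version of such a script is the last two lines: the value comes from an operator prompt or a vault lookup and never lives on the share.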

After IT and security teams have developed a strategy for dealing with hard-coded credentials, consider taking the following additional measures to strengthen your organisation’s defences: 

Preventing credential theft: Attackers are getting better at circumventing MFA by using a wide range of vectors and methods; in fact, the Uber story features multiple MFA compromises. Staff members are the gatekeepers of data, so it is essential to train them to recognise and report phishing in order to avoid identity theft.

Organisations should also adopt the principle of least privilege and ensure that workers and external contractors have only the minimum permissions necessary to perform their responsibilities. Access to privileged accounts for administrators should be granted only when it is necessary, and for a limited time. All privileged account access needs to be separated and validated. As identity compromise through credential theft is one of the most common initial attack vectors today, organisations should also adopt endpoint security tools to limit such attacks (i.e. theft of browser passwords, session cookies, etc.).

This breach demonstrated what can happen when someone obtains the key that safeguards all other keys. For that reason, strong defence-in-depth controls, both proactive and reactive, are needed so that other systems are in place to detect and stop threats even if MFA is compromised.

Organisations should also remove standing access to sensitive infrastructure and to online or cloud management interfaces, which limits lateral movement. Just-in-time elevation of privileges can significantly reduce what a compromised identity is able to reach, especially when combined with robust authentication.
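The two preceding paragraphs describe a control rather than show it: privileged roles are not held by default, elevation is granted only for a limited time and only after strong authentication, and a compromised identity can be cut off at once. The following is an added illustration, not code from the article and not CyberArk's product: a toy just-in-time access policy in Python that issues expiring grants and logs every decision. Identities, roles, ticket numbers and the timestamp are constructed values; the maximum TTL of 60 minutes is an assumed policy setting.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Grant:
    identity: str
    role: str
    granted_at: datetime
    expires_at: datetime
    ticket: str  # change or incident reference that justified the elevation


class JitAccessPolicy:
    """Time-boxed privilege: no role is held by default, every grant expires."""

    def __init__(self, max_ttl: timedelta = timedelta(minutes=60)):
        self.max_ttl = max_ttl           # assumed policy ceiling; nothing may outlive it
        self._grants: List[Grant] = []
        self.audit: List[str] = []       # every decision, grant and revocation is logged

    def request(self, identity: str, role: str, ttl: timedelta, now: datetime,
                mfa_verified: bool, ticket: str) -> Optional[Grant]:
        """Issue an expiring grant, or refuse and record why."""
        if not mfa_verified:
            self.audit.append(f"DENY {identity} -> {role}: MFA not verified")
            return None
        if not ticket:
            self.audit.append(f"DENY {identity} -> {role}: no justification")
            return None
        if ttl <= timedelta(0) or ttl > self.max_ttl:
            self.audit.append(f"DENY {identity} -> {role}: ttl {ttl} exceeds policy max {self.max_ttl}")
            return None
        grant = Grant(identity, role, now, now + ttl, ticket)
        self._grants.append(grant)
        self.audit.append(f"GRANT {identity} -> {role} until {grant.expires_at.isoformat()} ({ticket})")
        return grant

    def is_authorized(self, identity: str, role: str, now: datetime) -> bool:
        """True only while an unexpired grant for exactly this role exists."""
        return any(g.identity == identity and g.role == role
                   and g.granted_at <= now < g.expires_at for g in self._grants)

    def revoke(self, identity: str, now: datetime, reason: str) -> int:
        """Cut every live grant for an identity (for example on suspected compromise)."""
        live = [g for g in self._grants if g.identity == identity and now < g.expires_at]
        self._grants = [g for g in self._grants if g not in live]
        self.audit.append(f"REVOKE {identity}: {len(live)} grant(s) ({reason})")
        return len(live)


def demo() -> Dict[str, object]:
    """Walk through the situations the text describes; returns each decision for checking."""
    t0 = datetime(2022, 9, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    policy = JitAccessPolicy(max_ttl=timedelta(minutes=60))
    out: Dict[str, object] = {}
    # A compromised contractor account holds no standing role, so it gets nothing.
    out["contractor_default"] = policy.is_authorized("contractor-01", "pam-admin", t0)
    # An admin elevates for 30 minutes with MFA and a ticket: valid at +10 min, gone at +45.
    policy.request("admin-01", "pam-admin", timedelta(minutes=30), t0, mfa_verified=True, ticket="CHG-1001")
    out["admin_t10"] = policy.is_authorized("admin-01", "pam-admin", t0 + timedelta(minutes=10))
    out["admin_t45"] = policy.is_authorized("admin-01", "pam-admin", t0 + timedelta(minutes=45))
    # The grant does not extend to a different role.
    out["admin_other_role"] = policy.is_authorized("admin-01", "finance-tool", t0 + timedelta(minutes=10))
    # No MFA, or a request long enough to amount to standing access, is refused.
    out["no_mfa"] = policy.request("admin-02", "pam-admin", timedelta(minutes=30), t0,
                                   mfa_verified=False, ticket="CHG-1002") is None
    out["too_long"] = policy.request("admin-01", "pam-admin", timedelta(hours=8), t0,
                                     mfa_verified=True, ticket="CHG-1003") is None
    # Suspected compromise: revoke everything live for that identity at once.
    policy.request("admin-03", "finance-tool", timedelta(minutes=20), t0, mfa_verified=True, ticket="CHG-1004")
    out["revoked"] = policy.revoke("admin-03", t0 + timedelta(minutes=5), "suspected compromise")
    out["after_revoke"] = policy.is_authorized("admin-03", "finance-tool", t0 + timedelta(minutes=6))
    out["audit"] = list(policy.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the model is the shape of the checks, not the data structure: authorization is evaluated against the clock at every call, a grant covers one role only, the TTL ceiling refuses requests that would amount to standing access, and the audit trail records denials as well as grants, which is what a detection team needs when reviewing a suspected MFA compromise.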

Final thoughts

There is no foolproof defence against cyberattacks, and Uber's case is no exception; nor are the tools and people it had in place at fault. The risk can, however, be mitigated by robust, layered cyber security defences, supported by training staff to recognise potential sources of danger. Having these in place makes it more difficult for attackers to strike and enables organisations to resume operations as quickly as possible in the most secure manner.