blog

Security Vulnerability of the Week 12/09/22 – Application Security – Uber Hack Timeline

Uber Hack Vulnerability Timeline

Previous Issues of vulnerability Weekly



https://youtu.be/gO6oAJD3wC4

INTRO

Disclaimer: The hack timeline seems still to be verified. The information that we have collected here is speculative, and we await some additional information.

What can you do

An organization like Uber are big, and sometimes a hack like this makes you reflect. Complexity vs simplicity and how several processes and the security-sponsored paranoia can be overlooked.

The uber employee took a message from the attacker as another exercise. There is the fact that rarely a hacker declares themselves on a slack channel, but this is a first

No matter how small or big your organization is, some, if not all, of the processes, can be overlooked.

Assessment
– be wary and suspicious of someone who claims to be an IT admin
– Don’t ever store the credentials of a password manager
– use principals and other authentication methods in the script
– Monitor alerting
– Don’t let vulnerability be unpatched above SLA 1 day two days and four days
– Focus on the vulnerabilities that matter

– if is sensitive encrypt it

Note for vendors:

Going to uber and claiming that you have a solution for their problem is like going to a wildfire with a small bucket of water. Even if your solution might solve the exact problem, there is doubt as this was a break in process + Social engineering, don’t go there right now

ambulance chasing vendor
don’t sell solution being an ambulance chaser

Uber Hack Timeline

The attacker entered the system through a system administrator attack (SMS phishing). 

Uber Hack Timeline

We are not going to cover the uber hack extensively but a brief mention and what we know so far. 

The attacker simply bombarded the employee with credentials verification and authentication request and finally called the target playing on his fatigue. 

Hackers claim to have used an MFA Fatigue attack

Hackers claim to have used an MFA Fatigue attack

Source: Kevin Beaumont

attack and pretended to be Uber IT support to convince the employee to accept the MFA request.

After that attempt, there was no knowledge of how he gained access to credentials. 

This social engineering tactic has become very popular in recent attacks against well-known companies, including Twitter, MailChimp, Robinhood, and Okta.

The hacker progressed accessing VPN credentials (no known path on how he got them). 

The VPN access was protected by MFA, and the threat actor managed to authorize an authentication request from one user pretending to be a IT support. 

Organizations like Uber MFA fatigue and authentication fatigue can get those processes often overlooked. 

—-

In a conversation between the threat actor and security researcher Corben Leo, the hacker said they were able to gain access to Uber’s Intranet after conducting a social engineering attack on an employee.

As the Uber account was protected with multi-factor authentication, the attacker allegedly used an MFA Fatigue attack and pretended to be Uber IT support to convince the employee to accept the MFA request.

Hackers claim to have used an MFA Fatigue attack

Hackers claim to have used an MFA Fatigue attack

Source: Kevin Beaumont

—-

After gaining access, the actor started scanning the network for juicy treasures. 

As part of these scans, the hacker says they found a PowerShell script containing admin credentials for the company’s Thycotic privileged access management (PAM) platform, which was used to access the login secrets for the company’s other internal services.

“ok so basically uber had a network share \[redacted]pts. The share contained some PowerShell scripts.

One of the PowerShell scripts contained the username and password for an admin user in Thycotic (PAM) Using this I was able to extract secrets for all services, DA, DUO, Onelogin, AWS, Gsuite”

As full disclaimer all those information is speculation from articles and research, no information has been verified by uber, we still await the full report.

Once access the credentials the attacker got hold

  • Internal Systems for vulnerability Like Hacker One
  • Slack access
  • Vulnerability reporting like Sentinel One 

According to Yuga Labs security engineer Sam Curry, the hacker also had access to the company’s HackerOne bug bounty program, where they commented on all of the company’s bug bounty tickets.

Comment left by the hacker on HackerOne submissions

Source: Curry

Sentinel One internal System

The attacker revealed himself to the network with a message on hacker one bug bounty programme of uber, slack.

Uber employees confirming that they have been receiving unsolicited NSFW pictures

The attacker also had access to break glass credentials from the leaked information.

On Friday afternoon, Uber posted an additional update stating that the investigation is still ongoing but could share these additional details:

  • We have no evidence that the incident involved access to sensitive user data (like trip history).
  • All our services are operational, including Uber, Uber Eats, Uber Freight, and the Uber Driver app.
  • As we shared yesterday, we have notified law enforcement.
  • Internal software tools that we took down as a precaution yesterday are coming back online this morning.

As a note, it is a very stressful time for anyone working at uber. Leave them be and let this passed course.

Update 20/9/22: uber has responded with the latest fixes that they implemented and a bit more details on the attacker:

What happened?

An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then tried logging in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.

From there, the attacker accessed several other employee accounts, ultimately giving the attacker elevated permissions to several tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.

—-

Here are some of the key actions we took and continue to take: 

  • We identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
  • We disabled many affected or potentially affected internal tools.
  • We rotated keys (effectively resetting access) to many of our internal services.
  • We locked down our codebase, preventing any new code changes.
  • When restoring access to internal tools, we required employees to re-authenticate. We are also further strengthening our multi-factor authentication (MFA) policies.
  • We added additional monitoring of our internal environment to keep an even closer eye on any further suspicious activity.

Previous Issues of vulnerability Weekly



Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Owasp top 10 has been a pillar over the years; sister to CWE – Common Weakness Enumeration we provide an overview of the top software vulnerabilities and web application security risks with a data-driven approach focused on helping identify what risk to fix first.
Francesco Cipollone
The Cloud Security and AppSec teams at Phoenix Security are pleased to bring you another set of new Phoenix Security features and improvements for vulnerability management across application and cloud security engines. This release builds on top of previous releases with key additions and progress across multiple areas of the platform. Asset and Vulnerability Management – Associate assets with multiple Applications and Environments – Mapping of vulnerabilities to Installed Software – Find Assets/Vulns by Scanner – Detailed findings Location information Risk-based Posture Management – Risk and Risk Magnitude for Assets – Filter assets and vulnerabilities by source scanner Integrations – BurpSuite XML Import – Assessment Import API Other Improvements – Improved multi-selection in filters – New CVSS Score column in Vulnerabilities
Alfonso Eusebio
With cyber threats growing in sophistication, understanding exploitability has become crucial for security teams to prioritize vulnerabilities effectively. This article explores the key factors that influence the likelihood of exploits in the wild, including attack vectors, complexity levels, privileges required, and more. You’ll learn how predictive scoring systems like EPSS are bringing added dimensions to vulnerability analysis, going beyond static scores. We discuss the importance of monitoring verified threat feeds and exploiting trends from reliable sources, instead of getting distracted by unverified claims and noise. Adopting a risk-based approach to prioritization is emphasized, where critical vulnerabilities are addressed not just based on CVSS severity, but also their likelihood of being exploited and potential business impact. Recent major exploits like Log4Shell are highlighted to stress the need for proactive security. Equipped with the insights from this guide, you’ll be able to implement a strategic, data-backed approach to focusing on the most pertinent risks over the barrage of vulnerabilities.
Francesco Cipollone
The Cloud Security and AppSec teams at Phoenix Security are pleased to bring you another set of new Phoenix Security features and improvements for vulnerability management across application and cloud security engines. This release builds on top of previous releases with key additions and progress across multiple areas of the platform. Improved Management your Vulnerabilities and Assets Display “Closed” vulnerabilities list page Display vulnerability stats in Asset screens Override asset exposure for whole Apps/Envs Filter on-screen dynamic statistical and insights Risk-based Posture Management Update risk formula structure Update Vuln risk formula factors Integrations Configure “vulnerability types” fetched from SonarCloud/SonarQube Users can manually trigger a “scanner refresh” Update Jira tickets when the associated vulnerability is closed Other Improvements Handle large number of items in Treemap chart Improved scanner flow: don’t fetch targets until needed Improved performance of MTTR queries
Alfonso Eusebio

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

x Logo: ShieldPRO
This Site Is Protected By
ShieldPRO