Questions are swirling around Uber’s internal security practices after an 18-year-old hacker used an employee’s VPN credentials as the initial access vector to gain full administrative access to key parts of the company’s IT infrastructure.
Numerous screenshots posted online by the alleged attacker suggest that the intruder could take almost complete control of the ride-sharing giant’s IT environment without having to compromise a single internal system by technical means.
So far, Uber has not disclosed details of the incident, other than saying that the company is responding to it and cooperating with law enforcement to investigate the breach. As a result, most reporting on the incident traces back to a Sept. 15 New York Times report that the teen claimed to have accessed Uber’s internal network using credentials obtained from an employee through social engineering. The attacker then used that access to move laterally from Uber’s internal domains to other critical systems, including its email, cloud storage, and code storage environments.
Since then, the attacker has posted a number of screenshots of internal systems at Uber to demonstrate the access he gained and how he gained it.
The screenshots show that the hacker gained full administrative access to Uber’s AWS, Google Cloud, VMware vSphere and Windows environments, as well as to the full database of platform vulnerabilities discovered by security researchers and disclosed to the company through its HackerOne-managed bug bounty program. The internal data accessed by the attacker also appears to include Uber sales metrics, Slack content, and even information from the company’s endpoint detection and response (EDR) platform.
In a Twitter thread that several security researchers retweeted, Twitter user Corben Leo relayed the alleged hacker’s statement that he used socially engineered credentials to access Uber’s VPN and then scanned the company’s intranet. The hacker described finding an Uber network share containing PowerShell scripts, one of which held privileged administrator credentials. “One of the PowerShell scripts contains the username and password of the admin user in Thycotic (PAM). Using it, I was able to extract the secrets of all services, DA, Duo, OneLogin, AWS, GSuite,” the attacker claimed.
At present, the attacker’s motives are unclear. Usually the motive in such incidents is obvious, but so far the only things the hacker has done are make a lot of noise, argue that Uber drivers should be paid more, and share screenshots proving access.
“They look really young, maybe even a little sloppy. Some of their screenshots have chat windows open and lots of metadata,” said Sam Curry, a security engineer at Yuga Labs, who reviewed the screenshots.
Pure social engineering
Dubai-based security services firm Invincible Security Group (ISG) claims its researchers obtained a list of the administrative credentials the threat actor gathered. “They appear to be strong passwords, confirming that it was indeed a social engineering attack that gave him access to Uber’s internal network,” the ISG tweeted.
Curry told Dark Reading that the attacker appears to have gained initial access by compromising an employee’s login credentials and then socially engineering that employee into approving the VPN’s two-factor authentication (2FA) prompt.
“Once they gained VPN access, they discovered a network drive with a ‘kingdom key’ which allowed them to access [Uber’s] cloud hosting as root on both Google Cloud Platform and Amazon Web Services,” Curry noted. “That means they may have access to every cloud deployment, which may be the bulk of Uber’s running applications and cloud storage.”
He pointed to the important fact that the employee initially targeted worked in incident response, adding that such employees typically have access to more tools than the average employee in an Uber environment.
“Having this level of access, and the access they find in PowerShell scripts, means they probably don’t have as many restrictions and can do whatever they want inside Uber,” Curry said.
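The attacker’s account above, and Curry’s description of the network drive, both come down to the same finding: a PowerShell script on a file share with an administrator’s password embedded in it. The following scanner is an added example (not Uber’s code and not the attacker’s tooling) showing the check a defender would run against their own shares: it walks a mounted share for PowerShell files and flags the common ways secrets get embedded (plaintext `$password`-style variables, `ConvertTo-SecureString "..." -AsPlainText`, literal `-Password` arguments, and hard-coded Basic auth headers), reporting each hit with the secret masked. The sample scripts, UNC paths and hostnames are constructed for illustration.

```python
"""Hunt for hard-coded credentials in PowerShell scripts on file shares.

Added example, not Uber's code and not the attacker's tooling. The sample
scripts below are constructed; the regexes cover common ways secrets end
up embedded in .ps1 files (plaintext variables, ConvertTo-SecureString
-AsPlainText, literal -Password arguments, Basic auth headers).
"""
import re
from dataclasses import dataclass
from pathlib import Path

# (finding name, regex with a 'secret' group so the hit can be redacted)
PATTERNS = [
    ("plaintext password/secret/token variable",
     re.compile(r'\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*["\'](?P<secret>[^"\']{4,})["\']', re.I)),
    ("ConvertTo-SecureString literal with -AsPlainText",
     re.compile(r'ConvertTo-SecureString\s+(?:-String\s+)?["\'](?P<secret>[^"\']+)["\'][^\n]*-AsPlainText', re.I)),
    ("literal -Password/-ClientSecret/-ApiKey/-Token argument",
     re.compile(r'-(?:Password|ClientSecret|ApiKey|Token)\s+["\'](?P<secret>[^"\']+)["\']', re.I)),
    ("Basic auth header with embedded base64 credential",
     re.compile(r'Basic\s+(?P<secret>[A-Za-z0-9+/]{16,}={0,2})')),
]


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str  # the offending line with the secret masked; never log the secret


def scan_text(path, text):
    """Return findings for one script's contents (comment lines are skipped)."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                masked = line.replace(m.group("secret"), "********")
                findings.append(Finding(path, line_no, kind, masked.strip()))
                break  # one finding per line is enough
    return findings


def scan_share(root, exts=(".ps1", ".psm1", ".psd1")):
    """Walk a mounted share (e.g. a UNC path) and scan every PowerShell file."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            try:
                findings.extend(scan_text(str(p), p.read_text(errors="replace")))
            except OSError:
                continue  # unreadable file: skip it, keep scanning
    return findings


# Constructed sample scripts standing in for files found on an internal share.
SAMPLE_SCRIPTS = {
    r"\\fileserver\it\backup.ps1": r'''
# Nightly backup job (constructed sample)
$adminUser = "CORP\svc_backup"
$adminPass = "Winter2022!"
$sec = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($adminUser, $sec)
Invoke-Command -ComputerName backup01 -Credential $cred -ScriptBlock { Get-Date }
''',
    r"\\fileserver\it\pam-export.ps1": r'''
# Pull secrets from a PAM REST API and log in to vCenter (hostnames constructed)
$headers = @{ Authorization = "Basic cGFtYWRtaW46U3VwM3JTM2NyZXQh" }
Invoke-RestMethod -Uri "https://pam.corp.example/api/secrets" -Headers $headers
Connect-VIServer -Server vcenter01 -User administrator@vsphere.local -Password 'VMw@re1!'
''',
    r"\\fileserver\it\clean.ps1": r'''
# Fetches the credential at run time instead of embedding it
$cred = Get-Credential -Message "Enter backup account"
$token = Get-Secret -Name "vsphere-admin" -Vault CorpPAM
Connect-VIServer -Server vcenter01 -Credential $cred
''',
}


def scan_samples():
    """Scan the constructed samples; returns {path: [Finding, ...]}."""
    return {path: scan_text(path, text) for path, text in SAMPLE_SCRIPTS.items()}


if __name__ == "__main__":
    for path, hits in scan_samples().items():
        for f in hits:
            print(f"{f.path}:{f.line_no}: {f.kind}: {f.snippet}")
```

Run against a real share with `scan_share(r"\\fileserver\it")`; expect false positives from test fixtures and documentation, and treat any hit on a script that is world-readable as a credential rotation, not just a cleanup.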
In a series of tweets, independent security researcher Bill Demirkapi said that the attackers appear to have gained persistent MFA access to the stolen Uber accounts “by socially engineering victims into accepting a prompt to allow attackers to enroll their own devices for MFA.”
“The fact that the attackers appear to have compromised the accounts of members of the IR team is concerning,” Demirkapi tweeted. “EDR can provide ‘backdoors’ to IR, such as allowing IR teams to ‘hack’ employee machines (if enabled), potentially increasing attackers’ access.”
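The pattern Demirkapi describes, a victim worn down by repeated push prompts who finally approves one, after which the attacker enrolls a device of their own, leaves a recognizable trail in MFA audit logs. The following detection is an added example (not Uber’s, Duo’s or OneLogin’s code) that flags an approval preceded by a burst of pushes in a short window and then escalates if a device enrollment follows that approval. The log lines and the field names (`ts`, `user`, `event`, `src_ip`, `device`) are constructed assumptions about what an identity provider exports; map them to your own vendor’s schema.

```python
"""Flag MFA push-fatigue approvals followed by a new device enrollment.

Added example, not Uber's, Duo's or OneLogin's code. The log lines below are
constructed; field names (ts, user, event, src_ip, device) are assumptions
about what an IdP/MFA audit log exports.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: 'ir.analyst' is bombarded with pushes from an
# unfamiliar address, finally approves one, and a new device is enrolled
# minutes later. 'bob' and 'carol' are ordinary activity (carol enrolls a
# device after a single normal approval, which must not fire the rule).
SAMPLE_LOG = """
{"ts": "2022-09-15T22:01:00+00:00", "user": "ir.analyst", "event": "push_sent", "src_ip": "203.0.113.45"}
{"ts": "2022-09-15T22:01:20+00:00", "user": "ir.analyst", "event": "push_denied", "src_ip": "203.0.113.45"}
{"ts": "2022-09-15T22:02:00+00:00", "user": "ir.analyst", "event": "push_sent", "src_ip": "203.0.113.45"}
{"ts": "2022-09-15T22:03:00+00:00", "user": "ir.analyst", "event": "push_sent", "src_ip": "203.0.113.45"}
{"ts": "2022-09-15T22:04:00+00:00", "user": "ir.analyst", "event": "push_sent", "src_ip": "203.0.113.45"}
{"ts": "2022-09-15T22:05:00+00:00", "user": "ir.analyst", "event": "push_sent", "src_ip": "203.0.113.45"}
{"ts": "2022-09-15T22:06:00+00:00", "user": "ir.analyst", "event": "push_sent", "src_ip": "203.0.113.45"}
{"ts": "2022-09-15T22:07:30+00:00", "user": "ir.analyst", "event": "push_approved", "src_ip": "203.0.113.45"}
{"ts": "2022-09-15T22:12:00+00:00", "user": "ir.analyst", "event": "device_enrolled", "src_ip": "203.0.113.45", "device": "iPhone (new)"}
{"ts": "2022-09-15T09:00:00+00:00", "user": "bob", "event": "push_sent", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T09:00:20+00:00", "user": "bob", "event": "push_approved", "src_ip": "198.51.100.7"}
{"ts": "2022-09-15T10:00:00+00:00", "user": "carol", "event": "push_sent", "src_ip": "198.51.100.9"}
{"ts": "2022-09-15T10:00:15+00:00", "user": "carol", "event": "push_approved", "src_ip": "198.51.100.9"}
{"ts": "2022-09-15T10:05:00+00:00", "user": "carol", "event": "device_enrolled", "src_ip": "198.51.100.9", "device": "Pixel 6"}
"""


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, burst_window=timedelta(minutes=10), burst_threshold=5,
           enroll_window=timedelta(minutes=30)):
    """Return alerts for approvals preceded by a burst of pushes, plus any
    device enrollment that follows such an approval within enroll_window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "push_approved":
                continue
            prompts = [p for p in evs[:i]
                       if p["event"] == "push_sent" and e["ts"] - p["ts"] <= burst_window]
            if len(prompts) < burst_threshold:
                continue  # a normal approval: one or two prompts, no burst
            alerts.append({"rule": "push_fatigue_approval", "user": user,
                           "ts": e["ts"], "prompts": len(prompts), "src_ip": e.get("src_ip")})
            for n in evs[i + 1:]:
                if n["event"] == "device_enrolled" and n["ts"] - e["ts"] <= enroll_window:
                    alerts.append({"rule": "enrollment_after_push_fatigue", "user": user,
                                   "ts": n["ts"], "device": n.get("device"), "src_ip": n.get("src_ip")})
    return alerts


def analyze_sample():
    """Run the detection over the constructed log."""
    return detect(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in analyze_sample():
        print(a)
```

The second rule is the one worth paging on: a push-fatigue approval alone is a suspicious session, but an enrollment right after it means the attacker no longer needs the victim at all and will survive a password reset unless the new device is also removed.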
Bug bounty data access is ‘problematic’
The apparent fact that attackers gained access to Uber vulnerability data submitted through the bug bounty program is also problematic, security experts say.
Curry said he learned of the access after the hacker posted a comment on one of the company’s bug bounty tickets saying that Uber had been hacked. Curry had previously discovered and submitted a vulnerability to Uber that, if exploited, would have allowed access to its code repository. That vulnerability has been addressed, but it is unclear how many of the other vulnerabilities disclosed to the company have been fixed, how many remain unpatched, and what level of access those flaws could provide if exploited. The situation could get worse still if the hacker sells the vulnerability data to others.
“Bug bounty programs are an important part of a mature security program,” said Solvo CEO Shira Shamban. “One of the main implications here is that hackers are now aware of other vulnerabilities in Uber’s IT environment and can use them to set up backdoors for future use, which is troubling.”
Amit Bareket, CEO and co-founder of Perimeter 81, said that vulnerability and penetration testing tools are important to enable companies to better assess and improve their security posture. “However, without the right security measures in place, these tools can become double-edged swords, enabling bad actors to exploit the sensitive information they may contain,” he said.
Bareket noted that companies should be aware of this and ensure such reports are protected and stored in encrypted form to avoid being misused for malicious purposes.
The recent events are unlikely to do much to improve Uber’s already somewhat tainted reputation for security. In October 2016, the company experienced a data breach that exposed the personal information of around 57 million riders and drivers. However, instead of disclosing the breach as required, the company paid the attackers $100,000 to delete the data, in what was widely seen as an attempt to cover up the incident. In 2018, the company settled litigation over the breach with US state attorneys general for $148 million. It was also fined smaller amounts by UK and Dutch regulators over the same incident.