On Thursday, September 15th, Uber confirmed reports of an organization-wide cybersecurity breach. This is an evolving situation, but we will post the latest information and commentary here as we get it.
“What makes this breach appear so significant is that this does not appear to be a breach of a single system. The attackers seem to have moved laterally between systems for a complete organization takeover.”
Mackenzie Jackson – Security Advocate at GitGuardian
Update 9/20/22: Uber confirmed in a security update that the named attacker “Tea Pot” was affiliated with the Lapsus$ hacking group, famous for breaching NVIDIA, Samsung, and Microsoft earlier this year. According to their early investigations, it is likely that the attacker targeted an external contractor whose credentials were bought on the dark web.
What happened
Here’s what we know so far, pending investigation and confirmation from Uber’s security teams.
- The attack started with a social engineering campaign on Uber employees, which yielded access to a VPN, in turn granting access to Uber’s internal network *.corp.uber.com.
- Once on the network, the attacker found some PowerShell scripts, one of which contained hardcoded credentials for a domain admin account for Thycotic, Uber’s Privileged Access Management (PAM) solution.
- Using admin access, the attacker was able to log in and take over multiple services and internal tools used at Uber: AWS, GCP, Google Drive, Slack workspace, SentinelOne, HackerOne admin console, Uber’s internal employee dashboards, and a few code repositories.
The critical vulnerability that granted the attacker such high levels of access was hardcoded credentials in a PowerShell script. These credentials gave admin access to a Privileged Access Management (PAM) system: Thycotic. This tool carries huge amounts of privilege, making it a single point of failure; it stores both end-user credentials for employee access to internal services and third-party apps as well as DevOps secrets used in the context of software development. This is a worst-case scenario. The PAM system controls access to multiple systems, and having admin access means you can grant yourself access to, or extract secrets for, all connected systems. This appears to have given the attacker complete access to all of Uber’s internal systems.
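The root cause described above is a credential embedded in a script. The following Python scanner is an added example, not GitGuardian tooling or any code from the incident: it flags the common PowerShell idioms for a plaintext credential and redacts the value in its own report so the finding does not re-leak the secret. The sample script, its cmdlet usage and every value in it are constructed for this example.

```python
import re
from typing import List, Tuple

# Heuristic patterns for a plaintext credential baked into a PowerShell script.
# Written for this example; a starting point for triage, not a complete scanner.
CREDENTIAL_PATTERNS = [
    # $AdminPassword = "..."  /  $apiToken = '...'
    (r"\$(?:\w*pass\w*|\w*pwd\w*|\w*secret\w*|\w*token\w*)\s*=\s*['\"][^'\"]{4,}['\"]",
     "plaintext secret assigned to variable"),
    # ConvertTo-SecureString "..." -AsPlainText -Force
    (r"ConvertTo-SecureString\s+['\"][^'\"]+['\"].*-AsPlainText",
     "secure string built from a literal"),
    # -Password "..."  /  -ApiKey '...'  passed straight to a cmdlet
    (r"-(?:Password|ApiKey|Token|Secret|ClientSecret)\s+['\"][^'\"]{4,}['\"]",
     "credential passed as literal parameter"),
]

# Constructed sample script; every host, account and value here is fake.
SAMPLE_SCRIPT = """# Constructed sample for this example; values are fake.
$pamUser = "svc-pam-admin"
$pamPassword = "Fake-Admin-Pass-123"
$secure = ConvertTo-SecureString "Fake-Admin-Pass-123" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Credential $cred
Invoke-Sqlcmd -ServerInstance db01 -Username sa -Password "Fake-Admin-Pass-123"
# Hardened form: prompt for the credential or read it from the environment
$promptedCred = Get-Credential -UserName $pamUser -Message "PAM admin"
$envSecure = ConvertTo-SecureString $env:PAM_ADMIN_PASSWORD -AsPlainText -Force
"""


def redact(line: str) -> str:
    """Replace quoted literals so the report itself does not carry the secret."""
    return re.sub(r"(['\"])[^'\"]{4,}\1", r"\1<redacted>\1", line)


def scan_powershell(script: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, finding, redacted_line) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        for pattern, label in CREDENTIAL_PATTERNS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append((lineno, label, redact(line.strip())))
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for lineno, label, line in scan_powershell(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}: {line}")
```

The two hardened lines at the end of the sample (prompting with Get-Credential, or reading the value from an environment variable) produce no finding, which is the shape a script like this should take.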
This isn’t the first time we’ve seen an Uber data breach: in 2014 hackers gained access to an AWS S3 bucket after developers leaked secrets to a public git repository. Two years later, a similar incident happened when attackers exploited poor password hygiene by some developers to gain access to private repositories which contained multiple access credentials. Now this appears to be the final episode in the trilogy, and the most serious situation yet.
“There have been three reported breaches involving Uber in 2014, 2016, and now 2022. It appears that all three incidents critically involve hardcoded credentials (secrets) inside code and scripts.”
Mackenzie Jackson – Security Advocate at GitGuardian
How bad is it?
Critically, Uber’s Privileged Access Management (PAM) platform was compromised through the exposure of its admin credentials. Privileged access management (PAM) is the combination of tools and technology used to secure, control, and monitor employee access to an organization’s critical information and resources. With that in mind, the attacker may have gained access to nearly all the internal systems of Uber. Let’s go through the ones we know of based on preliminary information and evidence to understand the severity of this incident.
“We very often find credentials and secrets for specific systems that have leaked, but finding admin credentials to an access management system is like finding a master key to every room and alarm system, in every building, in every country that an organization owns.”
Mackenzie Jackson – Security Advocate at GitGuardian
Thycotic – Severity = Critical
The attacker gained admin access to the Thycotic PAM system. PAM systems can be a single full-featured software console or a collection of multiple tools; in the case of Thycotic, it is a single tool with many features. It can control access to different services and also has a secrets manager where credentials and passwords are stored. It appears the hacker was able to access secrets inside the secure storage, creating the worst possible scenario for Uber.
AWS instance – Severity = Critical
The AWS instance controls the cloud infrastructure of Uber’s applications. Depending on configuration, privileges, and architecture, the attacker can potentially shut down services, abuse computing resources, access sensitive user data, delete or ransom data, change user access, and more.
VMware vSphere – Severity = Critical
VMware vSphere is a cloud computing virtualization platform. This is a critical platform as it interfaces with both cloud computing and on-premises servers, which can give the attacker access to on-premises servers as well as many administrative functions that would help an attacker move deeper into systems.
SentinelOne – Severity = High
SentinelOne is an XDR (eXtended Detection and Response) platform. Simply put, this platform connects to your mission-critical systems and lets you know if there are security issues. Any attacker that can obtain privileged access to this system can obfuscate their activity and prolong their attacks. XDRs often bake in “backdoors” for Incident Response (IR) teams, such as the ability for IR teams to “shell into” employee machines, which could further widen the attacker’s access.
Slack workspace – Severity = Medium
The internal messaging system of Slack can be used to great effect by an attacker to launch phishing campaigns. As the attacker has the instant trust of other users, they can send malicious links, try to get admins to elevate their privilege, and access sensitive information. As the attacker has made themselves known, this is likely a smaller threat.
GSuite Admin – Severity = Medium
GSuite is a tool used by many companies to manage their users, store data, and perform many other administrative tasks. With admin access, the attacker can create and delete accounts, but would also likely have access to employee data and other sensitive company data.
HackerOne – Severity = Medium
HackerOne is the platform used to pay and communicate with security researchers that find vulnerabilities within systems for rewards. Given the level of detail bounty hunters usually provide, anyone with access to the HackerOne tenant has detailed instructions for exploiting (likely unpatched) vulnerabilities in other areas of Uber’s IT systems. This means persistence is highly likely.
What’s next for Uber?
Although we can’t be sure at this point, the immediate disclosure of the breach by the attacker himself, both to security researchers on the HackerOne platform and to Uber personnel on their Slack workspace, tends to indicate that he might not be financially motivated.
From what we have seen, the attacker likely has access to many more systems and services belonging to Uber, but these are the ones we know about. Given the blast radius of this breach, we believe it will be extremely difficult and costly for Uber to sift through all their systems and access logs to ensure the attacker has not achieved persistence.