Apparently the attacker didn’t have to breach a single system to ride Uber

Questions are swirling around Uber’s internal security practices after an 18-year-old hacker gained what appears to have been full administrative access to critical parts of the company’s IT infrastructure, using an employee’s VPN credentials as the initial access vector.

Numerous screenshots the alleged attacker posted online suggest the intruder didn’t have to breach a single internal system to essentially own the ride-hailing giant’s IT domain almost entirely.

So far, Uber has not released details of the incident beyond saying the company is responding to it and working with law enforcement to investigate the breach. As a result, at least some of what is reported about the incident is based on a September 15 New York Times report in which the teenager claimed to have gained access to internal Uber networks using credentials obtained from an employee via social engineering. The attacker used this access to move laterally through Uber’s internal domain to other critical systems, including its messaging, cloud storage and code repository environments.

He has since posted numerous screenshots of Uber’s internal systems to confirm what access he gained there and how it was obtained.

Screenshots show the hacker gained full administrative access to Uber’s AWS, Google Cloud, VMware vSphere, and Windows environments, as well as a comprehensive database of vulnerabilities in its platform that security researchers had discovered and disclosed to the company through a bug bounty program managed by HackerOne. The internal data accessed by the attacker appears to include Uber sales statistics, information about Slack, and even information from the company’s Endpoint Detection and Response (EDR) platform.

In a tweet thread which some security researchers have reposted, Twitter user Corben Leo posted claims by the suspected hacker that he used socially engineered credentials to access Uber’s VPN and scan the company’s intranet. The hacker described finding an Uber network share containing PowerShell scripts with privileged administrator credentials. “One of the PowerShell scripts contained the username and password of an administrator user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, Duo, OneLogin, AWS, GSuite,” the attacker claimed.
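The pivot described above relied on a script sitting on a network share with an administrator password written into it. The following scanner is an added example, not code from the article or from Uber, that flags the common PowerShell patterns for embedded secrets (plain-text `ConvertTo-SecureString`, password-named variables assigned a literal, and `-Password`-style parameters given a literal) so such scripts can be found during a share audit before an intruder does; the sample scripts, the pattern list and the `scan_scripts` helper are all constructed for this example.

```python
import re
from typing import Dict, List

# Heuristic patterns for hard-coded secrets in PowerShell (assumed for this example, not exhaustive).
SECRET_PATTERNS = [
    ("plaintext-securestring",
     re.compile(r'ConvertTo-SecureString\s+(["\'])(?P<secret>[^"\']+)\1\s+-AsPlainText', re.I)),
    ("password-variable",
     re.compile(r'\$\w*(?:pass|pwd|secret)\w*\s*=\s*(["\'])(?P<secret>[^"\']+)\1', re.I)),
    ("password-parameter",
     re.compile(r'-(?:Password|Pass|Secret|ApiKey|Token)\s+(["\'])(?P<secret>[^"\']+)\1', re.I)),
]

# Constructed sample scripts standing in for files found on a share.
SAMPLE_SCRIPTS = {
    "backup.ps1": """# Constructed sample: secrets embedded in a share-hosted script
$server = "fileserver01"
$PamPassword = "Pr3tty-Weak!"
$secpw = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("CORP\\svc_backup", $secpw)
Copy-Item -Path "\\\\$server\\backups" -Destination C:\\staging -Credential $cred
""",
    "safe.ps1": """# Constructed sample: prompts or pulls from the environment instead of embedding
$cred = Get-Credential
$apiKey = $env:VAULT_API_KEY
""",
}


def scan_script(name: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per line that matches a secret pattern, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                secret = match.group("secret")
                # Redact: the audit report must not become a second copy of the password.
                findings.append({"file": name, "line": lineno, "type": label,
                                 "secret": secret[:2] + "*" * (len(secret) - 2)})
    return findings


def scan_scripts(scripts: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan every script in the mapping and concatenate the findings in file order."""
    return [f for name, text in scripts.items() for f in scan_script(name, text)]


if __name__ == "__main__":
    for finding in scan_scripts(SAMPLE_SCRIPTS):
        print(f"{finding['file']}:{finding['line']} {finding['type']} {finding['secret']}")
```

Running it against a real share is a matter of feeding `scan_scripts` a mapping of path to file contents; the redacted output is safe to attach to a ticket.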

For now, the attacker’s motives are unclear. Normally the motive is fairly obvious, but the only thing the hacker has done so far is make a lot of noise, note that Uber drivers should be paid more, and share screenshots proving access.

“They looked really young and maybe even a little sloppy. Some of their screenshots had chat windows open and a ton of metadata,” says Sam Curry, a security engineer at Yuga Labs who reviewed the screenshots.

Pure-play social engineering

Invincible Security Group (ISG), a Dubai-based security services company, claimed that its researchers had obtained a list of administrative credentials that the threat actor had collected. “These appear to be strong passwords, confirming that it was indeed a social engineering attack that granted access to Uber’s internal network,” ISG tweeted.

Curry tells Dark Reading that the attacker appears to have gained initial access by compromising an employee’s login credentials and then socially engineering that person into approving the VPN’s two-factor authentication (2FA) prompt.

“Once they had access to the VPN, they discovered a network drive with ‘realm keys’, which allowed them to access [Uber’s] cloud hosting as root on Google Cloud Platform and Amazon Web Services,” notes Curry. “That means they likely had access to all cloud deployments, which is likely the majority of Uber’s running apps and cloud storage.”

An important fact is that the employee who was initially compromised worked in incident response, he notes, adding that such employees normally have access to many more tools in the Uber environment than the average employee.

“Having that level of access, plus the access they found in the PowerShell script, means they probably didn’t have too many limitations to do what they wanted inside Uber,” says Curry.

In a series of tweets, independent security researcher Bill Demirkapi said the attacker appears to have gained persistent MFA access to the compromised account at Uber “by socially tricking the victim into accepting a prompt allowing the attacker to record his own device for MFA”.

“The fact that the attackers appear to have compromised an IR team member’s account is concerning,” Demirkapi tweeted. “EDRs can create ‘backdoors’ for IR, such as allowing IR teams to infiltrate employee machines (if enabled), potentially expanding attacker access.”

Access to Bug Bounty data is “problematic”

The apparent fact that the attacker had access to Uber’s vulnerability data submitted through its bug bounty program is also problematic, according to security experts.

Curry says he learned of the access after the hacker posted a comment about the Uber hack on the company’s bug bounty tickets. Curry had previously discovered and submitted a vulnerability to Uber, which, if exploited, would have allowed access to its code repositories. This bug has been fixed, but it is unknown how many other vulnerabilities that were disclosed to the company have been fixed, how many of them have not been fixed, and what level of access these vulnerabilities could provide if they were exploited. The situation could get significantly worse if the hacker sells the vulnerability data to others.

“Bug bounty programs are an important layer in mature security programs,” said Shira Shamban, CEO of Solvo. “A primary implication here is that the hacker now knows of other vulnerabilities within Uber’s computing environment and can use them to set up backdoors for future use, which is troubling.”

Vulnerability and penetration testing tools are important for enabling organizations to better assess and improve their security postures, says Amit Bareket, CEO and co-founder of Perimeter 81. “However, if the right security measures are not put in place, these tools can turn into double-edged swords, allowing bad actors to take advantage of the sensitive information they may contain,” he says.

Companies should be aware of this and ensure that these reports are protected and stored in encrypted form so they cannot be used for malicious purposes, Bareket notes.

The latest incident is unlikely to do much to improve Uber’s already somewhat tarnished reputation for security. In October 2016, the company suffered a data breach that exposed sensitive information about some 57 million passengers. But instead of disclosing the breach as it should have, the company paid $100,000 to the security researchers who reported the breach, in what was seen as an attempt to pay them off. In 2018, the company settled a lawsuit over the incident for $148 million. It reached similar but much smaller settlements in legal proceedings over the incident in the UK and the Netherlands.