After news of the cyberattack on Uber and its IT infrastructure and access to sensitive customer data, the human element in this story is gaining strength, with attention turning to multi-factor authentication (MFA) and other security issues. identity security best practices. Therefore, as more details of the story are known, it is inevitable to ask ourselves: “Does it really matter who the attacker was or how he got in?” Because once Uber took on this attack, what makes it so notorious is what happened next. Based on available analysis and reports, CyberArk Red Team has deconstructed the Uber cyberattack with a focus on the “hardcoded” credentials, the true critical point of the attack, as they were allegedly used to gain administrative access to privileged access management. (PAM), provided by another provider, which unlocked other high-risk access. In this sense, Shay Nahari, VP, Red-Team Services of CyberArk, has commented. “Much of the analysis of the Uber cyberattack has focused on social engineering and multiple MFA attack vectors, but the real turning point for the attack occurred after the initial break-in. The presence of embedded credentials on a misconfigured network share is critical to deconstructing this attack. It was the access credentials to a PAM solution embedded in the PowerShell script that allowed the attacker to gain high-level access, escalate privileges, and gain access to Uber’s IT systems. Proactive protection relies on implementing multiple layers of security, but as this attack ramps up, the most important lesson is to embrace a security breach.”
Much of the analysis of the Uber cyberattack has focused on social engineering.
Deconstructing the Uber attack cyberattack, step by step: what we supposedly know
Phase 1: Initial Access. The attacker penetrated Uber’s IT environment by gaining access to the company’s VPN infrastructure credentials. Phase 2: Discovery. The supplier most likely did not have special or elevated privileges to sensitive resources, but did have access to a shared network drive, just like other Uber workers. This network share was either open or misconfigured to allow a wide read ACL (access control list). Within the network share, the attacker discovered a PowerShell script containing embedded privileged credentials for Uber’s PAM solution. In the Uber breach, hardcoded credentials granted administrative access to a privileged access management solution. Also, it appears that these credentials had not been changed in a while, making them much easier to exploit. Phase 3: Escalation of Privileges, access the PAM System. By collecting the administrator credentials for the privileged access management solution, the attacker was able to further escalate privileges. Phase 4: Access the secrets of the PAM system, reach the critical systems of the company. According to Uber’s latest update, the attacker obtained “elevated permissions for various tools.” By accessing the secrets of the privileged access management solution, the attacker allegedly compromised access to SSO and consoles, as well as the cloud management console where Uber stores sensitive data (financial and customer). . Phase 5: Data exfiltration. Uber is still investigating the incident, but has confirmed that the attacker “downloaded some internal messages from Slack and accessed or downloaded information from an internal tool that our finance team uses to manage some invoices.” Proactive protection requires defense in depth, a combination of complementary security layers that support a Zero Trust strategy that uses strong least privilege controls. Therefore, to reduce cyber risk, CyberArk recommends focusing on inventorying the environment to find and remove embedded credentials that exist in code, PaaS configurations, DevOps tools, and internally developed applications.