TEENAGER ALLEGEDLY BEHIND THE BREACH
The ride-hailing company has admitted to a vicious attack after discovering malware in several internal communications and engineering systems. The incident has forced the service to take a number of critical systems offline.
A teenage hacktivist is allegedly behind this social engineering attack. The news broke when he sent screen-grabs of several compromised resources, like email, cloud storage and code repositories, to New York Times.
Soon after the report in NYT late on Thursday, Uber admitted to the breach and the communications team posted a tweet at 2:25 am on Friday, September 16, saying, “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.” Uber has asked its staff to stop using Slack, the workplace messaging app widely used by the service for internal communications.
EXUBERANCE OF YOUTH : Initial investigations have revealed that the attacker is an eighteen year old hacktivist who is testing his skills by launching the attack. First he infiltrated an employee’s network access by sending text messages impersonating as an internal IT admin. After obtaining the credentials by this ruse, he gained access to a majority of Uber’s internal resources. Again this allowed the hacker to penetrate deeper and locate PowerShell script containing privileged credentials for an admin user of Thycotic, a provider of Privileged Access Management (PAM) solutions. These exploits permitted the teenager to access multiple servicess.
Having accomplished these tasks, the hacker went on to use Slack and posted messages listing the compromised services. He also sent out pornographic content, perhaps to celebrate his achievements. Finally he placed a demand asking Uber executives to give out better payments to the drivers.
Earlier, the hacker had contacted Sam Curry, a security engineer at Yuga Labs, to claim what he did. After analyzing the story, Sam Curry describe the breach as a ‘total compromise,’ meaning the attacker had complete access to a majority of Uber’s systems.
HISTORICAL FACT : A few years back, Uber had experienced a similar attack but that incident was concealed by the then security head of the company. In a trial in San Francisco court, the former head of security is facing charges of obstructing justice by failing to disclose that a breach had occurred. The Uber boss, Dara Khosrowshahi, is a key witness in the case and he has testified that he did not trust his ex-security chief and removed him from his job soon after learning about his transgressions.
DISSECTING THE PROBLEM : To start with, if the hacker was able to reach the absolute backend with just a VPN, then the network segmentation and isolations were not in place—which allowed smooth nmap scan. Then, PowerShell, as a tool for automation, used clear admin cred is in itself a major security problem. Having no role-based access methodology seems to be the reason for using single or limited number of admin accounts for multiple roles (script automation and PAM). Lastly, one PAM had absolute reign over the entire critical info. That should not be. It should at least have had a separate admin cred.
DG INVESTIGATION : 1. Social engineering was poor, resulting in compromising user VPN credentials. 2. Bad practices by system admin where the person left PAM username/password in a power shell script accessible via network shares (unfortunately, this practice is ubiquitous all over the world).
DG LESSONS : 1. Create awareness for all types of users 2. Provide network segmentation to lower the impact in case of any breach 3. Don’t put all your golden eggs in one single basket (like the PAM case here)
accessible via network shares (unfortunately, this practice is ubiquitous all over the world).
DG LESSONS : 1. Create awareness for all types of users 2. Provide network segmentation to lower the impact in case of any breach 3. Don’t put all your golden eggs in one single basket (like the PAM case here)
