On Thursday evening, around 6:25 PM, Uber announced that it was responding to a cybersecurity incident. While Uber hasn’t gone into details about what happened, the purported threat actor has openly corresponded with several security professionals, including Sam Curry at Yuga Labs, Corben Leo at Zellic.io and The New York Times.
According to both Curry and Leo, multiple systems were impacted, from Slack, Google Workspace, and AWS to critical security services like Duo, OneLogin, SentinelOne, and HackerOne.
The hacker has eagerly laid out the story of how they compromised Uber, but it is worth covering to tease out the concerning trends that this story highlights.
The hack began with a phishing attack, likely smishing (SMS phishing), as the hacker told The New York Times that he’d sent a text message to an employee, posing as a member of the information security team, to steal credentials.
Uber uses MFA organization-wide, and it’s not exactly clear how the hacker bypassed MFA over the phone; however, as security researcher Bill Demirkapi points out on Twitter, MFA by itself doesn’t thwart phishing. Most commonly, threat actors use spoofed login domains to capture credentials and bypass MFA. This is a tactic that has seen a massive uptick this year, and it’s possible it was used in this hack.
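The reason a spoofed login domain can relay a one-time code but not a WebAuthn assertion is that the browser writes the page's origin into the signed client data, and the relying party must compare it with its own. The following is an added example, not code from the original article or from any vendor named in it: it implements the relying-party-side checks on clientDataJSON (ceremony type, challenge, origin) and shows a relayed assertion from a look-alike domain being rejected. Signature verification over the authenticator data is out of scope; the origins and challenge bytes are constructed placeholders.

```python
"""Origin-bound MFA versus a relayed login (added example, not from the article).

Assumptions: EXPECTED_ORIGIN is the real relying party, the look-alike origin
and the challenge are constructed placeholders, and make_client_data() stands in
for what a browser would assemble before the authenticator signs it.
"""
from __future__ import annotations

import base64
import json

EXPECTED_ORIGIN = "https://sso.example.com"          # placeholder relying party
CHALLENGE = bytes(range(32))                         # constructed, fixed for the demo


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded)


def make_client_data(origin: str, challenge: bytes) -> str:
    """Simulate the browser: the origin the page was loaded from is baked in,
    the script on that page cannot overwrite it."""
    doc = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(doc).encode("utf-8"))


def check_client_data(client_data_b64: str, expected_challenge: bytes,
                      expected_origin: str) -> tuple[bool, str]:
    """Relying-party checks on clientDataJSON (type, challenge, origin)."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "client data is not valid base64url JSON"
    if data.get("type") != "webauthn.get":
        return False, f"unexpected ceremony type: {data.get('type')!r}"
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        return False, "challenge does not match the one we issued"
    if data.get("origin") != expected_origin:
        # This is the check a relay through a spoofed domain cannot satisfy.
        return False, f"origin mismatch: {data.get('origin')!r}"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Genuine login versus the same challenge relayed via a look-alike domain."""
    genuine = make_client_data(EXPECTED_ORIGIN, CHALLENGE)
    relayed = make_client_data("https://sso-example.com.login-portal.example", CHALLENGE)
    return {
        "genuine": check_client_data(genuine, CHALLENGE, EXPECTED_ORIGIN),
        "relayed": check_client_data(relayed, CHALLENGE, EXPECTED_ORIGIN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A TOTP or push code carries no origin, so a relay that forwards it to the real site is indistinguishable from the user typing it there; the origin field is what turns "something you have" into "something you have, used on the right site".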
Once he had the credentials, the hacker accessed Uber’s corporate intranet via the company VPN. Over the intranet, he found an internal network share that contained PowerShell scripts, one of which had admin credentials for Thycotic.
Thycotic is a privileged access management (PAM) provider. Unlike standard identity and access management, PAM specifically revolves around providing account access to users with elevated permissions within the tools and services they need to use. As such, PAMs are very likely to be secret stores, and access to them must be very closely guarded. Once inside Thycotic, the hacker had the keys to the kingdom, and access to any other system would have been trivial.
Despite the scale of this hack, this attack vector is pretty common. Threat actors routinely move laterally within corporate networks and external cloud systems and escalate privileges when they discover exposed credentials, something we talked about earlier this year.
In fact, this breach has pretty similar parallels to the 2020 hack of Twitter, right down to the age of the hackers—both are teenagers, apparently just a year apart in age. In the Twitter hack, the hacker used vishing (voice phishing) to pose as Twitter IT support to gain access to an employee’s account. He moved laterally through Twitter’s systems until he found a Slack channel containing credentials to Twitter’s backend, which he used to hijack high-profile user accounts like Barack Obama, Bill Gates, Elon Musk, and others. We’ve also documented many hacks where threat actors explicitly sought out secrets and credentials for the express purpose of privilege escalation.
Uber has yet to investigate the extent of the hack, but assuming everything revealed so far is validated, this highlights various risk vectors, including the risk posed by improperly stored secrets and credentials. Since organizations cannot assume that threat actors won’t infiltrate their environments, one step they can take is to limit the impact of privilege escalation by shoring up data security hygiene. While multifaceted, this entails first discovering where secrets and credentials are stored across services, and second, taking steps to clean up inadvertent secret sharing and storage. For example, secrets and keys may be inadvertently stored in code repositories or shared in cloud services. Remediating such risk requires a two-pronged approach: first investing in data protection tools that can identify, and ideally automatically address, improper sharing of sensitive data, then educating employees on best practices until it becomes second nature.
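The first step the paragraph above describes, discovering where secrets sit in scripts and shares, and the network-share-of-PowerShell-scripts foothold described earlier, can both be illustrated with a small hardcoded-credential scanner. This is an added example, not code from the original article or from Uber or Thycotic. The two PowerShell script texts it scans are constructed samples: one with credentials embedded the way the story describes, one doing the same job by fetching credentials at run time. The secret values, the `vault.example.internal` host and the `aws-backup-key` secret name are placeholders; `Get-Secret` is the cmdlet from Microsoft's SecretManagement module. The rule set is deliberately minimal; a production scanner would add entropy checks and many more formats.

```python
"""Scan script contents for hardcoded credentials (added example, not from the article).

Assumptions: sample scripts, hostnames and secret values below are constructed;
the detection rules are a small illustrative subset of what a real scanner ships.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Each rule targets one way credentials end up written into scripts.
PATTERNS: dict[str, re.Pattern[str]] = {
    # PowerShell: a plaintext literal turned into a SecureString inline
    "ps-securestring-plaintext": re.compile(
        r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText", re.I),
    # A password/secret/token variable assigned a string literal
    "assignment-literal": re.compile(
        r"\$?(?:password|passwd|pwd|secret|token|apikey|api_key)\s*=\s*['\"][^'\"]{6,}['\"]", re.I),
    # AWS access key id format (the value below is AWS's documented example id)
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # user:password embedded in a URL
    "url-embedded-creds": re.compile(r"[a-z]+://[^/\s:@]+:[^/\s:@]+@"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    excerpt: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit; excerpts are truncated so the
    report itself does not become another copy of the secret."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            if rx.search(line):
                findings.append(Finding(path, n, rule, line.strip()[:40] + "..."))
    return findings


def findings_by_path(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each scanned path to the ordered list of rules it triggered."""
    return {path: [f.rule for f in scan_text(path, text)] for path, text in files.items()}


# Constructed sample: the kind of script the article describes on a network share.
VULNERABLE_PS = """\
# rotate-thycotic.ps1 (constructed sample, placeholder values)
$User = 'svc_thycotic_admin'
$Password = 'Sup3rS3cret!'
$sec = ConvertTo-SecureString 'Sup3rS3cret!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($User, $sec)
Invoke-RestMethod -Uri 'https://svc_account:Pa55word@vault.example.internal/api' -Credential $cred
$env:AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'
"""

# Constructed sample: same task, credentials resolved at run time instead of stored.
HARDENED_PS = """\
# rotate-thycotic-hardened.ps1 (constructed sample, placeholder values)
$cred = Get-Credential -Message 'Vault admin account'
Invoke-RestMethod -Uri 'https://vault.example.internal/api' -Credential $cred
$env:AWS_ACCESS_KEY_ID = (Get-Secret -Name 'aws-backup-key' -AsPlainText)
"""

SAMPLE_FILES = {
    "rotate-thycotic.ps1": VULNERABLE_PS,
    "rotate-thycotic-hardened.ps1": HARDENED_PS,
}


if __name__ == "__main__":
    for path, text in SAMPLE_FILES.items():
        hits = scan_text(path, text)
        print(f"{path}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f.line_no:>2}  {f.rule:<26} {f.excerpt}")
```

For an unattended job, `Get-Credential` would be replaced by a vault lookup or a managed identity; the point of the hardened sample is that nothing in the file is worth stealing, which is what a scan like this verifies before the script is copied to a shared location.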