Uber has suffered a data breach that allowed a hacker to gain access to vulnerability reports and internal systems. The hacker sent screenshots of email, cloud storage, and code repositories to cybersecurity researchers and The New York Times, indicating that they had full access to many critical Uber IT systems, including the company’s software and Windows domain. The threat actor gained access to the company’s internal systems using stolen credentials. Uber is currently working with law enforcement to respond to the incident. Cyber experts shared their insights on the attack, many noting that VPN- and MFA-based attacks are becoming all too common.

Ian McShane, Vice President, Strategy, Arctic Wolf
"Uber is renowned for having some of the best cybersecurity in the business so the fact they have been compromised points to what we should all know, nobody’s perfect and even the best managed security organizations can be compromised. The key is how quickly you respond and mitigate the issue which they appear to have done here.
While no official explanation has been provided yet, someone claiming to be the attacker explains that initial access was gained through social engineering - contacting an unwitting Uber staff member, pretending to be tech support and resetting their password. Then the intruder was able to connect to the corporate VPN to gain access to the wider Uber network, and then seems to have stumbled on gold in the form of admin credentials stored in plain text on a network share.
This is a pretty low-bar-to-entry attack and is something akin to the consumer-focused attackers calling people claiming to be MSFT and having the end user install keyloggers or remote access tools. Given the access they claim to have gained, I’m surprised the attacker didn’t attempt to ransom or extort; it looks like they did it “for the lulz”.
Attacks that make use of insider threats and compromised user credentials continue to grow – by 47%, according to the 2022 Ponemon Institute report – and it’s proof once again that often the weakest link in your security defenses is the human. It is therefore critical that you manage that risk by running regular training and security awareness sessions while running around-the-clock monitoring, detection, and response, as well as other security operations solutions to reduce risk and keep your organization protected."

Francisco Donoso, Vice President, Security Strategy and Platforms at Kudelski Security

"The threat actor in last night’s Uber hack seemed to gain initial access via employee VPN and seemed to be able to bypass MFA by abusing the push mechanism to “annoy” users into accepting MFA push prompts. This method is becoming increasingly common, even being used in the recent Twilio and Cisco attacks. Organizations should consider training their employees about these constant MFA request tricks and tell them to notify InfoSec immediately in the event of suspicious activity. The single most effective way to prevent these types of bypasses altogether, however, is to leverage MFA number matching to authenticate requests.
Once the attacker gained access to Uber’s servers, it seems like they scanned the internal network and found a PowerShell or automation script with hard-coded credentials that provided the attacker with access to Uber’s Privileged Access Management (PAM) system. Once an attacker has full access to an organization's PAM, they likely will have full access to your entire IT environment including cloud, SaaS, and on-premises systems.
Attacks of this kind are not going away any time soon; in fact, they will likely grow in frequency. Organizations should consider conducting a tabletop exercise with this exact scenario so they can plan how they’d respond, communicate with employees, and recover if a threat actor had full admin access to all their infrastructure, cloud, and SaaS providers, including those used for employee chat and email."

Josh Yavor, CISO, Tessian

"This is yet another example of what attack after attack has shown: social engineering is the predominant way that companies fall victim to breaches, and adversaries know it works. While it is too early to be confident about the details of the attack, one point is clear: weak multi-factor authentication deployments are leaving large organizations that are attractive targets vulnerable to major attacks.
This is not to say that MFA doesn’t work. In this and other recent cases, attackers targeted an employee with techniques and tools to bypass MFA. We’re seeing an increased availability of free and accessible attacker tooling, which helps automate phishing and bypass of weaker MFA factors including push notifications. This in turn is leading to more compromises where attackers make MFA requests that trick the victim into approving access for the attacker.
In order to reduce the risk of these attacks, it’s critical that companies realize that not all MFA factors are created equal. Factors such as push, one-time passcodes (OTPs), and voice calls are more vulnerable and are easier to bypass via social engineering. Security key technology based on modern MFA protocols like FIDO2 has resiliency built into its design, and we need to increase the adoption and use of these phishing-resistant factors globally. Finally, further defense in depth is necessary to reduce the impact of MFA bypass events. Even with the best technology deployed, strategies to guard against MFA bypass are necessary, including the use of secure-access policies that enforce further device-based requirements before providing access. These types of secure access policies increase the complexity and cost of the attack, and give security teams more chances to detect and respond.
It’s also noteworthy that various types of attackers (from “sophisticated” hacking groups to individual teenagers) are using these techniques. This further reinforces that attackers will reliably use techniques that work and are low cost. No matter the size or budget of the adversary, they will always use the easiest and most cost-effective methods to compromise their targets. That’s why we keep seeing the same tactics play out regardless of the adversary or victim: adversaries know that people can be tricked into giving up their passwords, weak MFA is prevalent, and the tools to exploit this are free and relatively easy to use."

Keith Neilson, Technical Evangelist at CloudSphere

"High-profile enterprises entrusted with large volumes of sensitive customer data have a responsibility to establish strict guardrails around access management. For organizations today, basic password protection just isn’t enough to ensure proper identity access management and security of all cyber assets. Malicious attacks of this magnitude illustrate the need for businesses to extend their focus beyond just password best practices – they must prioritize secure access and next-generation authentication. Developing new and improved alternatives to password management begins with the implementation of a robust cyber asset management strategy.
In the context of this incident, the most important thing to consider is that companies have no way of remediating what they cannot see. Given the multi-layer implications between data, assets, applications, and users, companies can only begin to enforce identity and password management policies when they secure full visibility of their attack surface. Hence, the first step to an effective cyber asset management strategy is taking inventory of all cyber assets hosted within the company’s IT estate. Once all assets are accounted for, enterprises can adopt and enforce more advanced authentication methods and security guardrails. Without this integration, passwords will continue to be used as a fallback, leaving valuable data vulnerable to attacks."

Samantha Humphries, Head of Security Strategy EMEA at Exabeam
“This coordinated social engineering attack - on such a large and established organisation - is sadly not the surprise that it may have been a few years ago. What seems to be clear at this stage is it’s a credentials-based attack - malicious use of an employee’s legitimate password. This is far from rare; in fact, a 2022 report found that insider threat incidents have risen 44% over the past two years.
Almost all of the high-profile breaches we see in the news involve attackers leveraging stolen user credentials to gain access to sensitive data. Insiders with access to privileged information represent the greatest risk to a company’s security. This kind of threat can be much harder to detect. After all, an attacker with valid credentials looks just like a regular user. This presents one of the most significant challenges for security teams.
Sadly, this is unlikely to be the last time we’ll see this type of breach. Failure to adapt security operations to detect and mitigate credential-based attacks will continue to have serious consequences.
Whilst there are already many details being shared by the purported attacker, the wider implications of this breach are still unknown. However, for Uber’s incident responders, it is certain that they have had better days in the office, and my heart absolutely goes out to them.”
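Several of the experts above describe the same pattern: repeated MFA push prompts until the user approves one, and an attacker who then "looks just like a regular user". The following is an added example, not code from the article or from any vendor quoted in it, showing how a SOC could flag that pattern in identity-provider logs. The log format, user names, IPs and timestamps are constructed for illustration; real IdP exports (Okta, Azure AD, Duo) use different field names, so the parser is the part you would adapt.

```python
"""Detect MFA push-fatigue patterns in authentication logs.

Added example for illustration; the log format below is constructed and
does not correspond to any particular identity provider's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: <timestamp> <user> <event> <source IP>
# alice receives four pushes she rejects or ignores, then approves one
# from the same source within a few minutes: the push-fatigue signature.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice push_denied 203.0.113.7
2022-09-15T22:01:41Z alice push_denied 203.0.113.7
2022-09-15T22:02:20Z alice push_timeout 203.0.113.7
2022-09-15T22:03:05Z alice push_denied 203.0.113.7
2022-09-15T22:04:12Z alice push_approved 203.0.113.7
2022-09-15T22:10:00Z bob push_approved 198.51.100.4
2022-09-15T23:30:00Z carol push_denied 198.51.100.9
2022-09-15T23:31:00Z carol push_approved 198.51.100.9
"""

REJECTIONS = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return alerts as (user, ip, rejection_count, approval_time).

    An alert fires when a user approves a push after at least `threshold`
    rejected or timed-out pushes from the same source IP inside `window`.
    A single denied push followed by an approval (carol below) is normal
    user behaviour and stays below the threshold.
    """
    history = defaultdict(list)  # user -> recent (ts, event, ip) tuples
    alerts = []
    for ts, user, event, ip in sorted(events):
        # Drop events that have aged out of the sliding window.
        history[user] = [e for e in history[user] if ts - e[0] <= window]
        if event == "push_approved":
            rejected = [e for e in history[user]
                        if e[1] in REJECTIONS and e[2] == ip]
            if len(rejected) >= threshold:
                alerts.append((user, ip, len(rejected), ts))
        history[user].append((ts, event, ip))
    return alerts


if __name__ == "__main__":
    for user, ip, count, when in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"ALERT {when:%Y-%m-%d %H:%M:%S} user={user} ip={ip} "
              f"approved after {count} rejected/expired pushes")
```

The threshold and window are deliberately parameters: a push that expires once because the phone was in a pocket is routine, whereas several rejections followed by an approval from the same source is exactly the sequence the quoted experts describe. The detection is a complement to, not a substitute for, the mitigation they recommend (number matching or FIDO2 keys), which removes the blind approval the attacker depends on.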
Arti Raman (She/Her), CEO & Founder, Titaniam
"Uber is the latest in a string of social engineering attack victims. Employees are only human, and eventually mistakes with dire consequences will be made. As this incident proved, despite security protocols put in place, information can be accessed using privileged credentials, allowing hackers to steal underlying data and share them with the world.
The gig economy provides people the opportunity to be their own boss, and choose how and when they want to work in a way that fits their lifestyles. It has also revolutionized the way we use public transportation and has allowed for unprecedented mobility and convenience.
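One detail that several of the quoted experts highlight is the script with hard-coded credentials that reportedly turned a foothold into PAM access. The following is an added example, not code from the article or from Uber, of the check a defender would want to run over a repository of PowerShell and automation scripts before an intruder reads them. The sample script, its variable names and the placeholder secret values are constructed; the regexes cover three common shapes (a literal assigned to a password-like variable, `ConvertTo-SecureString -AsPlainText`, and an `Authorization` header literal) and will need tuning for a real code base.

```python
"""Scan PowerShell/automation scripts for hard-coded credentials.

Added example for illustration. The sample script and all values in it
are constructed; nothing here is taken from any real environment.
"""
import re

# Constructed sample script mixing bad practice (literal secrets) with the
# acceptable pattern (prompting via Get-Credential at run time).
SAMPLE_SCRIPT = r"""
# backup.ps1 (constructed example)
$user = "svc_backup"
$password = "Hunter2!Example"
$cred = New-Object System.Management.Automation.PSCredential($user, (ConvertTo-SecureString $password -AsPlainText -Force))
$apiKey = "EXAMPLEKEY0000000000"
Invoke-RestMethod -Uri https://pam.example.invalid/api -Headers @{ Authorization = "Bearer $apiKey" }
$safe = Get-Credential
"""

# (finding name, compiled pattern). Patterns are line-oriented and case-insensitive.
PATTERNS = [
    ("plaintext secret assigned to variable",
     re.compile(r"\$\w*(?:pass|pwd|secret|token|key)\w*\s*=\s*[\"'][^\"']{6,}[\"']", re.I)),
    ("ConvertTo-SecureString -AsPlainText on a literal/variable",
     re.compile(r"ConvertTo-SecureString\s+.*-AsPlainText", re.I)),
    ("Authorization header with inline Bearer/Basic literal",
     re.compile(r"Authorization\s*=\s*[\"'](?:Bearer|Basic)\s+\S+", re.I)),
]


def scan_script(text):
    """Return (line_number, finding_name, stripped_line) for each match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def finding_lines(text):
    """Convenience: the set of line numbers that triggered at least one finding."""
    return {lineno for lineno, _, _ in scan_script(text)}


if __name__ == "__main__":
    for lineno, name, line in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {name}\n    {line}")
```

Run against a checkout of the automation repositories (or wired into a pre-commit hook), the scanner surfaces the lines that a plain-text credential find would have depended on; the fix for each is to move the secret into the PAM or secrets store and have the script fetch it at run time under its own least-privilege identity, as the `Get-Credential` line in the sample already does for interactive use.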