Understanding Uber’s corporate hack – lessons learned
On September 15th this year, an 18-year-old surprised Uber’s security team by gaining access to the company’s internal networks.
The alleged attacker sent evidence of their escapades to security researchers and the New York Times, including screenshots of source code, cloud storage, and internal emails. The attacker also explained their methods, presenting a great opportunity to examine what happened and determine what lessons we can learn from this corporate hack.
How did the Uber hack play out?
This attack started with a phishing campaign. Posing as an employee from Uber’s IT department, the attacker contacted genuine Uber employees, asking for their passwords. Eventually, a victim was persuaded to hand over their credentials.
The attacker’s next challenge was to bypass Uber’s multifactor authentication (MFA) system. To do this, they used a social engineering technique called “MFA fatigue”. This technique involves spamming the victim with requests to accept an MFA challenge. Faced with an extremely high number of push messages or phone calls, in most cases the victim will sooner or later simply accept one of them. Previously, this technique has been used to compromise companies as large as Microsoft.
Having gained a foothold in Uber’s internal networks, the attacker started to move laterally. First, they searched for credentials on shared drives which would enable them to access other machines in the internal network. The attacker eventually found admin account credentials in a PowerShell script, which gave them access to a range of highly valuable targets. One of these was the company’s internal messaging platform, Slack, where the attacker joked about hacking Uber’s corporate network. They also compromised other resources, including Amazon Web Services and Google Cloud.
The overall scope of this corporate hack was enormous. Cybersecurity researcher M. Curry commented that “they [the attacker or attackers] pretty much have full access to Uber.”
Uber responded quickly to this attack by shutting down a variety of systems. However, its consumer-facing applications (Uber, Uber Eats and Uber for drivers) didn’t suffer serious service interruptions.
In the aftermath of the attack, Uber continues to work closely with law enforcement agencies, including the FBI and the US Ministry of Justice. However, as of September 22nd, the company still hasn’t made a public announcement detailing which data was stolen.
Recent media reports have suggested that the attacker wasn’t simply a teenager acting alone, instead pointing the finger at the notorious Lapsus$ Group. Famous for its social engineering attacks, Lapsus$ has targeted a whole host of tech giants, including Microsoft, Nvidia, Ubisoft, and T-Mobile.
Takeaways and best practice
So, what can we learn from the Uber hack? First and foremost, no matter how many resources you dedicate to security, if basic security principles aren’t followed by teams, your systems will always be at risk. Having admin credentials in a script isn’t just bad practice – it gives potential attackers a master key to your systems.
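One basic check that follows from this lesson is to scan the scripts on your own shared drives for embedded credentials before an intruder does. The scanner below is an added example, not code from the original article or from Uber; the patterns are a heuristic starting set chosen for this example, and the sample script is constructed to show a hit of each kind next to two safe ways of handling credentials.

```python
import re
from pathlib import Path

# Heuristic patterns for plaintext secrets in PowerShell scripts (example set, not exhaustive).
SECRET_PATTERNS = [
    ("plaintext ConvertTo-SecureString",
     re.compile(r'ConvertTo-SecureString\s+(?:-String\s+)?["\'][^"\']+["\'].*-AsPlainText', re.I)),
    ("literal password variable",
     re.compile(r'\$\w*(?:pass(?:word)?|pwd|secret)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    # A -Password style argument whose value is a literal, not a $variable or a (sub-expression).
    ("literal -Password argument",
     re.compile(r'-(?:Password|Pass|Secret|Token|ApiKey)\s+["\']?[^\s"\'$(-][^\s"\']*["\']?', re.I)),
    # "net use ... /user:name password" with the password inline rather than "*" (prompt).
    ("net use with inline password",
     re.compile(r'\bnet\s+use\b.*\s/user:\S+\s+(?!\*)\S+', re.I)),
]

# Constructed sample: a maintenance script of the kind that ends up on a file share.
SAMPLE_SCRIPT = r'''# Constructed sample, not a real script
$server = "fileserver01"
$AdminPassword = "Summer2022!"
$secure = ConvertTo-SecureString "Summer2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("CORP\svc_admin", $secure)
Invoke-Command -ComputerName $server -Credential $cred -ScriptBlock { Get-Service }
net use Z: \\fileserver01\backup /user:CORP\svc_backup B4ckup!Pass
$good = Get-Credential
Connect-Thing -Password $good.Password'''


def find_hardcoded_secrets(script_text):
    """Return [(line_number, label, line)] for lines that appear to embed a secret."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((number, label, line.strip()))
                break  # one finding per line is enough
    return findings


def scan_share(root):
    """Walk a directory tree (e.g. a mounted share) and scan every .ps1/.psm1/.psd1 file."""
    results = {}
    for path in Path(root).rglob("*.ps*1"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        hits = find_hardcoded_secrets(text)
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    for number, label, line in find_hardcoded_secrets(SAMPLE_SCRIPT):
        print(f"line {number}: {label}: {line}")
```

Lines 3, 4 and 7 of the sample are flagged; the `Get-Credential` prompt and the `$good.Password` variable reference on lines 8 and 9 are not, which is the pattern a maintenance script should follow.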
Often – as in Uber’s case – we see companies robustly defending their external networks, but not dedicating the same effort to protecting their internal systems. This is a mistake. If an attacker does manage to enter your networks, it’s crucial to ensure they’re not able to move laterally, as this is when they can do the greatest damage.
The Uber hack also highlights the importance of raising awareness of social engineering among employees. But it’s not just a case of telling employees what not to do. It’s also important to give them trusted contacts to turn to when they’re not sure if something is suspicious. A company like Airbus Protect can be a good first contact for employees to reach out to.
All in all, the Uber hack demonstrates how quickly things can go wrong in the fast-moving world of cybersecurity. The only way to avoid falling victim to a corporate hack is to build a strong overall security ecosystem – including a SOC, incident responders, penetration testers and a proper red team. It’s equally important to ensure you don’t drop the ball on the basics – like not storing admin credentials in a script. This doesn’t just apply to Uber, but to all other companies, organisations and governments around the world.