Attacker Apparently Didn't Have to Breach a Single System to Pwn Uber
Alleged teen hacker claims he found an admin password in a network share inside Uber that allowed complete access to the ride-sharing giant's AWS, Windows, Google Cloud, VMware, and other environments.
Questions are swirling around Uber's internal security practices after an 18-year-old hacker gained what appears to have been complete administrative access to critical parts of the company's IT infrastructure using an employee's VPN credentials as an initial access vector.
Numerous screenshots that the alleged attacker posted online suggest the intruder did not have to breach a single internal system to essentially pwn the ride-sharing giant's IT domain almost entirely.
So far, Uber has not disclosed details of the incident beyond saying that the company is responding to it and working with law enforcement to investigate the breach. So, at least some of what is being reported about the incident is based on a New York Times report from Sept. 15 in which the teen claimed to have gained access to Uber's internal networks using credentials obtained from an employee via social engineering. The attacker used that access to move laterally across Uber's internal domain to other critical systems, including its email, cloud storage, and code repository environments.
Since then, he has posted numerous screenshots of internal systems at Uber to confirm the access he had obtained and how it was obtained.
The screenshots show the hacker gained full administrative access to Uber's AWS, Google Cloud, VMware vSphere, and Windows environments, as well as to a full database of vulnerabilities in its platform that security researchers have discovered and disclosed to the company via a bug bounty program managed by HackerOne. The internal data the attacker accessed appears to include Uber sales metrics, information on Slack, and even info from the company's endpoint detection and response (EDR) platform.
In a tweet thread that some security researchers reposted, Twitter user Corben Leo posted claims from the alleged hacker that he used the socially engineered credentials to access Uber's VPN and scan the company's intranet. The hacker described finding an Uber network share that contained PowerShell scripts with privileged admin credentials. "One of the PowerShell scripts contained the username and password for an admin user in Thycotic (PAM). Using this I was able to extract secrets for all services, DA, Duo, OneLogin, AWS, GSuite," the attacker claimed.
For now, the attacker's motivations are not very clear. Normally, it's pretty apparent, but the only thing that hacker has done so far is make a lot of noise, noted that Uber drivers should be paid more, and shared screenshots proving access.
"They seemed really young and maybe even a little sloppy. Some of their screenshots had open chat windows and a ton of metadata," says Sam Curry, a security engineer at Yuga Labs who has reviewed the screenshots.
Invincible Security Group (ISG), a Dubai-based security services firm, claimed that its researchers had obtained a list of administrative credentials that the threat actor had gathered. "They seem to be strong passwords, which confirms that it was indeed a social-engineering attack that got him access to Uber's internal network," ISG tweeted.
Curry tells Dark Reading that the attacker appears to have gained initial access by compromising one employee's login information and socially engineering that person's VPN two-factor authentication (2FA) prompt.
"Once they had VPN access, they discovered a network drive with 'keys to the kingdom,' which allowed them to access [Uber's] cloud hosting as root on both Google Cloud Platform and Amazon Web Services," Curry notes. "This means they probably had access to every cloud deployment, which is likely the majority of Uber's running applications and cloud storage."
One significant fact is that the employee who was initially compromised worked in incident response, he notes, adding that normally such employees have access to many more tools within Uber's environment than average employees.
"Having this level of access, and additionally the access they found in the PowerShell script, means that they probably didn't have too many limitations to do whatever they wanted inside Uber," Curry says.
In a series of tweets, independent security researcher Bill Demirkapi said the attacker appears to have gained persistent MFA access to the compromised account at Uber by socially engineering the victim into accepting a prompt that allowed the attacker to register their own device for MFA.
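The sequence Demirkapi describes (repeated push prompts, an approval, then a new MFA device enrolled shortly afterwards) leaves a trail in identity-provider logs that a SOC can alert on. The detection below is an added example, not code from the article, from Uber, or from any MFA vendor: it groups authentication events per user and flags a device enrollment that follows a push approval within minutes, especially when the approval was preceded by a burst of pushes or the enrollment came from an address the user has never authenticated from. The events, the baseline of known addresses, and the field names (`ts`, `user`, `event`, `ip`) are constructed assumptions, not a specific product's schema.

```python
"""Flag suspicious MFA device enrollments in authentication logs.

Added example (not from the article or from Uber): detection logic a SOC
could run over identity-provider logs to catch the pattern described
above, where a victim approves a push and a new MFA device is then
enrolled by someone else. All events, addresses and field names below
are constructed for this demonstration.
"""
from datetime import datetime, timedelta

# Constructed events, oldest first. Fields: ts (ISO 8601), user, event, ip.
EVENTS = [
    {"ts": "2022-09-15T02:10:00", "user": "alice", "event": "mfa_push_sent",       "ip": "203.0.113.7"},
    {"ts": "2022-09-15T02:10:40", "user": "alice", "event": "mfa_push_timeout",    "ip": "203.0.113.7"},
    {"ts": "2022-09-15T02:11:05", "user": "alice", "event": "mfa_push_sent",       "ip": "203.0.113.7"},
    {"ts": "2022-09-15T02:11:50", "user": "alice", "event": "mfa_push_timeout",    "ip": "203.0.113.7"},
    {"ts": "2022-09-15T02:14:00", "user": "alice", "event": "mfa_push_sent",       "ip": "203.0.113.7"},
    {"ts": "2022-09-15T02:14:30", "user": "alice", "event": "mfa_push_approved",   "ip": "203.0.113.7"},
    {"ts": "2022-09-15T02:16:00", "user": "alice", "event": "mfa_device_enrolled", "ip": "203.0.113.7"},
    # Benign: bob enrolls a new phone during office hours from his usual address,
    # well after his last push approval.
    {"ts": "2022-09-15T10:00:00", "user": "bob",   "event": "mfa_push_sent",       "ip": "198.51.100.20"},
    {"ts": "2022-09-15T10:00:10", "user": "bob",   "event": "mfa_push_approved",   "ip": "198.51.100.20"},
    {"ts": "2022-09-15T10:30:00", "user": "bob",   "event": "mfa_device_enrolled", "ip": "198.51.100.20"},
]

# Constructed baseline: addresses each user normally authenticates from.
KNOWN_IPS = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.20"}}

PUSH_FATIGUE_WINDOW = timedelta(minutes=10)  # repeated pushes inside this window count as a burst
ENROLL_WINDOW = timedelta(minutes=15)        # enrollment this soon after an approval is suspicious


def parse_ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_suspicious_enrollments(events, known_ips, min_pushes=3):
    """Return one alert per device enrollment that shows at least two independent warning signs."""
    by_user = {}
    for e in sorted(events, key=parse_ts):
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["event"] != "mfa_device_enrolled":
                continue
            t_enroll = parse_ts(e)
            reasons = []

            # Sign 1: the enrolling client is not one the user has been seen from before.
            if e["ip"] not in known_ips.get(user, set()):
                reasons.append("enrollment from unfamiliar IP %s" % e["ip"])

            # Sign 2: a push was approved only minutes before the new device appeared.
            approvals = [a for a in evs[:i]
                         if a["event"] == "mfa_push_approved"
                         and timedelta(0) <= t_enroll - parse_ts(a) <= ENROLL_WINDOW]
            if approvals:
                t_approve = parse_ts(approvals[-1])
                reasons.append("enrolled %d s after push approval"
                               % int((t_enroll - t_approve).total_seconds()))

                # Sign 3: that approval came after a burst of pushes (prompt fatigue).
                pushes = [p for p in evs[:i]
                          if p["event"] == "mfa_push_sent"
                          and timedelta(0) <= t_approve - parse_ts(p) <= PUSH_FATIGUE_WINDOW]
                if len(pushes) >= min_pushes:
                    reasons.append("%d pushes in the %s before approval"
                                   % (len(pushes), PUSH_FATIGUE_WINDOW))

            if len(reasons) >= 2:
                alerts.append({"user": user, "ts": e["ts"], "ip": e["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_enrollments(EVENTS, KNOWN_IPS):
        print(alert)
```

Requiring two signs rather than one keeps a lone new-device enrollment from a travelling employee out of the alert queue while still catching the approval-then-enrollment sequence; in production the baseline of known addresses would come from historical successful logins rather than a hard-coded dictionary.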
"The fact that the attackers appear to have compromised an IR team member's account is worrisome," Demirkapi tweeted. "EDRs can bake in backdoors for IR, such as allowing IR teams to shell into employee machines (if enabled), potentially widening the attacker's access."
The apparent fact that the attacker gained access to Uber vulnerability data submitted via its bug bounty program is also problematic, security experts say.
Curry says he learned of the access after the hacker posted a comment about Uber being hacked on the company's bug bounty tickets. Curry had previously discovered and submitted a vulnerability to Uber, which if exploited would have permitted access to its code repositories. That bug was addressed, but it's unclear how many of the other vulnerabilities that have been disclosed to the company have been fixed, how many of them were unpatched, and what level of access those vulnerabilities could provide if exploited. The situation could become significantly worse if the hacker sells the vulnerability data to others.
"Bug bounty programs are an important layer in mature security programs," says Shira Shamban, CEO at Solvo. "A main implication here is that the hacker now knows about other vulnerabilities within the Uber IT environment and can use them to set up backdoors for future use, which is unsettling."
"Vulnerability and pen-testing tools are important in enabling companies to better assess and improve their security postures," says Amit Bareket, CEO and co-founder of Perimeter 81. "However, if the correct security measures aren't put in place, these tools can turn into double-sided swords, enabling bad actors to take advantage of the sensitive information they may contain," he says.
"Companies should be aware of this and make sure such reports are protected and stored in encrypted form to avoid being misused for malicious intent," Bareket notes.
The latest incident is unlikely to do much to improve Uber's already somewhat dinged reputation for security. In October 2016, the company experienced a data breach that exposed sensitive information on some 57 million riders. But instead of disclosing the breach as it was required to, the company paid $100,000 to the security researchers that reported the breach in what was viewed as an attempt to pay them off. In 2018, the company settled a lawsuit over the incident for $148 million. It arrived at similar but much smaller settlements in lawsuits over the incidents in the UK and the Netherlands.