Uber’s Amazon Web Service, Duo, GSuite, and other platforms compromised.
Access leaked to the internal network (Intranet) *.uberinternal.
Social engineering employed as an initial attack vector.
Obfuscation of the application code.
Leak of sensitive & critical information.
Multiple account takeovers.
Equips malicious actors with the details needed to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
Analysis and Attribution
Information from Open Source
On 16 September 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor claiming to have compromised Uber, the American mobility service provider.
Uber has confirmed the above claims and responded to the incident by stating that it is in contact with law enforcement agencies.
The threat actor was able to compromise an employee’s HackerOne account to access vulnerability reports associated with Uber.
To demonstrate the legitimacy of the claims, the actor has posted unauthorized messages on the HackerOne page of the company.
The attacker also shared several screenshots of Uber's internal environment, including GDrive, vCenter, sales metrics, Slack, and the EDR portal.
Official tweet by Uber Communications
Information from the Samples
CloudSEK’s Research team analyzed the sample snapshots shared by the threat actor, which implied access to the following assets:
The actor employed social engineering techniques as an initial attack vector to compromise Uber’s infrastructure.
After obtaining multiple credentials, the actor used the compromised victim's VPN access to:
Pivot and escalate privileges inside the internal network
Scan the internal network (Intranet) for accessible resources
Subsequently, the actor gained access to the internal network (Intranet) *.corp.uber.com, where the actor found a directory, plausibly named "share", containing numerous PowerShell scripts with admin credentials for the privileged access management (PAM) system (Thycotic).
This gave the actor complete access to multiple services of the entity, such as Uber's Duo, OneLogin, AWS, GSuite Workspace, etc.
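The scripts on that share were the step from a VPN foothold to PAM admin credentials, which is why secret scanning of shares and repositories belongs next to the other mitigations. The following Python scanner is an added example, not CloudSEK's tooling and not anything taken from Uber's environment: it walks a set of PowerShell scripts and flags the common ways credentials get embedded in them. The share contents, paths, usernames and secrets it scans are constructed for illustration, and the rules are a starting point rather than a complete secret scanner.

```python
"""Scan PowerShell scripts on a share for embedded credentials.

Added example. The sample scripts below are constructed; they are not
Uber's and not CloudSEK's. Rules are simple regexes over single lines.
"""
import re
from typing import Dict, List, Tuple

# Each rule: (name, compiled regex). Patterns target the usual ways a
# credential ends up hard-coded in a .ps1 file.
RULES: List[Tuple[str, re.Pattern]] = [
    ("plaintext-password-variable",
     re.compile(r'\$\w*(pass(word)?|pwd|secret)\w*\s*=\s*["\'][^"\']{4,}["\']', re.I)),
    ("convertto-securestring-asplaintext",
     re.compile(r'ConvertTo-SecureString\s+(-String\s+)?["\'][^"\']+["\'].*-AsPlainText', re.I)),
    ("inline-password-parameter",
     re.compile(r'-(Password|Secret|ApiKey|Token)\s+["\'][^"\']{4,}["\']', re.I)),
    ("basic-auth-header",
     re.compile(r'Basic\s+[A-Za-z0-9+/]{16,}={0,2}')),
    ("aws-access-key-id",
     re.compile(r'\bAKIA[0-9A-Z]{16}\b')),
]

# Constructed "share" contents: path -> script text. Only the values in
# these strings are scanned; nothing here is a real credential.
SAMPLE_SHARE: Dict[str, str] = {
    "share/onboard-admin.ps1": (
        "# constructed sample: provisions an admin on the PAM appliance\n"
        "$pamUser = 'svc-pam-admin'\n"
        "$sec = ConvertTo-SecureString 'Sup3rS3cret!2022' -AsPlainText -Force\n"
        "$cred = New-Object System.Management.Automation.PSCredential($pamUser, $sec)\n"
        "Invoke-RestMethod -Uri 'https://pam.example.internal/api/login' -Credential $cred\n"
    ),
    "share/backup.ps1": (
        "# constructed sample: credential is prompted at runtime, nothing embedded\n"
        "$cred = Get-Credential\n"
        "Invoke-Command -ComputerName fs01 -Credential $cred -ScriptBlock { Get-ChildItem D:\\ }\n"
    ),
    "share/db-report.ps1": (
        "# constructed sample: SQL login pasted in for a scheduled report\n"
        "$dbPassword = \"hunter2222\"\n"
        "Invoke-Sqlcmd -ServerInstance 'sql01' -Username 'report' -Password $dbPassword -Query 'SELECT 1'\n"
    ),
    "share/upload-metrics.ps1": (
        "# constructed sample: cloud key and basic-auth header pasted in\n"
        "$env:AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEKEY000000'\n"
        "$headers = @{ Authorization = 'Basic c3ZjLXVwbG9hZDpodW50ZXIyMjIy' }\n"
        "Invoke-RestMethod -Uri 'https://metrics.example.internal/api' -Headers $headers\n"
    ),
}


def scan_script(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) hit. Comment-only lines are skipped."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for rule_name, pattern in RULES:
            if pattern.search(line):
                findings.append({"path": path, "line": lineno,
                                 "rule": rule_name, "snippet": line.strip()})
    return findings


def scan_share(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan every PowerShell script on a share; `files` maps path -> content."""
    results: List[Dict[str, object]] = []
    for path in sorted(files):
        if path.lower().endswith((".ps1", ".psm1")):
            results.extend(scan_script(path, files[path]))
    return results


if __name__ == "__main__":
    for f in scan_share(SAMPLE_SHARE):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['snippet']}")
```

Run against a real share, the `files` mapping would be built by walking the mount and reading each script; the point of keeping the scanner a pure function of path and text is that the same rules can run in a pre-commit hook, a CI job, or a scheduled sweep of file shares without change. The `backup.ps1` sample shows the pattern the rules are meant to leave alone: a credential obtained at runtime with `Get-Credential` rather than written into the file.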
Pictorial representation of the threat actor's TTPs for compromising Uber
Impact & Mitigation

Impact
Obfuscation of the application code, hindering the usability of the application.
Leaked credentials and access could facilitate multiple account takeovers.
Leaking of sensitive and critical information of the entity.
It would equip malicious actors with the details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
Reputational damage for Uber.

Mitigation
Training of employees against social engineering attacks and techniques.
Implement a strong password policy and enable MFA across logins.
Create specialized users and groups with minimum privileges.
Close unused ports and limit file access.
Patch vulnerable and exploitable endpoints.
Do not share your secrets unencrypted in messaging systems like Slack or WhatsApp.
Monitor for anomalies in user accounts, which could indicate possible account takeovers.
Scan repositories to identify exposed credentials and secrets.
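The pivot described in the analysis, one VPN user reaching many internal hosts in a short time while scanning the intranet, is the kind of account anomaly the monitoring item above points at. The following Python detector is an added example, not CloudSEK's or Uber's code: it keeps a sliding window of destinations per user over connection log lines and raises one alert per user the first time the distinct-destination count crosses a threshold. The log format, field names, addresses and threshold are assumptions, and the log lines are constructed.

```python
"""Flag internal-network fan-out from a single VPN user.

Added example, not from CloudSEK or Uber. A compromised VPN account that
is scanning the intranet touches far more distinct internal hosts in a
few minutes than normal use explains; denied connections count too,
because a scan produces many of them. Log lines are assumed to arrive in
time order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed VPN/firewall connection log in key=value form.
SAMPLE_LOG = """\
2022-09-15T21:00:03Z user=alice src=10.8.0.23 dst=10.1.4.17 dport=443 action=allow
2022-09-15T21:00:45Z user=alice src=10.8.0.23 dst=10.1.4.18 dport=445 action=allow
2022-09-15T21:01:02Z user=bob src=10.8.0.41 dst=10.1.4.17 dport=443 action=allow
2022-09-15T21:01:10Z user=alice src=10.8.0.23 dst=10.1.4.19 dport=445 action=deny
2022-09-15T21:01:11Z user=alice src=10.8.0.23 dst=10.1.4.20 dport=445 action=deny
2022-09-15T21:01:12Z user=alice src=10.8.0.23 dst=10.1.4.21 dport=445 action=allow
2022-09-15T21:01:13Z user=alice src=10.8.0.23 dst=10.1.4.22 dport=445 action=deny
2022-09-15T21:20:00Z user=bob src=10.8.0.41 dst=10.1.4.30 dport=22 action=allow
2022-09-15T21:21:00Z user=bob src=10.8.0.41 dst=10.1.4.31 dport=22 action=allow
"""

WINDOW = timedelta(minutes=5)   # assumed window length
MAX_DISTINCT_HOSTS = 5          # constructed threshold; tune per environment


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split '<timestamp> k=v k=v ...' into a datetime and a field dict."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields


def detect_fanout(log: str, window: timedelta = WINDOW,
                  threshold: int = MAX_DISTINCT_HOSTS) -> List[Dict[str, object]]:
    """Return one alert per user whose distinct destinations inside
    `window` reach `threshold`; later events for that user are not re-alerted."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[Dict[str, object]] = []
    for line in log.strip().splitlines():
        ts, f = parse_line(line)
        user = f["user"]
        q = recent[user]
        q.append((ts, f["dst"]))
        while q and ts - q[0][0] > window:   # evict events older than the window
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "src": f["src"], "at": ts.isoformat(),
                           "distinct_hosts": len(hosts), "hosts": sorted(hosts)})
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_LOG):
        print(f"{a['at']} user={a['user']} src={a['src']} "
              f"reached {a['distinct_hosts']} hosts: {', '.join(a['hosts'])}")
```

In the constructed log, alice reaches five distinct hosts within two minutes and is flagged once; bob touches three hosts spread across twenty minutes and stays under the threshold. The threshold and window are the tuning knobs: set them from a baseline of what legitimate VPN sessions do in the environment, and pair the alert with the VPN session's source so the responder can tie it back to the account whose credentials were phished.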