Uber’s Intranet Compromised Via Social Engineering

CloudSEK DRP discovered a threat actor claiming to have compromised Uber, the American mobility service provider. To demonstrate the legitimacy of the claims, the actor has posted unauthorized messages on the HackerOne page of the company.
Published on September 21, 2022. Updated on April 19, 2023. 5 minute read.
Category: Adversary Intelligence Industry: Business Services Region: Global Source*: C2

Executive Summary

THREAT IMPACT
  • Uber’s Amazon Web Service, Duo, GSuite, and other platforms compromised.
  • Access leaked to the internal network (Intranet) *.uberinternal.
  • Social engineering employed as an initial attack vector.
  • Obfuscation of the application code.
  • Leak of sensitive & critical information.
  • Multiple account takeovers.
  • Equips malicious actors with the details needed to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.

Analysis and Attribution

Information from Open Source

  • On 16 September 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor claiming to have compromised Uber, the American mobility service provider.
  • Uber has confirmed the above claims and responded to the incident by stating that it is in contact with law enforcement agencies.
  • The threat actor was able to compromise an employee's HackerOne account to access vulnerability reports associated with Uber.
  • To demonstrate the legitimacy of the claims, the actor has posted unauthorized messages on the HackerOne page of the company.
  • Moreover, the attacker has also shared several screenshots of Uber's internal environment including their GDrive, VCenter, sales metrics, Slack, and the EDR portal.
Figure: Official tweet by Uber Communications.

Information from the Samples

CloudSEK’s Research team analyzed the sample snapshots shared by the threat actor, which implied access to the following assets:
  • Domain admin
  • Intranet network
  • Amazon Web Service console
  • Google Cloud Platform console
  • VMware vSphere admin
  • GSuite (Workspace) email admin dashboard
  • HackerOne reports and other details
  • Confluence Pages
  • Financial data
  • Multiple code repositories
(For more information refer to the Appendix)

Techniques, Tactics, and Procedures (TTPs)

  • The actor employed social engineering techniques as an initial attack vector to compromise Uber’s infrastructure.
  • After obtaining multiple credentials, the actor used the compromised employee's VPN access to:
    • Pivot and escalate privileges inside the internal network
    • Scan the internal network (Intranet) for further access
  • Subsequently, the actor gained access to the internal network (Intranet) *.corp.uber.com, where the actor found a directory, plausibly named "share", containing numerous PowerShell scripts with admin credentials for the privileged access management system (Thycotic).
  • This gave the actor complete access to multiple services of the entity, such as Uber's Duo, OneLogin, AWS, GSuite Workspace, etc.
Figure: Pictorial representation of the threat actor's TTPs for compromising Uber.

Impact & Mitigation

Impact
  • Obfuscation of the application code, hindering the usability of the application.
  • Leaked credentials and access could facilitate multiple account takeovers.
  • Leaking of sensitive and critical information of the entity.
  • It would equip malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
  • Reputational damage for Uber.

Mitigation
  • Training of employees against social engineering attacks and techniques.
  • Implement a strong password policy and enable MFA across logins.
  • Create specialized users and groups with minimum privileges.
  • Close unused ports and limit file access.
  • Patch vulnerable and exploitable endpoints.
  • Do not share your secrets unencrypted in messaging systems like Slack or WhatsApp.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers.
  • Scan repositories to identify exposed credentials and secrets.
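One way to act on the "scan repositories to identify exposed credentials" mitigation, aimed at the kind of PowerShell scripts with embedded PAM admin credentials described in the TTPs section, as an added example that is not CloudSEK's or Uber's own tooling. The detection rules, the sample script and the placeholder secret values are all constructed for illustration; the rule set will need tuning for a real environment.

```python
import re
from pathlib import Path
from typing import Dict, List

# Indicators of a secret hard-coded in a PowerShell script (constructed rule set).
SECRET_PATTERNS = {
    "plaintext_password_var": re.compile(
        r'\$(?:\w*pass\w*|\w*pwd\w*|\w*secret\w*)\s*=\s*["\'][^"\']{4,}["\']', re.I),
    "convertto_securestring_literal": re.compile(
        r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I),
    "password_parameter_literal": re.compile(
        r'-(?:Password|Pass|Pwd|ApiKey|Token)\s+["\'][^"\']{4,}["\']', re.I),
    "pscredential_literal": re.compile(
        r'PSCredential\s*\(\s*["\'][^"\']+["\']\s*,', re.I),
}

def scan_script(text: str) -> List[Dict[str, object]]:
    """Return one finding per line that matches a hard-coded-credential rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):  # comments are skipped to cut noise
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "rule": name, "text": stripped})
                break  # one finding per line is enough for triage
    return findings

def scan_directory(root: str) -> Dict[str, List[Dict[str, object]]]:
    """Scan every .ps1 under root (for example a mounted file share); findings per file."""
    results = {}
    for path in Path(root).rglob("*.ps1"):
        findings = scan_script(path.read_text(errors="replace"))
        if findings:
            results[str(path)] = findings
    return results

# Constructed sample of a risky script; the secrets are placeholders, not real values.
SAMPLE_SCRIPT = """\
# rotate-service-account.ps1 (constructed example)
$pamUser = "svc_pam_admin"
$pamPass = "Placeholder-Not-A-Real-Secret-1"
$secure = ConvertTo-SecureString "Placeholder-Not-A-Real-Secret-2" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
# Safer pattern: fetch the secret from the vault at run time instead of embedding it.
$vaultSecret = Get-Secret -Name "pam-admin"
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['rule']}: {f['text']}")
```

The sample flags lines 3 and 4 and leaves the vault lookup on line 7 alone, which is the distinction a share-wide sweep needs to make before credentials are rotated and the scripts rewritten.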

Appendix

Figure: Sample screenshot shared by the actor depicting a VSphere VM workstation with *corp.uber.com access.
Figure: Threat actor's message on the company's Slack channel with hashtag "uberunderpaisdrives".
Figure: Threat actor's comment using the HackerOne account.
Figure: The alleged actor revealing the TTP of the attack.
