| Category: Adversary Intelligence | Industry: Business Services | Region: Global | Source*: C2 |
- On 16 September 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor claiming to have compromised Uber, the American mobility service provider.
- Uber has confirmed the above claims and responded to the incident by stating that it is in contact with law enforcement agencies.
- The threat actor was able to compromise an employee's HackerOne account to access vulnerability reports associated with Uber.
- To demonstrate the legitimacy of the claims, the actor has posted unauthorized messages on the HackerOne page of the company.
- The attacker also shared several screenshots of Uber's internal environment, including their GDrive, vCenter, sales metrics, Slack, and the EDR portal.
- Domain admin
- Intranet network
- Amazon Web Service console
- Google Cloud Platform console
- VMware vSphere admin
- GSuite (Workspace) email admin dashboard
- HackerOne reports and other details
- Confluence Pages
- Financial data
- Multiple code repositories
- The actor employed social engineering techniques as an initial attack vector to compromise Uber’s infrastructure.
- After attaining access to multiple credentials, the actor exploited the compromised victim’s VPN access to:
  - Pivot and escalate privileges inside the internal network
  - Scan the internal network (intranet) for access
- Subsequently, the actor gained access to the internal network (intranet) *.corp.uber.com, where the actor reached a directory, plausibly named “share”, that held numerous PowerShell scripts. These scripts contained admin credentials to the privileged access management system (Thycotic).
- This gave the actor complete access to multiple services of the entity, such as Uber’s Duo, OneLogin, AWS, GSuite Workspace, etc.
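
The exposure described above, admin credentials hard-coded in PowerShell scripts on a readable share, is something a defender can search for directly. The scanner below is an added example, not code from CloudSEK or Uber; its rule set, the hypothetical `Connect-Pam` cmdlet and every sample value are constructed for illustration.

```python
import re
from pathlib import Path
# Quoted literal of 4+ chars not starting with "$" (a variable reference is not a hard-coded value).
_LIT = r"""(?P<q>['"])(?P<val>(?!\$)[^'"\r\n]{4,})(?P=q)"""
RULES = [
    ("secret-variable-assignment", re.compile(
        r"\$\w*(?:pass(?:word|wd)?|pwd|secret|token|api_?key)\w*\s*=\s*" + _LIT, re.I)),
    ("plaintext-securestring", re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?" + _LIT + r"[^\r\n]*-AsPlainText", re.I)),
    ("password-parameter", re.compile(r"-(?:password|pass|pwd|secret)\s+" + _LIT, re.I)),
]
EXTENSIONS = {".ps1", ".psm1", ".psd1"}

def redact(value):
    # Keep two characters for triage; the report never carries the full secret.
    return value[:2] + "*" * (len(value) - 2)

def scan_text(text, path="<memory>"):
    """Return (path, line, rule, redacted_value) tuples. Comment lines are scanned too:
    a commented-out credential is still readable by anyone who can open the file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append((path, lineno, rule, redact(m.group("val"))))
                break  # one finding per line is enough for triage
    return findings

def scan_tree(root):
    """Walk a directory (for example a mounted file share) and scan PowerShell files."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in EXTENSIONS:
            raw = p.read_bytes()
            # Scripts saved as UTF-16 carry a BOM; treat everything else as UTF-8.
            enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
            findings += scan_text(raw.decode(enc, errors="replace"), str(p))
    return findings

# Constructed sample script; every name and value below is fake.
SAMPLE = '''\
$pamUser = "svc-admin"
$pamPassword = "Examp1e-Not-Real!"
$sec = ConvertTo-SecureString 'An0ther-Fake-Value' -AsPlainText -Force
$fromVault = ConvertTo-SecureString $env:PAM_SECRET -AsPlainText -Force
# Connect-Pam -User admin -Password "Old-Fake-Secret"
'''
if __name__ == "__main__":
    print(*scan_text(SAMPLE, "sample.ps1"), sep="\n")
```

Point `scan_tree` at a read-only mount of the share; findings name the file, line and rule so the credential can be rotated and moved into the vault rather than left in the script.
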
- *Intelligence source and information reliability - Wikipedia
- #Traffic Light Protocol - Wikipedia
- Source of the attack - Tweet disclosing the attack on Uber