

Originally published by InsiderSecurity on December 9, 2022.

Uber Technologies disclosed it was investigating a cybersecurity incident after reports that hackers had breached the company’s network. An in-depth analysis of the attack reveals how it occurred and ways organizations can prevent similar incidents in the future. Experts at InsiderSecurity dissected the attack and reconstructed the hackers’ progression along Uber’s kill chain, from initial access through discovery and lateral movement to data exfiltration. The security industry, however, is still abuzz following this incident, with experts concerned about how an allegedly 17-year-old attacker hacked Uber’s IT infrastructure and acquired sensitive data. This breach is a reminder that threats are always present and evolving, so we must do our utmost to learn from them and adapt to the ever-changing threat landscape. Therefore, based on the Uber incident details, we provide a list of effective strategies organizations can use to identify and mitigate similar incidents in the future.

The hackers accessed Uber’s IT environment after obtaining the company’s VPN infrastructure credentials. We got this information from Uber’s September 19 security update, which names Lapsus$ as the potential threat actor. “An Uber EXT contractor had their account compromised by an attacker,” reads Uber’s security update. “It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web after the contractor’s device had been infected with malware, exposing those credentials.” It’s important to note that Uber has implemented multifactor access control for its systems. However, according to the update, the attacker successfully logged in after the contractor accepted one of the many two-factor login approval requests the attacker sent. The contractor whose credentials were stolen did not have privileged access to critical systems. Nevertheless, the contractor had access to a network share.

This access is authorized for most internal users. Furthermore, even with such restricted access, the cyber actor located a PowerShell script containing hard-coded privileged credentials for Thycotic, the target’s Privileged Access Management (PAM) solution.

Privilege Escalation and Access to Critical Systems

The PAM user credentials granted access to Uber’s secret services, such as DA, DUO, AWS, GSuite, and Onelogin. The hacker stole the admin credentials needed for elevated permission to different critical systems and tools. This attack is unique and worthy of attention because it shows how credential theft can lead to a breach of multiple systems.
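The repeated two-factor approval requests that preceded the contractor’s login are a pattern a defender can look for in MFA logs. The detector below is an added example, not InsiderSecurity’s or Uber’s code; it assumes a constructed, simplified log line format (timestamp, user, push result) rather than any real MFA vendor’s export, and flags any user who receives at least four push prompts within ten minutes, recording whether the burst ended in an approval.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified format, not a real vendor export): a
# contractor gets a late-night burst of pushes and finally approves one;
# a normal user gets one or two prompts spread over days.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=contractor1 result=denied
2022-09-15T22:01:41Z user=contractor1 result=timeout
2022-09-15T22:02:20Z user=contractor1 result=denied
2022-09-15T22:03:05Z user=contractor1 result=timeout
2022-09-15T22:03:50Z user=contractor1 result=denied
2022-09-15T22:04:33Z user=contractor1 result=approved
2022-09-15T09:12:00Z user=alice result=approved
2022-09-16T08:30:00Z user=alice result=denied
2022-09-16T08:30:40Z user=alice result=approved
"""

def parse(line):
    """Parse one constructed log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user.split("=", 1)[1], result.split("=", 1)[1])

def find_push_fatigue(log_text, min_prompts=4, window=timedelta(minutes=10)):
    """Return {user: (max_prompts_in_window, burst_ended_in_approval)} for
    every user with at least `min_prompts` push prompts inside `window`.
    Unapproved bursts are reported too: the user may approve the next one."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = parse(line)
            by_user[user].append((ts, result))
    findings = {}
    for user, events in by_user.items():
        events.sort()
        start = 0  # left edge of the sliding time window
        for end in range(len(events)):
            # drop events older than `window` relative to the current one
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= min_prompts:
                prev_count, prev_ok = findings.get(user, (0, False))
                findings[user] = (max(prev_count, count),
                                  prev_ok or events[end][1] == "approved")
    return findings

if __name__ == "__main__":
    for user, (count, approved) in find_push_fatigue(SAMPLE_LOG).items():
        print(f"ALERT {user}: {count} prompts in 10 min, approved={approved}")
```

A burst that ends in an approval outside business hours, as in the sample, is the case to escalate first; tune `min_prompts` and `window` to the organization’s normal prompt rate.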
