Uber’s Intranet Compromised Via Social Engineering

CloudSEK DRP discovered a threat actor claiming to have compromised Uber, the American mobility service provider. To demonstrate the legitimacy of the claims, the actor has posted unauthorized messages on the HackerOne page of the company.

Updated on

April 19, 2023

Published on

September 21, 2022

Read MINUTES

Subscribe to the latest industry news, threats and resources.

Table of Contents

This is also a heading
This is a heading

Category: Adversary Intelligence	Industry: Business Services	Region: Global	Source*: C2

Executive Summary

THREAT	IMPACT
Uber’s Amazon Web Service, Duo, GSuite, and other platforms compromised. Access leaked to the internal network(Intranet) *.uberinternal. Social engineering employed as an initial attack vector.	Obfuscation of the application code. Leak of sensitive & critical information. Multiple account takeovers. Equip malicious actors with details to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.

Analysis and Attribution

Information from Open Source

On 16 September 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor claiming to have compromised Uber, the American mobility service provider.
Uber has confirmed the above claims and responded to the incident by stating that it is in contact with law enforcement agencies.
The threat actor was able to compromise an employee's HackerOne account to access vulnerability reports associated with Uber.
To demonstrate the legitimacy of the claims, the actor has posted unauthorized messages on the HackerOne page of the company.
Moreover, the attacker has also shared several screenshots of Uber's internal environment including their GDrive, VCenter, sales metrics, Slack, and the EDR portal.

[caption id="attachment_20615" align="alignnone" width="828"]

Official Tweet by the Uber Communication[/caption]

Information from the Samples

CloudSEK’s Research team analyzed the sample snapshots shared by the threat actor, which implied access to the following assets:

Domain admin
Intranet network
Amazon Web Service console
Google Cloud Platform console
VMware vSphere admin
GSuite (Workspace) email admin dashboard
HackerOne reports and other details
Confluence Pages
Financial data
Multiple code repositories

(For more information refer to the Appendix)

Techniques, Tactics, and Procedures (TTPs)

The actor employed social engineering techniques as an initial attack vector to compromise Uber’s infrastructure.
After attaining access to multiple credentials, the actor exploited the compromised victim’s VPN access to:
- Pivot and escalate privileges inside the internal network
- Scan the internal network(Intranet) for access
Subsequently, the actor gained access to an internal network(Intranet) *.corp.uber.com where the actor got access to a directory, plausibly with a name “share”, which provided the actor with numerous PowerShell scripts that contained admin credentials to the privilege access management system (Thycotic).
This enabled the actor with complete access to multiple services of the entity such as Uber’s Duo, OneLogin, AWS, Gsuite Workspace, etc.

[caption id="attachment_20616" align="alignnone" width="789"]

Pictorial Representation of threat actor’s TTPs for compromising Uber[/caption]

Impact & Mitigation

Impact

Mitigation

Obfuscation of the application code, hindering the usability of the application.
Leaked credentials and access could facilitate multiple account takeovers.
Leaking of sensitive and critical information of the entity.
It would equip malicious actors with details required to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
Reputational damage for Uber.

Training of employees against social engineering attacks and techniques.
Implement a strong password policy and enable MFA across logins.
Create specialized users and groups with minimum privileges.
Close unused ports and limit file access.
Patch vulnerable and exploitable endpoints.
Do not share your secrets unencrypted in messaging systems like Slack or WhatsApp.
Monitor for anomalies in user accounts, which could indicate possible account takeovers.
Scan repositories to identify exposed credentials and secrets.

References

Appendix

[caption id="attachment_20617" align="alignnone" width="1280"]

Sample screenshot shared by the actor depicting VSphere VM workstation with *corp.uber.com access[/caption] [caption id="attachment_20618" align="alignnone" width="1294"]

Threat actor’s message on the company's Slack Channel with hashtag “uberunderpaisdrives”[/caption] [caption id="attachment_20619" align="alignnone" width="1383"]

Threat actor’s comment using the HackerOne account.[/caption] [caption id="attachment_20620" align="alignnone" width="739"]

The alleged actor revealing the TTP of the attack[/caption]

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Table of Contents

This is also a heading
This is a heading

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action

November 15, 2023

CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks

November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.

Schedule a Demo

Real time Threat Intelligence Data

More information and context about Underground Chatter

On-Demand Research Services

Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.

Trusted by 400+ Top organisations

Get started

Learn more