- Uber’s Amazon Web Service, Duo, GSuite, and other platforms compromised.
- Access leaked to the internal network (Intranet) *.uberinternal.
- Social engineering employed as an initial attack vector.
- Obfuscation of the application code.
- Leak of sensitive & critical information.
- Multiple account takeovers.
- Equips malicious actors with the details needed to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
Analysis and Attribution
Information from Open Source
- On 16 September 2022, CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor claiming to have compromised Uber, the American mobility service provider.
- Uber has confirmed the above claims and responded to the incident by stating that it is in contact with law enforcement agencies.
- The threat actor was able to compromise an employee's HackerOne account to access vulnerability reports associated with Uber.
- To demonstrate the legitimacy of the claims, the actor has posted unauthorized messages on the HackerOne page of the company.
- The attacker has also shared several screenshots of Uber's internal environment, including their GDrive, vCenter, sales metrics, Slack, and the EDR portal.
Figure: Official tweet by Uber Communications
Information from the Samples
CloudSEK’s Research team analyzed the sample snapshots shared by the threat actor, which implied access to the following assets:
- Domain admin
- Intranet network
- Amazon Web Service console
- Google Cloud Platform console
- VMware vSphere admin
- GSuite (Workspace) email admin dashboard
- HackerOne reports and other details
- Confluence Pages
- Financial data
- Multiple code repositories
(For more information, refer to the Appendix.)
Techniques, Tactics, and Procedures (TTPs)
- The actor employed social engineering techniques as an initial attack vector to compromise Uber’s infrastructure.
- After obtaining multiple credentials, the actor used the compromised employee's VPN access to:
  - Pivot and escalate privileges inside the internal network
  - Scan the internal network (Intranet) for further access
- The actor then reached the internal network (Intranet) *.corp.uber.com, where they found a directory, plausibly named "share", containing numerous PowerShell scripts. These scripts held admin credentials for the privileged access management (PAM) system (Thycotic).
- Those credentials gave the actor complete access to multiple Uber services, such as Duo, OneLogin, AWS, GSuite (Workspace), etc.
Figure: Pictorial representation of the threat actor's TTPs for compromising Uber
Impact & Mitigation
Impact
- Obfuscation of the application code, hindering the usability of the application.
- Leaked credentials and access could facilitate multiple account takeovers.
- Leaking of sensitive and critical information of the entity.
- Equips malicious actors with the details needed to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence.
- Reputational damage for Uber.
Mitigation
- Train employees to recognize social engineering attacks and techniques.
- Implement a strong password policy and enable MFA across logins.
- Create specialized users and groups with minimum privileges.
- Close unused ports and limit file access.
- Patch vulnerable and exploitable endpoints.
- Do not share your secrets unencrypted in messaging systems like Slack or WhatsApp.
- Monitor for anomalies in user accounts, which could indicate possible account takeovers.
- Scan repositories to identify exposed credentials and secrets.
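The TTPs above turn on a file share full of PowerShell scripts with embedded PAM admin credentials, and the last mitigation is to scan for exactly that. Below is an added example (written for this page, not CloudSEK's or Uber's tooling) that walks a directory of .ps1/.psm1 files, flags the usual hardcoded-credential patterns, and redacts quoted literals so the report itself does not re-leak the secret. The sample script, the host pam.example.invalid and the "svc-pam-admin" account are all constructed.

```python
import re
import tempfile
from pathlib import Path

# Regexes for the ways credentials usually end up hardcoded in PowerShell (.ps1/.psm1).
PATTERNS = {
    "plaintext_password_var": re.compile(r"\$(?:\w*pass(?:word)?\w*|pwd)\s*=\s*['\"][^'\"]+['\"]", re.I),
    "securestring_from_literal": re.compile(r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText", re.I),
    "pscredential_literal": re.compile(r"PSCredential\s*\(?\s*['\"][^'\"]+['\"]\s*,", re.I),
    "basic_auth_in_url": re.compile(r"https?://[^/\s:@]+:[^@\s'\"]+@", re.I),
    "api_key_assignment": re.compile(r"\$\w*(?:token|apikey|api_key|secret)\w*\s*=\s*['\"][^'\"]{8,}['\"]", re.I),
}
QUOTED = re.compile(r"['\"][^'\"]*['\"]")  # used to redact literals in the report snippet

def scan_text(text, name="<inline>"):
    """Return one finding per (line, pattern) hit; quoted literals are replaced by "***"."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                snippet = QUOTED.sub('"***"', line.strip())[:80]
                findings.append({"file": name, "line": lineno, "kind": kind, "snippet": snippet})
    return findings

def scan_share(root):
    """Walk a share (or repo checkout) and scan every PowerShell script in it."""
    results = []
    for path in Path(root).rglob("*.ps*1"):
        try:
            results.extend(scan_text(path.read_text(errors="replace"), str(path)))
        except OSError:  # unreadable file: skip it, keep scanning
            pass
    return results

SAMPLE_PS1 = r'''# Constructed sample of a leaky admin script; pam.example.invalid is a placeholder host
$pamUser = "svc-pam-admin"
$pamPassword = "Sup3rS3cret!"
$sec = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("svc-pam-admin", $sec)
$uri = "https://svc-pam-admin:Sup3rS3cret!@pam.example.invalid/SecretServer/api/v1"
# Safer pattern: obtain the credential at run time instead of embedding it
$safe = Get-Credential
'''

def demo():
    """Drop the constructed sample on a throw-away 'share' directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share"
        share.mkdir()
        (share / "Reset-PamAdmin.ps1").write_text(SAMPLE_PS1)
        return scan_share(share)
```

Running `demo()` reports four findings (lines 3 to 6 of the sample) and none for the `Get-Credential` line; pointing `scan_share()` at a mounted share or a repository checkout applies the same check to real content.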
Figure: Sample screenshot shared by the actor depicting a vSphere VM workstation with *.corp.uber.com access
Figure: Threat actor's message on the company's Slack channel with the hashtag "uberunderpaisdrives"
Figure: Threat actor's comment using the HackerOne account
Figure: The alleged actor revealing the TTPs of the attack