In September 2022, a mysterious message was sent to Uber employees on their internal Slack channel:
"I announce I'm a hacker and Uber has suffered a data breach," it read.
Next, the hacker posted chilling screenshots of their admin access to Uber's critical services, including AWS, EDR, G Suite, and Slack. Almost every key platform had been compromised.
Who was this intruder? How did they get access to almost everything?
Attack Flow:
Attacker purchases stolen credentials of an Uber employee (contractor) on the dark web > Attempts to log in, but MFA blocks it.
Attacker keeps repeatedly triggering MFA > Uber employee is flooded with MFA push notifications > User gets fatigued but still doesn't approve.
Attacker contacts the employee via WhatsApp, poses as the Uber IT team, and convinces them to accept the MFA prompt > Employee approves > Attacker now has access to Uber's VPN!
Attacker searches Uber's internal network shares > Finds PowerShell scripts containing admin credentials for Uber's PAM > Using these, the attacker extracts secrets for all services.
Using these credentials, the attacker gains access to multiple critical Uber platforms: Slack admin, G Suite admin, EDR admin, AWS admin.
Attacker announces the breach on Uber's Slack channel!
Key Lessons:
The art of hacking is the art of never giving up. The attacker tried the stolen creds and MFA blocked it. The attacker tried MFA bombing and the user blocked it. The attacker tried social engineering the user and it worked! This thought process of improvising continuously, taking new paths as obstacles arise and never giving up is the core of the 'hacker mindset'.
Push notification-based MFA is susceptible to the social engineering attack played out in this incident. After this, the industry started to switch to more secure options such as number-matching MFA and phishing-resistant credentials.
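The MFA-bombing step of the attack flow is detectable from the identity provider's logs before the user gives in: a burst of push prompts to one account, then an approval while the burst is still active. The script below is an added example for this post, not Uber's tooling or any vendor's product; the log line format is a constructed assumption, so parse_line() must be adapted to the real export of whichever IdP is in use.

```python
"""Detect MFA push-bombing (MFA fatigue) in authentication logs.

Added example for this post, not Uber's own tooling. The line format below
is a constructed assumption; adapt parse_line() to your IdP's real export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> user=<login> event=<name> src=<ip>"
# The contractor01 sequence mirrors the post: repeated pushes, then an approval.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T22:01:40Z user=contractor01 event=mfa_push_denied src=203.0.113.7
2022-09-15T22:02:10Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T22:02:50Z user=contractor01 event=mfa_push_denied src=203.0.113.7
2022-09-15T22:03:15Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T22:04:02Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T22:05:30Z user=contractor01 event=mfa_push_sent src=203.0.113.7
2022-09-15T22:06:11Z user=contractor01 event=mfa_push_approved src=203.0.113.7
2022-09-15T22:07:00Z user=alice event=mfa_push_sent src=198.51.100.4
2022-09-15T22:07:20Z user=alice event=mfa_push_approved src=198.51.100.4
"""

PUSH_THRESHOLD = 4            # pushes to one user inside WINDOW count as a flood
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return alerts in log order.

    medium: a user received `threshold` or more pushes within `window`.
    high:   a push was approved while such a flood was still active,
            which is the pattern that got the attacker onto the VPN.
    """
    recent = defaultdict(deque)   # user -> timestamps of pushes in the window
    flooded = set()               # users already alerted for the current flood
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        q = recent[user]
        while q and ts - q[0] > window:     # drop pushes older than the window
            q.popleft()
        if len(q) < threshold:
            flooded.discard(user)           # flood has subsided; allow re-alert
        if event == "mfa_push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in flooded:
                flooded.add(user)
                alerts.append({"user": user, "severity": "medium", "ts": ts,
                               "reason": f"{len(q)} MFA pushes within {window}"})
        elif event == "mfa_push_approved" and len(q) >= threshold:
            alerts.append({"user": user, "severity": "high", "ts": ts,
                           "src": rec["src"],
                           "reason": "push approved during an active flood"})
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(a["ts"], a["severity"].upper(), a["user"], a["reason"])
```

The medium alert is the point at which a SOC can call the user and an admin can pause the account; the high alert is the one that should force a session revocation and a VPN review, because the approval came after a flood rather than from a single, expected prompt. Denied prompts are deliberately not counted: the flood is defined by what the attacker sends, not by how the user reacts.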
Uber had a Privileged Access Management (PAM) solution. But the creds to that PAM were hard-coded in a PowerShell script left on a network share. This is like locking your house and leaving the key under the door mat. Never leave "the key to your keys" in the open.
Think about this: you own the network. You own the assets. Yet someone else was able to find hard-coded credentials in your network. If an external attacker can find them, then with the knowledge you have of your own network you should be able to detect and remove them faster and better. Scan your networks for creds before attackers do.
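A minimal version of that scan, as an added example for this post (not Uber's tooling): walk a share, look at script and config files, and flag lines that match common hard-coded-credential patterns such as a plaintext ConvertTo-SecureString, a password assignment, an AWS access key ID, or a connection string with a password. File names, the sample script and the rule set are constructed assumptions; the AWS key shown is the documented example key ID, not a live one.

```python
"""Scan scripts on a file share for hard-coded credentials.

Added example for this post, not Uber's tooling. The regexes are a starting
set of common PowerShell and cloud-key patterns; tune them for your estate.
"""
import re
import sys
from pathlib import Path

# Each rule: (name, compiled regex). Chosen for high signal in PowerShell,
# shell and config files; extend with your own vault's token formats.
RULES = [
    ("plaintext_securestring",
     re.compile(r"ConvertTo-SecureString\s+(['\"]).+?\1\s+-AsPlainText", re.I)),
    ("password_assignment",
     re.compile(r"\$?\w*(pass|pwd|secret)\w*\s*[=:]\s*['\"][^'\"]{4,}['\"]", re.I)),
    ("password_parameter",
     re.compile(r"-(Password|Secret|ApiKey|Token)\s+['\"][^'\"]{4,}['\"]", re.I)),
    ("connection_string_password",
     re.compile(r"(Password|Pwd)=[^;'\"\s]{4,}", re.I)),
    ("aws_access_key_id",
     re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
]
SCRIPT_SUFFIXES = {".ps1", ".psm1", ".bat", ".cmd", ".sh", ".py",
                   ".txt", ".cfg", ".config", ".xml", ".json"}


def redact(line):
    """Mask quoted or '='-assigned values so the report itself leaks nothing."""
    return re.sub(r"(['\"=:])[^'\"=:;\s]{4,}", r"\1******", line)


def scan_text(text, path="<inline>"):
    """Return one finding per (line, rule) hit, with the secret value masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append({"path": str(path), "line": lineno, "rule": name,
                                 "snippet": redact(line.strip())})
    return findings


def scan_directory(root):
    """Recursively scan every script/config file under root (e.g. a mounted share)."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES:
            try:
                text = p.read_text(errors="replace")
            except OSError:
                continue                      # unreadable file: skip, keep going
            findings.extend(scan_text(text, p))
    return findings


# Constructed sample resembling the kind of script the post describes.
SAMPLE_PS1 = r"""
# deploy-helper.ps1 (constructed sample, not a real Uber file)
$pamUser = "svc-pam-admin"
$pamPass = "Winter2022!"                       # hard-coded password
$sec = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $sec)
Invoke-RestMethod -Uri $env:PAM_URL -Credential $cred
$aws = "AKIAIOSFODNN7EXAMPLE"                  # AWS docs' example key id
$cs = "Server=db;Database=app;User Id=app;Password=s3cr3tValue;"
Write-Host "done"
"""

if __name__ == "__main__":
    # Usage: python scan_creds.py /mnt/share   (defaults to the sample above)
    hits = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE_PS1, "sample.ps1")
    for h in hits:
        print(f"{h['path']}:{h['line']} [{h['rule']}] {h['snippet']}")
```

Run against a mounted share it reports file, line and rule with the value masked, which is the shape a finding needs to be in to go into a ticket. Every hit should end in a rotation of the credential and a move of the script to a vault-backed lookup; rewriting the line without rotating the secret leaves the old value valid for anyone who already copied the file.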
Using stolen admin creds, the attacker logged into Uber's sensitive services (AWS, EDR, G Suite, Slack). The hacker also allegedly accessed Uber's bug bounty reports, which often contain un-remediated security vulnerability reports. No matter what credentials get leaked, nobody should be able to get this level of access. For admins, enforce 1) additional MFA controls, 2) JIT (just-in-time) authentication, 3) Privileged Access Workstations (PAWs), 4) conditional access policies, and 5) heightened monitoring for those accounts.
All of this started because the attacker simply purchased employee creds on the dark web. These are sometimes sold for less than $10 per set of credentials. Implement dark web monitoring so you can act on compromised credentials.
The hacker was allegedly a 17-year-old who chose to announce the breach triumphantly rather than cause more damage. Which makes one ponder: if a random 17-year-old could create this mayhem, what could nation-state actors, backed by substantial resources and power, accomplish?