The Uber Hack Explained


By Michael Hawkins
Posted in Security
On September 29, 2022

In recent days, it has been widely reported that Uber suffered a significant intrusion into their network. While the extent of the damage is unknown, we do know about the sequence of events that allowed the breach to be successful. Below is a discussion of some of the known facts along with our own commentary on the situation. Most importantly, we provide lessons for others to break the chain of events, which can help businesses to avoid these types of attacks.

1st Link: An Uber employee configured an application to connect to the Uber privileged account manager (PAM) using a privileged service account. Those credentials had administrative level privilege (probably an "administrator" account). The hacker, now inside Uber’s network, found those credentials.

Lesson: Do not use privileged accounts when user accounts (with the minimum required permissions) are sufficient.

2nd Link: The privileged credentials were stored in clear text in a PowerShell script.

Lesson: Do not save credentials (or hashes) in scripts or files. Do not leave scripts and files lying around on systems. Ask yourself whether they should be there in the first place, and then answer with an emphatic "NO".
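To make the 2nd link concrete, here is an added example (not Uber's script and not the author's code) that scans PowerShell text for hard-coded credentials. It embeds two constructed scripts: the weak form with the password in the file, and the same connector reading the secret from a vault at run time. The `Connect-Pam` cmdlet and the vault name `CorpVault` are assumptions; `Get-Secret` is the SecretManagement cmdlet. The regex rules are intentionally narrow, so treat them as a starting point for a repository or file-share sweep rather than a complete detector.

```python
import re
from pathlib import Path

# Constructed sample (not Uber's script): a PowerShell connector with the password
# hard-coded in the file, the weak form described in the 2nd link.
# Connect-Pam is a hypothetical cmdlet standing in for the real PAM client.
BAD_SCRIPT = """\
# connect-pam.ps1
$pamUser = "svc_pam_admin"
$pamPass = "Sup3rSecret!2022"
$secure = ConvertTo-SecureString $pamPass -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Connect-Pam -Credential $cred
"""

# Constructed sample: the same connector pulling the secret from a vault at run time.
# Get-Secret is the SecretManagement cmdlet; the vault name is an assumption.
GOOD_SCRIPT = """\
# connect-pam.ps1
$pamUser = "svc_pam_admin"
$secure = Get-Secret -Name "pam-service-account" -Vault "CorpVault"
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Connect-Pam -Credential $cred
"""

# Each rule: (description, regex). Kept deliberately narrow to limit false positives.
RULES = [
    ("string literal assigned to a password-like variable",
     re.compile(r'\$\w*(?:pass|pwd|secret|token|apikey)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    ("plain-text value converted with ConvertTo-SecureString -AsPlainText",
     re.compile(r'ConvertTo-SecureString\s+(?:["\'][^"\']+["\']|\$\w+)\s+-AsPlainText', re.I)),
    ("string literal passed to a -Password/-Secret parameter",
     re.compile(r'(?<!\w)-(?:Password|Pass|Secret)\s+["\'][^"\']+["\']', re.I)),
]


def scan_script(text):
    """Return one (line_number, description, line) tuple per suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for description, rx in RULES:
            if rx.search(line):
                findings.append((lineno, description, line.strip()))
                break  # the first matching rule is enough for one line
    return findings


def scan_tree(root, suffixes=(".ps1", ".psm1", ".bat", ".cmd")):
    """Walk a directory (a repo checkout or a mounted file share) and report per file."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_script(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    for name, script in (("bad", BAD_SCRIPT), ("good", GOOD_SCRIPT)):
        hits = scan_script(script)
        print(f"{name}: {len(hits)} finding(s)")
        for lineno, desc, line in hits:
            print(f"  line {lineno}: {desc}: {line}")
```

Run against the two samples, the weak script produces findings on lines 3 and 4 (the literal assignment and the `-AsPlainText` conversion) and the vault-backed script produces none. Point `scan_tree` at a share where operations scripts accumulate; the page's lesson is that anything it finds should be rotated first and deleted second.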

3rd Link: Multiple SaaS and cloud services were compromised because the same privileged account was used to access AD, DUO, OneLogin, AWS, G Suite, and the Uber PAM itself.

Lesson: Do not use the same account for multiple services. Create a new account for each service connection. Use strong passwords (32 characters or more). When creating service accounts, use a name built from randomized first and last name combinations (or follow your own user naming convention) so the account name is camouflaged as a normal username (yes, camouflage is security through obscurity, but it does slow the hackers down). Always use a credentials vault for storage.
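Here is an added example (not part of the original post) that turns the 3rd-link lesson into two checks an IT team can run: it flags any account bound to more than one service in a constructed inventory, and it provisions a distinct camouflaged account name plus a 32-character password per service using Python's CSPRNG. The inventory, the name pools and the account names are constructed; nothing here is Uber's real configuration.

```python
import secrets
import string
from collections import defaultdict

# Constructed inventory (not Uber's real configuration): which account each
# integration authenticates with. One account serving six services is the 3rd link.
SERVICE_ACCOUNTS = {
    "AD": "svc_pam_admin",
    "DUO": "svc_pam_admin",
    "OneLogin": "svc_pam_admin",
    "AWS": "svc_pam_admin",
    "G Suite": "svc_pam_admin",
    "PAM": "svc_pam_admin",
    "Backup": "svc_backup_01",
}

# Constructed name pools for camouflaged service-account names.
FIRST_NAMES = ["maya", "jonas", "priya", "tomas", "elena", "kwame"]
LAST_NAMES = ["rivera", "lindqvist", "okafor", "nakamura", "brennan", "sato"]

# Characters drawn for passwords; secrets (a CSPRNG) is used rather than random.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"
MIN_LENGTH = 32


def find_shared_accounts(inventory):
    """Return {account: [services]} for every account bound to more than one service."""
    by_account = defaultdict(list)
    for service, account in inventory.items():
        by_account[account].append(service)
    return {acct: sorted(svcs) for acct, svcs in by_account.items() if len(svcs) > 1}


def camouflaged_username(taken=()):
    """Pick a first.last pair that looks like a user name and is not already taken."""
    while True:
        name = f"{secrets.choice(FIRST_NAMES)}.{secrets.choice(LAST_NAMES)}"
        if name not in taken:
            return name


def strong_password(length=MIN_LENGTH):
    """Generate a password of at least MIN_LENGTH characters drawn from ALPHABET."""
    if length < MIN_LENGTH:
        raise ValueError(f"policy requires at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision_per_service(inventory):
    """One distinct account and password per service. In practice the password is
    written straight into the credentials vault, never into a script or file."""
    plan, used = {}, set()
    for service in inventory:
        name = camouflaged_username(taken=used)
        used.add(name)
        plan[service] = {"account": name, "password": strong_password()}
    return plan


if __name__ == "__main__":
    for account, services in find_shared_accounts(SERVICE_ACCOUNTS).items():
        print(f"{account} is shared by {len(services)} services: {', '.join(services)}")
    for service, creds in provision_per_service(SERVICE_ACCOUNTS).items():
        print(f"{service}: {creds['account']} (password length {len(creds['password'])})")
```

The reuse check is the part worth scheduling: run it over whatever inventory your integrations are recorded in, and a single account appearing under several services is the condition that let one credential unlock AD, DUO, OneLogin, AWS, G Suite and the PAM at once.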

4th Link: The hacker then targeted another Uber employee and illicitly obtained their credentials (maybe dark web, maybe somewhere else). The targeted Uber employee then received many, many unsolicited MFA requests on their cell phone and eventually caved in and clicked "accept". This action gave the hacker the last link in the chain required to make first entry into the Uber network.

Lesson: Do not click on repeated MFA requests for authorization. In general, do not give up credentials to anyone or anything that you cannot completely trust. Trust no one.
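The 4th link is detectable on the identity provider side, not only preventable by the user. Below is an added example (not from the original post and not any vendor's code) of a sliding-window detector run over a constructed MFA push log: it raises an alert once a user has received a burst of prompts, and a second, higher-priority alert if a prompt is approved while that burst is still open. The log format and the user names are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MFA push log (not real Uber telemetry): "<timestamp> <user> <result>".
# alice receives six prompts in three minutes and finally approves one; bob is normal use.
SAMPLE_LOG = """\
2022-09-15T02:10:04Z alice timeout
2022-09-15T02:10:41Z alice denied
2022-09-15T02:11:15Z alice timeout
2022-09-15T02:11:52Z alice denied
2022-09-15T02:12:30Z alice timeout
2022-09-15T02:13:08Z alice approved
2022-09-15T08:30:00Z bob approved
2022-09-15T13:05:12Z bob denied
2022-09-15T17:45:30Z bob approved
"""


def parse_log(text):
    """Parse the constructed format into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window detector.

    Emits 'mfa_fatigue_burst' the moment a user has received `threshold` prompts
    inside `window`, and 'approval_after_burst' if a prompt is then approved while
    the burst is still open: that approval is the event the SOC should act on.
    """
    recent = defaultdict(deque)   # user -> timestamps of prompts inside the window
    burst_open = set()            # users currently inside a flagged burst
    alerts = []
    for ts, user, result in sorted(events):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            if user not in burst_open:
                burst_open.add(user)
                alerts.append({"kind": "mfa_fatigue_burst", "user": user,
                               "time": ts, "prompts": len(q)})
            if result == "approved":
                alerts.append({"kind": "approval_after_burst", "user": user,
                               "time": ts, "prompts": len(q)})
                burst_open.discard(user)
        else:
            burst_open.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, alice trips the burst alert at the fifth prompt and the approval alert at the sixth, while bob's three widely spaced prompts produce nothing. The threshold and window are tunable; the value of the second alert is that it isolates the one event that actually completed the chain, so responders can revoke that session rather than sift through the whole burst.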

Irony: It is particularly ironic that the privileged account that was used to broadly hack Uber’s services was an account created and intended to be used with the Uber PAM, which is itself a privileged account management system. So, the very security control (PAM) that was intended to control privileged access within Uber was itself a closely involved participant in the compromise of data and privileged accounts at Uber. Oh, the irony.

Final Lesson: Improve your security controls, your employees' cybersecurity behaviors, and your IT staff's practices. Ensure that cybersecurity policies are comprehensive and current, and carry them through into standards, guidelines, and job aids. Then hold everyone accountable to them.

Michael Hawkins


Michael is a creative, results-driven expert in the design and implementation of cost-effective secure technology solutions. Michael's criteria for success are high-performance, highly reliable, and highly secure networks and systems. Michael's extensive experience includes working with highly complex security and networking solutions in large and small environments across many industries.