Besides an initial infiltration through the supply chain, multifactor authentication failures and exposed hard-coded PAM admin credentials were glaring oversights

After post mortem, the 15 September cybersecurity incident at Uber Technologies featured several interesting elements that cybersecurity professionals can be aware of to prevent similar attacks in the future.

The named attacker, called “Tea Pot” was affiliated with the Lapsus$ hacking group that had even breached other big name organizations such as Samsung and Microsoft. Investigations point to a supply chain attack beginning with an external contractor which had already suffered a breach and had stolen data being sold on the Dark Web.

According to Budiman Tsjin, Solutions Engineering Manager (ASEAN), CyberArk, while much of the analysis so far had focused on the human element (social engineering and multi-factor authentication fatigue), what happened post-initial access is the key here.

Key breach characteristics
The contractor whose account was hacked probably did not have elevated or unique access rights to critical resources, but the firm did have access to a network share, just like other Uber employees.

Within the network share, the attacker had located a PowerShell script with hard-coded privileged credentials for Uber’s Privileged Access Management (PAM) solution. The attacker then stole the PAM solution’s hard-coded admin credentials.

With those credentials, the attacker had ultimately obtained “elevated permissions to a number of tools,” according to Uber. This was when the attacker “downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices.” 

Learning points

To prevent similar attacks, organizations need to take note of the following:

    • Get rid of any embedded credentials. Focus on securing these vital credentials and secrets before extending the best practices across other data and information
    • After IT and security teams have developed a strategy for dealing with hard-coded credentials, consider taking the following additional measures to strengthen defenses:
        • Preventing credential theft: Attackers are getting better at circumventing MFA security by using a wide range of vectors and methods. In fact, the Uber breach had multiple MFA compromises. Staff members are the gatekeepers of data. Thus it is essential to train them to recognize and report phishing to avoid identity theft.
        • Adopt the principle of least privilege and ensure workers and external contractors have the least number of permissions necessary to perform their responsibilities. Access to privileged accounts for administrators should only be granted when it is necessary with a time limit. All privileged account access needs to be separated and validated. As identity compromise through credential theft is one of the most common initial attack vectors today, organizations should also adopt endpoint security tools to limit such attacks (i.e., stealing of browser passwords, session cookies, etc.)
    • The incident demonstrates a scenario where an attacker obtains the key that safeguards all other keys. To eliminate this risk, employ both proactive and reactive control measures to make sure other systems are in place to detect and stop threats even if multifactor authentication is compromised.
    • Limit attacker lateral movement. Organizations should remove intruders’ standing access to sensitive infrastructure and online or cloud interfaces after gaining entry. Just-in-time elevation of privileges can significantly minimize the access of any compromised identity, especially when combined with robust authentication.

By incorporating robust, layered cybersecurity defenses that are supported by trained staff that can recognise potential sources of danger, organizations will be able to limit attackers’ success and also resume secure operations as soon as possible.