Uber Hack: It’s the Simple Things That Kill Your Security
In Uber’s latest update on its recent hack, the ride-sharing company blamed the Lapsus$ hacking group for its security fiasco. Lapsus$, Uber added, has also breached Microsoft, Cisco, Samsung, Nvidia, and Okta. In the same week, the group also breached video game maker Rockstar Games. That sounds really big and scary, doesn’t it? Well, the attack’s results were ugly, but it’s the way it was done that stands out. It was the kind of simple-minded attack that a script-kiddie teenager could pull off. And, oh, what’s this? The attacker turned out to be an 18-year-old going by the moniker “Tea Pot.”
And how did Tea Pot pull it off? By buying a contractor’s ID and password off the dark web. The real hacking tool used here? About 1/20th of a Bitcoin, roughly a grand in real money, for access to a business account.
The original compromise appears to have happened when the contractor was tricked by a phishing attack into giving up his user ID and password. Still, since his Uber account was protected by multifactor authentication (MFA), it should have been OK.
Right? Right!? Wrong.
The attacker kept trying to log in, and every attempt pushed another MFA approval request to the contractor. Eventually, the contractor accepted one, and the attacker was in. This is now a standard trick, usually called MFA fatigue or push bombing. People, come on! If you get an MFA prompt for a login you didn’t start, you don’t approve it, and you report it.
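The failure mode above, prompts repeated until one gets approved, leaves a recognisable trace in authentication logs, so it can be alerted on rather than left to the user alone. Here is an added example of how to flag it; it is not Uber’s code or detection logic. It is a Python script that reads a constructed JSON-lines log of push events and raises an alert when an approval follows a burst of prompts the same user denied or let time out. The log format, field names, user names, window and threshold are all assumptions made for the example.

```python
"""Flag MFA push fatigue: an approval that follows a burst of prompts the
user denied or let time out.

Added example, not Uber's detection logic. The log format and the sample
lines are constructed for this example (fields: ts, user, event, src_ip).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # how far back to count rejected prompts
THRESHOLD = 3                    # rejected prompts before an approval that we flag
REJECTED = {"push_denied", "push_timeout"}

# Constructed sample: bob rejected two prompts almost an hour earlier and then
# logged in normally; alice approved a single prompt; contractor1 rejected four
# prompts in four minutes and then approved the fifth.
SAMPLE_LOG = """\
{"ts": "2022-09-15T21:40:00Z", "user": "bob", "event": "push_sent", "src_ip": "198.51.100.4"}
{"ts": "2022-09-15T21:40:30Z", "user": "bob", "event": "push_denied", "src_ip": "198.51.100.4"}
{"ts": "2022-09-15T21:41:00Z", "user": "bob", "event": "push_sent", "src_ip": "198.51.100.4"}
{"ts": "2022-09-15T21:41:30Z", "user": "bob", "event": "push_denied", "src_ip": "198.51.100.4"}
{"ts": "2022-09-15T22:01:10Z", "user": "contractor1", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:01:40Z", "user": "contractor1", "event": "push_denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:02:05Z", "user": "contractor1", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:02:35Z", "user": "contractor1", "event": "push_denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:03:00Z", "user": "contractor1", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:03:30Z", "user": "contractor1", "event": "push_timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:03:45Z", "user": "contractor1", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:04:15Z", "user": "contractor1", "event": "push_denied", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:05:00Z", "user": "contractor1", "event": "push_sent", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:05:20Z", "user": "contractor1", "event": "push_approved", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:10:00Z", "user": "alice", "event": "push_sent", "src_ip": "192.0.2.10"}
{"ts": "2022-09-15T22:10:08Z", "user": "alice", "event": "push_approved", "src_ip": "192.0.2.10"}
{"ts": "2022-09-15T22:30:00Z", "user": "bob", "event": "push_sent", "src_ip": "198.51.100.4"}
{"ts": "2022-09-15T22:30:10Z", "user": "bob", "event": "push_approved", "src_ip": "198.51.100.4"}
"""


def parse_ts(value):
    """Parse the constructed log's UTC timestamps (e.g. 2022-09-15T22:05:20Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per approval that was preceded, within `window`, by at
    least `threshold` rejected prompts for the same user."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])  # logs are rarely delivered in order

    rejections = defaultdict(deque)  # user -> timestamps of denied/timed-out prompts
    alerts = []
    for rec in events:
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        recent = rejections[user]
        while recent and ts - recent[0] > window:  # forget prompts outside the window
            recent.popleft()
        if event in REJECTED:
            recent.append(ts)
        elif event == "push_approved":
            if len(recent) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "prior_rejections": len(recent),
                    "src_ip": rec["src_ip"],
                })
            recent.clear()  # an approval ends the burst either way
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

The window and threshold are tuning knobs. A legitimate user who fat-fingers a couple of prompts should not trip the rule, which is why the example drops prompts older than the window and resets the count once an approval arrives. In production you would also compare the approving session’s source address and device against the user’s history, which this example does not do.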
True, as Darren Williams, CEO and founder of the security company BlackFog, said, “Social engineering is becoming a more popular tactic for cybercriminals as it really provides the keys to the castle, as we can see from the recent attack on Uber.” This is old news, but since people fall for phishing attacks every day, we can never stop repeating it.
After getting his foot in the door, the attacker found an internal network share containing PowerShell scripts with hardcoded privileged admin credentials. Do not ask me what it was doing there. This is a classic stupid security trick. With those credentials, the hacker got access to Uber’s AWS, G Suite, Google Cloud Platform, OneLogin, SentinelOne incident response portal, Slack, and OpenDNS resources. Once in, he even posted on Uber’s Slack announcing what he’d done… and, for a while, employees seem to have thought it was a joke.
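Scripts with admin credentials sitting on a share that ordinary users can read are exactly what secrets scanning is meant to catch before an intruder does. The following is an added example, not Uber’s tooling or any script from the incident: a Python scanner that walks a directory for PowerShell scripts and reports, with the values redacted, the common ways credentials end up embedded in them. The sample scripts, file names, accounts and values are constructed for the example; the AWS key pair is the placeholder from AWS’s own documentation.

```python
"""Find hardcoded credentials in PowerShell scripts on a file share.

Added example, not Uber's tooling. The sample scripts are constructed for
this example; the AWS key pair in them is the placeholder from AWS's docs.
"""
import os
import re
import tempfile
from pathlib import Path

# A quoted literal of at least 4 characters, captured as the group "secret".
QUOTED = r"(['\"])(?P<secret>[^'\"]{4,})\1"

# Each rule captures the secret in a named group so the report can redact it.
RULES = [
    # ConvertTo-SecureString "literal" -AsPlainText: the password is in the file
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\b(?=.*-AsPlainText).*?" + QUOTED, re.I)),
    # $AdminPassword = "literal", $apiToken = 'literal', ...
    ("password-assignment",
     re.compile(r"\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*" + QUOTED, re.I)),
    # -Password "literal", -SecretKey "literal", ... passed to a cmdlet
    ("secret-parameter",
     re.compile(r"-(?:SecretKey|AccessKey|ApiKey|Password|Secret|Pass|Pwd)\s+" + QUOTED, re.I)),
    # AWS access key IDs have a fixed shape and need no quotes to be spotted
    ("aws-access-key-id", re.compile(r"(?P<secret>AKIA[0-9A-Z]{16})")),
]


def redact(secret):
    """Keep two characters so a hit can be matched to a line without echoing the secret."""
    return secret[:2] + "*" * (len(secret) - 2)


def scan_text(text, path="<inline>"):
    """Apply every rule to every line; return one finding per match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            for m in rx.finditer(line):
                findings.append({"file": str(path), "line": line_no,
                                 "rule": name, "secret": redact(m.group("secret"))})
    return findings


def scan_share(root, suffixes=(".ps1", ".psm1")):
    """Walk a directory tree and scan every PowerShell script in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            p = Path(dirpath) / fn
            if p.suffix.lower() in suffixes:
                findings.extend(scan_text(p.read_text(encoding="utf-8", errors="replace"), p))
    return findings


# Constructed sample scripts (hypothetical names and values, not from any real share).
SAMPLE_SCRIPTS = {
    # the password sits in the script next to a privileged account
    "deploy-prod.ps1": r'''# restart the web tier (constructed example)
$AdminPassword = "Summer2022!"
$sec = ConvertTo-SecureString $AdminPassword -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("CORP\svc-deploy", $sec)
Invoke-Command -ComputerName web01 -Credential $cred -ScriptBlock { Restart-Service w3svc }
''',
    # cloud keys on the command line (placeholder values from the AWS docs)
    "s3-backup.ps1": r'''Set-AWSCredential -AccessKey AKIAIOSFODNN7EXAMPLE -SecretKey "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
aws s3 sync C:\backups s3://example-bucket
''',
    # nothing to find: secrets come from a prompt or a vault at run time
    "safe-rotate.ps1": r'''$cred = Get-Credential -Message "Enter the service account"
$apiToken = Get-Secret -Name prod-api-token -AsPlainText
Invoke-RestMethod -Uri https://example.invalid/rotate -Headers @{ Authorization = "Bearer $apiToken" }
''',
}


def build_sample_share():
    """Write the constructed scripts into a temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    for name, body in SAMPLE_SCRIPTS.items():
        (root / name).write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in scan_share(build_sample_share()):
        print(f"{f['file']}:{f['line']}: {f['rule']} ({f['secret']})")
```

Run it against a mounted share and treat every hit as a credential to rotate, not merely a line to delete, because the share may already have been read. The rules are heuristics: they miss secrets assembled at run time or stored under unusual variable names, which is why the real fix is to pull credentials from a prompt or a vault at run time, as the third sample script does, rather than to rely on scanning alone.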
Williams continued, “protecting the perimeter alone simply isn’t going to cut it. Organizations must make the assumption that the bad guys are going to find their way in, so the focus must be on preventing them from leaving with the crown jewels.” Root-level scripts in a semi-public directory certainly count as the crown jewels in my book.
Do the Right Things
Uber, after the fact, is saying all the right things: identify and reset compromised employee accounts, rotate keys, lock down the codebase, strengthen MFA policies, and increase internal security monitoring. But this is a classic case of locking the barn door after the horse is out.
Uber claims that, although the hacker had the keys to its IT kingdom, he didn’t access any public-facing systems, user accounts, or sensitive user information such as credit card numbers, bank account details, or trip history. You can believe that if you like. I’m not so sure.
The point here is that while fancy cybersecurity tricks that sound like they came out of Mission Impossible may catch your attention, really securing your systems means reinforcing the security basics (deny MFA prompts you didn’t ask for, keep credentials out of scripts, keep privileged material off shares everyone can read) over and over again.