How The Uber Breach Went Down – ESW #289



Based on what we know so far (which is limited and could change), the Uber breach appears to be a classic example of how penetration testers and criminals alike break into large organizations. In this segment, we’ll discuss how the attack happened. We’ll go over the controls that failed, why they failed, and what Uber could have done to prevent or detect this attack.
For those listening live, questions are welcome! Visit https://www.securityweekly.com/esw for all the latest episodes!

Full Episode Show Notes

How The Uber Breach Went Down

1. Social Engineer employees to install stealer malware (Raccoon, Vidar, or RedLine)
2. Stealer malware obtains their credentials OR [attacker purchased Uber contractor creds from the dark web](https://twitter.com/zackwhittaker/status/1571941745281355776) (there are conflicting reports)
3. Log into company VPN
4. VPN sends 2FA prompt to employee
5. Attacker spams 2FA for an hour, to no effect (aka MFA Bombing or MFA Fatigue)
CONTROL: push storms can be easily detected!
6. Attacker reaches out to employees via Whatsapp and pretends to be from Uber IT, convinces them to approve the 2FA
7. Attacker somehow enrolls their own device for MFA (not sure how they did this)
8. Scan file servers on company intranet
9. Look through files and scripts
CONTROL: Use canary tokens to detect snooping
10. Find powershell with hardcoded creds for Thycotic
CONTROL: use canary creds to detect compromise
11. Log into Thycotic
12. Discover stored secrets for Windows Domain Admin, Slack, VSphere, Duo, OneLogin, AWS, GSuite, HackerOne & other services (Thycotic Secret Server is basically a password manager)
CONTROL: Also have some fake creds or accounts in here!
13. Access to Thycotic, Duo, and OneLogin renders all MFA useless
14. Log into other services and continue scanning for interesting data and exfiltrating it
15. Logs into Slack, HackerOne, and other services to mock and taunt Uber

Hosts

Adrian Sanabria

Adrian Sanabria – Director of Product Management at Tenchi Security

@sawaba

Adrian is an outspoken researcher that doesn’t shy away from uncomfortable truths. He loves to write about the security industry, tell stories, and still sees the glass as half full.

Tyler Shields

Tyler Shields – CMO at JupiterOne

@txs

Tyler advises, guides, and operates high tech startups primarily in the B2B security space. He is a former market analyst, engineer, product manager, marketing leader, and partnership manager. In other words, Tyler builds and grows businesses – in all aspects. He’s a board advisor, angel investor, and board member at multiple firms and an investment advisor for a venture debt business. He loves to play guitar and poker in his free time.

Katie Teitler

Katie Teitler – Senior Security Strategist at Axonius

@Katherinert15

Katie Teitler is a cybersecurity content creator. In her current role with Axonius, she is part of the product marketing team, helping audiences understand the value proposition of cyber asset management as it pertains to risk reduction. In past roles, Katie was an industry analyst, research director, content marketer, and freelance author, and managed content and speakers for InfoSec World, now a flagship offering of the Cyber Risk Alliance.

Announcements

  • Don’t miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!