Wizer Free Security Awareness Blog

How Uber Was Hacked: A Deep Dive

Written by Wizer Team | Aug 22, 2024 12:07:58 PM

 

In today's Wizer Security Awareness post, we’re diving into the fascinating case of the Uber hack, which happened about three years ago.

This talk was given to our Weekly MSP/IT Meetup Group. Join us next time by registering here

Who Am I?

Before we delve into the details, let me introduce myself. I'm Robbe Van Roey, also known as PinkDraconian online. I work full-time as an offensive security lead and penetration tester at Toreon, and I’m deeply passionate about bits, bytes, and finding security vulnerabilities. Outside of my primary role, I also search for bugs as a bug bounty hunter and create security content on YouTube. I’m a very technical person with a passion for cybersecurity.

The Uber Hack: An Overview

So, what exactly happened in the Uber hack? This incident is widely interesting because of several factors, including who performed the hack and how it was executed. The hacker, known as “Tea Pot”, is believed to be associated with the Lapsus hacking group. Rather than staying in the shadows, Teapot went public with his achievement, sharing screenshots and chatting openly about the hack on social media. This level of transparency is uncommon and gave the public a rare inside look at the hack.

The Beginning: Phishing

The hack began with a simple, yet effective technique: phishing. Information around how credentials were compromised differs - some say credentials were found on the dark web, while others believe the attacker used a fake Uber login page to steal them. Tools like Evilginx, an open-source man-in-the-middle framework, could have been used to capture login credentials. Whether through dark web purchases or phishing, Teapot acquired a contractor's credentials and attempted to login.

Bypassing 2-Factor Authentication

Despite gaining access, the hacker faced an obstacle: two-factor authentication (2FA). Initially, the Uber contractor denied the login attempts. However, persistence paid off. The 2FA system kept sending notifications, which annoyed the contractor into eventually approving the login request. Compounding the pressure, the hacker called the victim, posing as Uber support, and convinced them to approve the request under false pretenses. This highlights a critical vulnerability in human factors often overlooked in cybersecurity measures.

Access to Uber’s Internal Network

Once inside the network, the hacker ran Snaffler, a tool designed to find secrets like passwords and API keys across systems. This tool enabled Teapot to locate a PowerShell script containing administrative credentials. This script provided access to Thycotic Pam, Uber's privileged access management system which essentially held the keys to Uber’s kingdom.

The Damage Done

With these credentials, Teapot had unrestricted access to Uber's AWS infrastructure, VMware sphere environment, and SentinelOne, Uber's threat detection system. This level of control allowed the hacker to manipulate Uber's network undetected and even to tamper with security rules. The hacker also breached Uber's Slack and HackerOne environments, showcasing the extent and ease of the infiltration.

Lessons Learned

The Uber hack offers several critical lessons in cybersecurity:

  1. Holistic Security Approach

Both technical and human security measures are essential. Systems are predictable, but humans are often the weakest link.

  1. Multi-layered Defense

Companies should not rely solely on training employees not to click on suspicious links. Routine internal penetration tests and minimizing single points of failure can bolster defense.

  1. Importance of 2FA Implementation

While 2FA adds a layer of security, how it’s implemented matters. Limiting repeated notifications and considering human behavior nuances can help prevent issues like the Uber hack.

  1. Secure Coding Practices

Avoid hard-coding credentials in scripts. Regular audits and employing secrets management solutions can mitigate risks.

  1. Preparedness for Intrusions

Organizations must assume breaches will happen and prepare accordingly. Rotating passwords and having robust incident response plans can minimize damage.

Conclusion

In conclusion, the Uber hack underscores the importance of a comprehensive approach to cybersecurity that includes both technical defenses and human factors. By understanding and mitigating risks from both angles, organizations can better protect themselves from similar incidents.

Thank you for reading. I hope this post sparks some valuable discussions and provides insights into improving cybersecurity practices.