On September 15th, Uber confirmed that it had been infiltrated by a hacker going by the handle Tea Pot, who has ties to the hacker group Lapsus$. How did one individual gain access to so many of Uber’s critical systems?
Social Engineering
As long as passwords are still used, social engineering will be the easiest way for adversaries to gain unauthorized access. More than 90% of data breaches start with a successful phishing campaign. Spear phishing, where the adversary pretends to be a service or person the target trusts, accounts for 60% of these, and in any organization it’s not a matter of if, but when, a phishing attack will succeed.
After obtaining the employee’s login credentials through a successful phishing campaign, Tea Pot repeatedly attempted to log in, which sent the compromised employee a stream of authentication notifications. Tea Pot then called the employee, posing as someone working with the authentication service, apologized for the repeated notifications, and claimed that the only known way to stop them was to accept the authentication request. And then, they were in.
Exposed Credentials
Having an intruder inside sounds bad, but by itself it need not be catastrophic: access controls should be in place to prevent any individual, even an authorized one, from having too much access, and privileged access should be tightly monitored. Where this breach took a turn for the worse was that, while logged into the corporate intranet through the compromised account, Tea Pot found a script containing the login credentials for an admin account on Uber’s Privileged Access Management system. From there Tea Pot could take control of many critical services, including the one that was supposed to detect intrusions.
</gre_replace>
<gr_insert after="6" cat="add_content" lang="python" orig="While having an intruder">
A script with an admin password in it is exactly the kind of thing a routine check over a repository or file share can catch before an intruder does. The following is an added example, not code from the article or from Uber: a small scanner that flags quoted secret-looking assignments and `user:password@host` URLs in shell-style scripts while ignoring values that are only references to the environment or a secret store. The sample script, its host names and its values are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Variable names that usually hold a secret (matched case-insensitively).
SECRET_NAME = re.compile(r"pass(word|wd)?|pwd|secret|token|api[_-]?key|private[_-]?key", re.I)
# NAME="literal" or NAME: 'literal', optionally preceded by `export`.
ASSIGNMENT = re.compile(r"""^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(["'])([^"']+)\2""")
# scheme://user:password@host embedded in a command line.
URL_CREDENTIAL = re.compile(r"[a-z][a-z0-9+.\-]*://([^\s:/@]+):([^\s@/]+)@", re.I)
# Values that are references or templates rather than secrets: $VAR, ${VAR}, {{ var }}, <placeholder>
PLACEHOLDER = re.compile(r"^(\$|\{\{|<)")


@dataclass
class Finding:
    line: int
    kind: str   # "assignment" or "url"
    name: str   # the variable name, or the user name embedded in the URL


def find_hardcoded_credentials(text: str) -> list[Finding]:
    """Return one Finding per line that appears to embed a literal credential."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment or shebang line
        m = ASSIGNMENT.match(line)
        if m and SECRET_NAME.search(m.group(1)) and not PLACEHOLDER.match(m.group(3)):
            findings.append(Finding(n, "assignment", m.group(1)))
        u = URL_CREDENTIAL.search(line)
        if u and not PLACEHOLDER.match(u.group(2)):
            findings.append(Finding(n, "url", u.group(1)))
    return findings


# Constructed sample deployment script; the host names and values are made up.
# Lines 5 and 8 embed literal credentials; lines 6 and 7 fetch them at runtime and are fine.
SAMPLE_SCRIPT = """\
#!/bin/bash
# Constructed sample deployment script; the host names and values are made up.
PAM_URL="https://pam.example.internal"
PAM_USER="admin"
PAM_PASSWORD="Sup3rS3cret!"
DB_PASSWORD="${DB_PASSWORD}"
TOKEN=$(vault read -field=token secret/pam)
git clone https://deploy:hunter2@git.example.internal/app.git
curl -u "$PAM_USER:$PAM_PASSWORD" "$PAM_URL/api/login"
"""

if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_SCRIPT):
        print(f"line {f.line}: hardcoded credential ({f.kind}) for {f.name}")
```

The scanner deliberately skips `${DB_PASSWORD}` and the `vault read` call, because reading a secret from the environment or a secret store at runtime is the alternative the script author should have used; a finding is only raised when the secret itself is sitting in the file.
<test>
found = find_hardcoded_credentials(SAMPLE_SCRIPT)
assert [(f.line, f.kind, f.name) for f in found] == [(5, "assignment", "PAM_PASSWORD"), (8, "url", "deploy")]
assert find_hardcoded_credentials('PASSWORD="${PASSWORD}"\n') == []
assert find_hardcoded_credentials('export API_KEY="abc123"\n')[0].name == "API_KEY"
</test>
</gr_insert>
<gr_replace lines="8" cat="clarify" orig="It would be naïve">
It would be naïve to blame the intrusion on the compromised employee. Phishing attacks occur very frequently, and a large organization such as Uber should expect accounts to be compromised on a regular basis. The first mistake was not having alerts for multiple failed logins. As for the hardcoded credentials: people will be lazy and take the path of least resistance, so if there is an easy alternative to the proper way of gaining access to a privileged account, that is what will be used. Secondly, privileged accounts should require more than one person to log in.
Where did Uber go wrong?
It would be naïve to blame the intrusion on the compromised employee. Phishing attacks occur very frequently, and a large organization, such as Uber, should expect accounts to be compromised on a regular basis. The first mistake was to not have alerts for multiple failed logins. As for the hardcoded credentials, people will be lazy and take the path of least resistance. If there is an easy alternative to gaining access to the privileged account, that is what would be used. Secondly, privileged accounts should require more than one person to log in.
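The missing alert is straightforward to express as detection logic over an authentication log. The following is an added example, not code from the article or from any vendor: it parses constructed key=value log lines, keeps a sliding window of unsuccessful events per account (failed passwords, denied or timed-out push prompts), raises a "burst" alert when the count crosses a threshold, and raises a more urgent "approval after burst" alert when the account then approves a push, which is the moment the attack described above succeeds. The log format, field names, threshold and window are assumptions for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# One authentication event per line, key=value fields. The format is an
# assumption for this example, not any product's real log schema.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)"
)
# Outcomes that should raise suspicion when they pile up on one account.
UNSUCCESSFUL = {"failed", "denied", "timeout"}


@dataclass
class Alert:
    user: str
    kind: str        # "burst" or "approval_after_burst"
    at: datetime
    count: int       # unsuccessful events inside the window when the alert fired


def detect_fatigue(log_text: str, threshold: int = 4,
                   window: timedelta = timedelta(minutes=10)) -> list[Alert]:
    """Flag accounts with >= threshold unsuccessful attempts inside `window`,
    and flag again, more urgently, if the account then approves a push."""
    recent: dict[str, deque[datetime]] = defaultdict(deque)
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["user"]]
        while q and ts - q[0] > window:
            q.popleft()  # drop events that fell out of the window
        if m["result"] in UNSUCCESSFUL:
            q.append(ts)
            if len(q) == threshold:  # fire once as the burst crosses the threshold
                alerts.append(Alert(m["user"], "burst", ts, len(q)))
        elif m["event"] == "mfa_push" and m["result"] == "approved":
            if len(q) >= threshold:
                alerts.append(Alert(m["user"], "approval_after_burst", ts, len(q)))
            q.clear()  # an approval ends the episode either way
    return alerts


# Constructed sample log: the attacker already has alice's password, so each
# login succeeds and triggers a push that alice ignores, until she approves one.
# bob shows an ordinary mistyped password followed by a normal login.
SAMPLE_LOG = """\
2022-09-15T10:00:05Z user=alice event=password result=success
2022-09-15T10:00:06Z user=alice event=mfa_push result=denied
2022-09-15T10:00:40Z user=alice event=password result=success
2022-09-15T10:00:41Z user=alice event=mfa_push result=timeout
2022-09-15T10:01:14Z user=alice event=password result=success
2022-09-15T10:01:15Z user=alice event=mfa_push result=denied
2022-09-15T10:02:01Z user=alice event=password result=success
2022-09-15T10:02:02Z user=alice event=mfa_push result=denied
2022-09-15T10:02:49Z user=alice event=password result=success
2022-09-15T10:02:50Z user=alice event=mfa_push result=denied
2022-09-15T10:04:29Z user=alice event=password result=success
2022-09-15T10:04:30Z user=alice event=mfa_push result=approved
2022-09-15T10:05:00Z user=bob event=password result=failed
2022-09-15T10:05:10Z user=bob event=password result=success
2022-09-15T10:05:20Z user=bob event=mfa_push result=approved
"""

if __name__ == "__main__":
    for a in detect_fatigue(SAMPLE_LOG):
        print(f"{a.at.isoformat()} {a.user}: {a.kind} ({a.count} unsuccessful in window)")
```

Note that a successful password check does not clear the window: in the scenario described above the password is correct every time, so the signal is the run of unapproved prompts, not failed passwords. The "approval after burst" alert is the one worth paging on, since at that point the account should be treated as compromised regardless of what the employee says on the phone.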
You can’t expect people to be perfect; that’s why you design for imperfection.