CS Nov-Dec 2022
MAJOR BREACH, HARSH LESSONS

WHAT HARSH LESSONS CAN BE LEARNED FROM THE MAJOR BREACH SUFFERED BY UBER - AND HOW MIGHT SUCH ATTACKS BE STOPPED?
Following the Uber security breach, disclosed in September this year, the cybersecurity sector is still buzzing. "While it is inevitable questions will be raised, it's important to reiterate this breach could not have been avoided by a single technology solution," points out Rich Turner, SVP EMEA at CyberArk. "Nor is it one in which a single person, company or provider was to blame. Saying that, there is a lot which can be learned from the breach, with it having a number of interesting elements for cybersecurity professionals to delve into."
Turner lays out in detail what is known about the attack in five stages:

Step 1: The attacker entered Uber's IT environment by gaining access to the credentials for its VPN infrastructure.
Step 2: The contractor whose account was compromised likely did not have privileged access to key resources or any other special access permissions, but they did have access to a network share, just like other Uber employees. "Either this network share was reachable or the Access Control List was configured incorrectly to allow for broad read access," says Turner. "Afterwards, the hacker discovered a PowerShell script in the network share, which included privileged credentials for Uber's Privileged Access Management (PAM) solution hardcoded into it."
Step 3: By stealing the administrator credentials for the privileged access management solution that were hard-coded into the script, the attacker was able to escalate their privileges further.
Step 4: According to an Uber update, the attacker eventually acquired 'elevated permissions to a number of tools'. Adds Turner: "Accessing the secrets of a privileged access management solution carried a high risk of harm. The SSO, consoles and cloud management console, which Uber uses to store private consumer and financial information, were reportedly all compromised by the hacker."
Step 5: Uber said the attacker 'downloaded some internal Slack messages, as well as accessed or downloaded information from an internal application our finance team uses to track some bills' - a matter that the business reported it was looking into.
PROTECTING EMBEDDED CREDENTIALS

So, asks Turner, "how can a similar attack be stopped?" He offers his recommendations for protecting embedded credentials. "Getting rid of any embedded credentials would be the first step towards preventing a similar attack. In addition to discontinuing this practice, we advise conducting an environment inventory to find and remove any hard-coded credentials that might be present in code, PaaS configurations, DevOps tools and internally developed applications."
However, this is simpler to say than to do, he concedes. "In order to gradually reduce risk, focus first on your organisation's most important and potent credentials and secrets before spreading these best practices."
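To make the inventory Turner describes concrete, here is an added example (not from the article or CyberArk): a small Python scanner that walks a mounted share or repository checkout and flags hard-coded credential literals in scripts and configuration files, while skipping references to a secret store so the output is not swamped with false positives. The rule patterns, placeholder conventions, file extensions and the sample PowerShell script are all assumptions constructed for this example.

```python
import os
import re

# Patterns for credentials embedded in scripts and configuration files. Each
# rule captures the secret in group "v" so the report can redact it.
RULES = {
    # PowerShell variable: $PamPass = "..." / $apiToken = '...'
    "ps_password_var": re.compile(r'\$\w*(?:pass|pwd|secret|token)\w*\s*=\s*["\'](?P<v>[^"\']+)["\']', re.I),
    # PowerShell: ConvertTo-SecureString "..." -AsPlainText
    "ps_securestring": re.compile(r'ConvertTo-SecureString\s+["\'](?P<v>[^"\']+)["\']\s+-AsPlainText', re.I),
    # key/value in YAML, JSON, .env or source: password: "..." / api_key = '...'
    "generic_assignment": re.compile(r'\b(?:api[_-]?key|password|passwd|secret|token)\b\s*[:=]\s*["\'](?P<v>[^"\']{6,})["\']', re.I),
    # credentials in a URL: https://admin:Secret1!@pam.example
    "url_userinfo": re.compile(r'[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<v>[^@\s/]+)@', re.I),
}
# Values that reference a secret store or are placeholders, not secrets
# (assumed conventions: $env:, ${...}, {{...}}, <...>, %...%, "changeme").
PLACEHOLDER = re.compile(r'^(?:\$env:|\$\{|\{\{|<|%)|^(?:changeme|x{3,}|\*+)$', re.I)

def scan_text(path, text):
    """Return (path, line, rule, redacted) per credential-looking literal.
    Only two leading chars plus the length are kept, so the report never leaks it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                v = m.group("v")
                if not PLACEHOLDER.search(v):
                    findings.append((path, lineno, rule, f"{v[:2]}***({len(v)} chars)"))
    return findings

def scan_tree(root, exts=(".ps1", ".psm1", ".py", ".sh", ".yml", ".yaml", ".json", ".env")):
    """Inventory pass: walk a mounted share or repo checkout and scan each script/config."""
    out = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_text(path, fh.read()))
    return out
# Constructed sample: a PowerShell helper like the one the article describes, left on
# a share with the PAM admin password hard-coded. The last line is a vault reference.
SAMPLE_SCRIPT = """\
$PamUser = "pam-admin"
$PamPass = "Tr0ub4dor&3"
$sec = ConvertTo-SecureString "Tr0ub4dor&3" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($PamUser, $sec)
$Token = "{{ vault.pam_api_token }}"
"""
```

Run `scan_tree` against a mount of each share and each repository checkout in turn; because values are redacted, the report can be handed to the owning team for remediation without itself becoming a copy of the secrets.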
He reiterates that neither the tools nor the personnel in place at Uber are to blame for this breach, and that there is no magic bullet for stopping cyberattacks. "No longer is it thought an attack can be completely prevented. However, we have some control over how far they go. Strong, layered cyber security defences may reduce attacks like the Uber breach. This should be strengthened by regular employee training to help them identify possible sources of danger.
"These features make it more challenging for attackers to get a foothold, manoeuvre, find and accomplish their goals," adds Turner. "They also enable us to minimise the effectiveness and impact of attacks, and to resume regular activities as soon as feasible. This is the important knowledge we should absorb and use in our own organisations."
computing security Nov/Dec 2022 @CSMagAndAwards www.computingsecurity.co.uk