CS Nov-Dec 2022

eaches
MAJOR BREACH, HARSH LESSONS
WHAT HARSH LESSONS CAN BE LEARNED FROM THE MAJOR BREACH
SUFFERED BY UBER - AND HOW MIGHT SUCH ATTACKS BE STOPPED?
Following the Uber security breach,
disclosed in September this year, the
cybersecurity sector is still buzzing.
"While it is inevitable questions will be raised,
it's important to reiterate this breach could
not have been avoided by a single
technology solution," points out Rich Turner,
SVP EMEA at CyberArk. "Nor is it one in
which a single person, company or provider
was to blame. Saying that, there is a lot
which can be learned from the breach, with
it having a number of interesting elements
for cybersecurity professionals to delve into."
Turner lays out in detail what is known
about the attack in five stages:
Step 1: The attacker entered Uber's IT
environment by gaining access to the
credentials for its VPN infrastructure.
Step 2: The contractor whose account was
compromised likely did not have privileged
access to key resources or any other special
access permissions, but they did have access
to a network share, just like other Uber
employees. "Either this network share was
reachable or the Access Control List was
configured incorrectly to allow for broad
read access," says Turner. "After, the hacker
discovered a PowerShell script in the network
share, which included privileged credentials
for Uber's Privileged Access Management
(PAM) solution hardcoded into it."
Step 3: By stealing the administrator
credentials that were hard-coded into the
privileged access management solution,
the attacker was able to further escalate
their privileges.
Step 4: According to an Uber update,
the attacker eventually acquired 'elevated
permissions to a number of tools'. Adds
Turner: "Accessing the secrets of a privileged
access management solution carried a high
risk of harm. The SSO, consoles and cloud
management console, which Uber uses
to store private consumer and financial
information, were reportedly all
compromised by the hacker.
Step 5: Uber said the attacker 'downloaded
some internal Slack messages, as well as
accessed or downloaded information from
an internal application our finance team
uses to track some bills' - a matter that the
business reported it was looking into.
PROTECTING EMBEDDED CREDENTIALS
So, asks Turner, "how can a similar attack be
stopped?", offering his recommendations
for protecting embedded credentials.
"Getting rid of any embedded credentials
would be the first step towards preventing
a similar attack. In addition to discontinuing
this practice, we advise conducting an
environment inventory to find and remove
any hard-coded credentials that might be
present in code, PaaS configurations, DevOps
tools and internally developed applications."
However, this is simpler to say than to do,
he concedes. "In order to gradually reduce
risk, focus first on your organisation's most
important and potent credentials and secrets
before spreading these best practices."
Reiterating that neither the tools, nor
the personnel in place at Uber, is to blame
for this breach is important, he also states
that nor is there a magic bullet for stopping
cyberattacks. "No longer is it thought
an attack can be completely prevented.
However, we have some control over how
far they go. Strong, layered cyber security
defences may reduce attacks like the Uber
breach. This should be strengthened by
regular employee training to help them
identify possible sources of danger.
"These features make it more challenging
for attackers to get a foothold, manoeuvre,
find and accomplish their goals," adds Turner.
"They also enable us to minimise the effectiveness
and impact of attacks, and to resume
regular activities as soon as feasible. This is
the important knowledge we should absorb
and use in our own organisations."
36
computing security Nov/Dec 2022 @CSMagAndAwards www.computingsecurity.co.uk