On Thursday, September 15th, Uber confirmed reports of an organization-wide cybersecurity breach.

“What makes this breach appear so significant is that this does not appear to be a breach of a single system. The attackers seem to have moved laterally between systems for a complete organization takeover”
Mackenzie Jackson – Security Advocate at GitGuardian

Update 9/20/22: Uber confirmed in a security update that the named attacker "Tea Pot" was affiliated with the Lapsus$ hacking group, famous for breaching NVIDIA, Samsung, and Microsoft earlier this year. According to their early investigations, it is likely that the attacker targeted an external contractor whose credentials were bought on the dark web.

What happened

Here’s what we know so far, pending investigation and confirmation from Uber’s security teams.

  1. The attack started with a social engineering campaign on Uber employees, which yielded access to a VPN, in turn granting access to Uber's internal network *.corp.uber.com.
  2. Once on the network, the attacker found some PowerShell scripts, one of which contained hardcoded credentials for a domain admin account for Thycotic, Uber’s Privileged Access Management (PAM) solution.
  3. Using admin access, the attacker was able to log in and take over multiple services and internal tools used at Uber: AWS, GCP, Google Drive, Slack workspace, SentinelOne, HackerOne admin console, Uber’s internal employee dashboards, and a few code repositories.
Screenshot from a private message with the hacker on Telegram
Screenshot from a private message with the hacker on Telegram

The critical vulnerability that granted the attacker such high levels of access was hardcoded credentials in a PowerShell script. These credentials gave admin access to a Privileged Access Management (PAM) system: Thycotic. This tool carries huge amounts of privilege, making it a single point of failure; it stores both end-user credentials for employee access to internal services and third-party apps as well as DevOps secrets used in the context of software development. This is a worst-case scenario. The PAM system controls access to multiple systems, and having admin access means you can give yourself or extract secrets to all connected systems. This has appeared to give the attacker complete access to all of Uber's internal systems.

This isn't the first time we've seen an Uber data breach: in 2014 hackers gained access to an AWS S3 bucket after developers leaked secrets to a public git repository. Two years later, a similar incident happened when attackers exploited poor password hygiene by some developers to gain access to private repositories which contained multiple access credentials. Now we appear to have the final episode in the trilogy, and it appears to be the most serious situation yet.

“There have been three reported breaches involving Uber in 2014, 2016, and now 2022. It appears that all three incidents critically involve hardcoded credentials (secrets) inside code and scripts”
Mackenzie Jackson – Security Advocate at GitGuardian

How bad is it?

Critically, Uber’s Privileged Access Management (PAM) platform was compromised through the exposure of its admin credentials. Privileged access management (PAM) is the combination of tools and technology used to secure, control, and monitor employee access to an organization's critical information and resources. With that in mind, the attacker may have gained access to nearly all the internal systems of Uber. Let’s go through the ones we know of based on preliminary information and evidence to understand the severity of this incident.

“We very often find credentials and secrets for specific systems that have leaked, but finding admin credentials to an access management system is like finding a master key to every room and alarm system, in every building, in every country that an organization owns.”
Mackenzie Jackson – Security Advocate at GitGuardian

Thycotic – Severity = Critical

The attacker gained admin access to the Thycotic PAM system. PAM systems can be a single full-featured software console or a collection of multiple tools; in the case of Thycotic, it is a single tool with many features. It can control access to different services and also has a secrets manager where credentials and passwords are stored. It appears the hacker was able to access secrets inside the secure storage, granting the worst possible scenario for Uber.

AWS instance – Severity = Critical

The AWS instance controls the cloud infrastructure of Uber's applications. Depending on configuration, privileges, and architecture, the attacker can potentially shut down services, abuse computing resources, access sensitive user data, delete or ransom data, change user access, and many more things.

Uber Hack 2022 - AWS IAM console access

VMware vSphere – Severity = Critical

VMware vSphere is a cloud computing virtualization platform. This is a critical platform as it interfaces with both cloud computing and on-premise servers which can give attack access to controlled on-premise servers as well as many administrative functions that would help an attacker move deeper into systems.

Uber Hack 2022 - VMware vSphere access

SentinelOne – Severity = High

SentinelOne is an XDR (eXtended Detection and Response) platform. Simply put, this platform connects to your mission-critical systems and lets you know if there are security issues. Any attacker that can obtain privileged access to this system can obfuscate their activity and prolong their attacks. XDRs can bake in "backdoors" for Incident Response (IR) teams, such as allowing IR teams to "shell into" employee machines and potentially widening the attacker's access.

Uber Hack 2022 - SentinelOne privileged access (Incident Response Team)

Slack workspace – Severity = Medium

The internal messaging system of Slack can be used to great effect as an attacker to launch phishing campaigns. As the attacker has the instant trust of other users, they can send malicious links, try and get admins to elevate their privilege, and access sensitive information. As the attacker has made themselves known, this is likely a smaller threat.

Uber Hack 2022 - Uber Slack workspaces

GSuite Admin – Severity = Medium

GSuite is a tool used by many companies to manage their users, store data, and many other administrative tasks. With admin access, the attacker can create and delete accounts, but would also likely have access to employee data and other sensitive company data.

Uber Hack 2022 - GSuite Admin access

HackerOne – Severity = Medium

HackerOne is the platform used to pay and communicate with security researchers that find vulnerabilities within systems for rewards. Given the level of detail bounty hunters usually provide, anyone with access to the HackerOne tenant has detailed how-tos on how to exploit (likely unpatched) vulnerabilities in other areas of their IT systems. This means persistence is highly likely.

Uber Hack 2022 - HackerOne message posted by the attacker

What’s next for Uber?

Although we can't be sure at this point, the immediate disclosure of the breach by the attacker himself both to security researchers on the HackerOne platform and Uber personnel on their Slack workspace tend to indicate that he might not be financially motivated.

From what we have seen, the attacker likely has access to many more systems and services belonging to Uber, but these are the ones we know about. Given the blast radius of this breach, we believe it will be extremely difficult and costly for Uber to sift through all their systems and access logs to ensure the attacker has not achieved persistence.

Before you go

Want to learn more about the problem of hardcoded credentials? Read our State of Secrets Sprawl 2023 report or request a complimentary audit of your secrets exposure.

If you are interested in other 2022 data breaches and attacks, you can find a detailed analysis of the Cloudflare breach and the Toyota data breach.