On Sept 15th, a curious teenage hacker looking for fun compromised Uber in a serious way, gaining administrative access to the company’s massive cloud instance, development environments, tools, and even its access management server! The hacker joked about how terribly easy it was and shared proof with news outlets, on hacker message boards, and even with employees on Uber’s internal Slack communication tool.
The attack was not masterful but rather simple, and yet it snowballed into a massive data breach.
This is not the first big breach that Uber has experienced. Back in 2016 another breach occurred, affecting 57 million people, and executives tried to conceal it. That resulted in a $148 million dollar fine and an agreement with the FTC to maintain a comprehensive privacy program for 20 years.
As for this recent hack, it started with a simple social engineering attack that granted access to the internal network. Then, while snooping around, the intruder found a PowerShell script that contained administrator-level credentials, which cascaded into Super Admin permissions across the company.
Security experts describe this hack as a “total compromise”, which is a term not often used.
I see many people pointing a finger at weak behaviors, some say it is a failure of technology, while a handful are defending Uber, saying that being breached is an inevitability.
Well, from where I sit, there were failures across the cybersecurity spectrum of technology, behaviors, and processes.
Let’s cover a few:
- Behaviors: Social engineering targets people, the weakest link, and it appears that the training and security culture could be much improved. Beyond the fact that phishing was the starting point, the reporting of the issue was slow, and even when the crisis team told employees to not use internal tools like Slack, the employees ignored the instructions.
- Processes: Yes, the crisis response process could be improved, especially with getting staff on board with containment and recovery actions. But the biggest issues are around allowing scripts to have embedded passwords to systems and not requiring more sophisticated authentication for Admin accounts. And failsafe Super Admin accounts should be protected and reserved for evicting bad actors.
- As for the technology: Strong multi-factor authentication should be in place for all Admin accounts. Better oversight and blocking capabilities for remote Admin logins should also be in place. Basically, the principles of Zero Trust, which are gaining so much momentum across security tool vendors.
- Lastly, from an organizational perspective, they are committed to maintaining a comprehensive Privacy program due to the 2016 data breach, but Privacy is meaningless without the necessary security to go with it.
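As an added illustration of the embedded-passwords point above (this is example code written for this page, not code from the original post or from Uber), here is a small Python scanner that flags credential literals in PowerShell scripts so they can be caught in code review or a CI check before they reach a shared repository. The sample script, its variable names and its secret values are all constructed.

```python
import re

# Patterns for credentials embedded in PowerShell scripts (constructed, not exhaustive).
PATTERNS = [
    # ConvertTo-SecureString "literal" -AsPlainText: the secret is right there in the script
    ("plaintext SecureString",
     re.compile(r"ConvertTo-SecureString\s+(['\"])[^'\"]+\1\s+-AsPlainText", re.I)),
    # $AdminPassword = "literal", $apiToken = 'literal', ...
    ("password variable literal",
     re.compile(r"\$\w*(password|passwd|pwd|secret|token)\w*\s*=\s*(['\"])[^'\"]+\2", re.I)),
    # -Password 'literal', -ApiKey "literal" passed straight to a cmdlet
    ("credential parameter literal",
     re.compile(r"-(Password|Secret|ApiKey|AccessKey)\s+(['\"])[^'\"]+\2", re.I)),
]


def scan_script(text):
    """Return one finding per line that embeds a credential literal.

    Comment lines are skipped; each finding records the line number, the
    pattern that matched and the offending line. Secrets fetched at run time
    (Get-Secret, Read-Host, environment variables) do not match.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append({"line": lineno, "kind": kind, "text": stripped})
                break  # one finding per line is enough
    return findings


# Constructed sample deployment script: three embedded secrets, then two
# run-time alternatives that a hardened script would use instead.
SAMPLE_SCRIPT = """# Constructed sample deployment script (hypothetical, not from Uber)
$ErrorActionPreference = 'Stop'
$AdminPassword = "Sup3rS3cret!"
$sec = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('svc-admin', $sec)
Connect-Service -Credential $cred -ApiKey 'example-api-key-placeholder'
# Hardened form: pull the secret from a vault or the operator at run time
$vaultSecret = Get-Secret -Name 'svc-admin' -Vault 'CorpVault'
$fromUser = Read-Host -AsSecureString 'Password'
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f['line']}: {f['kind']}: {f['text']}")
```

Running the block reports lines 3, 4 and 6 of the sample and stays silent on the vault and prompt lines, which is the behaviour a pre-commit hook would enforce.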
Uber was lucky this attacker was not malicious. With those permissions, an attacker could destroy the systems and data of the company, probably causing hundreds of millions of dollars in damage and disrupting services for months.
The bad news is that every organized cybercriminal group, ransomware crew, and nation-state offensive team will be looking at Uber as an easy target. Their history tells a story, the current event is looking egregious, and that might spell doom for Uber in the future.
Uber, it is time to invest in and support a highly capable and enabled cybersecurity, privacy, and ethics program, which should report to the CEO and board. In the meantime, there are likely rough roads ahead for Uber.