Create and Manage Your Uber Bill Format for Security Effortlessly

Uber bill format for Security

Hello everyone. Welcome to another video.  Today we are talking about the Uber breach   and oh boy this is a big one. In this video  we're gonna look at exactly what happened   play-by-play. How the attacker gained access  into Uber's internal systems. We're going to   look at what we know based on evidence from  the attacker of what they say they've gained   access to and then we're going to compare  this with the latest statements from Uber   of what they're saying essentially has  happened and see if the two Stack Up. So let's get straight into it what exactly  happened. Well, the first news of this came   from the New York's Times on September 15th  and we believe that they may have had a heads   up from the attacker themselves and what all  avenues point to is that this attacker wasn't   really after the destruction of Uber or ransoming  information. They were really after publicity and   making lots of noise which may have been attached  to different motivations that we'll talk about.   So let's just go into exactly what happened  while an Uber employee's account or perhaps   contractor was compromised the attacker claims  through a social engineering campaign. Social   engineering just means that when the attacker is  basically deceiving someone an employee or someone   connected to Uber to either disclose sensitive  information to them or inadvertently grant them   access to different things. In this case they got  access to Uber's VPN which granted them access to   Uber's internal Networks. Once the attacker was  inside Uber's internal networks they started   searching for sensitive information essentially  they wanted to move from the internal Network into   some administrative or production assets and  infrastructure so that they could persist the   attack. They achieved this through some Powershell  Scripts. Powershell scripts are basically lists   of instructions that execute administrative  tasks on a machine that these can really be   about anything but there was one Powershell  script that was of particular interest and   this is because it contained hard-coded Secrets or  plain text credentials. This was to a PAM system.   A privileged access management system, this  essentially controls all the passwords, all the   secrets for Uber's internal systems. Their access  management. From here the attacker was essentially   able to compromise, what appears to be a huge  number of systems because they had admin access   to the central Network that controlled it. From  there they looks like that's where their attack   ended because they made a huge amount of noise  and published a lot of information and Uber was   able to try and limit further escalation of this.  So what did these attackers ultimately actually   compromise? Well there is a number of different  systems that were breached in this attack and we   can quickly run through a few of them. So the  first one that we know of is Thycotic. What is   Thycotic? Thycotic is a PAM, a Privileged Access  Management system and this is basically one of   the most critical pieces of infrastructure in  any company's systems. This is what controls   access to different internal and external Services  you can think of this like a secret manager like   AWS Secrets or Hashicorp vault combined with a  password manager like Onepassword or Dashlane but   company-wide. Potentially the attacker could have  had access to everything because they had critical   admin access to Thycotic. Pretty much a worst case  scenario and this is as critical as any system   gets. Now based on screenshots from the attacker  we know that they also had access to lots of other   systems which gives credibility to the concept  that they had access to the PAM system Thycotic   in the first place. We know they had access  to AWS. AWS is a cloud a service provider. Now   depending on the infrastructure depending on the  Privileges which we don't fully understand yet but   the attacker could have had access to databases.  Could have access to Production Services. Could   have been able to shut down areas. Could have been  able to create accounts for them to squat in these   systems for extended periods of times. We don't  know enough to know what this system could have   done because a lot will depend on setup. But  we know that this is critical and we know that   there's definitely areas of attack here. From  AWS we also know that they had access to VMware   Vsphere. Vsphere is an interesting tool that  can visualize between Cloud infrastructure and   on-premise infrastructure. This would have given  the attacker great access into the blueprint of   how Uber's infrastructure would have been set up  and using what they've already compromised could   have launched sophisticated attacks using  this visualization tool. But they all also   could have severed connections between on-premise  service and Cloud servers and really being able to   escalate an attack using VMware Vsphere. Another  platform of a very high severity is Sentinel one.   Sentinel one is an extended detection response  platform. Essentially this is the alarm system   to find out if an attacker has gained access into  any external services or any of your services. By   having access to this, the attacker critically has  access to be able to shut off some of the alarms   systems. This could have been critical had  there been additional malicious intent.   What we know about this attacker is that they  announce themselves very quickly right they were   trolling Uber by publishing in their slack forum.  For example publishing on their HackerOne account.   So it was very obvious that Uber were suffering  from some kind of breach. Had they wanted to be   a little bit more sophisticated then they could  have actually used Sentinel one to kind of go   undetected to enable them to squat, move literally  through systems without trigging any alarm. I   already mentioned that they were trolling Uber.  They had access to the Slack accounts. This has   a pretty medium severity because you can't shut  down any services using Slack and potentially   you shouldn't be able to access sensitive  information but depending on privileges you may be   able to access private chats which could contain  additional sensitive information. But what I find   really interesting about internal messaging  systems is the ability to be able to launch   spearfishing campaigns internally. They could have  gained access to additional employees accounts   from using Slack. So, still a severe, still a  severity of medium for Slack. Another system   that has a high or medium severity is the G Suite  admin. This can be very critical depending on the   setup but we don't have enough information on the  type of account that they had and what they could   have done. That G Suite basically controls amongst  many other things emails and access to different   administrative services and access to office  tools. By gaining access to them they could have   created an account. They could have removed access  to certain people. They could have potentially   done takeovers of email accounts and then from  there moved into lots of different systems. Lots   of different attack paths from G Suite but we  don't know exactly the privilege that they had   in there and what they were able to do. Finally,  the last one that we know of at this moment is   HackerOne. HackerOne is a bug Bounty platform.  This is external to Uber but this is basically the   platform that researchers use to publish security  vulnerabilities and then get a bug bounty to get   paid for it. This indicates some motivation of the  attacker. It's been hypothesized that the attacker   was really upset with Uber's bug bounty policies. Essentially not being able to pay enough money for   disclosing vulnerabilities and that this  was the motivation to basically humiliate   Uber in this way. But we don't know enough  information about that. We do know that   Hacker One was compromised by the attacker  because they published internal systems. So, what has Uber said. Well, Uber has had  lots of breaches in the past and critically   one such breach Uber was really criticized  because they tried to keep this from the   public without disclosing that actually some  users information were disclosed. With that   in mind Uber is definitely not trying to hide  that and there's no reason to not believe that   they're going to be forefront. But you have to be  cautious when you read information disclosed by a   company because there's obviously motivations  to limit the severity of what has happened.   But what they have said is that an Uber external  contractor had their account compromised by   the attacker. So, this will go back to their  initial social engineering campaign. However,   Uber has said that it's possible that Uber's  corporate password was actually leaked on the   dark web and the attacker bought it. Uber goes on  to say that the attacker made several attempts to   log into this contractor's account. Was stopped by  multi-factor authentication however at one point   the contractor actually accepted multi-factor  authentication. This seems strange on the surface   but certainly could have been true. Uber have  said that from there the attacker ultimately   gained access to a number of tools including G  suite and Slack. They've stopped at just G suite   and Slack. This is kind of in direct contrast to  what we've seen. The attacker post access to. I   think out of the two that Uber has named there  they're probably some of the least severe which   potentially has been compromised. We'll need to  see more information come out from Uber about   what actually has been compromised and see if we  get any response from the attacker at this point.   In Uber's response they've said that they've  essentially taken access to stop the attack   and basically identify employees accounts that  may be compromised or potentially compromised.   They've disabled many effective or potentially  affected internal tools. So the fact that they've   used the word many affected here but only listed  two before may suggest that there is actually a   whole lot more than just G suite and Slack that  have been affected. They've said they've rotated   their keys which obviously you would hope. They've  locked down their code base to prevent new changes   and of course they're adding additional  multi-factor authentication policies and   and locking down internal tools. They  have said that their investigation is   still ongoing but it doesn't appear that the  attacker had access to production systems   that power out their application or any user  accounts or the database that were used to   store sensitive information like credit card  numbers and bank accounts or trip history.   So we can see there that they've actually kind of  limited. That they haven't had access to databases   of these types but they haven't blankly said that  they haven't had access to databases so we'll   see how that unfolds and whether or not there's  something to read into there. They've said they've   reviewed the code base and that there isn't any  malicious code in there so hopefully this all   being said that the attacker has been stopped and  there aren't any backdoors or potential access   points that have been injected by the attacker  into their code or by creating different user   accounts or compromising other user accounts.  What is really interesting here is that Uber have   assigned responsibility loosely but still named  the group Lapsus$. We know that Lapsus$ is kind   of a group of teenagers or at least that's what  we've been led to believe. They're responsible   for lots of different attacks like Microsoft and  Nvidia. I have a whole videos of those attacks   on this channel that you can check out and this  does actually fit into to the kind of Lapsus$   group ethos which is that they gain access to all  the sensitive stuff but they kind of stop short of   worst case scenarios of what they could have done  and make a whole bunch of noise. Almost kind of   wanting that publicity, wanting that recognition  of the attack as the main thing. To our knowledge,   they didn't try and extort Uber for any money yet  although there have been suggestions of that .  They don't appear to have been backed up by Uber  or anyone else critical credible at this stage . What Uber hasn't made mention of is the Powershell  scripts and the hard-coded credentials to their   privilege access management system. They've  stopped short at that and they've kind of   said that the once the attacker was able to  gain access to the compromised account they   gained access to further Uber employees  accounts. You can't go from one account   to another without discovering additional  vulnerabilities so that at some point there's   something on the network that the attackers  used to transition into different accounts.   This would suggest that perhaps a Thycotic  takeover is actually real and that was what   was used but we can't be 100% certain  because Uber hasn't clarified that.  We do know in the past that Uber has had other  breaches. In 2014 an employee leaked credentials   to their database on public git repository. In  2016 we know that attackers were able to gain   access to private code repositories of employees  due to bad password hygiene and inside their code   repositories there was other hard-coded  Secrets. Other credentials and it appears   that in this attack there was credentials inside  a Powershell script as well. This would follow the   kind of like the trend. A very concerning Trend  that Uber has of having hard-coded credentials   hard-coded secrets and lots of other areas so  it does fit the trend although you really would   hope that there wouldn't be an admin hard-coded  credential. But at the moment with the evidence   that we have it does appear that there certainly  was some kind of credentials that the attacker   was able to use to elevate privileges and  move laterally into different accounts. How bad was this on Uber's perspective. I don't  want to speculate more than what I have of   exactly what's happened and lay blame to Uber . Uber is certainly not alone in these types of   attacks we've seen them in other areas although  this one appears to be particularly critical yes   definitely bad practices uh were had there  although Uber is claiming that multi-factor   authentication was installed and it was a user's, it was a contractor's fault for allowing that   but there does have to have been additional  vulnerabilities for that user to be able to   move laterally into different systems. It appears  that there is some security policies that aren't   being enforced on Uber's end. Does this mean  that Uber is a terrible company? Absolutely not.  Security vulnerabilities happen everywhere. Ot  just appears at this point. It's been a very   critical mistake of hard-coding credentials  in a Powershell script. Why exactly you would   hard code admin credentials to a password  and secret manager, a Privileged Access   Management platform in a Powershell script  ? I'm not exactly sure. Perhaps that script   was being used to create different accounts.  To grant access to stuff. That does appear to   be a pretty fundamental error if it is true.  We're just going to have to wait and find out. So what should you do to protect yourself if  you're an Uber customer? Well, at this point   it doesn't appear to be any indications from the  information that has been disclosed from both the   attacker and the Uber that personal in information  in particular passwords and credit card details   have been affected. we do know that this is  encrypted on Uber's end. Critical information   is encrypted like credit cards so therefore even  if the attacker was able to gain access to those   databases hopefully the encryption is adequate  enough that the attacker won't be able to reverse   that and be able to gain access to those numbers.  There doesn't appear to be any immediate action   that you need to take as a customer apart from  be cautious at the moment and making sure that   you don't reuse passwords on different areas  because there is the potential that password   hashes or usernames have been leaked. But  we have no verification of this it's just a potential so we want to implement good practices  ever anyway and don't reuse passwords. That's it   from what we have today. I'll provide an update  if we get any more critical information about   this breach but from now we're just going to have  to hold our breath. Then it appears definitely   that Uber has been breached and that there has  been a lot of escalation from the time that the   attacker compromised an employee or contractor's  account to where they've ended up. We're going to  have to wait and find out more information but  I hope you enjoyed this video give it a thumbs   up or add any comments down below and if you  have any information that I haven't covered be   sure to let me know. You can tag me on Twitter  or you can let me know in the comment section   below. Thanks for watching and I hope you have a  great day and remember secure code is good code.