It can control access to different services and also has a secrets manager where credentials and passwords are stored. PAM systems can be a single full-featured software console or a collection of multiple tools in the case of Thycotic, it is a single tool with many features. The attacker gained admin access to the Thycotic PAM system. Mackenzie Jackson – Security Advocate at GitGuardian Thycotic – Severity = Critical “We very often find credentials and secrets for specific systems that have leaked, but finding admin credentials to an access management system is like finding a master key to every room and alarm system, in every building, in every country that an organization owns.” Let’s go through the ones we know of based on preliminary information and evidence to understand the severity of this incident. With that in mind, the attacker may have gained access to nearly all the internal systems of Uber. Privileged access management (PAM) is the combination of tools and technology used to secure, control, and monitor employee access to an organization's critical information and resources. Mackenzie Jackson – Security Advocate at GitGuardian How bad is it?Ĭritically, Uber’s Privileged Access Management (PAM) platform was compromised through the exposure of its admin credentials. It appears that all three incidents critically involve hardcoded credentials (secrets) inside code and scripts” “There have been three reported breaches involving Uber in 2014, 2016, and now 2022. Now we appear to have the final episode in the trilogy, and it appears to be the most serious situation yet. Two years later, a similar incident happened when attackers exploited poor password hygiene by some developers to gain access to private repositories which contained multiple access credentials. This isn't the first time we've seen an Uber data breach: in 2014 hackers gained access to an AWS S3 bucket after developers leaked secrets to a public git repository. This has appeared to give the attacker complete access to all of Uber's internal systems. The PAM system controls access to multiple systems, and having admin access means you can give yourself or extract secrets to all connected systems. This tool carries huge amounts of privilege, making it a single point of failure it stores both end-user credentials for employee access to internal services and third-party apps as well as DevOps secrets used in the context of software development. These credentials gave admin access to a Privileged Access Management (PAM) system: Thycotic. The critical vulnerability that granted the attacker such high levels of access was hardcoded credentials in a PowerShell script. Screenshot from a private message with the hacker on Telegram Using admin access, the attacker was able to log in and take over multiple services and internal tools used at Uber: AWS, GCP, Google Drive, Slack workspace, SentinelOne, HackerOne admin console, Uber’s internal employee dashboards, and a few code repositories.Once on the network, the attacker found some PowerShell scripts, one of which contained hardcoded credentials for a domain admin account for Thycotic, Uber’s Privileged Access Management (PAM) solution.The attack started with a social engineering campaign on Uber employees, which yielded access to a VPN, in turn granting access to Uber's internal network *.Here’s what we know so far, pending investigation and confirmation from Uber’s security teams. According to their early investigations, it is likely that the attacker targeted an external contractor whose credentials were bought on the dark web. Update 9/20/22: Uber confirmed in a security update that the named attacker "Tea Pot" was affiliated with the Lapsus$ hacking group, famous for breaching NVIDIA, Samsung, and Microsoft earlier this year. Mackenzie Jackson – Security Advocate at GitGuardian The attackers seem to have moved laterally between systems for a complete organization takeover” “What makes this breach appear so significant is that this does not appear to be a breach of a single system. This is an evolving situation, but we will bring you here the latest information and commentary as we get it. On Thursday, September 15th, Uber confirmed reports of an organization-wide cybersecurity breach.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |