Uber attack methodology: simplified with infographic ;

 Uber attack methodology: simplified with infographic  ;


1. The hacker socially engineered an Uber employee to steal their credentials.


2. They then accessed Uber's VPN with the stolen credentials to connect to Uber's internal network.


3. While scanning Uber's internal network, the hacker discovered a shared network folder that contained PowerShell scripts.


4. The hacker identified a PowerShell script that included the username and password for an administrative user of a Privileged Access Management (PAM) tool, which stores secrets (e.g. credentials, keys, etc.). For Uber, this contained secrets for many internal systems and applications.


5. The hacker used secrets stored in PAM tools to access Uber's systems and applications.


With control of this account, the attacker claimed, they were able to gain access tokens for Uber's cloud infrastructure, including Amazon Web Services, Google's GSuite, VMware's vSphere dashboard, the authentication manager Duo, and the critical identity and access management service OneLogin.


6. The hacker then taunted Uber by posted in their company slack instance, notifying them of the hack.



More Details ;



'Let's discuss the problems responsible for compromise of Uber Intranet Infrastructure and solutions for it.


Let's recall first how Uber was Hacked ☣️:


1. Hacker performed social engineering on Employee.


2. Hacker did OSINT on Uber Employee and discovered his Whatsapp Number.


3. Later, Hacker possessed himself from Uber IT Department asking employees to log in on a Fake Uber Site by relaying the original Uber Site login (possibly with evilginx).


4. Hacker successfully compromised the credentials of Uber employees even though Uber was using MFA. 


5. After gaining access to credentials, Hacker gained access to Intranet Network (*.corp.uber.com) by logging VPN.


6. Upon scanning the network (Probably used NMAP), Hacker found a share accessible that contained some PowerShell scripts.


7. One of the scripts in the share contained credentials of Thycotic (PAM) which gave access to AWS, Gdrive, HackerOne, EDR, etc.


Image credit : hacker Associates.


Disclaimer: (This post has been shared only for technology education & knowledge sharing purpose. Image & Info has been taken from above mentioned source and credited to the author. There is no endorsement of any products or service.)


             Thank you !



Contact link !

https://twitter.com/ManieshNeupane




Comments

Post a Comment

Popular posts from this blog

Two Factor Authentication ! [2FA]

Image
 Two Factor Authentication ! What is 2FA 🤔 ? Let's get started , 2FA stands for 2-factor authentication. It is used as an additional layer of security for user accounts. This simply means there will be two factors for you to authenticate into your account. One is simply your credentials, and if due to some case they are compromised the additional layer(second authentication) can protect your account from getting takeover. This can be of many forms like ;    1:) Sending verification code to email. 2:) Sending OTP to email or mobile number. 3:) Third-party app-generated codes. 4:) Verification through QR codes. 5:)     SMS verification. This provides an extra layer of security for user accounts. Even if your credentials got exposed, your account can still be safe if you have your 2FA turned on. But what if this 2FA is also vulnerable. Then your account is not safe even if you have your 2FA turned on. So this vulnerability is a serious one and can be used to take over other accounts
Read more