Uber attack methodology: simplified with infographic



1. The hacker socially engineered an Uber employee and obtained that employee's credentials.

2. They then used the stolen credentials to log in to Uber's VPN and reach Uber's internal network.

3. While scanning the internal network, the hacker found a network share that contained PowerShell scripts.

4. One of those scripts contained the username and password of an administrative user of a Privileged Access Management (PAM) tool. A PAM tool stores secrets (credentials, keys, etc.); at Uber this one held secrets for many internal systems and applications, so a single plaintext admin password sitting in a script on a share unlocked all of them.

5. The hacker used the secrets stored in the PAM tool to access Uber's systems and applications.

With control of this account, the attacker claimed, they were able to obtain access tokens for Uber's cloud infrastructure, including Amazon Web Services, Google's GSuite, VMware's vSphere dashboard, the authentication manager Duo, and the critical identity and access management service OneLogin.

6. The hacker then taunted Uber by posting in the company's Slack instance, announcing the breach.



More Details



Let's discuss the problems responsible for the compromise of Uber's intranet infrastructure and the solutions for them.

Let's first recall how Uber was hacked ☣️:

1. The hacker performed social engineering on an employee.

2. The hacker did OSINT on the Uber employee and discovered his WhatsApp number.

3. Later, the hacker posed as someone from Uber's IT department, asking employees to log in on a fake Uber site that relayed the original Uber site's login (possibly with evilginx).

4. The hacker successfully compromised the credentials of Uber employees even though Uber was using MFA.

5. After gaining access to the credentials, the hacker gained access to the intranet network (*.corp.uber.com) by logging in to the VPN.

6. Upon scanning the network (probably with Nmap), the hacker found an accessible share that contained some PowerShell scripts.

7. One of the scripts in the share contained credentials for Thycotic (PAM), which gave access to AWS, Gdrive, HackerOne, EDR, etc.


Image credit: hacker Associates.


Disclaimer: This post has been shared only for technology education and knowledge-sharing purposes. The image and information have been taken from the above-mentioned source and are credited to the author. There is no endorsement of any product or service.
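Steps 3 and 4 of the summary at the top and steps 6 and 7 of the quoted write-up turn on the same weak point: a PowerShell script on a reachable share with a PAM admin password written into it in plaintext. The following is an added example, not Uber's tooling and not code from the quoted author, of the check a defender can run over such a share before an intruder does. It walks a mounted share for PowerShell files and flags literal secrets in the three forms that most often appear in admin scripts (a `$Password = "..."` assignment, `ConvertTo-SecureString "..." -AsPlainText`, and `Password=` inside a connection string). The sample scripts, file names, hostnames and the secrets themselves are constructed for illustration, and the rules are a starting point, not an exhaustive grammar.

```python
"""Find hard-coded credentials in PowerShell scripts on a share.

Added example for this post: it is not Uber's tooling and not code from
the quoted write-up.  Sample scripts, file names, hostnames and secrets
are constructed; the rules are a starting point, not a full grammar.
"""
import re
from dataclasses import dataclass
from pathlib import Path

# Each rule is (name, regex).  The named group "secret" captures the literal
# so the report can show a redacted preview rather than the full value.
RULES = [
    # $Password = "..."   $apiToken = '...'   $ClientSecret = "..."
    ("assignment", re.compile(
        r"""\$\w*(?:pass(?:word|wd)?|pwd|secret|token|api_?key)\w*\s*=\s*"""
        r"""(?P<q>["'])(?P<secret>[^"']+)(?P=q)""", re.IGNORECASE)),
    # ConvertTo-SecureString "..." -AsPlainText -Force, flags in any order
    ("securestring", re.compile(
        r"""ConvertTo-SecureString\s+(?:-\w+\s+)*(?P<q>["'])(?P<secret>[^"']+)(?P=q)""",
        re.IGNORECASE)),
    # Password=... or Pwd=... inside a connection string
    ("connection_string", re.compile(
        r"""\b(?:password|pwd)\s*=\s*(?P<secret>[^;"'\s]+)""", re.IGNORECASE)),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    preview: str  # redacted, so the report itself does not re-leak the value


def redact(secret: str) -> str:
    """Keep two characters: enough to recognise the value, not to reuse it."""
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that carries a literal secret.

    The first matching rule wins, so one literal is not reported twice
    (e.g. as both an assignment and a Password= token on the same line).
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            match = rx.search(line)
            if match is None:
                continue
            # Without -AsPlainText, ConvertTo-SecureString takes a DPAPI
            # encrypted string usable only by the account and machine that
            # produced it, so that literal is not a reusable secret.
            if name == "securestring" and "-asplaintext" not in line.lower():
                continue
            findings.append(Finding(path, line_no, name, redact(match.group("secret"))))
            break
    return findings


def scan_scripts(scripts: dict[str, str]) -> list[Finding]:
    """Scan an in-memory {path: contents} mapping (used for the samples)."""
    findings: list[Finding] = []
    for path, text in scripts.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_share(root: Path) -> list[Finding]:
    """Walk a mounted share for PowerShell scripts and modules."""
    findings: list[Finding] = []
    for pattern in ("*.ps1", "*.psm1"):
        for p in sorted(root.rglob(pattern)):
            findings.extend(scan_text(str(p), p.read_text(encoding="utf-8", errors="replace")))
    return findings


# Constructed sample "share": two leaky scripts and one that does it right.
SAMPLE_SCRIPTS = {
    "backup-db.ps1": """# nightly backup job (constructed sample)
$ServerUser = "svc_backup"
$ServerPassword = "Sup3rS3cret!"
Backup-SqlDatabase -ServerInstance sql01 -Database hr -Credential (
    New-Object PSCredential($ServerUser, (ConvertTo-SecureString $ServerPassword -AsPlainText -Force)))
Invoke-Sqlcmd -ConnectionString "Server=sql01;Database=hr;User Id=app;Password=hunter2"
""",
    "rotate-pam.ps1": """# talks to the PAM vault (constructed sample, not Uber's script)
$vaultAdmin = "pam-admin"
$secure = ConvertTo-SecureString "Vault-Admin-Passw0rd" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($vaultAdmin, $secure)
Invoke-RestMethod -Uri https://pam.corp.example/api/secrets -Credential $cred
""",
    "clean.ps1": """# prompts for the credential and reads the token from the environment
$cred = Get-Credential -Message "PAM admin"
$token = $env:DEPLOY_TOKEN
Invoke-RestMethod -Uri https://pam.corp.example/api/secrets -Credential $cred -Headers @{ Authorization = "Bearer $token" }
""",
}

if __name__ == "__main__":
    for f in scan_scripts(SAMPLE_SCRIPTS):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.preview}")
```

Against a real share, mount it and call `scan_share(Path(r"\\fileserver\scripts"))`; the samples go through `scan_scripts` so the block runs offline. Two design points matter in practice. First, the `-AsPlainText` check: `ConvertTo-SecureString` applied to a literal without that flag is decrypting a DPAPI-protected string that only works on the machine and account that produced it, so it is a much smaller exposure and would otherwise flood the report. Second, a hit is a rotation event, not a cleanup task: by the time the scanner finds the password the share may already have been read, which is exactly what happened in the chain described above.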


Thank you!



Contact link:

https://twitter.com/ManieshNeupane



