What Can We Learn from the Latest Uber Breach?

While details of Uber’s recent breach continue to unfold, it seems like the general narrative of this attack is already becoming clear. Companies typically tend to hide details about how they have been breached, and Uber is no different. Interestingly enough, however,  the hacker who carried out the attack provided detailed information on the turn of events, as published by SC Media.

Every cyber attack has a story to tell including this latest one to victimize Uber. Let’s look at what happened, the sequence of events (the kill chain) leading to the attack’s dire outcome, and most importantly, what we can learn from it to better protect our corporate networks.

The road leading to the breach

It all started, as many breaches do, with a phishing attack aimed at gaining Uber employee credentials. Once the hacker obtained the credentials, he used them to access the corporate VPN and gain access to Uber’s internal network. Roaming freely within the network, the hacker was able to locate script files containing admin-level credentials, which were then used to access numerous Uber systems containing sensitive information. 

What went wrong and what can we learn from it?

Let’s look at the flow of events to see how this attack could have been prevented:

1. Phishing attack – This is one of the leading social engineering attacks. Phishing exploits users’ carelessness to get them to provide sensitive information such as corporate credentials, or to download malware to their endpoint devices.
   
   How can phishing attacks be avoided? Companies should be aware that the “human factor” is one of the largest contributors to cyber attacks and network breaches.
   
   Security training –  Help employees identify suspicious emails and avoid falling victim to their schemes. 
   
   Secure Web Gateway (SWG) – A SWG processes all user Internet requests and can identify phishing sites and block corporate user attempts to reach them. 
   
2. Corporate network infiltration– Enabling inadequately secure and unrestricted access to corporate networks makes hackers’ lives easy and potential damage much more devastating.
   
   How can VPN access be more secure? Obtaining user credentials shouldn’t be enough to gain access to corporate networks, and even when they are, they shouldn’t enable unrestricted lateral movement within the network. This can be avoided by:
   
   Multi-factor authentication (MFA) – By implementing an MFA solution, users must provide additional proof of who they are (i.e. token, code, fingerprint, etc.). Even if hackers can compromise a user’s credentials, they will likely not be able to supply the additional required proof–though MFA is vulnerable to social engineering if precautions aren’t taken.
   
   Zero Trust Network Access (ZTNA) – A secure access mechanism such as ZTNA limits any specific users’ access to network resources. By implementing a least privilege approach, ZTNA limits access only to those systems explicitly allowed to said user. This greatly limits the capacity of lateral movement and the ability to compromise sensitive resources outside the scope of the user’s granted access.
   
   Device Posture Checks (DPC) – Adding a mechanism that continuously monitors all corporate endpoints to make sure they are meeting the defined requirements and comply with geo and time-based restrictions goes a long way in preventing non-corporate devices from accessing and breaching the corporate network. It also can be used to enforce access only from pre-approved managed devices of the organization.
   
3. Admin credential exploitation – In the event additional credentials are obtained, especially ones of higher privilege, additional access restrictions should be put in place. The best practice to help prevent this is, once again, the implementation of a Multi-factor Authentication (MFA) mechanism. The greater the privileges a user has, the stricter this restriction should be, possibly requiring additional verification forms beyond those required from other users. 

Key takeaways 

Corporate users and networks are at constant risk of being targeted by malicious actors. As hacking techniques are become more sophisticated and breaches become more devastating, companies should always look for ways to improve their security posture. A good start is to better-educate employees about the cybersecurity risks lurking around them, by seeking to adopt improved security best practices, and by implementing advanced security tools to help prevent, detect and mitigate cybersecurity risks.

Book a demo with Perimeter 81 today to ZTNA in action.