In September, ridesharing company Uber disclosed that hackers had stolen the personal information of about 57 million customers and drivers. The days following the attack were full of speculation around how the attacker – allegedly a 17 year old – was able to gain access to the systems.
1st. By obtaining access to login information for Uber’s VPN infrastructure, the attacker was able to enter its IT environment.
2nd. This contractor most certainly did not have elevated or unique access rights to critical resources, but he or she did have access to a network share, much like other Uber employees. Either this network share was accessible or the broad read ACL setting was set incorrectly. As a result, the hacker located a PowerShell script with hard-coded privileged credentials for Uber’s PAM solution within the network share.
3rd. The attacker was able to further elevate privileges by harvesting the hard-coded admin credentials for the privileged access management system.
4th. The attacker ultimately obtained “elevated permissions to a number of tools,” according to Uber’s most recent update. The potential for harm was high by accessing privileged access management solution secrets: According to reports, the hacker gained access to the SSO, consoles, and cloud management console, which Uber uses to store confidential customer and financial information.
5th. The attacker “downloaded some internal Slack communications, as well as accessing or downloaded information from an internal application our finance team uses to track some bills,” according to Uber, which is still looking into the matter.
Proactive security demands defence-in-depth, or a combination of complementary security layers that are in support of a zero-trust strategy. The absence of embedded credentials in the first place may be of importance in this situation.
In order to effectively manage these accounts, the Soffid product has the necessary logic to Identify accounts, classify them according to the level of risk and its scheme of use, distribution and assignment to responsible users, automatic and planned password change process, passwords delivery process to authorized users and automatic injection of passwords, when this injection applies and makes sense.