Major breach, harsh lessons

What harsh lessons can be learned from the major breach suffered by Uber - and how might such attacks be stopped?

Following the Uber security breach, disclosed in September 2022, the cybersecurity sector is still buzzing. "While it is inevitable questions will be raised, it's important to reiterate this breach could not have been avoided by a single technology solution," points out Rich Turner, SVP EMEA at CyberArk. "Nor is it one in which a single person, company or provider was to blame. Saying that, there is a lot which can be learned from the breach, with it having a number of interesting elements for cybersecurity professionals to delve into."

Turner lays out in detail what is known about the attack in five stages:

Step 1: The attacker entered Uber's IT environment by gaining access to the credentials for its VPN infrastructure.

Step 2: The contractor whose account was compromised likely did not have privileged access to key resources or any other special access permissions, but they did have access to a network share, just like other Uber employees. "Either this network share was reachable or the Access Control List was configured incorrectly to allow for broad read access," says Turner. "After, the hacker discovered a PowerShell script in the network share, which included privileged credentials for Uber's Privileged Access Management (PAM) solution hardcoded into it."

Step 3: Using the administrator credentials for the privileged access management solution that were hard-coded into the script, the attacker was able to escalate their privileges further.

Step 4: According to an Uber update, the attacker eventually acquired 'elevated permissions to a number of tools'. Adds Turner: "Accessing the secrets of a privileged access management solution carried a high risk of harm. The SSO, consoles and cloud management console, which Uber uses to store private consumer and financial information, were reportedly all compromised by the hacker."

Step 5: Uber said the attacker 'downloaded some internal Slack messages, as well as accessed or downloaded information from an internal application our finance team uses to track some bills' - a matter the business said it was still looking into.

PROTECTING EMBEDDED CREDENTIALS
So how can a similar attack be stopped? Turner offers his recommendations for protecting embedded credentials. "Getting rid of any embedded credentials would be the first step towards preventing a similar attack. In addition to discontinuing this practice, we advise conducting an environment inventory to find and remove any hard-coded credentials that might be present in code, PaaS configurations, DevOps tools and internally developed applications."

However, this is simpler to say than to do, he concedes. "In order to gradually reduce risk, focus first on your organisation's most important and potent credentials and secrets before spreading these best practices."
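One way to start the inventory Turner describes, as an added example that is not from the article or from CyberArk: a small Python scanner that flags credential literals in PowerShell scripts and key=value configs, masks what it finds, and lists the hits that name high-value accounts (PAM, SSO, admin, service) first so they are fixed first. The regexes, the high-value terms and the sample script are all constructed assumptions, not anything taken from the Uber incident.

```python
import re
from dataclasses import dataclass

# Regexes for credentials embedded as literals in PowerShell scripts and key=value
# configs; each has a 'secret' group. Assumption: a starting set, not an exhaustive one.
PATTERNS = [
    ("ps-variable", re.compile(
        r'\$\w*(?:pass|pwd|secret|token|key)\w*\s*=\s*["\'](?P<secret>[^"\']{6,})["\']', re.I)),
    ("ps-securestring", re.compile(
        r'ConvertTo-SecureString\s+["\'](?P<secret>[^"\']+)["\']\s+-AsPlainText', re.I)),
    ("ps-argument", re.compile(
        r'-(?:Password|ApiKey|Token|Secret)\s+["\']?(?P<secret>[^\s"\']{6,})', re.I)),
    ("key-value", re.compile(
        r'\w*(?:password|passwd|api[_-]?key|client[_-]?secret|token)\s*[:=]\s*["\']?(?P<secret>[^\s"\']{6,})', re.I)),
]
# Lines naming these are likely the most potent credentials (PAM, SSO, admin
# and service accounts) and are listed first so they get remediated first.
HIGH_VALUE_TERMS = ("admin", "pam", "vault", "root", "svc", "sso")

@dataclass
class Finding:
    path: str
    line_no: int
    label: str
    masked: str    # the secret is never written out in full by the scanner
    priority: str  # "high" or "normal"

def mask(secret: str) -> str:
    return secret[:2] + "*" * (len(secret) - 2)

def scan_text(text: str, path: str) -> list[Finding]:
    """Return hard-coded credential findings for one file, high priority first."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, rx in PATTERNS:
            m = rx.search(line)
            if m:
                lowered = line.lower()
                priority = "high" if any(t in lowered for t in HIGH_VALUE_TERMS) else "normal"
                findings.append(Finding(path, line_no, label, mask(m["secret"]), priority))
                break  # one finding per line is enough for an inventory
    return sorted(findings, key=lambda f: f.priority != "high")  # stable: keeps line order

# Constructed sample deployment script; every value in it is fake.
SAMPLE_SCRIPT = r'''# deploy.ps1 (constructed sample)
$PamAdminPassword = "Winter2022!Admin"
$cred = New-Object PSCredential("svc_deploy", (ConvertTo-SecureString "Deploy#123456" -AsPlainText -Force))
$SlackToken = "xoxb-constructed-token"
Invoke-RestMethod -Uri $api -Headers @{ Authorization = "Bearer $env:API_TOKEN" }  # env var reference: not flagged
'''
```

Run `scan_text(SAMPLE_SCRIPT, "deploy.ps1")` to see the two high-priority hits listed ahead of the Slack token; a line that reads the secret from an environment variable produces no finding. Pointing `scan_text` at each file in a repository, share or pipeline definition gives the inventory to work through.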

While reiterating that neither the tools nor the personnel in place at Uber are to blame for this breach, he also states that there is no magic bullet for stopping cyberattacks. "No longer is it thought an attack can be completely prevented. However, we have some control over how far they go. Strong, layered cyber security defences may reduce attacks like the Uber breach. This should be strengthened by regular employee training to help them identify possible sources of danger.

"These features make it more challenging for attackers to get a foothold, manoeuvre, find and accomplish their goals," adds Turner. "They also enable us to minimise the effectiveness and impact of attacks, and to resume regular activities as soon as feasible. This is the important knowledge we should absorb and use in our own organisations."