Unpack the Hack: Uber
Incursion: Access Breach
Date: September 2022
Company: Uber
Download: Report PDF
More than 80% of hacking involves brute force or the use of lost or stolen credentials.
In Australia, a new cybercrime is reported every 7 minutes.
Self-reported losses from cybercrime total more than $33 billion.
On 15 September 2022, Uber confirmed that an attacker gained access to multiple internal systems. The attacker was affiliated with the Brazilian hacking group Lapsus$, according to Uber. The same group successfully breached several other large companies.
Uber says it is likely that the hacker bought the contractor’s password on the dark web.
The hacker then repeatedly tried to log in to the contractor’s account and was able to socially engineer Uber’s MFA log-in protection. It is believed the contractor received so many MFA requests that they eventually approved one.
The attacker then accessed several other employee accounts, giving them elevated permissions in a number of tools, including G-Suite and Slack. They proceeded to announce their presence to Uber by sending a message to all employees over a company-wide Slack channel.
Once the initial incursion was complete, the attacker gained access to the company’s internal network and located a PowerShell script containing hard-coded domain administrator credentials to Thycotic, Uber’s Privileged Access Management (PAM) system.
Taking advantage of administrative access, the attacker was able to move laterally across systems and access a large volume of data. This included access to Uber’s bug reporting program, which gave the hacker insight into detected vulnerabilities that may not yet have been in the public domain or easily available to other threat actors.
Uber also said the attacker exfiltrated data from the company’s finance system and Slack messages. There is no admission, currently, that any customer or driver Personally Identifiable Information (PII) was exfiltrated.
Source: Uber Security Update: www.uber.com/en-AU/newsroom/security-update/
As it happened.
The chain of events leading to the Uber breach started with credential theft. This led to lateral movement resulting in data exfiltration.
The diagram below shows the key steps the attackers used to execute this breach.
If they had Daltrey, we’d have stopped the attacks at steps 1, 2 and 4. Protection at depth is critical.

The attackers likely purchased user credentials and then used MFA spamming to break through Uber’s first line of defense and access the company’s VPN.
Once inside, the attackers moved laterally through the network and found PowerShell scripts containing unencrypted user credentials. These were used to escalate user privileges through the company’s Privileged Access Management tool (PAM).
Armed with a user account with escalated privileges, the attackers were able to access multiple systems and find valuable data that they were able to exfiltrate.
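The MFA spamming in step 1 leaves a recognisable trace in authentication logs: a burst of denied or unanswered push prompts for one user, followed by an approval. The detector below is an added example, not code from Daltrey or Uber; the log format, the 10-minute window and the threshold of three rejected prompts are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real telemetry); one event per line.
SAMPLE_LOG = """\
2022-09-15T22:01:02Z user=contractor01 event=mfa_push result=denied
2022-09-15T22:01:40Z user=contractor01 event=mfa_push result=timeout
2022-09-15T22:02:15Z user=contractor01 event=mfa_push result=denied
2022-09-15T22:03:05Z user=contractor01 event=mfa_push result=timeout
2022-09-15T22:04:30Z user=contractor01 event=mfa_push result=approved
2022-09-15T22:05:00Z user=alice event=mfa_push result=approved
2022-09-15T23:10:00Z user=bob event=mfa_push result=denied
2022-09-15T23:40:00Z user=bob event=mfa_push result=approved
"""

def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (assumed format)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Flag an approval that follows >= threshold denied/timed-out pushes
    for the same user inside `window`: the push-bombing pattern."""
    rejected = defaultdict(list)  # user -> timestamps of unsuccessful pushes
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") != "mfa_push":
            continue
        user, ts = rec["user"], rec["ts"]
        # keep only prompts that are still inside the sliding window
        rejected[user] = [t for t in rejected[user] if ts - t <= window]
        if rec["result"] in ("denied", "timeout"):
            rejected[user].append(ts)
        elif rec["result"] == "approved" and len(rejected[user]) >= threshold:
            alerts.append({"user": user, "approved_at": ts,
                           "prior_rejections": len(rejected[user])})
            rejected[user].clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

Bob's single denial half an hour before his approval falls outside the window and is not flagged, which keeps ordinary mis-taps out of the alert queue.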
Lessons learned.
- Securing user identities is critical. Annual reports by the Ponemon Institute and Verizon highlight that credential theft remains the most effective tool in the hacker’s arsenal. Once a credential is compromised, a threat actor’s job becomes considerably easier.
- Administrative and other credentials should never be hard coded into scripts or other assets that can be accessed by anyone with network access.
- Privileged Access Management systems must be protected by strong authentication. Managing privileged access is critical – ensure all escalated and administrative accounts cannot be compromised by brute force attacks, phishing, social engineering, or single factor authentication.
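The second lesson, that credentials must never sit in scripts on a network share, can be enforced with a scan of script repositories and file shares before an attacker runs the same search. The scanner below is an added example, not a Daltrey or Uber tool; its regular expressions are assumed heuristics for plaintext secrets in PowerShell, and the sample script is constructed.

```python
import re

# Assumed heuristics: patterns that usually mean a plaintext secret in PowerShell.
RULES = [
    ("plaintext SecureString",
     re.compile(r"ConvertTo-SecureString\s+(['\"])[^'\"]+\1\s+-AsPlainText", re.I)),
    ("password-like variable assigned a literal",
     re.compile(r"\$\w*(pass|pwd|secret|token)\w*\s*=\s*(['\"])[^'\"]+\2", re.I)),
    ("credential passed on the command line",
     re.compile(r"-(?:Password|ApiKey|Secret)\s+(['\"])[^'\"]+\1", re.I)),
]

# Constructed sample script: the kind of file that should never reach a share.
SAMPLE_SCRIPT = """\
# maintenance job for the PAM appliance (constructed example)
$pamUser = "CORP\\svc_pam_admin"
$pamPass = "Winter2022!"
$secure = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri $pamUrl -Credential $cred
# safer alternatives the scanner should leave alone
$cred2 = Get-Credential
$token = $env:PAM_TOKEN
"""

def scan_script(text):
    """Return (line_number, rule_name) for every line that looks like a hard-coded secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):   # comments are not executable secrets
            continue
        for name, rx in RULES:
            if rx.search(line):
                findings.append((lineno, name))
    return findings

if __name__ == "__main__":
    for lineno, name in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {name}")
```

Lines that pull the secret from a prompt or an environment variable are left alone, so the scanner reports only the two places where the password is embedded.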
Solutions.
Daltrey is a biometric cyber-defence company. We help our customers remove weak credentials such as passwords from authentication workflows, eliminating the biggest vulnerability in data security. To defend your data, your teams, and your customers, implementing an ‘Impersonation Resistant Authentication’ such as a biometric credential is now an imperative. Here’s how:
A. T1589.001: Credentials – Possibly acquired credentials in dark forums.
Biometric authentication ensures weak credentials don’t even make it to the dark web.
User onboarding: When bringing new team members into the business, verify who they are and connect their verified identity to biometric credentials. Only allow those credentials to be used in approved authentication workflows, on approved devices.
B. T1621: MFA Authentication Request – 2FA/MFA Spamming.
MFA spamming isn’t possible as users must be actively engaged during authentication workflows.
Authentication: Make sure your solution balances security with user experience. Introducing user friction can lead to frustration, making them vulnerable to exploitation by social engineering or security process fatigue. To ensure the user is who they say they are, implement presentation attack detection and proximity checks to make sure the user is live and present when, and where, the authentication request is made.
C. T1552.001: Credentials in Files.
If an adversary has found their way to the Privileged Access Management (PAM) system, access would be denied because the biometric credential would have been required to authenticate.
Deploy identity at depth: Make sure the same verified biometric credential is available across all authentication scenarios. This will protect against malicious actors as they move laterally across your network regardless of how they got there in the first place.
1. More than 80 percent of hacking involves brute force or the use of lost or stolen credentials (Source: Verizon Data Breach Investigations Report 2022, https://www.verizon.com/business/resources/reports/dbir/)
2. In Australia, a new cybercrime is reported every seven minutes (Source: ACSC Annual Cyber Threat Report, July 2021 to June 2022, https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2021-june-2022)
3. Self-reported losses from cybercrime total more than $33 billion (Source: ACSC Annual Cyber Threat Report, July 2020 to June 2021, https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/acsc-annual-cyber-threat-report-july-2020-june-2021)