Uber Suffers Extensive Cyber Breach Due to Weak Cybersecurity

RevBits
8 min read, Oct 6, 2022


A security analyst, IT admin, and risk officer walk into a bar. The next day, they get together and talk about the night before. The security analyst says, “I was so drunk last night, I dropped and shattered my laptop that had the EDR analysis report.” The IT admin declares, “That’s nothing, I mistakenly sent my privileged credentials to a ransomware group.” The risk officer shares, “I went home, and my alarm went off.” The security analyst and IT admin respond with “What’s so bad about that?” He replies, “You guys don’t understand! The alarm was the company’s SOAR alerting me of a major breach!”

Cybersecurity is no laughing matter. Just ask Uber. On September 15th, Uber was informed by a hacker using the company’s Slack system that their corporate network had been breached. The breach evaded the company’s EDR security, took the credentials of an Uber employee, and managed to elude other security measures the company had in place.

The attacker had access to virtually all of Uber’s network-connected resources. Almost every digital asset was compromised, including multiple databases, their privileged access management (PAM), endpoint security (EDR), vCenter, Slack, as well as AWS and Google Cloud services.

The attacker used social engineering, claiming to be from the company’s corporate IT department. They persuaded an employee to provide their Slack credentials, which gave the 18-year-old hacker access into Uber’s network and systems. The hacker compromised the employee’s Slack account, and boldly proclaimed to company employees, “I announce I am a hacker and Uber has suffered a data breach.”

This is not Uber’s first breach. And as with many other organizations, such successful attacks will continue to multiply if organizations keep deploying weak cybersecurity products and tools.

Uber could have avoided the impact of this breach if they had deployed RevBits

Instead of multiple solutions from different vendors that introduce the security gaps that plague Uber, RevBits Cyber Intelligence Platform (CIP) is built with a modern architecture and native integration of Email Security, Zero Trust Networking (ZTN), Extended Detection and Response (XDR), Endpoint Security (EDR), and Deception Technology. Everything is managed and monitored natively through RevBits built-in orchestration and SIEM capabilities.

RevBits unified cybersecurity protects against all the vulnerabilities that enabled the Uber breach. For instance, the hacker was able to obtain the user’s VPN credentials to log in to the network. Once in, they scanned the network and gained lateral access to the company’s systems.

RevBits ZTN locks down controlled access to resources both on-premises and within cloud services. For additional security to monitor access, kill sessions, or record activity, pairing ZTN with RevBits PAM provides the ultimate access management and control. RevBits ZTN ensures the identity, integrity and authorization of all users and devices. Access is provided only after verification is completed, regardless of location or network connection. No access is allowed before establishing a ZTN-brokered session between a user, including non-managed IoT devices, and an enterprise resource. When access is granted, users receive only the least privilege needed to complete a task.

When RevBits ZTN is combined with RevBits PAM, access control is expanded by not allowing users, including employees and third-party service personnel, to directly access internal infrastructure. All users authenticate to the RevBits PAM jump server with a one-time authentication.

Additionally, the attacker was able to get access to a Thycotic service account, whose credentials were discovered inside a PowerShell script. Although no one should store plaintext credentials within a PowerShell script, or anywhere for that matter, the Thycotic server is a Windows service and requires full admin access to run. Also, the Thycotic agent needs to be installed on each machine and doesn’t use a jump server architecture.

This all could have been avoided using RevBits PAM

Uber was using the Thycotic PAM server for privileged identity management, which is a Windows desktop app that requires high-level privileged accounts and credentials to access Active Directory (AD). This PAM solution does not use jump servers. So, every time users access a resource, they connect directly to the resource, in this case AD, by providing their real credentials, rather than fake accounts and credentials provided by a jump server.

Uber created a PowerShell script with plain text credentials to automatically generate and install the Thycotic desktop app on all their users’ computers. Because of the PAM architecture that runs on Windows desktops, and the fact that Uber decided to implement a PowerShell script to ease the installation process, the combined technology and integration created the opportunity for the hacker to gain direct access to AD, and then to the rest of Uber’s IT resources.

RevBits PAM runs on Linux servers and doesn’t require a full admin account to be valid within Active Directory (AD). It also doesn’t have an agent installed on end user machines. RevBits PAM and jump server are lightweight, so they can even run inside small docker containers on-premises and in the cloud. The RevBits PAM jump server was developed in C++ and optimized to handle many types of connections (e.g., VNC, RDP, SSH, MSSQL, PostgreSQL, MySQL, Telnet, Oracle DB, Cassandra, and others) simultaneously — without requiring a desktop agent.

RevBits jump server architecture protects assets

RevBits jump server provides two principal security enhancements within RevBits PAM. First, the PAM user never has a live and active connection to any resource, like Uber had with their AD. This means they cannot leave “backdoor” access credentials on an on-boarded resource. Secondly, all session recording is conducted at the jump server, not on user devices. This not only eases installation and deployments, it protects organizations from malicious activity by not allowing hackers to tamper with logs and recordings, as session recordings and logs on a jump server are not accessible to the user.

The RevBits jump server isolates user sessions by passing a randomly generated credential that is valid for two minutes, for a one-time use. The jump server makes the connection, and then passes the real credentials directly to the real server or database. The user never sees the real credentials or real server IP addresses.
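The one-time, two-minute credential brokering described above, as an added Python illustration of the pattern. This is not RevBits code; the Target inventory, the in-memory ticket table, and the session log shape are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    """A real on-boarded resource; only the jump server ever holds these credentials."""
    host: str
    username: str
    password: str


@dataclass
class Ticket:
    user: str
    target: str
    expires_at: float


class JumpServer:
    TTL_SECONDS = 120  # a ticket is valid for two minutes and for a single use

    def __init__(self, targets, clock=time.time):
        self._targets = targets      # name -> Target (hypothetical inventory)
        self._tickets = {}           # random token -> Ticket
        self._clock = clock          # injectable so expiry can be tested offline
        self.session_log = []        # recorded on the jump server, never on the user device

    def issue(self, user, target_name):
        """Hand the user a random one-time token instead of the real credential."""
        if target_name not in self._targets:
            raise KeyError(f"unknown target {target_name}")
        token = secrets.token_urlsafe(32)
        self._tickets[token] = Ticket(user, target_name, self._clock() + self.TTL_SECONDS)
        return token

    def connect(self, token):
        """Redeem a token; the broker itself logs in upstream with the real credential."""
        ticket = self._tickets.pop(token, None)   # single use: removed on first redemption
        if ticket is None:
            self.session_log.append(("rejected", None, None, "unknown-or-reused-token"))
            return None
        if self._clock() > ticket.expires_at:
            self.session_log.append(("rejected", ticket.user, ticket.target, "expired"))
            return None
        real = self._targets[ticket.target]
        upstream = f"{real.username}@{real.host}"   # stands in for the real RDP/SSH/DB login
        self.session_log.append(("opened", ticket.user, ticket.target, upstream))
        # The user-facing session carries neither the real password nor the real host.
        return {"user": ticket.user, "target": ticket.target, "recorded": True}
```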

RevBits jump servers run on-premises, in the cloud, and within hybrid environments. It is integrated with Active Directory and LDAP, as well as clouds, including AWS, Azure, Google Cloud, and others using API keys. Admins can define filters for servers within specific zones, data centers, IP ranges and tags, and automatically pull the servers into RevBits PAM. RevBits jump servers can also be located within a VLAN for highly restricted access control. RevBits PAM can be network segmentation aware, and handle connections to segmented assets through appropriate jump servers automatically.

The hacker was able to access the admin user account for all cloud services, including Google Cloud, Azure, AWS, and even SalesForce and Zoom. This access could have been prevented by RevBits PAM, as admins could onboard these accounts to PAM, and require session recording and session monitoring for accessing these cloud admin pages.

The attacker managed to gain access into a Thycotic PAM service account and was able to access Uber’s entire network. The hacker also gained access into Uber’s endpoint detection and response (EDR), and was able to use it as a tool, with no detection from the EDR itself. The company had no honeypots or breadcrumbs dropped into the network to lure hackers away from legitimate targets. Honeypots gather intelligence about the identity, methods, and motivations of bad actors.

RevBits EPS — endpoint detection and response (EDR)

RevBits Endpoint Security (EPS) combines three different detection methods to provide superior protection. Signature-based analysis is combined with behavioral analysis and advanced machine learning to detect and block even the most sophisticated malware. The Uber hacker was able to dump all credentials and conduct credential harvesting without getting caught. RevBits EPS safeguards the Local Security Authority Subsystem Service (LSASS) and the Local Security Authority (LSA) cache, so that all credential harvesting methods will be detected, blocked, and reported. This could have alerted Uber network administrators very early on.

This three-phased analysis not only enhances the detection rate of malware but also greatly reduces the percentage of false positives. Registering too many false positives means perfectly normal processes are blocked without a valid reason, which is disruptive to day-to-day security operations. As proven by extensive testing against the latest threats at ICSA Labs, RevBits EPS has a nearly 100% detection rate with zero false positives.

Another critical aspect of endpoint protection is detecting and blocking exploits. RevBits EPS advanced exploit detection engine automatically detects, classifies, blocks, and reports exploit attempts. All common, as well as very advanced exploit techniques, are in scope. RevBits patented technology even provides protection against sophisticated Windows kernel rootkit attacks.

Where most EDR solutions only have a command line interface with limited interaction with remote workstations, RevBits provides full GUI-based access and control over a broad range of processes, threads, registry, filesystem and more. The optimized interface provides single click action for the most used activities and there is an option to fully automate the process of gathering data for forensic investigation and analysis.

RevBits deception technology

RevBits deception technology, or DT, generates deceptive decoys (honeypots) that mimic legitimate digital assets, like databases, file servers, networking devices and many others throughout the network. Honeypots trick cybercriminals into thinking they’ve discovered a way to escalate privileges and steal credentials.

Sound cybersecurity requires the right technology and proper execution

The Uber breach was a serious and costly event that showed their lax security environment and improper use of technology. The company has a history of misuse and abuse within their security organization. The former CISO received a fine of approximately $150 million and was found guilty of two felony counts for failure to disclose a 2016 breach to federal regulators.

As described above, the breach was due to a combination of social engineering, basic architectural failure of Thycotic’s PAM product, and unwise decisions made to simplify deployment. RevBits CIP would have identified and prevented this breach on several levels. With its unique combination of jump server architecture (PAM), controlled access (ZTN), and decoy databases (DT), CIP offers a broad set of detection and response, identity and access, and deception capabilities for on-premises, cloud, and hybrid environments.

Uber’s siloed security infrastructure added to their vulnerabilities, with gaps between products and no consistent way to integrate, correlate and easily analyze critical information. RevBits CIP has a broad range of integrated cybersecurity products that are best-in-class individually, and more importantly, provide superior protection, by seamlessly working together. With one glance at the RevBits integrated dashboard, or mobile app, a CISO can immediately see the status of all major components within their cyber defense.

Originally published at https://revbits.com

RevBits gives every enterprise the power to secure its systems against these threats with the RevBits comprehensive Cybersecurity Intelligence Platform.