Uber September 2022: MFA Fatigue, a PowerShell File, and a Teenager
Threat Intelligence
The Uber breach happened because an MFA prompt was approved at the wrong time and because admin credentials sat in a shared PowerShell script. The end state was simultaneous access to Slack, the internal HackerOne program, and AWS. A walkthrough of the chain.
By Arjun Raghavan, Security & Systems Lead, BIPI · April 9, 2024 · 8 min read
On September 15, 2022 someone posted a message in the Uber engineering Slack: 'I announce I am a hacker and Uber has suffered a data breach.' That message was real. The actor was an 18-year-old affiliated with Lapsus$, and the chain that put him in that Slack workspace is, eighteen months on, still one of the most common paths into mid-sized enterprises.
Timeline
- Early September 2022: the actor obtains a valid password for an Uber contractor account, most likely bought on a dark-web marketplace after infostealer malware on the contractor's personal device captured it.
- September 15, evening Pacific: the actor attempts logins. The contractor's Duo Push prompts begin firing. After more than an hour of prompts, and reportedly a message from the actor posing as Uber IT telling the contractor to accept, the contractor approves one push.
- Within minutes: the actor enumerates an internal network share and finds a PowerShell script containing hardcoded credentials for an admin account in Thycotic, Uber's privileged access management (PAM) tool.
- Same evening: with PAM admin, the actor pulls secrets for AWS, GCP, the SSO admin console, the Slack workspace, the internal HackerOne instance, and the financial system.
- Late evening: the actor posts in Slack and on HackerOne. Uber engineers initially think it is a prank.
- September 15 into 16: Uber publicly acknowledges a cybersecurity incident, with a fuller update on September 19. Because the internal HackerOne program was accessed, several unfixed bug bounty reports were exposed to the attacker.
Root cause
Two root causes, one chain. First, push-notification MFA without number matching is a denial-of-service attack on the user's attention: prompt often enough and eventually a tired person taps approve. Second, a privileged account credential lived in a script on a network share. The PAM tool was supposed to be the vault. Instead the script was the vault.
If your PAM admin password is in a PowerShell file, you do not have a PAM tool. You have a database with an extra step.
Attacker actions
Once inside the PAM tool the actor moved fast. The screenshots the actor shared showed a methodical enumeration: vSphere, the AWS console, the GCP console, the Google Workspace admin console, the SentinelOne console (read-only), and the financial system. The actor did not deploy ransomware. The objective looked closer to bragging rights and bug bounty report exfiltration than to monetization, which is consistent with the Lapsus$ profile of the period.
Detection signals
- Repeated Duo Push events for a single user over a short window, ending in an approval far outside the user's normal hours. A run of unanswered or denied pushes followed by a single approval is the highest-fidelity MFA fatigue signal; an approval after hours raises it further.
- A first-time login from a new ASN followed, in the same session, by access to the PAM tool, the AWS console, and the SSO admin console.
- Programmatic credential checkouts from the PAM tool at a higher rate than baseline for the account class.
- New API tokens or session creations in HackerOne, Slack, and AWS within the same fifteen-minute window.
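The first signal above can be written as a per-user windowing rule. What follows is an added example, not Uber's code or any MFA vendor's detection logic: it runs that rule over a handful of constructed authentication events. The field names (ts, user, factor, result, src_ip) are assumptions standing in for a real provider's log schema, and the fixed Pacific offset is an assumption about where the user base works.

```python
"""MFA push-fatigue detector over authentication-log events.

Added example, not Uber's or any MFA vendor's code. The event dicts below are
a constructed stand-in for a push-MFA provider's authentication log; the field
names (ts, user, factor, result, src_ip) are assumptions, not a real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: the user base works US Pacific hours; PDT is UTC-7 in September.
PACIFIC_SEP_2022 = timezone(timedelta(hours=-7))


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2022-09-16T05:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


# Constructed sample: one ordinary daytime approval, and one account that gets
# ten unanswered pushes in 40 minutes and then approves at 22:40 local time.
SAMPLE_EVENTS = [
    {"ts": "2022-09-15T17:02:11Z", "user": "j.ortiz", "factor": "push",
     "result": "approved", "src_ip": "203.0.113.7"},
] + [
    {"ts": f"2022-09-16T05:{m:02d}:00Z", "user": "contractor01", "factor": "push",
     "result": "no_response", "src_ip": "198.51.100.23"}
    for m in range(0, 40, 4)
] + [
    {"ts": "2022-09-16T05:40:30Z", "user": "contractor01", "factor": "push",
     "result": "approved", "src_ip": "198.51.100.23"},
]


def detect_mfa_fatigue(events, window=timedelta(minutes=60), min_pushes=5,
                       work_hours=(8, 19), local_tz=PACIFIC_SEP_2022):
    """Flag every push approval preceded by at least `min_pushes` unanswered or
    denied pushes for the same user inside `window`. Each finding records how
    many pushes it took, over how many minutes, and whether the approval fell
    outside `work_hours` in `local_tz` (the highest-fidelity variant)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("factor") == "push":
            by_user[e["user"]].append((parse_ts(e["ts"]), e["result"]))

    findings = []
    for user, seq in by_user.items():
        for i, (approved_at, result) in enumerate(seq):
            if result != "approved":
                continue
            # Earlier pushes for this user that were not approved and lie
            # within the window before this approval (denied, timed out, fraud).
            prior = [t for t, r in seq[:i]
                     if r != "approved" and approved_at - t <= window]
            if len(prior) < min_pushes:
                continue
            local = approved_at.astimezone(local_tz)
            findings.append({
                "user": user,
                "pushes_before_approval": len(prior),
                "span_minutes": int((approved_at - prior[0]).total_seconds() // 60),
                "approved_at_local": local.strftime("%Y-%m-%d %H:%M"),
                "after_hours": not (work_hours[0] <= local.hour < work_hours[1]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(SAMPLE_EVENTS):
        severity = "HIGH" if f["after_hours"] else "MEDIUM"
        print(f"[{severity}] {f['user']}: {f['pushes_before_approval']} pushes in "
              f"{f['span_minutes']} min, approved {f['approved_at_local']} local")
```

The other three signals are the same shape with a different predicate: group by user or session, then test the sequence of events inside a window. In production the work_hours range should come from each user's own login history rather than a fixed tuple, and the window and min_pushes thresholds are the tuning knobs to adjust against your false-positive rate.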
Lessons
- Turn on number matching for every push MFA. It costs almost nothing and breaks the blind-tap fatigue model. It does not stop an attacker who already has the user on a call posing as IT and can read the number to them, so move admins and anyone with PAM access to phishing-resistant factors such as FIDO2 security keys.
- Scan internal file shares and Git repositories for credentials. The PAM admin password in a PowerShell file is the most embarrassing finding in any report, and it is also one of the easiest to find with a scanner.
- Limit the blast radius of a single contractor credential. A contractor that can reach PAM admin from a single push approval is a privilege model bug.
- Tabletop the public-Slack scenario. If an attacker posts in your engineering channel claiming a breach, what happens in the first ten minutes?
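The credential-scanning lesson above, as an added example that is not Uber's code or any vendor's tool: a small scanner for the PowerShell idioms that most often carry a plaintext secret, run over a constructed sample script. The cmdlet names in the sample (Connect-PamServer, Get-Secret), the password, and the directory layout are made up for the demo.

```python
"""Scan a tree of PowerShell scripts for hard-coded credentials.

Added example, not Uber's code or any vendor's scanner. The regexes target
three PowerShell idioms that commonly carry a plaintext secret. The sample
script, its password and the cmdlet names in it are constructed for the demo.
"""
import os
import re
import tempfile

# Each rule captures the secret literal in group 1 so the report can redact it.
RULES = {
    # $pamPassword = "..." / $apiToken = '...'
    "password_variable_literal": re.compile(
        r'\$\w*(?:pass|pwd|secret|token|apikey)\w*\s*=\s*["\']([^"\']{4,})["\']', re.I),
    # ConvertTo-SecureString "..." -AsPlainText -Force
    "securestring_from_plaintext": re.compile(
        r'ConvertTo-SecureString\s+(?:-String\s+)?["\']([^"\']+)["\']\s+-AsPlainText', re.I),
    # Some-Cmdlet -Password "..." / -Secret '...'
    "password_parameter_literal": re.compile(
        r'-(?:Password|Secret|Token|ApiKey)\s+["\']([^"\']+)["\']', re.I),
}

# Constructed sample script; lines 3 and 4 are the findings.
SAMPLE_SCRIPT = """\
# constructed sample: a maintenance script with the PAM admin password baked in
$pamUser = "svc-pam-admin"
$pamPassword = "Winter2022!PAM"
$secure = ConvertTo-SecureString "Winter2022!PAM" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Connect-PamServer -Server pam.corp.example -Credential $cred
# acceptable: fetch the secret at run time instead of storing it in the script
$runtime = Get-Secret -Name "pam-admin"
"""


def redact(secret: str) -> str:
    """Keep two characters so an owner can recognise the value, mask the rest."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_text(text: str, path: str):
    """Return one finding per (line, rule) match; secrets are redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            if m:
                findings.append({"path": path, "line": lineno,
                                 "rule": rule, "secret": redact(m.group(1))})
    return findings


def scan_tree(root: str, exts=(".ps1", ".psm1", ".psd1")):
    """Walk a mounted share or checked-out repo and scan every PowerShell file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path))
    return findings


def demo():
    """Build a throwaway tree with the constructed script and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "ops", "backup"))
        with open(os.path.join(root, "ops", "backup", "rotate-pam.ps1"),
                  "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SCRIPT)
        with open(os.path.join(root, "README.txt"), "w", encoding="utf-8") as fh:
            fh.write('password = "not a PowerShell file, so not scanned"\n')
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}:{f['line']} {f['rule']} {f['secret']}")
```

Point scan_tree at a mounted share or a checked-out repository. For Git, run it over each revision rather than only the working tree, because a secret deleted from HEAD is still in the history. The report redacts what it finds so that the scan output does not become the next plaintext copy of the password.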
The Uber breach is regularly cited as sophisticated. It was not. The attacker was a teenager, the tooling was a stealer log and a network share, and the leverage was a tired contractor and a credential in plaintext. Detection caught it after the Slack post. The lesson is to push detection earlier in the chain, before someone has to read about it in the company Slack.
Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.