Recently-Revealed Uber Attack Shows that Multi-Cloud Cyberthreats Are Already Coming for You
Only yesterday, Bloomberg reported that Uber lost the personal data of 57 million users in a data breach in October of 2016 (that’s right, twenty sixteen). The names, email addresses, and phone numbers of 50 million customers were exposed, along with the personal information of about 7 million drivers, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken as a result of these multi-cloud cyberthreats, Uber said.
Now, there are two main threads to this story. The first is how Uber responded to the attack as an organization, and the second is the threat it faced at a technical level. At an organizational level, this story is a scandal. Uber reacted completely inappropriately to the breach: it paid the ransom, trusted the hackers when they said they deleted the sensitive data, concealed the breach, and may have hidden the facts from key internal players as well as outside regulators and law enforcement. That’s all shocking. The irresponsible security managers at Uber have lost their jobs, but only after thirteen months and a change of leadership. Of course, Uber promises it’ll do better, but this is another huge blow to the already-embattled company’s credibility.
But for other companies, the cybersecurity angle of this news may be even more important going forward. There was a novel method of attack used in the Uber breach. Bloomberg reports that:
Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
That makes this breach the first high-profile example of a type of attack that cybersecurity experts have been sounding the alarm about for the past several years: a multi-platform cloud cyberattack.
How did the Uber breach happen?
“Attackers broke into GitHub used by Uber software engineers, gained unauthorized access to Amazon Web Service (AWS) instances and stole Uber customer data.”
Uber, like many organizations, relies on a wide range of cloud services. The two key services in question were GitHub and Amazon Web Services (AWS). GitHub is a Software-as-a-Service company while Amazon Web Services is an Infrastructure-as-a-Service provider. Cyber criminals used user credentials in GitHub (which stored business-critical code), and then gained unauthorized access to the AWS instance that was hosting Uber customer data. Whatever security systems Uber had set up for AWS couldn’t stop the attackers—after all, they had legitimate credentials they’d stolen from GitHub! And only in the second location, on AWS, did they find data that they could use. Once they had that data in hand, they blackmailed the company.
We’ve known about the possibility of this mode of attack for a while. Take Mat Honan’s heartbreaking story from 2012: attackers who wanted to take over his twitter handle (the coveted three-letter @mat) jumped from his Amazon account to his iCloud, leveraging the information from previous services in order to compromise the next one, and eventually locking Honan out of his entire digital life (and deleting his baby photos of his children in the process).
And we know the cyberthreat lifecycle by now. First, cybersecurity analysts explore the theoretical possibility of an attack model. Next, hobbyists and trolls develop this attack strategy for use against selected individuals. Then, cybercriminals adopt it for use in bespoke attacks against large, targeted enterprises. And finally, black-hat hackers commoditize the process, and release tools that allow even non-technical bad actors to repeatably and scaleably attack a wide range of ordinary businesses and members of the general public. (Not every cyberthreat passes through each of these stages, but they do occur in a fairly consistent order.)
So: Uber’s attack is a rude awakening for Uber. But it’s well known that cyber criminals are looking for the weakest link in any cloud platform—attacking multiple systems and picking up data and credentials as they go, until they reach monetizable private information. That attack could hit any organization.
What can you do to protect your business?
Businesses need to ensure their defenses are sufficient to detect, respond, and remediate this type of cyberattack. Part of the defense against these new multi-platform cloud attacks is to gain 360 degree visibility into who is accessing sensitive data wherever it resides, both on-premises and in cloud infrastructures. In addition, it is necessary to architect compartmentalized systems, so that breaches are contained within the system they originally impact.
It is difficult to provide unified access control over application environments that span across on-premises and multi-cloud infrastructures. The best practice is to implement monitoring solutions using a SIEM (Security Information and Event Management) platform that has visibility across multiple cloud infrastructures, and then hire cybersecurity experts to manage the SIEM as part of a SOC (Security Operations Center). This setup enables teams to correlate activity across different cloud applications, identify overall attack kill-chain, and lock hackers out before they steal valuable company data.
No doubt building or refining such a SOC in-house will be a high priority for Uber’s new CISO (the old one was just fired). But that’s easy for Uber—they’ve got billions of dollars to develop this sort of security capability in-house.
For mid-size businesses that want enterprise-grade security without tech unicorn budgets, there’s SOC-as-a-Service from Arctic Wolf Network(AWN) that provides managed detection and response at a price-point that works for ordinary businesses and not just tech behemoths. With dedicated security experts, cutting-edge technology, 24×7 monitoring, and visibility into cloud deployments, the AWN CyberSOC™ enables businesses to detect and respond rapidly to attacks like the one that hit Uber.
Given how many more of them are coming, that’s a very good thing.