Weekly Video: September 19, 2022

9–19–2022 (Monday)

Hello and welcome to another edition of Cyber Risk at Deal Speed, your weekly video rundown of cybersecurity news and strategy for investors, deal teams, and the management teams of portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Monday, September 19th, and this week we’re going to focus on the one big story from last week: the security incident at Uber.

Lots of lessons to learn, and we’re going to try to do it in 5 minutes or less.

  1. Uber’s Breach

  2. Follow-Up: International Hotel Group

  3. Fundraising is BACK

Uber’s Breach

Last Thursday - September 15th - a breach of Uber’s systems was announced by someone who claims to be a lone, teenage threat actor. They announced it both on Uber’s internal Slack channels, and to the New York Times.

There are a lot of lessons to learn from this breach, and the optics for Uber certainly aren’t great, but let’s start with a few of the things the attacker claims (it’s hard to call them facts, though Uber doesn’t appear to be refuting much):

  • The attack started with a “social engineering” attack to gain a user’s credentials

  • Uber had Multi-Factor Authentication turned on, as is a recommended best practice, but the attacker simply hammered the user with repeated authentication requests to their phone until the user either got frustrated or fatigued and allowed the access to stop the constant pinging.

  • From there, a string of additional security weaknesses allowed the attacker to run rampant through Uber systems

These weaknesses include scripts with passwords to the Privileged Authentication Management (PAM) solution, which allowed the attacker to gain access to much of the rest of Uber’s critical systems - including the management consoles of their Amazon AWS instance and their EDR solution.

Here are the lessons I think we should take away from this:

  • The basics still matter: Defense in Depth and Diversity of Defense. You should assume that all of your defensive measures will fail in some fashion, and create defensible space in other ways.

  • For highly privileged accounts, hardware two-factor (YubiKeys or similar) should be required.

  • Communication is critical. As I record this, Uber hasn’t made an update to the official page in three days - which is an eternity in the scope of these events. Once you start communicating publicly, you need to keep up the cadence and see things through.

  • Furthermore, the language Uber is using - that there’s “no evidence” the threat actor had access to sensitive user data - isn’t exactly confidence inspiring. This is another reason for robust logging, so that you can say definitively whether this did or didn’t happen.

  • Finally, it’s not just a matter of having the right tools and going through the motions - Uber had all these next-gen defensive capabilities there, but they were misconfigured or defeated by other weaknesses (such as the password in the script).
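One way to turn the “robust logging” point into a concrete check, as an added example that is not from the video, from Uber, or from any MFA vendor: scanning MFA push logs for the fatigue pattern described above (a run of denied or unanswered prompts to one user, followed by an approval). The log format, event names, and the sample lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (assumed format, not from any real vendor).
# Each line: timestamp, user, event in {push_sent, push_denied, push_timeout, push_approved}
SAMPLE_LOG = """\
2022-09-15T22:01:05Z alice push_sent
2022-09-15T22:01:35Z alice push_timeout
2022-09-15T22:01:40Z alice push_sent
2022-09-15T22:02:10Z alice push_denied
2022-09-15T22:02:15Z alice push_sent
2022-09-15T22:02:45Z alice push_timeout
2022-09-15T22:02:50Z alice push_sent
2022-09-15T22:03:20Z alice push_denied
2022-09-15T22:03:25Z alice push_sent
2022-09-15T22:03:40Z alice push_approved
2022-09-15T22:05:00Z bob push_sent
2022-09-15T22:05:10Z bob push_approved
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def find_push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Return {user: rejection_count} for every user who denied or ignored at
    least min_rejections prompts inside `window` and then approved one.
    An approval that follows a run of refusals is the fatigue signature;
    a single clean approval (bob) does not trigger."""
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))
    alerts = {}
    for user, items in by_user.items():
        items.sort()
        for i, (ts, event) in enumerate(items):
            if event != "push_approved":
                continue
            rejections = sum(1 for t, e in items[:i]
                             if e in ("push_denied", "push_timeout") and ts - t <= window)
            if rejections >= min_rejections:
                alerts[user] = rejections
    return alerts

if __name__ == "__main__":
    print(find_push_fatigue(parse_log(SAMPLE_LOG)))  # {'alice': 4}
```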

It’s times like these where we find truth to be stranger than fiction.

If I were hired by Uber to do a table-top, and the scenario I used was that a single teenage hacker got in, pivoted around, and owned their entire infrastructure, I’d be laughed out of the room at how improbable that scenario is. And yet - here we are.

Cyber defenses need to be designed for resilience - it takes people, process, and technology - and should be designed such that single points of failure are identified and eliminated to the extent possible. Uber, of all places, has the budget and skillset to do cyber well, and we can see that it’s still this difficult to get it all right.

International Hotels Group

A short update on this story from last week. Again - we’re seeing minimal corporate communications, but the threat actors are going to the press. In this case, claiming to be a couple from Vietnam, the threat actors say that the password used to protect the database was ‘Qwerty1234’ and that they got frustrated when their ransomware attack failed and simply wiped the database instead.

"Our attack was originally planned to be a ransomware but the company's IT team kept isolating servers before we had a chance to deploy it, so we thought to have some funny [sic]. We did a wiper attack instead," one of the hackers said.

The images, which IHG has confirmed are genuine, show they gained access to the company's internal Outlook emails, Microsoft Teams chats and server directories.

Fundraising

Fundraising is back. The past week saw more than $26B in new capital commitments, which dwarfs last week’s $18.6B number. The pace is accelerating and something we should keep in mind as we close out Q3 and race to the end of the year.

Best of luck to all the funds with new capital to deploy.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next week with another edition of Cyber Risk at Deal Speed.

LINKS:

https://arstechnica.com/information-technology/2022/09/uber-was-hacked-to-its-core-purportedly-by-an-18-year-old-here-are-the-basics/

https://www.uber.com/newsroom/security-update/

https://www.bbc.com/news/technology-62937678
