The Uber Hack - A step by step breakdown of the 2022 Uber data breach

On September 15th, Uber suffered a significant breach. In this video, we break down exactly how Uber was breached, from initial access to how the attacker moved laterally into Uber's internal systems.

Read more on the topic here: https://s.gitguardian.com/ojv

What happened?
Here’s what we know so far, pending investigation and confirmation from Uber’s security teams.

  1. The attack started with a social engineering campaign on Uber employees, which yielded access to a VPN, in turn granting access to Uber's internal network *.corp.uber.com.
  2. Once on the network, the attacker found some PowerShell scripts, one of which contained hardcoded credentials for a domain admin account for Thycotic, Uber’s Privileged Access Management (PAM) solution.
  3. Using admin access, the attacker was able to log in and take over multiple services and internal tools used at Uber: AWS, GCP, Google Drive, Slack workspace, SentinelOne, HackerOne admin console, Uber’s internal employee dashboards, and a few code repositories.
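The pivot in step 2 hinged on credentials sitting in plain text inside a script. As an added example (not code from the video or from GitGuardian), the scanner below sweeps PowerShell source for the common hardcoded-credential patterns: a `ConvertTo-SecureString ... -AsPlainText` literal, a `-Password`/`-ApiKey` style parameter given a literal, and a `$...password = "..."` assignment. The sample script, rule names and `pam.example.internal` host are constructed for illustration; matched secrets are redacted before a finding is reported so the scan itself does not spread them further.

```python
import re
from dataclasses import dataclass

# Each rule: (name, regex). Group "secret" captures the literal so it can be
# redacted before the finding is written to any log or ticket.
RULES = [
    ("plaintext-securestring",
     re.compile(r"ConvertTo-SecureString\s+(?P<q>[\"'])(?P<secret>[^\"']+)(?P=q)\s+-AsPlainText", re.I)),
    ("password-parameter",
     re.compile(r"-(?:Password|Pwd|Secret|ApiKey)\s+(?P<q>[\"'])(?P<secret>[^\"']+)(?P=q)", re.I)),
    ("password-variable",
     re.compile(r"\$\w*(?:pass(?:word)?|pwd|secret|token)\w*\s*=\s*(?P<q>[\"'])(?P<secret>[^\"']+)(?P=q)", re.I)),
]

@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # matched line with the literal replaced by '****'

def scan_script(text: str, path: str = "<inline>") -> list[Finding]:
    """Return one Finding per matching line; the secret itself is never kept."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):  # skip PowerShell comments
            continue
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                redacted = line[:m.start("secret")] + "****" + line[m.end("secret"):]
                findings.append(Finding(path, line_no, name, redacted.strip()))
                break  # one finding per line is enough
    return findings

# Constructed sample: the kind of admin helper script the video describes.
SAMPLE_SCRIPT = r"""# Rotate the PAM service account (constructed example)
$PamUser = "svc-pam-admin"
$PamPassword = "Hunter2!Example"
$sec = ConvertTo-SecureString "Hunter2!Example" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($PamUser, $sec)
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Credential $cred
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT, "rotate-pam.ps1"):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.redacted}")
```

Point it at every `.ps1` on the shares an ordinary employee can read; a hit against a PAM, cloud or CI account is the finding to rotate first.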

How bad is it?
Critically, Uber’s Privileged Access Management (PAM) platform was compromised through the exposure of its admin credentials. Privileged access management (PAM) is the combination of tools and technology used to secure, control, and monitor employee access to an organization's critical information and resources. With that in mind, the attacker may have gained access to nearly all the internal systems of Uber. Let’s go through the ones we know of based on preliminary information and evidence to understand the severity of this incident.

Intro - 0:00
Exactly what happened - 01:12
What was breached - 03:10
Uber's response to the breach - 08:40
Previous Uber breaches - 13:40
What should you do as an Uber user - 16:18
Conclusion - 17:30