Uber data breach 2022:
How the hacker annoyed his way into the network (and our learnings)
On Sept. 15, Uber Technologies Inc. was breached by an 18-year-old. The hacker purchased an employee’s stolen credentials from the dark web and pushed a flood of multi-factor authentication (MFA) requests and fake IT messages to them in hopes of getting into their account. Irritated by the non-stop pop-ups, the employee caved in and approved the request, unwittingly setting off a cyberattack. Once in, the hacker exploited a privileged account to access Uber’s critical information.
This did not happen by chance; it is an example of an MFA fatigue attack. When an attacker gets hold of an account’s credentials but is unable to log in because of MFA, they trigger many MFA requests to the target until exasperation wins out. The victim accepts the notification, and the hacker is in. This method works because it takes advantage of human elements such as ignorance, confusion, or irritation.
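The pattern described above leaves a simple signature in authentication logs: many push challenges to one account within a short window, most of them timed out or denied, followed by an approval. The Python script below is an added illustration and not part of the original post; it runs that check over a constructed log excerpt. The log format, user names, and IP addresses are made up for the example, so adapt the parser to your identity provider's export before using it.

```python
"""Detect MFA push-fatigue bursts in authentication logs.

Added example (not from the original post). The log format below is
constructed for illustration:
  <ISO timestamp> user=<name> event=<push_sent|push_timeout|push_denied|push_approved> src=<ip>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=10)   # sliding window in which pushes are counted
BURST_THRESHOLD = 5              # pushes within WINDOW that count as a flood

# Constructed sample: bob logs in normally; alice is flooded and finally approves.
SAMPLE_LOG = """\
2022-09-15T20:01:05Z user=bob event=push_sent src=198.51.100.4
2022-09-15T20:01:12Z user=bob event=push_approved src=198.51.100.4
2022-09-15T20:02:00Z user=alice event=push_sent src=203.0.113.7
2022-09-15T20:02:30Z user=alice event=push_timeout src=203.0.113.7
2022-09-15T20:02:31Z user=alice event=push_sent src=203.0.113.7
2022-09-15T20:02:40Z user=alice event=push_denied src=203.0.113.7
2022-09-15T20:02:41Z user=alice event=push_sent src=203.0.113.7
2022-09-15T20:03:11Z user=alice event=push_timeout src=203.0.113.7
2022-09-15T20:03:12Z user=alice event=push_sent src=203.0.113.7
2022-09-15T20:03:42Z user=alice event=push_timeout src=203.0.113.7
2022-09-15T20:03:43Z user=alice event=push_sent src=203.0.113.7
2022-09-15T20:04:13Z user=alice event=push_timeout src=203.0.113.7
2022-09-15T20:04:14Z user=alice event=push_sent src=203.0.113.7
2022-09-15T20:04:20Z user=alice event=push_approved src=203.0.113.7
"""


def parse_line(line):
    """Return (timestamp, user, event, src) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["event"], m["src"]


def detect_push_fatigue(lines, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return alerts in log order.

    ('burst', user, n)                 the n-th push to `user` within `window`
                                       reached `threshold` (reported once per user)
    ('approval_after_burst', user, n)  a push was approved while n >= threshold
                                       pushes were still inside the window
    """
    recent = defaultdict(deque)   # user -> timestamps of push_sent inside the window
    burst_reported = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip malformed lines rather than abort
        ts, user, event, _src = parsed
        q = recent[user]
        while q and ts - q[0] > window:   # drop pushes that have aged out
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold and user not in burst_reported:
                burst_reported.add(user)
                alerts.append(("burst", user, len(q)))
        elif event == "push_approved" and len(q) >= threshold:
            # The dangerous case: the flood ended with the user giving in.
            alerts.append(("approval_after_burst", user, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

The "approval_after_burst" alert is the one worth paging on: a burst alone may be a misbehaving client, but an approval at the end of a burst is exactly the moment the attacker gains a session, and the source address on that approval is the first pivot for the investigation.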
- The breach began with a malware attack that compromised the account of an Uber employee. A hacker purchased the leaked credentials on the dark web and attempted to log in to the employee's account but was unsuccessful because it was protected by MFA.
- The hacker carried out an MFA fatigue attack on the employee, bombarding them with numerous MFA requests for an hour.
- They then pretended to be from Uber's IT team and contacted the employee over WhatsApp, asking them to accept the push notification.
- The employee, fed up with the nagging notifications, gave in and approved the request, unleashing a cyberattack. As a result, the hacker gained access to Uber's VPN.
- Once inside Uber's intranet, they began scanning for sensitive information. One of the PowerShell scripts contained hard-coded admin credentials for Uber's Privileged Access Management (PAM) tool.
- Using this admin access, they accessed Amazon Web Services, Google Cloud Platform, DUO, DA, financial records, and a few code repositories.
- The hacker then posted a message on the company's internal messaging app, Slack: "I announce I am hacker and Uber has suffered a data breach." But the brash message was met with jokes and laughing emojis, the employees not realizing an actual cyberattack was taking place.
- The hacker logged into Uber's HackerOne bug bounty account and left comments on a few tickets. The hacker may also have downloaded vulnerability reports.
What we learn
- MFA fatigue attacks have become increasingly common against well-known organizations like Twitter, Cisco, Samsung, and Okta in 2022 alone. Many users don’t know about this malicious strategy and end up approving the notifications to make them go away.
- In reality, most organizations in the world could be hacked in the same way Uber was. But in Uber’s case, the worst blunder was hard-coding a privileged account’s login credentials into its PowerShell scripts. This event serves as a reminder to keep an eye on our PAM landscapes.
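The second lesson, that a hard-coded credential turned a VPN foothold into admin access to the PAM tool, is one that can be checked for mechanically. The Python scanner below is an added example, not from the original post and not Uber's or any vendor's tooling; it flags common ways of embedding a secret in a PowerShell script and suppresses lines that fetch the secret at run time instead. The sample script and its Connect-PamServer cmdlet are constructed for the example; Get-Secret is the real cmdlet from Microsoft's SecretManagement module.

```python
"""Flag hard-coded credentials in PowerShell scripts.

Added example (not from the original post). The patterns are a starting point
for a pre-commit or share-scanning check, not a complete secret scanner.
"""
import re

# (finding name, regex). Case-insensitive because PowerShell is.
PATTERNS = [
    ("plaintext-password-assignment",
     re.compile(r'\$\w*(pass(word|wd)?|pwd|secret)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    ("password-parameter-literal",
     re.compile(r'-(Password|Secret|Token|ApiKey)\s+["\'][^"\']+["\']', re.I)),
    ("securestring-from-literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    ("basic-auth-in-url",
     re.compile(r'https?://[^/\s:]+:[^@\s]+@', re.I)),
]

# Lines that obtain the secret from an acceptable run-time source are not findings.
SAFE_SOURCES = re.compile(r'Get-Secret|\$env:|Read-Host|Get-Credential|Import-Clixml', re.I)

# Constructed sample script. Connect-PamServer is a hypothetical cmdlet name.
SAMPLE_SCRIPT = r'''# Connect to the PAM appliance (hypothetical cmdlet names, for illustration only).
$pamUser = "pam-admin"
$pamPassword = "Sup3rSecret!"
$secure = ConvertTo-SecureString "Sup3rSecret!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://svc:hunter2@pam.example.internal/api"
Connect-PamServer -Server pam.example.internal -Credential $cred -ApiKey "abcd1234"
# Acceptable: the secret is fetched at run time instead of being written into the script.
$fromVault = Get-Secret -Name PamAdmin -AsPlainText
$fromEnv = ConvertTo-SecureString $env:PAM_PASSWORD -AsPlainText -Force
'''


def scan_script(text):
    """Return [(line number, finding name)] for lines that embed a secret.

    Comment lines are ignored, lines that read the secret from a vault,
    environment variable, prompt or credential file are suppressed, and each
    line reports at most one finding (the first matching pattern).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if SAFE_SOURCES.search(stripped):
            continue
        for name, rx in PATTERNS:
            if rx.search(stripped):
                findings.append((lineno, name))
                break
    return findings


if __name__ == "__main__":
    for lineno, name in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {name}")
```

The suppression list is deliberately narrow: a script that reads `$env:PAM_PASSWORD` still depends on how that variable is set, so the scanner treats run-time retrieval as acceptable and leaves the question of where the vault or environment value comes from to the PAM review the post calls for.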
What we should do better
Your organization’s security is only as good as its employees’ awareness. Employees continue to be a business’s first line of defense, and it is critical that they understand their responsibility in defending the organization. They must be trained to recognize the consequences of their actions as well as know the response strategy in the event of an incident.
Familiarity breeds contempt, and being accustomed to your organization’s procedures may cause you to miss a few evident security problems. That is why a fresh perspective is needed to tell you everything that’s wrong with your network. Penetration testing is an effective method for identifying flaws, strengthening defenses, and closing gaps.
Be aware of what is going on around you. The lessons learned from these incidents must be taken seriously. They frequently disclose loopholes, misconfigurations, or vulnerabilities in third-party apps. Large breaches are often the result of a minor mistake.
Never trust devices, users, or applications on or off a network until they have been thoroughly verified. More attention needs to be given to securing endpoints, as they prove to be the easiest entry point for attackers. Invest in a product that will help administrators create and automate a Zero Trust security protocol for your endpoints. People make mistakes, so make sure your technology doesn’t make any.
Endpoint Central offers an innovative Zero Trust solution for endpoints. Today’s workplaces contain a wide range of devices that request access from both within and outside the corporate network. Endpoint Central considers every request hostile unless it is accompanied by validation. It employs intelligent verifications to ensure the security of the devices, including the data, applications, and users. No matter how the threat is posed, whether it’s internal or external, or even if the attacker is already inside, this framework protects against it. Endpoint Central lets organizations enforce Zero Trust policies while ensuring a positive user experience.