Why is it worth educating your employees about phishing and social engineering? Ask Uber. They were hacked on Thursday and the hacker bragged about it to The New York Times.
According to cybersecurity site BleepingComputer, compromised systems include Uber's security software, Windows domain, Amazon Web Services console and Google Workspace admin dashboard. In other words, to put it bluntly, the hacker blew Uber's systems wide open. Uber confirmed the attack via its Uber Comms Twitter account.
Multi-factor authentication (MFA), a common cybersecurity technique, not only failed to prevent the attack but was key to its success.
And the hacker allegedly used a vulnerability in one of Uber's systems that the company knew about two years ago, a vulnerability cited on a list of all known Uber system vulnerabilities generated by security researchers who are paid to find them. The hacker reportedly gained access to this list, as well.
Social Engineering for the (Hacker's) Win
The hacker allegedly used a social engineering technique called an MFA Fatigue attack to gain access to an Uber employee's account. In this attack technique, a hacker already has a target's login name and password but cannot gain an MFA code sent to the target's authentication app.
The hacker then barrages the target employee with MFA requests. The employee could receive multiple text messages asking the employee to approve the login request, for example. In some MFA systems, just responding with the word "YES" is enough to approve access.
Eventually, if the technique is successful, the target employee gets tired of the repeated authentication requests and finally approves it. Once that happens, the hacker can finally breach the target's account. And, in this case, that's when all hell breaks loose.
"This is far from rare; in fact, a 2022 report found that insider threat incidents have risen 44% over the past two years," says Samantha Humphries, head of security strategy EMEA at cybersecurity company Exabeam. "This kind of threat can be much harder to detect. After all, an attacker with valid credentials looks just like a regular user. This presents one of the most significant challenges for security teams."
"We can anticipate that organizations which collect the trifecta of private information—Personally Identifiable Information (PII), credit card data and user's behavioral patterns like ride history—will become the epicenter of future cyberattacks," says Neil Jones, director of cybersecurity evangelism at Egnyte.
Multi-factor authentication is commonly suggested as a dependable cybersecurity technique. If MFA ceases to be effective as a security measure because employees are not vigilant against false authentication requests, what other options should companies consider?
"Encryption-in-use, also known as data-in-use encryption, makes it possible for valuable data to be sliced and diced without decryption. This means that even if attackers get in via privileged credentials and access treasure troves of data, they cannot leave with unencrypted data," says Arti Raman, CEO & Founder of cybersecurity company Titaniam. "This helps neutralize all possible data-related leverage and dramatically limits the impact of a data breach.”
"Utilizing adaptive techniques that create a baseline of how users interact with a network and can identify odd behavior, which might be a sign of a malicious attack. Today, prevention has a place, but in order to reduce the impact of breach attempts, it must be backed up by threat detection and action.," says Jyoti Bansal, co-founder and CEO at cybersecurity company Traceable AI. " We need to stop relying on 20th century technologies to fight 21st century problems.”
"The incident at Uber is just another illustration of how dangerous it is to put infrastructure credentials into the hands of your staff," says Tim Prendergast, CEO at cybersecurity company strongDM. "Organizations must adopt modern security and access practices, such as removing credentials completely from the equation. That's the only way to prevent these types of breaches in the future."
