After an Uber EXT contractor had their credentials compromised by a hacker, the adversary was able to gain elevated permissions in a number of company tools and eventually, reconfigure the rideshare company’s OpenDNS to display a graphic image to employees on some internal sites.
The adversary had obtained the credentials on the dark web, and although Uber had multi-factor authentication (MFA) in place, they managed to manipulate the user and gain access.
These recent events could leave organizations wondering about the benefit of MFA, what companies should be doing differently, and what exactly happened to create such a compromising situation.
To answer these important questions, we begin with a brief recap of the events that occurred, and offer the latest insights on MFA, password protection, and empowered incident response from Cybersafe’s team of experts.
A Recap of the Uber Attack
On Thursday, Sept. 15, Uber discovered its network had been breached when a message on the rideshare company’s internal system told employees: “I announce I am a hacker and Uber has suffered a data breach,” according to a New York Times article published on the day of the attack.
“They pretty much [had] full access to Uber,” Sam Curry, a security engineer at Yuga Labs who had corresponded with the person claiming responsibility for the breach, said in the article. “This is a total compromise, from what it looks like.”
The infiltration was made possible when an Uber EXT contractor had their credentials compromised. They were obtained by the adversary via an underground forum on the dark web, according to an article from news and analysis source Cybersecurity Dive.
After entering the credentials into Uber’s login system, the hacker was stalled by the company’s MFA, but began a heavy campaign of repeated login attempts, which created a high volume of MFA prompts to the user’s phone. This is what’s referred to as an MFA fatigue attack.
The hacker reached out via WhatsApp, claiming to be a member of IT and telling the user that the only way to get the MFA push notifications to stop was to acknowledge and accept one of them. The user did so, and this granted the attacker full access.
It was from there that the hacker discovered a file on a network share that contained usernames and passwords within scripts used by administrators for high-level administration accounts for Uber’s infrastructure.
Once they had those, the adversary could access financial data, vulnerability reports, and had elevated permissions in a number of tools such as Google Workspace and Slack, the Cybersecurity Dive article continues.
Although Uber’s codebase was not altered in the attack, the hacker posted the aforementioned message to a company-wide Slack channel, and “reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites,” according to a statement from Uber.
Following the attack, the rideshare company says it has taken a number of measures, including:
- Identifying Compromised Employee Accounts, Blocking Access to Uber Systems, and/or Requiring Password Resets
- Disabling Affected or Potentially Affected Internal Tools
- Rotating Keys & Resetting Access to Internal Services
- Locking Down the Codebase to Prevent Code Changes
- Restoring Internal Tools Access, Requiring Employee Re-Authentication & Strengthening MFA Policies
- Implementing Additional Monitoring of Internal Environment
Follow-Up & Lessons Learned
What can your organization learn from this incident?
There are a few questions and takeaways that Cybersafe professionals recommend all companies consider:
Does this mean that MFA or two-factor authentication is irrelevant?
No. Unequivocally, no.
MFA is still a best practice for all your accounts.
- It reduces the potential for businesses to be victimized by general credential leaks, such as brute-force or spray-and-pray types of attacks.
- If an attacker can guess the right credentials, MFA stands in the way of them being able to accomplish their takeover and creates another hurdle they need to clear.
What the Uber event illustrates is that MFA—like any security control or solution—is not 100%.
However, there are a few controllable factors that led to the defeat of the MFA solution here.
We can discern from the articles about the event that Uber was using push notifications for MFA. This is a version of MFA where the user receives a notification on their phone or other device, prompting them to approve or deny the current login attempt. Many users find this convenient, since it doesn’t require them to enter any additional numeric codes—just push a button. However, the threat actor proceeded to barrage the user with these prompts. Most people want to make the annoying, repetitive alerts stop, and are eager to take the steps to do so. By impersonating a member of the help desk and offering a simple solution to stop the constant stream of prompts, the threat actor got the user to approve the MFA access.
Recommendation: MFA vendors have already responded to the MFA fatigue technique with additional features and advanced configuration options; Microsoft’s Azure/365 platform and Duo Security are two examples. Organizations should work with their vendors to determine which options are available to them and would work best for their organization.
Some in the security field are recommending the nuclear option of disabling push notifications. However, while this will mitigate a fatigue attack, it has drawbacks for an organization as well.
- → For one example, an unexpected push notification is an early indicator to the user that their account credentials have been compromised, prompting them to notify their organization and have their password reset.
While one-time passcodes or PINs are not subject to the same type of fatigue attack, there are plenty of cases where these implementations have been bypassed by attackers through other means.
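The push-fatigue pattern described above (a burst of denied or unanswered prompts for one user, followed by an approval) is something a SOC can alert on. The following detector is an added example and not part of the original article; the log format, field names and thresholds are constructed assumptions, not any vendor's real schema.

```python
# Added example (not from the original article): flag MFA push-fatigue bursts
# in authentication logs. Log format, field names and thresholds are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, event, result (one push per line).
SAMPLE_LOG = """\
2022-09-15T02:11:03Z alice push_sent denied
2022-09-15T02:11:41Z alice push_sent denied
2022-09-15T02:12:20Z alice push_sent timeout
2022-09-15T02:12:58Z alice push_sent denied
2022-09-15T02:13:30Z alice push_sent denied
2022-09-15T02:14:05Z alice push_sent approved
2022-09-15T08:00:00Z bob push_sent approved
2022-09-15T17:30:12Z bob push_sent denied
2022-09-15T17:31:00Z bob push_sent approved
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event, result)."""
    events = []
    for line in text.splitlines():
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: (rejected_pushes, approved_in_window)} for every user who
    accumulated at least `threshold` denied/timed-out pushes inside `window`.
    approved_in_window=True is the worst case: the user eventually gave in."""
    by_user = defaultdict(list)
    for ts, user, event, result in events:
        if event == "push_sent":
            by_user[user].append((ts, result))
    alerts = {}
    for user, pushes in by_user.items():
        pushes.sort()
        for i, (start, _) in enumerate(pushes):
            # Sliding window anchored at each push; collect results inside it.
            burst = [r for t, r in pushes[i:] if t - start <= window]
            rejected = sum(1 for r in burst if r in ("denied", "timeout"))
            if rejected >= threshold:
                candidate = (rejected, "approved" in burst)
                if user not in alerts or candidate[0] > alerts[user][0]:
                    alerts[user] = candidate  # keep the largest burst per user
    return alerts

if __name__ == "__main__":
    print(detect_mfa_fatigue(parse_log(SAMPLE_LOG)))  # {'alice': (5, True)}
```

A burst with an approval at the end is the signal to treat the account as compromised and reset it, not merely to notify the user.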
Do not maintain a master file of logins and passwords.
Many organizations create a master file of all the login accounts and passwords that individuals—often administrators—will need to log in to systems. Scripts used for automating any number of tasks often have the necessary credentials hardcoded into them.
The systems and accounts that are stored in these files are often the highest level of permissions for their respective systems, if not the so-called “God Accounts” for the organization at large.
If an attacker should gain access to the network and discover this network share or local copy, they will have all the information they need to gain full, unfettered access to an organization and act in whatever malicious manner they choose.
It doesn’t matter what type of file the information is stored in, nor what clever name one thinks they gave the file to fool a potential attacker; the threat actor will find it.
Recommendations: Instead, organizations should implement a password vault—often referred to as a password manager—which requires its own authentication and MFA to access. Most password manager solutions restrict access for certain folders to specific individuals—further controlling access to the credentials.
- → Members who are also administrators of systems and/or services should have a separate administrative account that is different from their personal account. The only time the administrative accounts should be used is when performing an administrative duty.
- → Separating the permissions for the individual creates a buffer should their account be compromised. A compromise to that account alone does not provide administrative access to the attacker.
To further support robust security, all accounts used—administrator and individual accounts—should have MFA enabled by default. No exceptions.
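Hardcoded credentials in administrative scripts, as described above, can be found by the defenders before an attacker does. The scanner below is an added example and not part of the original article; the sample scripts and regex patterns are constructed, and it deliberately passes over values that are only indirections (environment variables, a vault lookup), which is what the recommended password vault approach produces.

```python
# Added example (not from the original article): scan administrative scripts for
# hardcoded credentials. Sample scripts and patterns are constructed; tune them.
import re

# Constructed sample scripts as they might sit on a network share.
SAMPLE_SCRIPTS = {
    "backup.ps1": 'net use Z: \\\\fileserver\\backups /user:CORP\\svc_backup P@ssw0rd2022\n',
    "deploy.sh": 'export DB_PASSWORD="hunter2"\nmysql -u root -p"$DB_PASSWORD" prod < schema.sql\n',
    # Vault-backed version: the value is fetched at runtime, not stored in the file.
    "rotate.sh": 'export ADMIN_PASSWORD="$(vault kv get -field=password secret/admin)"\n',
}

CREDENTIAL_PATTERNS = [
    # KEY = "literal" or KEY: "literal" for common secret-bearing names
    re.compile(r'(?i)(password|passwd|pwd|secret|token|api_key)\s*[=:]\s*["\']([^"\']{4,})["\']'),
    # Windows: net use ... /user:DOMAIN\name PASSWORD (password is a bare literal)
    re.compile(r'(?i)/user:\S+\s+(\S+)'),
    # CLI flags: -pLITERAL, -p"LITERAL", --password=LITERAL (but not -p"$VAR")
    re.compile(r'(?i)(?<=\s)(?:-p|--password=?)["\']?(?!\$)([^\s"\']+)'),
]

def is_reference(value):
    """True when the captured value is an indirection (shell/Windows variable or
    command substitution) rather than a secret literal."""
    return value.startswith(("$", "%"))

def scan_script(name, text):
    """Return (script, line_number, literal) for each hardcoded credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern in CREDENTIAL_PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(m.lastindex)  # last group holds the secret value
                if not is_reference(value):
                    findings.append((name, lineno, value))
    return findings

def scan_all(scripts):
    """Scan a {name: contents} mapping and concatenate findings in input order."""
    return [f for name, text in scripts.items() for f in scan_script(name, text)]

if __name__ == "__main__":
    for script, lineno, literal in scan_all(SAMPLE_SCRIPTS):
        print(f"{script}:{lineno}: hardcoded credential {literal!r}")
```

Run it against a copy of the share from a read-only account and route the findings to whoever owns the scripts; every hit is a credential that belongs in the vault and a rotation that is now due.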
Train your people and empower them as your first line of defense.
A common tactic used by threat actors to gain the information they are looking for is to impersonate a known department or company when contacting an individual. Making your people aware of this tactic, in both business and personal scenarios, will help them recognize it when it is used against them.
This is the same advice individuals may have heard from the IRS, their bank, credit card company, or utility regarding their policies of never reaching out via email or text to ask for login information or initiate login to a corporate portal.
Recommendations: Let your people know this. The IT help desk is rarely, if ever, the first to be aware of a specific issue affecting one user, until the user reaches out themselves.
You should also empower your people to push back in the event of an outreach that they aren’t expecting.
- → This is no different from the tack they should take when their credit card company calls them about an account issue: It is best practice to stop, ask for any reference number, and then call the company back using a previously known number that the individual already has. (Often it’s the phone number on the back of the credit card itself.)
- → If one of your people receives a cold call from IT about an issue—one they haven’t even reported yet themselves—they should feel fully empowered to put a stop to the current call or communication, then initiate their own contact with the helpdesk from a number or communication platform they recognize.
Several components of the Uber hack made it so impactful.
It is often by linking vulnerabilities—not exploiting one singular point of failure—that threat actors are able to gain the most access and do the most damage.
Even if they appear insignificant on their own, implementing a series of best practices contributes to fortifying an organization’s cybersecurity posture into one that resists and anticipates attacks before they have a chance to strike.
Cybersafe Solutions is a state-of-the-art, managed security provider. With more than 20 years of experience in the online threat landscape, our team of certified specialists is equipped to bolster your organization's security posture with cutting-edge tech and continuous monitoring—expertly thwarting attacks before they occur.
Contact us today to learn more about how to proactively protect your organization against prevalent threats.