The Uber Hack

Social engineering is a popular hacking strategy, as humans tend to be the weakest link in any network. Teenagers used a similar ploy in 2020 to hack Twitter. MFA Fatigue attacks are when a threat actor has access to corporate login credentials but is blocked from access to the account by multi-factor authentication. They then issue repeated MFA requests to the target until the victims become tired of seeing them and finally accept the notification.

Uber has suffered another massive security incident after 2016 and potentially may have compromised its entire network. The hacker was believed to have breached multiple internal systems, with administrative access to Uber’s cloud services including Amazon Web Services Services console, VMware vSphere/ESXi virtual machines, and the Google Workspace admin dashboard for managing the Uber email accounts. The internal systems are breached and vulnerability reports stolen.

The hacker, who claimed to be 18 years old, told NYT he had sent a text message to an Uber employee and said they were able to gain access to Uber's Intranet after conducting a social engineering attack on an employee. The screenshots shared by the hacker, which appears to be full access to many critical Uber IT systems, including the company’s security software and Windows domain.

It is expected that the social engineering hack allowed him to breach Uber’s systems, with the hacker describing the company’s security posture as weak. Experts are expecting that the attacker allegedly used an MFA Fatigue attack and pretended to be Uber IT support to convince the employee to accept the MFA request.

One screenshot posted on Twitter and confirmed by researchers shows a chat with the hacker in which they say they obtained the credentials of an administrative user through social engineering.

The Uber hack demonstrates how important identity management backed by strong authentication, such as hardware security keys, are for privileged systems, and why today’s organizations need the ability to detect when attackers exploit, misuse or steal credentials.

The report says that the person who claimed responsibility for the hack said they sent a text message to an Uber worker claiming to be a company tech employee and persuaded the worker to hand over a password that gave them access to the network.

In recent high-profile attacks against large organizations, persistent attackers can and will find a way around multi-factor authentication systems that rely solely on time-based one-time passwords or push-based authentication.

The need for compartmentalized access to critical resources, strong authentication and detection of identity-based activity is an important part of an organization's layered defenses.

S Mohini Ratna, Editor, VARINDIA