How do You Prevent Another Uber-Style Breach
Uber blames contractors for the hack and links breach to Lapsus$ organization.
In the News
According to Uber, the hacker responsible for the breach last week is a member of the Lapsus$ extortion group, which has previously attacked Microsoft, Cisco, NVIDIA, Samsung, and Okta, among other well-known IT firms.
According to the company, the attacker conducted an MFA fatigue attack by flooding the contractor with two-factor authentication (2FA) login requests until one of them was approved using the stolen credentials of an Uber EXT contractor.
The usage of this social engineering technique has increased dramatically in recent attacks on well-known businesses worldwide, including Twitter, Robinhood, MailChimp, and Okta. Continue to read how do you prevent another uber-style breach?
The attacker gained privileged access to several tools, including G-Suite and Slack, by breaking into numerous other employee accounts, according to Uber’s updated statement.
“The attacker then modified Uber’s OpenDNS to display a graphic image to employees on some internal sites,” which was posted to a company-wide Slack channel many of you saw.
The business stated that it had not discovered proof that the threat actor could access production systems that hold sensitive user data, including financial and personal information (e.g., credit card numbers, user bank account info, personal health data, or trip history).
The FBI and the US Department of Justice assist the company’s investigation into the event.
Uber claims to have taken the following steps to stop similar approaches from being used in future breaches:
- Any employee accounts that were affected or might have been compromised were found, and we either disabled their access to the Uber systems or ordered a password reset.
- Many internal tools that were impacted or might have been impacted were disabled.
- We changed the keys on many of our internal systems, effectively resetting access.
- We restricted access to our source to stop further code additions.
- We asked users to re-authenticate to regain access to internal tools. Additionally, we are enhancing our multi-factor authentication (MFA) guidelines.
We could keep all of our public-facing Uber, Uber Eats, and Uber Freight services operational and running smoothly. Because we took down some internal tools, customer support operations were minimally impacted and are now back to normal. — Uber
Is there a solution?
MFA is not an antidote on its own, but security experts believe that any level of MFA is better than none. Uber is not the only business whose network has been penetrated despite using multi-factor authentication.
By luring an employee into submitting their credentials to a phishing page, they had set up, which the hackers then used to generate a push notification delivered to the employee’s smartphones, hackers hacked into Twitter’s network in 2020.
According to an inquiry by the state of New York, the employee acknowledged a prompt, allowing the hackers to enter. More recently, a social engineering attempt that conned a worker into giving up their log in information led to another hack of Mailchimp.
Instead of focusing on the highly inspected systems for security issues, all of these attacks use the limitations of multi-factor authentication, frequently by directly attacking the individuals using it.
Cloudflare is the only company targeted in a recent wave of cyberattacks that successfully prevented a network compromise because it employs hardware security keys, which cannot be phished.
Even though some employees “did fall for the phishing messages,” Cloudflare acknowledged in a blog post that its use of hardware security keys—which require employees to physically plug a USB device into their computers after entering their credentials—had prevented the attackers from accessing its network.
According to Cloudflare, the attack “targeted personnel and systems in a manner that we believe would make it probable that most firms would be compromised.
Experts Advice MFA
The gold standard of MFA security, security keys, are not without their limitations, not the least of which are the expense and maintenance of the keys. We spend much time debating the necessity of physical security keys for everyone.
However, Tobac noted that some firms still push for mandated SMS two-factor authentication or MFA prompts for internal access.
As Uber’s breach shows, MFA by randomly generated code or push notification is far from ideal. Still, according to Richard Luna, CEO of Protected Harbor, ” Putting the good before the perfect is not a good idea.” Minor adjustments over time have a significant impact.
One notable advance is MFA number matching, which makes social engineering attempts much more challenging by presenting a code on the user’s screen and requiring them to enter it into an app on their verified device. The notion is that, similar to a security key, the attacker would need both the target’s credentials and their confirmed device.
Microsoft, Okta, and Duo offer MFA number matching. However, as security expert Kevin Beaumont pointed out, Okta’s number matching service is wrapped in an expensive licensing tier, while Microsoft’s solution is still in preview. Uber uses Duo for MFA, but it is said that at the time of the incident, number matching was not being used.
According to Tobac, network defenders can also set alerts and restrictions on the number of push messages a user can receive. They can also begin by distributing security keys to a test group of users before expanding it every three months.
In reaction to the hack, Uber stated on Monday that it is strengthening its MFA standards. Uber may still have many questions to answer regarding how the hacker gained access to high-privilege credentials for the remaining vital systems of the company using just a contractor’s stolen password.
Stay up to date with patches, upgrade your software, and apply the latest security fixes. Install an antivirus program and keep it up to date. Use a VPN to protect your traffic from being monitored and encrypted communication to protect your data from prying eyes.
Stay vigilant and aware of any trends or changes in the threat landscape, and react accordingly. Stay informed by reading best practices and security blogs and keeping up with the news to stay on top of all the latest threats.
Protected Harbor security experts recommend enabling multi-factor authentication, using encryption, and activating Identity and Access Management. These tools will help to maintain data integrity, protect private and confidential information, and keep your customers safe from identity theft and data breaches.
Identity and Access Management solutions allow you to delegate the right level of access to the right people, thereby limiting the risk of data breaches. Encryption is essential to protect data in transit and at rest. It is recommended to use TLS protocol for secure data transfer and a FIPS-certified cryptographic module for data at rest.
Get a free security IT Audit and Penetration Testing today from Protected Harbor. Contact us now!