The rapid development of technology in every sector has transformed society, but such drastic change leaves little time to adapt, and the resulting gaps in the social fabric are exploited by cyber criminals. The recent cyber attack on the transit-service giant Uber shows the gravity of this issue.
The hacker, who claims to be 18 years old, informed security experts that he gained access to Uber’s systems by obtaining an employee’s password and fooling the employee into authorizing the attacker’s push notification for Uber’s multi-factor authentication, or MFA.
After gaining access to Uber’s network, the hacker claimed to have discovered a network share holding high-privilege credentials that gave them near-unrestricted access to the remainder of the company’s systems.
Uber reported on Monday that an Uber contractor’s user account had been infiltrated by a hacker who was associated with Lapsus$, a gang that earlier this year breached the systems of Okta, Microsoft, Nvidia, Globant, and Rockstar Games. Following the attack, Uber claimed it temporarily removed several internal tools, but that customer support operations were “minimally disrupted” and are now “back to normal.”
Although the full details of Uber’s latest incident won’t be known for some time, security professionals are already analyzing how the hacker managed to bypass the MFA protection set up by the firm with apparent ease and gain access to Uber’s servers.
Not all MFA choices are created equal; some are more secure than others. MFA is the extra step you must take after entering your username and password to confirm that you are the one logging in and not an attacker. Mobile authenticator applications, which generate continually changing random codes or send push prompts that are very hard to intercept, have largely replaced codes received via text message, which can be intercepted or stolen. However, as attacks grow more sophisticated, some of the strongest MFA defenses are being defeated by exploiting weaknesses in human psychology.
Multi-Factor Authentication Hack
According to analysts, the employee’s credentials might have been obtained via password-stealing software such as RedLine installed on the employee’s computer. Lapsus$ has also been observed using RedLine to collect employee credentials. According to Uber, the hacker may have purchased the stolen passwords on dark web marketplaces.
Once the credentials were obtained, the hacker had to overcome Uber’s multi-factor authentication, which provides an extra barrier to prevent attackers from using stolen credentials to gain access to a company’s network.
The hacker revealed they socially engineered their way into Uber’s network by using the stolen credentials to send repeated push notifications to the employee for over an hour, then “contacted him on WhatsApp and pretended to be from Uber IT, told him if he wants it to stop he must accept it,” the hacker stated in a discussion broadcast to Twitter.
This is referred to as MFA fatigue, and it occurs when hackers take advantage of employees’ need to repeatedly log in and re-authenticate their access throughout the work day by bombarding the employee with push notifications, often outside of working hours, in the hope that the employee will eventually accept a login request out of frustration.
Following the employee’s acceptance of the push notification, the hacker could issue MFA push messages as if they were the employee, providing them persistent access to Uber’s network.
How to Resolve the Issue
Cybersecurity experts unanimously agree that any amount of MFA is better than none, yet MFA is not a cure-all. Uber is not the only corporation that used multi-factor authentication and still had its network hacked.
Hackers gained access to Twitter’s network in 2020 by fooling an employee into entering their credentials on a phishing website they had set up, which the hackers then used to trigger a push message to the employee’s smartphone. According to a state government inquiry, the employee accepted the prompt, allowing the attackers in. Twilio, the SMS messaging giant, was recently compromised by a similar phishing attempt, and Mailchimp was also hacked by a social engineering effort that duped an employee into handing over sensitive information.
Rather than hunting for flaws in the heavily scrutinized systems themselves, all of these attacks exploit the limitations of multi-factor authentication, frequently by directly targeting the people who use it.
Security keys, the gold standard of MFA, are not without their own difficulties, not least the cost of buying and maintaining them. Much time is spent debating whether hardware security keys are necessary for everyone, but in the real world some firms are still fighting to require even SMS two-factor authentication or MFA prompts for internal access.
Number matching: this makes social engineering attacks significantly more difficult by displaying a number on the screen of the person signing in and requiring that number to be entered into the authenticator app on the person’s enrolled device. The attacker would need both the target’s credentials and their enrolled device, much like with a security key.
MFA number matching is available from Microsoft, Okta, and Duo. However, as security researcher Kevin Beaumont pointed out, Microsoft’s solution is still in preview, while Okta’s number matching product is wrapped in a costly license tier. Uber uses Duo for MFA but apparently was not using number matching at the time of the incident.
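To make concrete why number matching blunts a fatigue attack, here is an added example (not Uber’s, Duo’s, Microsoft’s or Okta’s code, and not from the original article) that models the server side of a number-matching push prompt. The class names, the two-digit range and the scenario functions are assumptions of this model: a prompt can only be completed by typing the number that was shown on the screen that started the sign-in, so a tired user who simply taps “approve” on a prompt somebody else triggered does not complete the login.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PushChallenge:
    """One pending push prompt. The number is shown only on the screen that
    started the sign-in; it is never delivered inside the push itself."""
    user: str
    number: int
    approved: bool = False
    consumed: bool = False


class NumberMatchingMfa:
    """Minimal server-side model of number-matching push MFA.
    Constructed for illustration; not any vendor's implementation."""

    def __init__(self) -> None:
        self.pending: Dict[str, PushChallenge] = {}
        self.sessions: Dict[str, bool] = {}

    def start_login(self, user: str) -> PushChallenge:
        """Password already accepted: issue a push and a fresh two-digit number
        for the login screen. An earlier unanswered prompt is replaced."""
        challenge = PushChallenge(user=user, number=secrets.randbelow(90) + 10)
        self.pending[user] = challenge
        return challenge

    def respond_from_device(self, user: str, typed_number: Optional[int]) -> bool:
        """The enrolled device answers the push. A bare 'approve' (None) or a
        wrong number is rejected; only the number from the initiating screen
        completes the login. Each prompt can be answered exactly once."""
        challenge = self.pending.get(user)
        if challenge is None or challenge.consumed:
            return False
        challenge.consumed = True
        if typed_number is None or typed_number != challenge.number:
            return False
        challenge.approved = True
        self.sessions[user] = True
        return True

    def is_logged_in(self, user: str) -> bool:
        return self.sessions.get(user, False)


def legitimate_login() -> bool:
    """The real user starts the sign-in, reads the number, types it in."""
    mfa = NumberMatchingMfa()
    challenge = mfa.start_login("alice")
    mfa.respond_from_device("alice", challenge.number)
    return mfa.is_logged_in("alice")


def blind_approval() -> bool:
    """Someone else started the sign-in with alice's password; alice never saw
    the number and just taps 'approve' to make the prompts stop."""
    mfa = NumberMatchingMfa()
    mfa.start_login("alice")
    mfa.respond_from_device("alice", None)
    return mfa.is_logged_in("alice")


def guessed_number() -> bool:
    """Alice types a number that is not the one on the initiating screen."""
    mfa = NumberMatchingMfa()
    challenge = mfa.start_login("alice")
    wrong = 10 + (challenge.number - 10 + 1) % 90  # always differs from the real one
    mfa.respond_from_device("alice", wrong)
    return mfa.is_logged_in("alice")


if __name__ == "__main__":
    print("legitimate:", legitimate_login())   # True
    print("blind approve:", blind_approval())  # False
    print("guessed number:", guessed_number())  # False
```

The design point is that the secret needed to finish the prompt originates on the attacker-visible login screen, not on the victim’s phone, so the only way a fatigued user can complete a prompt they did not start is to be told the number by whoever started it. That is exactly the extra hurdle the article describes, and it is why the approach is compared to a security key rather than to a plain accept/deny prompt.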
Setting alerts and limits: network defenders can also set alerts on, and caps for, the number of push messages a user can receive. They can also begin by distributing security keys to a test group of users and expand the rollout every three months. In reaction to the hack, Uber stated on Monday that it was tightening its MFA standards.
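The MFA fatigue pattern described above (a flood of pushes, often outside working hours, followed by an approval) and the alerts and limits just recommended can be implemented together. The following is an added example, not code from the article or from Uber or any MFA vendor: it parses constructed authentication log lines (the `user=... event=... src=...` format, the user names and the IP addresses are all made up), enforces a per-user cap on pushes within a sliding window, and raises an alert when a flood occurs and again when an approval arrives shortly after one. The threshold of three pushes per ten minutes is an assumed tuning value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log (not real telemetry). alice is a normal sign-in;
# contractor01 receives six pushes in four minutes late at night, then approves.
SAMPLE_LOG = """\
2022-09-15T09:02:00Z user=alice event=push_sent src=198.51.100.7
2022-09-15T09:02:20Z user=alice event=push_approved src=198.51.100.7
2022-09-15T23:40:01Z user=contractor01 event=push_sent src=203.0.113.10
2022-09-15T23:40:31Z user=contractor01 event=push_sent src=203.0.113.10
2022-09-15T23:41:02Z user=contractor01 event=push_sent src=203.0.113.10
2022-09-15T23:41:40Z user=contractor01 event=push_sent src=203.0.113.10
2022-09-15T23:42:15Z user=contractor01 event=push_sent src=203.0.113.10
2022-09-15T23:43:50Z user=contractor01 event=push_sent src=203.0.113.10
2022-09-15T23:44:05Z user=contractor01 event=push_approved src=203.0.113.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> dict:
    """Turn one log line into a record with a datetime timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def off_hours(ts: datetime) -> bool:
    """Assumed working day of 08:00-18:59 UTC; anything else is off hours."""
    return not (8 <= ts.hour < 19)


class PushRateLimiter:
    """Sliding-window cap: at most max_pushes per user within `window`."""

    def __init__(self, max_pushes: int, window: timedelta) -> None:
        self.max_pushes = max_pushes
        self.window = window
        self._recent: Dict[str, Deque[datetime]] = defaultdict(deque)

    def allow(self, user: str, ts: datetime) -> bool:
        q = self._recent[user]
        while q and ts - q[0] > self.window:   # drop pushes outside the window
            q.popleft()
        if len(q) >= self.max_pushes:
            return False                        # cap reached: suppress this push
        q.append(ts)
        return True


Alert = Tuple[str, str, str]  # (kind, timestamp, detail)


def analyze(log_text: str, max_pushes: int = 3,
            window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Replay the log through the limiter and collect per-user stats and alerts."""
    limiter = PushRateLimiter(max_pushes, window)
    stats: Dict[str, dict] = defaultdict(
        lambda: {"sent": 0, "blocked": 0, "alerts": []})
    flooded_at: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        s = stats[user]
        if event == "push_sent":
            s["sent"] += 1
            if limiter.allow(user, ts):
                continue
            s["blocked"] += 1
            if user not in flooded_at:          # alert once per flood
                flooded_at[user] = ts
                detail = f"src={rec['src']} off_hours={off_hours(ts)}"
                s["alerts"].append(("push_flood", ts.isoformat(), detail))
        elif event == "push_approved":
            # An approval within the window of a flood is the fatigue signature.
            if user in flooded_at and ts - flooded_at[user] <= window:
                s["alerts"].append(("approval_after_flood", ts.isoformat(),
                                    f"src={rec['src']}"))
    return dict(stats)


if __name__ == "__main__":
    for user, s in analyze(SAMPLE_LOG).items():
        print(user, s)
```

Two things are worth noting about the design. The limiter suppresses pushes once the cap is hit, which removes the attacker’s ability to nag the user indefinitely, while the analysis layer keeps counting the suppressed attempts so that the flood itself becomes a ticket for the security team. The second alert, an approval arriving shortly after a flood, is the event that would have flagged the Uber intrusion for review even though the user did, in the end, press accept.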
Uber may still have a lot to answer for about how the hacker gained access to high-privilege credentials for the remainder of its crucial systems using just a contractor’s stolen password.
Author: Mr. Shrey Madaan, Research Associate, CyberPeace Foundation