Earlier this week, Uber disclosed that the recent breach it suffered was made possible through a multi-factor authentication (MFA) fatigue attack in which the attacker posed as Uber IT.
MFA fatigue attacks are a form of social engineering that consists of spamming a target with repeated MFA requests until they eventually authorize access. This kind of attack is possible when the threat actor has gained access to corporate login credentials but cannot access the account due to multi-factor authentication.
According to Uber,
It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware.
To put in perspective how likely an MFA fatigue attack is to succeed, security researcher Kevin Beaumont recalled on Twitter that this is the same technique used in the recent LAPSUS$ attacks, about which the attacker allegedly explained: “call the employee 100 times at 1AM while he is trying to sleep and he will more than likely accept it”.
In Uber’s case, the approach was different, though. As reported by Lawrence Abrams for Bleeping Computer, security researcher Corben Leo got in touch with the hacker behind the breach and learned that they contacted the targeted contractor on WhatsApp, claiming to be from Uber IT and saying that the only way to get rid of the unending notifications was to accept one.
Once the attacker got their device authorized for access to Uber’s intranet, they began scanning the corporate network until they found a PowerShell script with admin credentials for the platform Uber uses to manage its login secrets, including DA, DUO, Onelogin, AWS, and Gsuite. This allowed them to grab source code and, more worryingly, to get access to Uber’s HackerOne bug bounty program. This in turn gave the attacker information about vulnerability reports that have not been fixed yet.
In conversation with InfoQ, Cerby’s chief trust officer Matt Chiodi stated that “if what’s being reported is true, this would be an unprecedented level of access, even when compared to SolarWinds”. One way to mitigate the impact of such incidents, according to Chiodi, is to apply a Zero Trust strategy, which consists of trusting no device, even within corporate network boundaries.
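The notification barrage described above leaves a recognizable trace in authentication logs: a run of denied or ignored push prompts for one user, followed by an approval. The following detection sketch is an added example, not code from Uber or from any MFA vendor; the event schema, the `detect_mfa_fatigue` function, and the threshold and window values are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events: (ISO timestamp, user, result).
# The schema and values are assumptions, not any vendor's log format.
SAMPLE_EVENTS = [
    ("2024-01-10T01:00:05", "user_a", "denied"),
    ("2024-01-10T01:01:10", "user_a", "timeout"),
    ("2024-01-10T01:02:30", "user_a", "denied"),
    ("2024-01-10T01:03:45", "user_a", "timeout"),
    ("2024-01-10T01:05:00", "user_a", "denied"),
    ("2024-01-10T01:06:20", "user_a", "denied"),
    ("2024-01-10T01:08:00", "user_a", "approved"),   # approval after a barrage
    ("2024-01-10T09:00:00", "user_b", "denied"),
    ("2024-01-10T09:00:40", "user_b", "approved"),   # one mis-tap, then a normal login
    ("2024-01-10T08:00:00", "user_c", "denied"),
    ("2024-01-10T10:00:00", "user_c", "denied"),
    ("2024-01-10T12:00:00", "user_c", "timeout"),
    ("2024-01-10T14:00:00", "user_c", "denied"),
    ("2024-01-10T16:00:00", "user_c", "denied"),
    ("2024-01-10T16:05:00", "user_c", "approved"),   # rejections spread over hours
]

def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag approvals preceded by >= threshold rejected or ignored pushes
    for the same user within the sliding window."""
    rejected = defaultdict(deque)   # user -> timestamps of recent rejections
    alerts = []
    for raw_ts, user, result in sorted(events):   # same-format ISO strings sort by time
        ts = datetime.fromisoformat(raw_ts)
        recent = rejected[user]
        while recent and ts - recent[0] > window:  # expire rejections outside the window
            recent.popleft()
        if result in ("denied", "timeout"):
            recent.append(ts)
        elif result == "approved":
            if len(recent) >= threshold:
                alerts.append({"user": user, "approved_at": raw_ts,
                               "rejected_before": len(recent)})
            recent.clear()   # a successful login starts a fresh sequence
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are starting points to tune against an organization's normal prompt volume.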
“Zero Trust principles can greatly contain the blast radius. For example, IBM found in its research that when Zero Trust principles are implemented by a company, the cost of a breach is reduced by 42%.”
Varun Badhwar, founder and CEO of stealth-mode startup Endor Labs, released a statement for InfoQ pointing to the recent resurgence in social engineering and phishing attacks.
According to the 2022 Verizon Data Breach Investigations Report, 82% of breaches last year involved the human element. That’s an astronomical number, and it demonstrates humans are still the weakest link in cybersecurity.
In Badhwar’s view, this further reinforces the idea of applying zero trust and least privilege principles for securing employee access to sensitive data and code.
Uber’s investigation into this recent breach is not yet complete and will likely shed more light on it. InfoQ will continue to report as new details emerge.