How Did the Breach Happen?
The attacker set up a man-in-the-middle MFA portal, claimed to be from Uber’s IT department, and tricked an employee into revealing his authentication credentials.
The hacker then logged into the corporate VPN and browsed the network for targets, finding a PowerShell script that contained administrator credentials for a privileged access management platform. One destination was Uber’s HackerOne bug bounty reports, which could be very damaging: the attacker would learn of unresolved vulnerabilities, which could fetch a premium payout if sold on the dark web.
Here are some key takeaways to keep in mind following this breach:
1. Not all MFA techniques are created equal.
Uber was not protecting its most sensitive internal accounts with FIDO2 passkeys and hardware tokens. These are far more resistant to phishing attacks like the one described here, because the credential is bound to the legitimate site’s origin and cannot be relayed through a bogus login page. Attackers can easily create such pages to collect sensitive information from unsuspecting employees.
2. Social engineering is still a serious threat.
You can have all kinds of security systems in place, but combating basic human nature is still difficult. It was easy to see how the hacker gained the employee’s trust and compromised him. “Many organizations and cultures continue to believe that their members are too smart to fall for phishing attacks,” writes Ars Technica. They prefer the convenience of authenticator apps over FIDO2 forms of MFA, which require possession of a phone or physical key. These types of breaches will remain a fact of life until this mindset changes.
3. Administrator login information should not be hardcoded anywhere.
Certainly not in scripts. Hardcoding credentials effectively gives you zero-factor authentication, since anyone who can read the script can recover them.
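As an added example (not from the original post, and not Uber’s tooling), a small Python scanner that flags the pattern takeaway 3 warns about: secret-like variables assigned string literals, and plaintext literals fed to ConvertTo-SecureString, in a PowerShell script. The sample script lines, variable names and hostnames are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed sample PowerShell script (not taken from any real incident).
# Lines 2 and 3 embed secrets; lines 7 and 8 obtain them at runtime instead.
SAMPLE_SCRIPT = """$pamUser = "svc-pam-admin"
$pamPassword = "Sup3rS3cret!"
$secure = ConvertTo-SecureString "AnotherP@ss" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($pamUser, $secure)
Invoke-RestMethod -Uri "https://pam.example.internal/api" -Credential $cred
# Safer: obtain the secret at runtime rather than embedding it in the script
$apiToken = $env:PAM_API_TOKEN
$safePassword = Read-Host -AsSecureString "Enter password"
"""

# A variable whose name suggests a secret, assigned a quoted string literal.
_SECRET_ASSIGN = re.compile(
    r'^\s*\$(?P<name>\w*(?:pass(?:word|wd)?|pwd|secret|token|apikey|api_key)\w*)'
    r'\s*=\s*(?P<quote>["\'])(?P<value>[^"\']+)(?P=quote)\s*$',
    re.IGNORECASE,
)
# A plaintext string literal handed straight to ConvertTo-SecureString.
_PLAINTEXT_CONVERT = re.compile(
    r'ConvertTo-SecureString\s+(["\'])[^"\']+\1\s+-AsPlainText', re.IGNORECASE
)


def find_hardcoded_credentials(script: str) -> list[tuple[int, str, str]]:
    """Return (line_number, variable_name, reason) for each suspicious line.

    Assignments from $env: variables, Read-Host or vault calls are not quoted
    literals, so they do not match and are left alone.
    """
    findings: list[tuple[int, str, str]] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        m = _SECRET_ASSIGN.match(line)
        if m:
            findings.append((lineno, m.group("name"),
                             "secret-like variable assigned a string literal"))
            continue
        if _PLAINTEXT_CONVERT.search(line):
            findings.append((lineno, "",
                             "plaintext literal passed to ConvertTo-SecureString"))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in find_hardcoded_credentials(SAMPLE_SCRIPT):
        print(f"line {lineno}: {reason}" + (f" (${name})" if name else ""))
```

Running it against the sample reports lines 2 and 3 only; a check like this belongs in a pre-commit hook or CI job so a script such as the one found in this breach never reaches a share the whole VPN population can read.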
4. It is critical to have a backup communication channel.
Your breach response team needs an out-of-band channel, one that does not run over the network (or the chat platform) that may already be compromised. After the hacker compromised Slack, they posted messages claiming the feat, which Uber security staffers did not take seriously because they thought it was a prank (it wasn’t).