Last updated on January 6th, 2023
Uber faced a significant cyberattack on 15 September 2022 that compromised the ride-hailing company's internal systems and communications for several hours. According to its official statement, Uber believes the attacker is affiliated with the hacking group Lapsus$.
Uber is not the first multinational targeted by Lapsus$ recently. In 2022 alone, this group, widely reported to be made up largely of teenagers and often described as "hacktivists", hit industry titans like Microsoft, Cisco, Samsung, Okta, and Nvidia, according to reports by CSO Online.
If giants like Uber and Microsoft can be breached, no organization can assume it is safe. So, take a closer look at how the attack happened and note the measures you can take to protect your organization.
How did the Uber hack happen?
Uber became aware of the breach when the hacker posted a message in a company-wide Slack channel and reconfigured the company's OpenDNS settings to display an explicit image to employees on various internal sites.
The attacker obtained the account credentials of an employee of one of Uber's third-party contractors to gain initial access. The hacker then bypassed multi-factor authentication (MFA) by spamming the employee with push approval requests and eventually posing as a member of Uber's IT team to get one of them approved.
Once inside the network, the attacker compromised several other Uber personnel accounts and gained elevated permissions to various internal tools and systems. That is how the hacker was able to post in the company's main Slack channel and manipulate internal sites.
How did Uber respond?
Uber's security team raced to shut down compromised tools like Slack and Google Workspace (G Suite). They also identified potentially compromised employee accounts and blocked their access, and required the affected employees to change their passwords immediately.
Other post-attack recovery and remediation measures taken by Uber to date are:
- Disabling affected and potentially affected internal tools
- Key-rotation for various internal services
- Codebase lockdown, which prevented any new or unauthorized code changes
- Mandated access re-authentication for internal systems
- Extra security and behavioral monitoring of their internal environment
Attack vectors used in the breach
The Uber hack was a sophisticated attack that chained multiple attack vectors and escalations, according to analysis published by Wired. Let's take a closer look at the tactics used in the Uber hack.
Compromised credentials
According to Uber's official statement, the attacker likely purchased the contractor's Uber corporate password on the dark web after the contractor's personal device had been infected with malware that exposed the credentials.
Compromised credentials fuel a vicious cycle of cyberattacks. One attack exposes credentials, and those leaked credentials enable further data breaches and hacks.
MFA bombing / MFA fatigue
MFA fatigue (also called MFA bombing or push bombing) abuses push-notification MFA: an attacker who already holds a valid password triggers login prompt after login prompt until the target, worn down or confused, approves one. It is as much a psychological attack as a technical one, since the goal is to erode the target's judgment.
To bypass MFA, the hacker bombarded the employee with MFA approval notifications for more than an hour. The employee initially ignored and rejected the requests, but eventually the hacker obtained an approval.
After an hour of MFA bombing, the hacker claims they contacted the target via WhatsApp. Posing as a member of Uber's IT team, the hacker told the target that the notifications would stop once the authentication request was accepted. The target approved the MFA request.
The social engineering worked because the target was already mentally fatigued by the MFA bombing.
Third-party vendor compromise
With outsourcing and "-as-a-service" models gaining popularity, third-party vendor cyber risk management is now a core component of cybersecurity vulnerability assessment. Keeping a check on the cybersecurity practices of your own employees is difficult enough. The risk increases further when third-party or fourth-party vendors have access to your organizational network.
In Uber's case, the compromised third party was a contractor's account, not a vendor's product. Thycotic (now Delinea), the Privileged Access Management (PAM) platform Uber used, enters the story one step later: according to reporting based on the attacker's own screenshots, not Uber's official statement, the attacker found a PowerShell script on an internal network share that contained hardcoded administrator credentials for the PAM platform. A PAM system holds the keys to everything else, so those credentials are what turned one contractor's account into broad access.
Privilege escalation
The goal of privilege escalation is to spread an attack further and take it as deep inside the network as possible. Once inside the network, Uber's hacker compromised various employee accounts and used the elevated access to reach internal systems like Slack, Google Workspace, and Amazon Web Services (AWS).
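As an added illustration, not Uber's script and not code from the original article: reporting on the breach indicated that the attacker's jump to privileged access came from admin credentials hardcoded in a PowerShell script sitting on a network share. A scan for that class of mistake belongs in any vulnerability assessment of file shares and repositories. The Python scanner below runs over a constructed PowerShell fragment; the variable names, hostnames, secret values and regex rules are assumptions for illustration, and values that are read from a file or vault rather than written as literals are deliberately not flagged.

```python
"""Scan scripts for hardcoded credentials (added example, not from the original page)."""
import re

# Constructed PowerShell fragment in the style of an automation script. The host names
# and the secret are invented; this is not Uber's script.
SAMPLE_SCRIPT = """\
# Nightly PAM export job
$server = "pam.example.internal"
$user   = "svc_pam_admin"
$pw     = "Tr0ub4dor&3"
$sec    = ConvertTo-SecureString "Tr0ub4dor&3" -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential($user, $sec)
Invoke-RestMethod -Uri "https://$server/api/token" -Body @{ username = $user; password = $pw }
$apiKey = Get-Content "C:\\secure\\apikey.txt"
"""

# Each rule is (description, pattern); the secret itself is captured in the group "secret".
PATTERNS = [
    ("quoted literal assigned to a secret-looking variable",
     re.compile(r"^\s*\$\w*(?:pass|pwd|pw|secret|token|key|cred)\w*\s*=\s*[\"'](?P<secret>[^\"']+)[\"']",
                re.IGNORECASE)),
    ("ConvertTo-SecureString called on a plaintext literal",
     re.compile(r"ConvertTo-SecureString\s+[\"'](?P<secret>[^\"']+)[\"']\s+-AsPlainText",
                re.IGNORECASE)),
    ("secret passed as a quoted parameter value",
     re.compile(r"-(?:Password|Pwd|Secret|Token|ApiKey)\s+[\"'](?P<secret>[^\"']+)[\"']",
                re.IGNORECASE)),
]


def redact(secret):
    """Keep two characters so an analyst can correlate, hide the rest."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "***"


def scan_for_hardcoded_credentials(text):
    """Return one finding per offending line: line number, the rule that fired, and the
    line with the secret redacted. Values read from a file or vault are not flagged."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                secret = match.group("secret")
                findings.append({
                    "line": number,
                    "rule": rule,
                    "snippet": line.strip().replace(secret, redact(secret)),
                })
                break  # one finding per line is enough for triage
    return findings


if __name__ == "__main__":
    for finding in scan_for_hardcoded_credentials(SAMPLE_SCRIPT):
        print(f"line {finding['line']}: {finding['rule']}\n    {finding['snippet']}")
```

Run it over every share and repository a contractor account can read, not only the ones you think hold secrets; the point of the Uber case is that the script was reachable from an ordinary foothold.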
How Can You Defend Against Multi-Vector Attacks?
The Uber attack highlights how organized and well-planned cybercrime has become. Attackers have moved past run-of-the-mill ransomware; by combining several tactics, they exploit whichever gaps and vulnerabilities an IT environment happens to have.
There are several lessons to learn from the Uber hack.
Counter MFA vulnerabilities
Circumventing MFA is increasingly a go-to technique for attackers. Push approvals and time-based OTPs can be bombed or phished, so companies should move to phishing-resistant MFA, such as FIDO2/WebAuthn security keys or passkeys, for privileged, remote-access and contractor accounts. Where push MFA must remain, enable number matching so that an approval requires information shown on the login screen, and alert on or lock out after a run of denied prompts.
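The attack sequence described in the MFA bombing section above, an hour of rejected prompts ending in a single approval, is visible in authentication logs if anyone is looking. The following Python detector is an added example, not code from the original article or from Uber; it assumes a hypothetical log format of "timestamp user event source-ip" with push_denied, push_timeout and push_approved events, and the sample log it runs on is constructed. It raises a medium alert once a user has rejected or ignored a threshold of prompts inside a sliding window, and a high alert when such a run ends in an approval, which is exactly the moment the Uber contractor gave in.

```python
"""MFA push-bombing detection over authentication logs (added example, not from the page)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical log format: "<ISO-8601 UTC timestamp> <user> <event> <source ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<user>\S+)\s+"
    r"(?P<event>push_denied|push_timeout|push_approved)\s+(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "ip": m["ip"]}


def detect_mfa_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for users who rejected or ignored `threshold` or more push prompts
    inside `window`, plus a high-severity alert if such a run ends in an approval."""
    events = sorted(filter(None, (parse_line(ln) for ln in lines)), key=lambda e: e["ts"])
    pending = defaultdict(deque)   # user -> timestamps of recent unapproved prompts
    already_flagged = set()
    alerts = []
    for ev in events:
        q = pending[ev["user"]]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["event"] in ("push_denied", "push_timeout"):
            q.append(ev["ts"])
            if len(q) >= threshold and ev["user"] not in already_flagged:
                already_flagged.add(ev["user"])
                alerts.append({"user": ev["user"], "severity": "medium", "ip": ev["ip"],
                               "at": ev["ts"],
                               "reason": f"{len(q)} unapproved push prompts in {window}"})
        elif ev["event"] == "push_approved":
            if len(q) >= threshold:
                alerts.append({"user": ev["user"], "severity": "high", "ip": ev["ip"],
                               "at": ev["ts"],
                               "reason": f"approval after {len(q)} unapproved prompts in {window}"})
            q.clear()                           # a completed login ends the run
            already_flagged.discard(ev["user"])
    return alerts


def build_sample_log():
    """Constructed sample, not real data: one account receives a prompt every 45 seconds
    for nine minutes and finally approves; a second user denies once by mistake and then
    approves, which should not alert."""
    base = datetime(2022, 9, 15, 22, 0, 0)
    lines = [f"{base + timedelta(seconds=45 * i):%Y-%m-%dT%H:%M:%SZ} contractor01 push_denied 203.0.113.7"
             for i in range(12)]
    lines.append(f"{base + timedelta(minutes=9):%Y-%m-%dT%H:%M:%SZ} contractor01 push_approved 203.0.113.7")
    lines.append("2022-09-15T22:03:00Z alice push_denied 198.51.100.4")
    lines.append("2022-09-15T22:03:30Z alice push_approved 198.51.100.4")
    return lines


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(build_sample_log()):
        print(alert)
```

Tune the threshold against your own baseline of accidental denials; the high-severity rule is the one worth paging on, since a legitimate user who has said no a dozen times rarely says yes from the same source IP a minute later.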
Eliminate weak passwords
Weak passwords are an obvious and common enabler of account takeovers and access abuse. Investigations of various Lapsus$ intrusions show that employees continue to use extremely weak passwords, typically common words with a few digits or symbols appended, which fall quickly to dictionary attacks.
Companies should maintain a custom blocklist of words and phrases (the company name, product names, seasons, local sports teams) that cannot appear in any password, and enforce a firm policy that rejects passwords already known to be leaked, for example by checking them against a breach corpus such as Have I Been Pwned.
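To make the two policies above concrete, here is an added Python example (not code from the original article) of a password check that normalizes common character substitutions, rejects passwords containing blocklisted organization terms or the username, and refuses passwords whose SHA-1 hash appears in a leaked-password set. The blocklist and the leaked set are constructed stand-ins; a real deployment would load the organization's own term list and the hashes from a breach corpus such as the offline Have I Been Pwned list, which is keyed by SHA-1.

```python
"""Password policy check: org blocklist plus leaked-password set (added example)."""
import hashlib

# Constructed organization blocklist: company and product names, seasons and the usual
# suspects. In production this comes from a maintained file; sorted for stable output.
ORG_BLOCKLIST = sorted({"uber", "rideshare", "acme", "password", "welcome", "summer", "winter"})

# Constructed stand-in for a breach corpus: SHA-1 hashes of a handful of passwords.
# A real check loads millions of hashes from a corpus such as the HIBP offline list.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1", "Welcome123", "qwerty123", "letmein", "Summer2022!")
}

# Undo common "leetspeak" substitutions so that P@$$w0rd still matches "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 14


def normalize(text):
    """Lowercase and reverse leetspeak so substring checks catch disguised words."""
    return text.lower().translate(LEET)


def is_leaked(password):
    """Offline lookup against the local hash set. For an online check, the HIBP
    k-anonymity API takes only the first five hex characters of the SHA-1 and the
    client compares the returned suffixes locally, so the password never leaves the host."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in LEAKED_SHA1


def check_password(password, username=""):
    """Return the list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    norm = normalize(password)
    if username and normalize(username) in norm:
        failures.append("contains_username")
    for word in ORG_BLOCKLIST:
        if word in norm:
            failures.append(f"blocked_word:{word}")
    if is_leaked(password):
        failures.append("known_leaked")
    return failures


if __name__ == "__main__":
    for candidate in ("Password1", "Ub3r$ummer2022!", "correct horse battery staple 2022"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

The normalization step matters more than it looks: attackers' wordlists already contain the leetspeak variants, so a policy that only blocks the plain word gives a false sense of coverage.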
Prepare for social engineering and human error
Human error is still the largest cyber risk for every enterprise, irrespective of size or security posture, and your employees are usually the weakest link. Such attacks call for a defense-in-depth approach that covers the human side of security rather than technology alone. Regular security awareness training and realistic attack simulations, including simulated MFA prompts and "IT support" calls, are a necessity.
Regular vulnerability assessments
Vulnerabilities are a natural and constantly changing part of IT networks. Identifying the holes in your network and the limits of your security posture removes the footholds a multi-vector attack chains together, since attackers look for existing weaknesses that let them do the most damage. Regular vulnerability and risk assessments are therefore crucial to strengthening cybersecurity.
If you’re even slightly worried about the holes in your security, you need a vulnerability assessment at the earliest.
Managed security service providers like ACE Managed Security Services understand the importance of thorough vulnerability assessments. This is why ACE offers zero-cost security consultations, in which industry experts assess your existing security posture, highlight the vulnerabilities, and recommend the best way forward for you.