Yet Another Uber Breach

Uber has suffered another breach, this time the result of a social engineering attack. The attacker obtained an Uber employee's password and used it to log in. Uber uses MFA, so the attacker called the employee, pretended to be from the IT department, and told them to accept the MFA prompt.

Once inside the environment, the attacker found credentials in a script on a file share; these turned out to be administrative credentials for Uber's PAM solution. With access to the PAM solution, the attacker was able to obtain privileged credentials for other systems as well.

From Carly Page at TechCrunch:

Uber said in a statement given to TechCrunch that it’s investigating a cybersecurity incident and is in contact with law enforcement officials, but declined to answer additional questions.

The sole hacker behind the breach, who claims to be 18 years old, told the Times that he compromised Uber because the company had weak security. The attacker reportedly used social engineering to compromise an employee’s Slack account, persuading them to hand over a password that allowed them access to Uber’s systems. This has become a popular tactic in recent attacks against well-known companies, including Twilio, Mailchimp and Okta.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach,” the Times reports. The hacker also reportedly said that Uber drivers should receive higher pay. According to Kevin Reed, CISO at cybersecurity company Acronis, the attacker found high-privileged credentials on a network file share and used them to access everything, including production systems, Uber’s Slack management interface and the company’s endpoint detection and response (EDR) portal.

One of the main discussion topics in the community has been the abuse of push-based MFA: an attacker who already knows the password can repeatedly trigger push notifications until the user taps accept. Attackers have been observed sending these notifications in the early hours of the morning and at the start of the workday, to maximize the chance that the user accepts the prompt.

Unfortunately, many MFA providers cannot detect these types of attacks, nor reliably forward alerts about them to a SIEM platform. Microsoft’s Azure AD has recently enabled number matching, where the user must enter on their phone a number shown during authentication. While this does reduce the abuse of push notifications, it significantly degrades the user experience when logging into an account.
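Because most providers will not raise this alert for you, the detection usually has to be built on the SIEM side from the raw MFA event stream. The following is an added example, not code from the original post or from any MFA vendor: a small detector for the push-fatigue pattern described above, run over a handful of constructed JSON log lines. The log format (fields `ts`, `user`, `result`, `src_ip`) and the thresholds are assumptions; map them onto whatever your provider actually exports.

```python
"""Detect MFA push fatigue from an authentication log (added example).

Assumed (hypothetical) log format: one JSON object per line with
  ts      ISO-8601 timestamp (UTC)
  user    account the push was sent to
  result  "approved" | "denied" | "timeout"
  src_ip  origin of the login attempt
Two signals are raised: a burst of un-approved prompts for one user inside a
short window, and, more seriously, an approval that follows such a burst.
Off-hours prompts are flagged because that is when the pattern is most common.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines for the demo; not real telemetry.
SAMPLE_LOG = """\
{"ts": "2022-09-15T03:02:11Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T03:02:40Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T03:03:05Z", "user": "alice", "result": "timeout",  "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T03:03:31Z", "user": "alice", "result": "denied",   "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T03:04:02Z", "user": "alice", "result": "approved", "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T09:00:12Z", "user": "bob",   "result": "approved", "src_ip": "198.51.100.4"}
{"ts": "2022-09-15T13:15:44Z", "user": "carol", "result": "denied",   "src_ip": "198.51.100.9"}
{"ts": "2022-09-15T13:16:10Z", "user": "carol", "result": "approved", "src_ip": "198.51.100.9"}
"""

WINDOW = timedelta(minutes=10)  # look-back window per user (tunable assumption)
MAX_NON_APPROVED = 3            # un-approved prompts in WINDOW that trigger an alert
OFF_HOURS = range(0, 6)         # UTC hours treated as "early morning"; adjust to local hours


@dataclass(frozen=True)
class Alert:
    user: str
    reason: str
    count: int            # un-approved prompts seen in the window
    approved_after: bool  # True if the user eventually accepted a prompt
    off_hours: bool       # prompt burst happened in OFF_HOURS
    ts: datetime          # time of the event that raised the alert


def parse(line: str) -> dict:
    """Parse one JSON log line and convert its timestamp to a datetime."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect_push_fatigue(lines) -> list[Alert]:
    """Return one alert per user showing the push-fatigue pattern.

    A burst of un-approved prompts raises a medium alert; if an approval then
    follows inside the same window the alert is replaced by a high-severity one,
    since that is exactly the outcome the attacker is after.
    """
    recent: dict[str, list[datetime]] = defaultdict(list)
    alerts: dict[str, Alert] = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        user, ts = ev["user"], ev["ts"]
        # Keep only prompts that fall inside the sliding window.
        recent[user] = [t for t in recent[user] if ts - t <= WINDOW]
        if ev["result"] == "approved":
            if len(recent[user]) >= MAX_NON_APPROVED:
                alerts[user] = Alert(user, "approval after repeated push prompts",
                                     len(recent[user]), True, ts.hour in OFF_HOURS, ts)
            recent[user].clear()  # a legitimate approval ends the sequence
        else:
            recent[user].append(ts)
            if len(recent[user]) >= MAX_NON_APPROVED and user not in alerts:
                alerts[user] = Alert(user, "repeated denied/unanswered push prompts",
                                     len(recent[user]), False, ts.hour in OFF_HOURS, ts)
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        severity = "HIGH" if a.approved_after else "MEDIUM"
        print(f"[{severity}] {a.user}: {a.reason} ({a.count} prompts, "
              f"off_hours={a.off_hours}) at {a.ts.isoformat()}")
```

On the sample data only `alice` is flagged: four un-approved prompts in two minutes, at 03:00 UTC, followed by an approval, which is the high-severity case. `carol`'s single denial before an approval stays below the threshold, which is the kind of everyday mistap the rule should ignore. In a real deployment the same logic belongs in a scheduled SIEM query keyed on the provider's event IDs, with the window and threshold tuned against a few weeks of baseline data.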