What the Uber Hack can teach us about navigating IT Security

Uber’s security compromise earlier this month is an unfortunate result of concerns left over from an attack the company sustained in 2016 when a pair of hackers outside of Uber accessed user data that was stored on a 3rd-party server.

The hack could not be circumnavigated by IT workers and essentially made it impossible for Uber drivers to complete their jobs.

Uber has released statements that make the following claims:

• No customer data was compromised
• All services are fully operational
• Law enforcement was notified
• Internal software disabled for security was back online

While this is the ideal situation after an attack, understanding the root cause of modern-day social engineering attacks is even more important when it comes to attack prevention. In this post, we will dive a bit deeper into how the attack was perpetrated and what you can do to avoid falling prey to a similar attack.

A hack in three parts: breached credentials, MFA fatigue, and social engineering

Although Uber uses multi-factor authentication (MFA) push notifications for their employee communications, it didn’t deter the hacker from getting around these authentication protections in order to leverage social engineering to get access to the network's assets and operate as an authorized user.

While MFA can guard against attacks using stolen credentials, that doesn't protect against what could happen if a hacker has credentials and uses them for a more advanced attack.

Uber later divulged that the attacker who breached its network had first obtained the VPN credentials of an external contractor.

These stolen credentials were used to attempt an MFA Fatigue attack where the user is bombarded with MFA verification notifications. In this particular hack, the end-user denied the verification attempts until the attacker contacted the target on WhatsApp posing as tech support, telling the person to accept the MFA prompt. This added element of social engineering is what pushed the attack from attempted to successful.

Bottom line

The attacker rendered the incident response team obsolete by combining stolen credentials, an MFA Fatigue attack, and social engineering (posing as tech support), to breach the system.

The key issue is that a single, central point of authentication resulted in access to various cloud-based IAM services and accounts that could have led to one of the greatest data leaks of all time.

More on social engineering cyber-attacks

Social engineering attacks exploit the trust of people working for a specific company in order to obtain passwords, screen names, and other information needed to gain user access to a network.

Social engineering attacks come in at least five recognized forms, but can be done in any way that accomplishes what the following techniques achieve:

• Phishing: The most common form of social engineering attack, phishing entails drafting an email that looks credible and using it to obtain information from a user. For example, an attacker might pretend to be a friend, relative, coworker, or partner of the company.

• Watering Hole Attacks: In this type of attack, the hacker finds websites where employees spend time. He or she will try to engage in conversation with the employee and glean access information or clues that can lead to accessing information.

• Business Email Compromise (BEC): A form of phishing attack at its core, a BEC attack exploits an employee's fear of punishment or desire to ingratiate their superiors. The attacker will usually spoof the bosses' email and request information. In some cases, a BEC attack might be accomplished by actually impersonating a supervisor or c-level executive over the phone.

• Physical social engineering: PSE attacks are done the old-fashioned way. It can be done by pilfering through drawers, breaking into a company vehicle, distracting a receptionist, and so on, in an effort to obtain access information.

• USB Fraud: This type of attack can be the simple theft of a USB stick or it can be swapping one out for one with malware on it. Infected USBs can also be left on a desk, in the hope that an employee will plug it in and infect the network. As these attacks take place within the office, they have a high probability of being committed by a disgruntled employee.

The Uber attack demonstrates just how sophisticated hackers have become when it comes to exploiting authorization mechanisms through social engineering, especially phishing. It's important that your MFA procedure is truly multi-factor, and not just two factor. It’s a good idea to require different types of verification methods, include biometrics, to really ensure security.

Bolstering your IT security

Regardless of the technical details surrounding social engineering, the strongest defense against these kinds of attacks is a culture of vigilance and automated prevention. Employees must be made aware of all types of social engineering attacks as well as be able to see them coming. Training teams to recognize potential threats is still the best defense against these cybersecurity attacks that will only become more prevalent in the future.

Automated layers of protection

Of course, these hackers are advanced, so it’s a best-practice to layer in automated stopgaps in your IT security protocol to prevent end-user error from endangering your network if they are compromised.

 By using password policy enforcement tools, organizations can better automate the development of higher quality passwords that close up vulnerabilities that could leave their system open to attack. Advanced password policy tools like Specops Password Policy also have built in defenses against the use of breached credentials, which would have been particularly helpful in this Uber scenario.

Another prevention method could have been Specops Secure Service Desk which automated the verification of an end user’s identity before allowing password reset. And because it’s a zero-trust system, help desk employees won’t be burdened with the option of “just trusting” that the caller is who they say they are—it's all up to the automation.

Sponsored and written by Specops.