September Snafus: Hackers Take Advantage of Unwitting Employees

Category

News, Social Engineering

Several large companies were hacked in the first half of September. The common theme? All of the attacks were carried out with relatively simple phishing and social engineering techniques.

So far in September, IHG, Uber, and Rockstar Games have all been victims of major independent cyber attacks. Though the attacks had different results for each company, the techniques and underlying vulnerabilities that were exploited shared a common theme. In the IHG hack, a couple from Vietnam claimed they had been attempting to deploy ransomware on the network. Unfortunately for IHG, its IT department was so effective at blocking the ransomware that the couple turned vindictive and deployed wiper malware instead. IHG’s booking sites and apps were unavailable for several days as a result. But how did the hackers get onto IHG’s IT network to deploy the wiper malware in the first place? Phishing and poor password practices.

The couple claimed that they were able to trick an employee into downloading malware from a phishing email. Once they were in that employee’s account, they accessed Outlook emails, Teams chats, and server directories before locating the password to IHG’s internal password vault - “Qwerty1234” - which was apparently available to more than 200,000 employees. The password vault gave the hackers credentials to other areas of IHG’s IT network, allowing them to easily carry out the destructive attack.

A little more than a week later, Uber and Rockstar Games were also hacked, both by the same person. The hacker used another “easy” technique that goes after the weakest link in any company’s security - the employee. After obtaining an Uber employee’s login credentials, likely purchased on the dark web, the hacker used social engineering to get around Uber’s multi-factor authentication.

But I thought multi-factor authentication was supposed to stop these kinds of attacks?

There are many different types of multi-factor authentication, and some are more susceptible to attack than others. Multi-factor authentication using hardware tokens, or something the employee has to physically possess in order to get into their account, is harder to bypass than multi-factor authentication that relies on a push notification or a one-time code. With social engineering, as the hacker did at Uber, employees can still be tricked into handing over details of their multi-factor authentication. In this case, Uber used a push notification authentication mechanism and the hacker took advantage of a relatively new technique called “MFA Fatigue.” Every time the hacker tried to log in, the employee was spammed with a push notification. After an hour of repeated login attempts, the hacker directly contacted the employee pretending to be Uber IT Support, ultimately convincing the employee that the push notifications would stop if they accepted one, thereby gaining access to the employee’s account.

The hacker used the employee’s account to access shared resources on Uber’s IT network, which included some PowerShell scripts containing administrator credentials for the Thycotic access management system. Once in control of that account, the hacker also gained access to Uber’s cloud infrastructure, including AWS, GSuite, VMware vSphere dashboard, Duo, and OneLogin. The hacker used this unfettered access to reconfigure Uber’s OpenDNS to display graphic images on internal websites, get into Uber’s HackerOne dashboard to view vulnerabilities, and post about their breach in the company’s Slack. 

Within days of the Uber hack, Rockstar Games also fell victim to an attack of its own. The hacker is supposedly the same person who hacked Uber, though Rockstar Games has not yet confirmed this. Few details about this hack have been released yet, but the hacker used similar techniques to gain access to Rockstar Games’ Slack and Confluence wiki and obtain details about the yet-to-be-released Grand Theft Auto VI. After attempting and failing to extort the company, the hacker uploaded 90 videos from the test build of the new game to a gaming forum in what is considered to be one of the biggest leaks in video game history. The hacker also claims to have stolen source code and assets for Grand Theft Auto V, along with additional details for GTA VI that they have yet to release.

How can I make sure this doesn’t happen to my company?

Security Awareness Training is an essential way to help employees understand how to recognize and prevent phishing and social engineering attempts. To any trained professional, seeing a number of multi-factor authentication push notifications for logins you weren’t making yourself should be a red flag - especially when it’s followed up with unsolicited contact from someone you don’t know. Equipping your employees with the knowledge needed to recognize suspicious activity and resources to report that activity can help to prevent these data breaches.

Hackers know that the employee is the weakest link, so it’s important to combine training with secure practices and configurations as well. If feasible, companies should consider using alternate forms of multi-factor authentication that don’t rely on push notifications, or limit the number of login attempts allowed within a specified timeframe. These practices reduce the risk of MFA fatigue attacks while continuing to use multi-factor authentication to keep accounts secure.
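As an added illustration (not part of the original article), the following Python sketch shows both sides of that advice on a constructed MFA push log: a detection rule that flags an approval arriving after a burst of denied prompts for the same user, and a rate limit that caps how many prompts a user can receive within a window. The log entries, user names and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample MFA push log (not real Uber or Duo data). Five denied
# prompts in a few minutes, then one approval: the MFA fatigue pattern.
SAMPLE_EVENTS = [
    ("2022-09-15T21:00:00Z", "alice", "denied"),
    ("2022-09-15T21:00:40Z", "alice", "denied"),
    ("2022-09-15T21:01:20Z", "alice", "denied"),
    ("2022-09-15T21:02:00Z", "alice", "denied"),
    ("2022-09-15T21:02:45Z", "alice", "denied"),
    ("2022-09-15T21:03:30Z", "alice", "approved"),
    ("2022-09-15T21:05:00Z", "bob", "approved"),  # an ordinary single login
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _prune(q, now, window):
    # Drop events that fell out of the sliding window.
    while q and now - q[0][0] > window:
        q.popleft()

def detect_fatigue(events, window=timedelta(minutes=10), min_denials=3):
    """Detection: flag an approval preceded by min_denials+ denied prompts."""
    recent = defaultdict(deque)  # user -> (timestamp, result) within window
    alerts = []
    for ts_str, user, result in events:
        now = _ts(ts_str)
        q = recent[user]
        _prune(q, now, window)
        denied = sum(1 for _, r in q if r == "denied")
        if result == "approved" and denied >= min_denials:
            alerts.append((user, ts_str, f"approved after {denied} denials"))
        q.append((now, result))
    return alerts

def rate_limit_pushes(events, window=timedelta(minutes=10), max_pushes=3):
    """Prevention: send at most max_pushes prompts per user per window."""
    recent = defaultdict(deque)
    sent, dropped = [], []
    for ts_str, user, result in events:
        now = _ts(ts_str)
        q = recent[user]
        _prune(q, now, window)
        if len(q) >= max_pushes:
            dropped.append((ts_str, user))  # attacker's extra prompts never reach the phone
            continue
        q.append((now, result))
        sent.append((ts_str, user))
    return sent, dropped
```

Run against the sample, the detector raises one alert for alice's late approval and the rate limiter lets only her first three prompts through, which is the point at which a SOC should also be paged.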

Not sure where to start or curious to know more? Hive Systems can help develop and deliver fully managed Security Awareness Training tailored to fit your organization, no matter the size. We can also provide in-depth risk assessments to help you understand your organization’s weak spots and recommendations to bolster your security and reduce your risk. Reach out today to see how Hive Systems can help you!
