In the aftermath of a major network breach at Uber last week – the cyber incident forced the ride-hailing company to shut down several internal communications and engineering systems – some early reports point to how the attacker was able to breach their environment.
While the accuracy of this information hasn’t yet been confirmed, the details reported so far still serve as a reminder of good practices to consider for your environment. I would encourage any organization to consider them regardless of what specific security tools are used in your environment.
Hopefully, we’ll all eventually know more about the specifics of the incident so organizations will be able to apply lessons learned to help improve their security. In the meantime, let’s consider how this incident apparently unfolded:
- A successful phish captured an employee’s username and password: the attacker contacted an Uber user, claimed to be from Uber IT, and directed the user to what appeared to be an authentic Uber application.
- Uber appears to use Duo multi-factor authentication (MFA) with push notification to an app on the user’s phone. The attacker spammed login attempts, causing many push notifications on the user’s phone for an hour. The attacker followed up with a “message from IT” that indicated a system issue was ongoing and the user needed to accept the notification to stop the issue from affecting them.
- Once the user accepted the authentication attempt, the attacker was able to enroll their own device in the user’s Duo setup and, from then on, authenticate as the user without any further input from the user.
- The attacker then used the compromised account to get into Uber internal tools and the intranet to perform reconnaissance and scan the environment.
- The attacker reportedly discovered scripts within Uber’s intranet that contained a clear text username and password for an account with administrator authorization. From here, the game is up as an attacker will usually be able to capitalize on administrator access to compromise the majority if not the whole environment.
Here are five takeaways based on what reportedly occurred in the Uber incident:
Takeaway #1: Make sure you have designed your suite of controls assuming users will fall for phishing attacks. KnowBe4 has found that when designing security controls, all organizations should expect that 3-5% of users in a well-trained userbase will still fail any given phishing attack that makes it to their inbox.
Takeaway #2: Short term, make sure your MFA tool is configured to prevent brute force authentication attempts. As this incident shows and our Rehmann Penetration Testing team has seen, you cannot assume that a user will sufficiently protect their end of the MFA process. You can consistently rely on humans failing at any given task once it is repeated enough times. We therefore need to also make sure that the MFA process is configured to block an attack as much as possible. MFA tools like Duo can be set to lock out the account after a certain number of invalid attempts, which could have helped stop the brute force spam notifications sent to the user.
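To show what such a lockout rule does against push spam, here is an added example (not code from the original post, and not Duo’s own logic) that replays a constructed stream of push outcomes and locks a user once too many pushes in a window go unapproved; the event format and thresholds are assumptions:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class PushFatigueGuard:
    """Lock a user's MFA once too many pushes in a window go unapproved,
    so an attacker cannot keep prompting until the user gives in."""

    def __init__(self, max_unapproved=5, window_minutes=10):
        self.max_unapproved = max_unapproved
        self.window = timedelta(minutes=window_minutes)
        self._unapproved = defaultdict(deque)  # user -> times of denied/timed-out pushes
        self.locked = {}                        # user -> time the lock was applied

    def handle_push(self, now, user, outcome):
        """Process one push for `user` with `outcome` in {approved, denied, timeout}.
        Returns 'blocked' (user already locked, no push sent), 'locked'
        (this push tripped the threshold), or 'ok'."""
        if user in self.locked:
            return "blocked"
        if outcome == "approved":
            self._unapproved[user].clear()  # a genuine approval resets the counter
            return "ok"
        q = self._unapproved[user]
        q.append(now)
        while q and now - q[0] > self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.max_unapproved:
            self.locked[user] = now
            return "locked"
        return "ok"


# Constructed sample events (ISO timestamp, user, outcome); not real Duo logs.
SAMPLE_EVENTS = [
    ("2022-09-15T22:00:00", "asmith", "timeout"),
    ("2022-09-15T22:00:10", "jdoe", "timeout"),
    ("2022-09-15T22:00:40", "jdoe", "timeout"),
    ("2022-09-15T22:01:10", "jdoe", "denied"),
    ("2022-09-15T22:01:40", "jdoe", "timeout"),
    ("2022-09-15T22:02:10", "jdoe", "timeout"),   # fifth unapproved push: lock
    ("2022-09-15T22:02:40", "jdoe", "timeout"),   # never sent
    ("2022-09-15T22:03:00", "asmith", "approved"),
    ("2022-09-15T23:00:00", "jdoe", "approved"),  # "accept it to make it stop" no longer works
]


def replay(events, guard=None):
    """Feed events through the guard in order; returns one decision per event."""
    guard = guard or PushFatigueGuard()
    return [guard.handle_push(datetime.fromisoformat(ts), user, outcome)
            for ts, user, outcome in events]
```

Once a user is locked, even a later approval is not honored, so the "accept the prompt to stop the issue" message loses its effect and the lock itself becomes a signal for the help desk to investigate.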
Takeaway #3: Long term, deploy a “man-in-the-middle” attack-resistant MFA solution.
Not all MFA is created equal. There are many different forms and they each provide different levels of security. Attackers are already using phishing attacks that link to a man-in-the-middle (MitM) attack which would fool most users into thinking they are logging into a real page from Google, Amazon, Microsoft, or a custom login page. It appears a tool like this may have been used as a part of the Uber breach to capture the user’s credentials. These tools are publicly available for free and can be stood up in minutes. Some MFA is definitely still better than no MFA. However, we need to start thinking about moving away from using one-time passcodes, push notifications, or any other method susceptible to a MitM attack. The future will likely look like a FIDO2 compliant authentication process using hardware tokens like a Yubikey.
Takeaway #4: Make sure you are keeping cybersecurity best practices consistently in front of your users. A USENIX study has shown that users stop applying best practices about four months after receiving training, meaning that at minimum, you should be training your employees three times a year. I personally am a fan of tools that can easily provide frequent and short reminders on cybersecurity best practices – ideally, five- to 10-minute courses delivered monthly.
Takeaway #5: Do not store usernames and passwords in clear text, including hard-coding them into scripts. It seems like an age-old lesson to “not write down your username and password.” In today’s world of automation, we need to be careful that we do not overlook situations where a username and password gets written into the programming of a script or custom developed tool.