5 critical takeaways from the Uber cyberattack

November 2, 2022


In the aftermath of last week's major network breach at Uber, an incident that forced the ride-hailing company to shut down several internal communications and engineering systems, some early reports point to how the attacker was able to breach the environment.

The accuracy of this information has not yet been confirmed, but whether or not the specific details available are true, they provide a reminder of good practices to consider for your environment. I would encourage any organization to consider these regardless of which specific security tools are used in your environment.

Hopefully, we'll all eventually know more about the specifics of the incident so organizations will be able to apply lessons learned to help improve their security. In the meantime, let's consider how this incident apparently unfolded:

  1. The attacker captured an employee's username and password with a successful phish: they contacted an Uber user, claimed to be from Uber IT, and directed the user to access what appeared to be an authentic Uber application.
  2. Uber appears to use Duo multi-factor authentication (MFA) with push notification to an app on the user's phone. The attacker spammed login attempts, causing many push notifications on the user's phone for an hour. The attacker followed up with a "message from IT" indicating that a system issue was ongoing and that the user needed to accept the notification to stop the issue from affecting them.
  3. After the user accepted the authentication attempt, the attacker was able to add their own device to the user's Duo setup and, from then on, authenticate as the user without any further input from the user.
  4. The attacker then used the compromised account to get into Uber internal tools and the intranet to perform reconnaissance and scan the environment.
  5. The attacker reportedly discovered scripts within Uber's intranet that contained a clear-text username and password for an account with administrator authorization. From here, the game is up, as an attacker will usually be able to capitalize on administrator access to compromise the majority, if not the whole, of the environment.

Here are five takeaways based on what reportedly occurred in the Uber incident:

Takeaway #1: Make sure you have designed your suite of controls assuming users will fall for phishing attacks.
A reasonable planning assumption, when designing security controls, is that 3-5% of users in a well-trained userbase will still fail any given phishing attack that makes it to their inbox. All organizations should expect this.

Takeaway #2: Short term, make sure your MFA tool is configured to prevent brute-force authentication attempts.
As this incident shows, and as our 熊猫视频 Penetration Testing team has seen, you cannot assume that a user will sufficiently protect their end of the MFA process. Given enough repetitions, you can reliably count on a human failing at any given task. We therefore also need to make sure that the MFA process itself is configured to block an attack as much as possible. MFA tools like Duo can be configured to lock out further attempts after a certain number of invalid attempts, which could have helped stop the brute-force spam of push notifications sent to the user.
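Lockout logic of the kind described above, as an added example that is not Duo's code or configuration (the thresholds are assumed values to tune for your environment): a per-user sliding window that stops sending pushes and raises an alert once a user has been pushed too many times, and that locks immediately when the user denies a push they did not start.

```python
import time
from collections import defaultdict, deque

# Policy values are constructed for this example; the page does not give Duo's
# actual thresholds, so treat them as assumptions to tune for your environment.
MAX_PUSHES_PER_WINDOW = 5    # pushes allowed per user within WINDOW_SECONDS
WINDOW_SECONDS = 600         # sliding window: 10 minutes
LOCKOUT_SECONDS = 1800       # how long further pushes are refused once tripped


class PushLimiter:
    """Per-user sliding-window limit on MFA push notifications. Past the limit,
    login attempts are refused without sending a push, so the phone stops
    buzzing and the SOC gets an alert instead of the user getting worn down."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock for testing
        self._attempts = defaultdict(deque)   # user -> timestamps of sent pushes
        self._locked_until = {}               # user -> time the lock expires

    def request_push(self, user):
        """Return 'push', 'locked' or 'lockout_triggered' for one login attempt."""
        now = self._now()
        if self._locked_until.get(user, 0) > now:
            return "locked"
        window = self._attempts[user]
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                  # drop attempts outside the window
        if len(window) >= MAX_PUSHES_PER_WINDOW:
            self._lock(user, now)
            return "lockout_triggered"        # raise an alert here; send no push
        window.append(now)
        return "push"

    def push_answered(self, user, approved):
        """An explicit approval clears the counter; an explicit denial is the
        user telling you they did not start this login, so lock immediately."""
        if approved:
            self._attempts[user].clear()
        else:
            self._lock(user, self._now())

    def _lock(self, user, now):
        self._locked_until[user] = now + LOCKOUT_SECONDS
        self._attempts[user].clear()


def simulate_spam(limiter, user, attempts):
    """Outcomes for `attempts` back-to-back login attempts against one user."""
    return [limiter.request_push(user) for _ in range(attempts)]
```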

Takeaway #3: Long term, deploy a "man-in-the-middle" attack-resistant MFA solution.
Not all MFA is created equal. There are many different forms, and each provides a different level of security. Attackers are already using phishing attacks that link to a man-in-the-middle (MitM) attack, which would fool most users into thinking they are logging into a real page from Google, Amazon, Microsoft, or a custom login page. It appears a tool like this may have been used as part of the Uber breach to capture the user's credentials. These tools are publicly available for free and can be stood up in minutes. Some MFA is definitely still better than no MFA. However, we need to start thinking about moving away from one-time passcodes, push notifications, or any other method susceptible to a MitM attack. The future will likely look like a phishing-resistant approach using hardware tokens like a YubiKey.
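To show why an origin-bound hardware-token login resists this kind of relay, here is an added, simplified model that is not real WebAuthn (whose assertions are public-key signatures; the HMAC and the example.com origins are stand-ins): the token signs the origin the browser actually shows, so an assertion obtained on a look-alike domain fails verification at the real site, whereas a one-time code or push approval carries no such binding and relays unchanged.

```python
import hashlib, hmac, secrets

REAL_ORIGIN = "https://login.example.com"   # constructed origin for the model

class Authenticator:
    """Stand-in for a hardware token: it only signs for origins it was enrolled
    at, and the origin it signs is the one the browser actually shows."""
    def __init__(self):
        self._keys = {}   # origin -> per-origin secret created at enrolment
    def register(self, origin):
        self._keys[origin] = secrets.token_bytes(32)
        return self._keys[origin]
    def assert_login(self, challenge, browser_origin):
        key = self._keys.get(browser_origin)
        if key is None:
            return None   # no credential for this origin: nothing to phish
        msg = browser_origin.encode() + b"|" + challenge
        return {"origin": browser_origin, "challenge": challenge,
                "sig": hmac.new(key, msg, hashlib.sha256).digest()}

class RelyingParty:
    """The real login service: checks origin, freshness and signature."""
    def __init__(self, origin):
        self.origin, self._creds, self._pending = origin, {}, {}
    def enroll(self, user, key):
        self._creds[user] = key
    def new_challenge(self, user):
        self._pending[user] = secrets.token_bytes(16)
        return self._pending[user]
    def verify(self, user, assertion):
        if assertion is None or assertion["origin"] != self.origin:
            return False                      # signed for the wrong site
        if assertion["challenge"] != self._pending.pop(user, None):
            return False                      # stale, replayed or unknown challenge
        msg = self.origin.encode() + b"|" + assertion["challenge"]
        expected = hmac.new(self._creds[user], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])

def login_via(page_origin):
    """Relay scenario: the challenge is the real service's (a proxy would forward
    it unchanged) but the user's browser is on `page_origin`."""
    token, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.enroll("alice", token.register(REAL_ORIGIN))
    challenge = rp.new_challenge("alice")
    return rp.verify("alice", token.assert_login(challenge, page_origin))
```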

Takeaway #4: Make sure you are keeping cybersecurity best practices consistently in front of your users.
A study found that users stop applying best practices about four months after receiving training, meaning that, at minimum, you should be training your employees three times a year. I personally am a fan of tools that can easily provide frequent and short reminders on cybersecurity best practices, ideally five- to 10-minute courses delivered monthly.

Takeaway #5: Do not store usernames and passwords in clear text, including hard-coding them into scripts.
It seems like an age-old lesson to "not write down your username and password." In today's world of automation, we need to be careful that we do not overlook situations where a username and password get written into the programming of a script or custom-developed tool.
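A scanner of the kind that catches the situation above, as an added example that is not from the original article (the rules, the placeholder patterns and the sample script are constructed for this page): run it over scripts in source control or on intranet shares to flag hard-coded passwords, URL-embedded credentials and password flags, while ignoring values that are environment-variable or vault references.

```python
import re

# Rules for common ways credentials end up hard-coded in scripts. Constructed
# for this example; a production scanner uses a larger, tuned rule set.
RULES = {
    "assignment": re.compile(
        r"""(?i)(pass(word|wd)?|secret|api[_-]?key|token)\s*[:=]\s*["'](?P<value>[^"']{6,})["']"""),
    "url_creds": re.compile(
        r"""(?i)[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<value>[^\s/@]+)@"""),
    "cli_flag": re.compile(
        r"""(?i)(--password|-p)[ =]["']?(?P<value>[^\s"']{6,})"""),
}
# Values that are references to secrets rather than secrets themselves.
PLACEHOLDER = re.compile(r"(?i)^(\$\{?\w+\}?|%\w+%|<[^>]+>|changeme|xxx+|\*+)$")


def scan_script(text):
    """Return (line_no, rule, redacted_line) for each suspected hard-coded secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group("value")
            if PLACEHOLDER.match(value):
                continue          # env var, template or dummy: not a finding
            findings.append((no, rule, line.replace(value, "***REDACTED***")))
            break                 # one finding per line is enough
    return findings


# Constructed sample script in the style of an intranet automation job.
SAMPLE_SCRIPT = """\
#!/bin/bash
# Nightly database sync
DB_USER=svc_backup
DB_PASSWORD="Winter2022!"
API_TOKEN="${VAULT_API_TOKEN}"   # injected from the environment: fine
mysqldump -u "$DB_USER" --password="$DB_PASSWORD" prod > /tmp/prod.sql
curl https://deploy:hunter2deploy@intranet.example.local/upload
"""

if __name__ == "__main__":
    for no, rule, line in scan_script(SAMPLE_SCRIPT):
        print(f"line {no} [{rule}]: {line}")
```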