
By Shannon Morse 

Uber vaguely posted on Twitter on Thursday last week that it was investigating a cybersecurity incident, at which time the company took its internal communications and engineering systems offline. According to reports, the attack happened because of a compromised employee Slack account. The employee was socially engineered by the attacker, who posed as a corporate IT person and in doing so got hold of the employee’s password. From there, the attacker started posting messages throughout the company’s Slack saying Uber had experienced a data breach, and spread a lewd photo on an internal information page.

2FA was enabled on this employee’s account, but the attacker bypassed it by mass spamming the employee with push alerts while messaging them on WhatsApp, posing as the Uber IT department. From there, the attacker found credentials just chillin’ on a network file share, stole those and used them to access the corporate EDR console (endpoint detection and response), production systems, Slack management, and more. Of note, the attacker claimed to also have access to the company’s HackerOne account and its vulnerability disclosures and reports, which are usually kept confidential until a patch is in place.

Uber posted a bulletin on its website about the breach, and at the time stated that this didn’t involve any access to sensitive user data like trip history, that all apps were operational, and that law enforcement had been notified.

Security experts believe this attack is bigger than the one that happened in 2016, which Uber at the time tried to cover up by paying the hackers $100,000 and not disclosing it, though it eventually became public knowledge. This one is worse because the attacker had access to internal systems, as well as Uber’s AWS and Google Cloud systems.

Interestingly, the attacker claimed to be an 18-year-old, was straightforward about most questions pertaining to the attack, and went so far as to send screenshots to the New York Times and to announce on Uber’s own Slack that the company had been hacked.

This attack shows a flaw in push notifications for multi-factor authentication: MFA fatigue. In this case, the attacker sent so many notifications that eventually the employee got tired of seeing them and finally accepted and approved the new device. A better option, proposed by many cybersecurity experts, is physical tokens for 2FA, or sending codes to an app that doesn’t continually pop up notifications on a phone. But for what it’s worth, if you’re experiencing continuous MFA notifications asking you to approve or deny a new device, you may be the target of an attack.
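As an added example (not part of Shannon’s post or any vendor’s product), here is a small Python detector for the MFA-fatigue pattern described above: a burst of denied or timed-out push prompts to one user inside a short window, followed by an approval. The log format, field names, user names, IP addresses and thresholds are all constructed assumptions for illustration.

```python
# Added example: flag MFA push-fatigue bursts in a constructed push log.
# Log format, field names, users, IPs and thresholds are assumptions,
# not any real identity provider's schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: <timestamp> <user> <push result> <source ip>
# (IPs are from documentation ranges; nothing here is a real event).
SAMPLE_LOG = """\
2022-09-15T02:01:03Z alice push_denied 203.0.113.7
2022-09-15T02:01:41Z alice push_timeout 203.0.113.7
2022-09-15T02:02:20Z alice push_denied 203.0.113.7
2022-09-15T02:03:05Z alice push_denied 203.0.113.7
2022-09-15T02:03:50Z alice push_timeout 203.0.113.7
2022-09-15T02:04:33Z alice push_approved 203.0.113.7
2022-09-15T09:00:00Z bob push_approved 198.51.100.4
2022-09-15T09:12:10Z bob push_denied 198.51.100.4
"""

FAILED = ("push_denied", "push_timeout")


def parse_log(text):
    """Parse the constructed log into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_failures=3):
    """Return {user: (peak_failed_pushes, approved_after_burst)} for users who
    got at least `min_failures` denied/timed-out pushes within `window`.
    approved_after_burst is True when an approval landed while the burst was
    still active: the "tired employee finally taps Approve" outcome."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        recent = []  # timestamps of failed pushes still inside the window
        for ts, _, result, _ in evs:
            recent = [t for t in recent if ts - t <= window]
            if result in FAILED:
                recent.append(ts)
            if len(recent) < min_failures:
                continue
            count, approved = alerts.get(user, (0, False))
            alerts[user] = (max(count, len(recent)), approved or result == "push_approved")
    return alerts
```

With the sample log, alice trips the rule (five failed pushes, then an approval) while bob’s single denial does not; tune `window` and `min_failures` to your own provider’s prompt rate.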
