18-Year-Old Hacker Breaches Uber Technologies
By Joe LaMura, Vigilant SOC Manager
A Vigilant Threat Alerts Series
To ensure you are aware of the latest high-profile attacks, Vigilant is highlighting a case study on the recent hack against Uber Technologies Inc. so you can understand what lessons can be learned and ensure the same doesn’t happen to your organization.
What Happened?
On September 15th, an 18-year-old hacker gained access to Uber’s internal systems and began posting messages in Uber’s internal Slack channels, as well as posting screenshots and information on social media. The threat actor claims he was working on his cybersecurity skills and broke into Uber’s information systems because the company had weak security. How was an 18-year-old hacker able to breach a multi-billion-dollar technology company by himself? Simply put, it was a combination of social engineering and MFA bombing. If you’re unfamiliar with the term, MFA bombing is when a threat actor repeatedly attempts to log in so that multi-factor authentication prompts are pushed to the real user, in an effort to get the user to approve one of them. For this type of attack to work, the attacker must already hold the user’s legitimate credentials, since those are what trigger the MFA notification. The credentials were likely purchased on the dark web or gathered by phishing the user. After spamming MFA notifications to the user for a period of time without getting a response, the threat actor contacted the user directly, posed as someone from Uber’s IT team, and coerced the user into approving the login attempt. Once inside the network, and after performing some basic reconnaissance, the threat actor discovered admin credentials on a network share that were used for Uber’s Privileged Access Management (PAM) solution.
Lessons Learned and How to Use This in Your Environment
Although multi-factor authentication was an “attack vector” in this case study, MFA must still be enabled for all user accounts accessing internal company resources. To make it more secure, configure MFA to require number matching rather than plain push notifications. Requiring the user to type in the number from their device into the login screen adds an obstacle the threat actor must bypass to gain access to the user’s account. Social engineering remains a relevant attack strategy and requires user awareness training. Ensure your users are equipped with the knowledge to identify social engineering attempts, and create a culture and process that makes it easy to report them. We’ve said it many times before: well-trained users are “sensors” within the environment that detect and report attack attempts, making the security team aware that an incident is occurring and allowing them to respond with ample warning. The last lesson learned: don’t store admin credentials on network shares. In Uber’s defense, the credentials weren’t intentionally stored on the share; they were hard-coded into a PowerShell script that was accessible on the network share. Consider this possibility when evaluating what files are accessible to users on your network shares.
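As an added example, not part of the original alert, here is a small Python detector for the MFA bombing pattern described above: a burst of denied or timed-out push prompts for one user inside a short window, followed by an approval. The log format, user names and timestamps are constructed for illustration and do not represent any real identity provider's output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (made-up users and times, not real data):
# one line per push event: "<timestamp> <user> <result>"
SAMPLE_LOG = """\
2023-03-01T01:10:00Z alice push_timeout
2023-03-01T01:11:30Z alice push_denied
2023-03-01T01:12:40Z alice push_timeout
2023-03-01T01:14:05Z alice push_denied
2023-03-01T01:15:20Z alice push_timeout
2023-03-01T01:16:45Z alice push_denied
2023-03-01T01:25:10Z alice push_approved
2023-03-01T01:12:00Z bob push_denied
2023-03-01T01:30:00Z bob push_approved
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return {user: info} for users who received at least `threshold` pushes that
    were denied or timed out within `window`, and note whether an approval followed
    the burst (the 'user finally accepts' outcome that ends an MFA bombing attempt)."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, evs in by_user.items():
        unanswered = [ts for ts, r in evs if r in ("push_denied", "push_timeout")]
        for i in range(len(unanswered)):
            # count the unanswered pushes that fall within `window` of push i
            j = i
            while j < len(unanswered) and unanswered[j] - unanswered[i] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = unanswered[j - 1]
                approved_after = any(r == "push_approved" and ts > burst_end for ts, r in evs)
                alerts[user] = {"burst": j - i, "start": unanswered[i],
                                "approved_after": approved_after}
                break
    return alerts

if __name__ == "__main__":
    for user, info in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info['burst']} unanswered pushes from {info['start']}, "
              f"approved afterwards: {info['approved_after']}")
```

An alert where `approved_after` is true is the case worth paging on, since it matches the point at which the user was talked into accepting the prompt; a burst with no approval still merits a call to the user to confirm they were not being targeted.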
With the expanding threat landscape of the digital-first era, MFA prompt bombing can be one of the most challenging attacks to deal with. If your business would like to understand the risks associated with account takeovers through various attacks – including MFA prompt bombing – let the Vigilant team know, and we can talk to you about planning your overall security infrastructure accordingly.