Uber hack jolts outlook for MFA, cybersecurity regulations
A teenager believed to be associated with the Lapsus$ cybercriminal group hacked Uber last week, putting wind in the sails of U.S. efforts to enact stricter cybersecurity rules.
Last week’s Uber breach followed a familiar pattern: First, a teenager bought stolen credentials off a dark web marketplace. Next, he overwhelmed a contractor for the ride-hailing company with requests to approve a connection to its VPN. Finally, the attacker discovered admin credentials scattered about Uber’s intranet, giving him the keys needed to steal troves of sensitive corporate information while noisily announcing his presence on the company’s Slack.
“It sucks for Uber right now — and it’s kind of their own doing,” OpenText Security Solutions senior security analyst and community manager Tyler Moffitt told README, citing the company’s “atrocious” failure to implement more resilient security controls.
Uber isn’t the first company this year to see attackers exploit push-based multi-factor authentication. The playbook for “MFA fatigue attacks” is simple but startlingly effective. Once a user’s stolen login credentials are in hand, malicious hackers blitz them with so many login notifications that they ultimately give up and approve one. Similar techniques were used to compromise Twilio in August as part of what the Group-IB threat intelligence firm described as a campaign targeting more than 130 organizations that rely on Okta’s identity and access management platform.
