Uber has suffered a security breach which allowed a hacker to break into its network, and access the company’s internal documents and systems.
The incident, confirmed by the company in a tweet, and reported by the New York Times, left Uber instructing staff not to use its internal Slack messaging system, and resulted in other systems being made inaccessible.
The hacker, who has shared screenshots of internal Uber systems to substantiate his unauthorised access, claims to be 18 years old. He says that he simply – having already determined a valid username and password – tricked an Uber staff member into granting him access to internal systems by bombarding them with a spate of multi-factor authentication (MFA) push notifications.
So-called “MFA fatigue attacks” repeatedly spam push notifications to victims until the user is so overwhelmed/irritated/fed-up that they simply grant access to stop them.
Having gained access via the socially-engineered employee to Uber’s VPN, the hacker is said to have scanned the company’s network, and found a PowerShell script containing hardcoded (doh!) credentials for a Thycotic PAM admin account, which then helped unlock access to many of Uber’s internal systems.
Uber’s security team can’t be feeling too good right now, and the hacker poured salt into the wound by posting a message on the company’s Slack saying that the firm had been breached.
Hi @here
I announce I am a hacker and Uber has suffered a data breach.
Slack has been stolen, confidential data with Confluence, stash and 2 monorepos from phabricator have also been stolen, along with secrets from sneakers.
#uberunderpaisdrives
The truth is, of course, that many, many other companies are probably at risk of falling for the same trick, and may well have staff who have made the mistake of hardcoding login credentials into their PowerShell scripts.
Unfortunately, some staff assumed the message posted by the hacker was a joke.
Many MFA providers allow permission to be granted by receiving a phone call and pressing a key, or accepting a mobile app push notification. Although this can be convenient, hackers can issue multiple MFA requests until their request is finally accepted.
As the LAPSUS$ hacking gang, another group which has exploited MFA fatigue, has previously explained:
Signing in with password will issue MFA through a phone call or authentication app. However, no limit is placed on the number of calls that can be made; call the employee 100 times at 1am while he’s trying to sleep and he’ll more than likely accept it.
Multi-factor authentication is generally an excellent extra level of security to have in place, but it can’t be implemented in isolation from other security measures, and it should also be carefully configured to maximise the level of protection it can bring.
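Two of the controls the paragraphs above call for, as an added example that is not from the original article or from any MFA vendor: a throttle that refuses to send a push once a user has already received a handful in a short window (the limit LAPSUS$ noted was missing), and a detector that flags an approval which arrived only after a burst of pushes. The log format and the sample lines are constructed for this example; the user names and timestamps are not real data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample IdP push log (not real data): one user gets hammered at
# 1am and finally approves; another gets a single, normal push.
SAMPLE_LOG = """\
2022-09-15T01:02:10Z user=alice event=push_sent
2022-09-15T01:02:30Z user=alice event=push_denied
2022-09-15T01:03:05Z user=alice event=push_sent
2022-09-15T01:03:40Z user=alice event=push_sent
2022-09-15T01:04:12Z user=alice event=push_sent
2022-09-15T01:04:50Z user=alice event=push_sent
2022-09-15T01:05:20Z user=alice event=push_approved
2022-09-15T09:10:00Z user=bob event=push_sent
2022-09-15T09:10:08Z user=bob event=push_approved
"""

def parse_line(line):
    """Split 'timestamp user=... event=...' into (datetime, user, event)."""
    ts_str, user_kv, event_kv = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, user_kv.split("=", 1)[1], event_kv.split("=", 1)[1]

def push_allowed(sent_times, now, max_pushes=3, window=timedelta(minutes=10)):
    """Throttle: refuse another push once max_pushes were sent within window.
    Call this before the IdP sends a push; sent_times are that user's recent sends."""
    recent = sum(1 for t in sent_times if now - t <= window)
    return recent < max_pushes

def detect_mfa_fatigue(log_text, max_pushes=3, window=timedelta(minutes=10)):
    """Return (user, approval_time, pushes_in_window) for each approval that
    followed more than max_pushes push challenges inside window. Those sessions
    are the ones to review or revoke: a legitimate login rarely needs that many."""
    recent = defaultdict(deque)  # user -> timestamps of recent push_sent events
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        q = recent[user]
        while q and ts - q[0] > window:  # drop sends that fell out of the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
        elif event == "push_approved":
            if len(q) > max_pushes:
                findings.append((user, ts, len(q)))
            q.clear()  # an approval ends the challenge sequence
    return findings
```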
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.