In the cybersecurity industry, it is not always common that, after an attack, almost all the details of the attack are made public. However, last week, something significant happened that shed light on how cybercriminals launch a successful cyberattack and compromise multibillion-dollar industries. The attack, which targeted the ride-hailing multi-billion dollar company Uber, played out publicly, with the alleged attacker, who is believed to be a teen, boasting online about how he was able to hack the company. He laid out each step he took, including giving media interviews and contacting multiple security researchers and giving them an inside scoop of what had happened.
How was Uber hacked and its Cybersecurity Compromised?
According to multiple reports, including the attacker, the breach of Uber systems began with a single employee of the company, who the attacker repeatedly sent multifactor authentication (MFA) login notifications without hearing back from the employee. After an hour, the attacker took the initiative of contacting their target individual employee directly on Whatsapp, claiming to be from the IT department. To convince their target to approve the multifactor authentication, the hacker told the employee that these notifications would stop once the employee approved the login.
By the time the employee was getting contacted on Whatsapp, he was already at a point known in the cybersecurity industry as “MFA fatigue”, where “exhaustion” attacks are likely to succeed due to the victim’s willingness to end the pain. Therefore, as expected, after more than an hour of MFA notifications, the employee approved the login request, which set off a series of events that resulted in the company getting hacked. One of the reasons that made it easy for these cyber criminals to be able to get approval easily was due to how the MFA of Uber was made. Unlike other MFA that requires users to manually enter digits sent on their phones, Uber relies on push notifications, where you only need to press a button in order to approve a login request.
After getting access inside the company, the attacker alleges that he started going through the system and quickly stumbled upon scripts for Microsoft automation and management program PowerShell. It is in the PowerShell scripts that they were able to find a script which contained hard-coded credentials for an administrator account of the access management system Thycotic.
Accessing the Thycotic management system gave the hacker access to access tokens for Uber’s cloud infrastructure, including their Amazon Web Services, VMware’s vShere dashboard, Google’s GSuite, the authentication manager Duo and even access management service OneLogin.
The hacker was able to provide evidence of the said penetration into Uber’s system by leaking screenshots of some of these cybersecurity breaches, including a compromise to OneLogin. In fact, some cybersecurity experts have speculated that the process of hacking took days and might have started earlier last week and only become public last Thursday.
The most significant compromise was the OneLogin access, which gave the hacker access to all Uber Security systems. With the access, they could access almost every facet of Uber’s network with just a few clicks. One independent security engineer termed it as the golden ticket jackpot that escalated the attack.
Lessons from the Uber Cybersecurity Breach
Gaining access to virtually all systems that run Uber, a multi-billion dollar company which is used by millions of users on a daily basis, was a huge cybersecurity breach. However, what is most surprising is how easy the hacker was able to access their system.
As shown above, the hacker used a very popular method of social engineering, which started by first having access to one of the employees of the company. There are reports that the hacker picked his victim from the company’s Slack application, a messaging app used in many tech companies.
What is even more surprising is the alleged age of the hacker. Reports by the New York Times and other US media indicate the attacker was only 18 years.
As a veterinary practice, the Uber cybersecurity breach is another indication of humans being the weakest link. For a multi-billion dollar company to be compromised due to a single employee not following protocol, it also offered insight into how such an attack can unfold in your veterinary practice.
Using social engineering techniques, MFA fatigue and Exhaustion attack on the employee also proved to be a great ingredient for cybercriminals. It was also an indication that, despite the cybersecurity training your staff have gone through, at their weakest point, they are more likely to break and give access to cyber criminals.
Therefore, as a veterinary practice, there are a number of mistakes that Uber made that we should avoid. The most fatal was hardcoding their login details in a Microsoft Power Shell. Regardless of industry, it is advisable not to store your account details in the open as Uber did.
The second mistake was failing to have access control for their accounts. Reports indicate that once the hacker managed to access the OneLogin account, all their other accounts were accessible to them. If the company had access control, it would have prevented them from gaining access to most accounts, even if they had managed to compromise OneLogin.
Finally, Uber failed to train their staff properly. One single Whatsapp message was enough for the employee to approve a login. They did not even verify whether the person requesting access was an IT administrator, as they claimed. Therefore, as a veterinary practice, you should have policies on how to go about MFA and what to do if someone asks for verification to access their accounts.
Need Help Protecting your veterinary hospital from a cyber attack!?
Start by downloading our free eBook “5 Simple Steps to Protect Your Practice“. Which includes 5 FREE or almost free tools that you can implement yourself to start shoring up your cyber security.
Clint Latham