Insta-analysis: Industry reacts to major data breach at Uber

Sept. 16, 2022
Industry observers in the cybersecurity arena had plenty to say Thursday after Uber Technologies reported it was investigating an incident after its network was reportedly breached. It forced the company to shut several internal communications and engineering systems.

According to news reports, a hacker compromised an employee's account on workplace messaging app Slack and used it to send a message to Uber employees announcing that the company had suffered a data breach.

It appeared the hacker was able to gain access to other internal systems, posting an explicit photo on an internal information page for employees, according to The New York Times.

"We are in touch with law enforcement and will post additional updates here as they become available," Uber said in a tweet, without providing further details.

Cybersecurity has been an issue for Uber in the past. It suffered a significant hack in 2016 that exposed the personal information of about 57 million of its customers and drivers. 

‘Hardly Surprising’

Sam Elhini, senior product manager for Cerberus Sentinel, said the incident is “hardly surprising” as is the method by which an Uber employee was exploited. He points to research conducted independently by IBM, TrendMicro and Stanford University that found anywhere from 80% to over 90% of breaches involve human error. 

“In this case, social engineering was employed by the hacker who claimed a false identity and obtained an Uber employee’s credentials. Yet again, data was lost due to weak identity management,” Elhini says. “Perhaps the future will hold biometrically protected keys used to sign everything from text messages to emails. Until then, starting with training and education, it is paramount that every organization strives for a culture of cybersecurity."

While the extent of Uber’s losses remains to be seen, “a lot of IT systems may need to be reconfigured from scratch,” says Szilveszter Szebeni, chief information security officer for Tresorit.

“With a sophisticated website, even accounts with SMS or app-based 2FA protections can be hijacked and in turn cause enormous losses to an organization. Losses may even be the complete loss of all IT infrastructure from one day to the next,” Szebeni says. “Protection of credentials is the top priority, especially for admin accounts; migrating to FIDO2 authentication will greatly reduce risk.”

Abhay Bhargav, founder and CEO of AppSecEngineer, says the breach “highlights both the power and downsides of centralization.

“An employee account was compromised by being overwhelmed by Push Auth Notifications of Multi-Factor Authentication. This led to a PowerShell script getting discovered, with admin credentials to their Thycotic PAM (Privileged Access Management) tool,” explains Bhargav.

“With all credentials being part of this PAM solution, the entire org was compromised because the PAM had access to AWS, Google Workspace, Slack and more. Often, even with best-in-class budgets or security tools, it comes down to compromising an employee with high privileges.”

Carmit Yadin, founder and CEO at DeviceTotal, adds that having situations like this in the cybersecurity world “makes us even more careful about protecting our data and devices that hold them. First, in order to protect them, we need to identify and assess the risk of the organization, where they’re vulnerable, and how we can mitigate and reduce the risk.”

Yadin adds that most CISOs today have many blind spots in their network; they forget that they are only as secure as their weakest link and that many digital assets are not being monitored or assessed against their risk.

“Our most naive devices can be the biggest open door to our network, and what if CISOs are blind to them, like in the case of unpatchable devices? CISOs’ work plan should include acting proactively and, in an automated way, eliminating cyber-attacks,” says Yadin.

How to Stop It

If companies want to stop social engineering attacks, “they need to go beyond focusing on awareness training and instead increase employee-based protections against social engineering that begin with minimizing relevant public data hackers use to target them,” said Matt Polack, CEO and founder at Picnic Corp. 

“Attackers are opportunists who care about their ROI. By limiting personal information, it becomes more difficult and therefore more expensive for threat actors to succeed in social engineering attacks. Companies that recognize this fact pattern and take action to protect their employees will be more likely to avoid expensive and damaging breaches like this." 

Tessian CISO Josh Yavor, who hails from the Oculus/Facebook security team, notes that social engineering remains the predominant threat facing organizations, while MFA bypass is becoming an increasingly dangerous technique used to gain corporate credentials.

Yavor says weak multi-factor authentication deployments are leaving large organizations, which are attractive targets, vulnerable to major attacks. “This is not to say that MFA doesn’t work. In this and other recent cases, attackers targeted an employee with techniques and tools to bypass MFA,” he says.

“We’re seeing an increased availability of free and accessible attacker tooling, which helps automate phishing and bypass of weaker MFA factors including push notifications. This, in turn, is leading to more compromises where attackers make MFA requests that trick the victim into approving access for the attacker.”

To reduce the risk of these attacks, Yavor adds, companies must realize that not all MFA factors are created equal. Factors such as push, one-time-passcodes (OTPs) and voice calls are more vulnerable and are easier to bypass via social engineering. 

“Security key technology based on modern MFA protocols like FIDO2 has resiliency built into its design, and we need to increase the adoption and use of these phishing-resistant factors globally,” Yavor says.

“Finally, further defense in-depth is necessary to reduce the impact of MFA bypass events. Even with the best technology deployed, strategies to guard against MFA bypass are necessary, including the use of secure-access policies that enforce further device-based requirements before providing access. These types of secure access policies increase the complexity and cost of the attack and give security teams more chances to detect and respond.”
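As an added illustration of the detection opportunity Yavor describes (not code from any of the companies or people quoted), the following Python scans a constructed set of MFA push-prompt events for the push-fatigue pattern Bhargav outlines: a run of denied or expired push prompts for one user followed by an approval. The log format, field names, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA events (assumed format: timestamp user factor result).
# Not real Uber logs. alice receives a burst of push prompts she rejects or
# lets expire, then approves one; bob and carol show normal single approvals.
SAMPLE_LOG = """
2022-09-15T21:40:00Z alice push APPROVED
2022-09-15T22:00:10Z alice push DENIED
2022-09-15T22:01:30Z alice push DENIED
2022-09-15T22:02:45Z alice push TIMEOUT
2022-09-15T22:04:05Z alice push DENIED
2022-09-15T22:05:20Z alice push DENIED
2022-09-15T22:06:40Z alice push APPROVED
2022-09-15T22:03:00Z bob push APPROVED
2022-09-15T22:05:00Z carol otp APPROVED
"""


def parse_events(text):
    """Parse the assumed log format into (timestamp, user, factor, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, factor, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, factor, result))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag an approved push that was preceded, within `window`, by at least
    `threshold` push prompts the same user did not approve (denied or expired).
    Only push prompts are considered; OTP and other factors are ignored."""
    by_user = defaultdict(list)
    for ts, user, factor, result in events:
        if factor == "push":
            by_user[user].append((ts, result))
    alerts = []
    for user, prompts in by_user.items():
        prompts.sort()  # events may arrive out of order; evaluate chronologically
        for i, (ts, result) in enumerate(prompts):
            if result != "APPROVED":
                continue
            rejected = sum(1 for t, r in prompts[:i]
                           if ts - t <= window and r != "APPROVED")
            if rejected >= threshold:
                alerts.append({"user": user, "approved_at": ts.isoformat(),
                               "rejected_prompts": rejected})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print("push-fatigue suspected:", alert)
```

An alert like this is a trigger for the response step Yavor mentions, not a verdict: the matching session should be reviewed and, where policy allows, re-challenged with a phishing-resistant factor or a device check.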

Yavor says it’s also noteworthy that various types of attackers (from “sophisticated” hacking groups to individual teenagers) are using these techniques – which further reinforces that attackers will reliably use techniques that work and are low cost.

“No matter the size or budget of the adversary,” he says, “they will always use the easiest and most cost-effective methods to compromise their targets. That’s why we keep seeing the same tactics play out regardless of the adversary or victim: adversaries know that people can be tricked into giving up their passwords, weak MFA is prevalent, and the tools to exploit this are free and relatively easy to use.”