In this article, we explore how Uber was hacked despite having MFA in place, and what can be done to prevent such attacks in future. Any company can fall for this attack.
Table of contents:
- What happened? [In short]
- How to fix this and prevent such hacks?
- Some more details
- Impact of the hack
Uber was hacked on 16th September 2022, giving the hacker involved access to the majority of their internal tools, including AWS. It turns out the hacker used both social engineering and technical skills to achieve this.
Uber tweeting that they are fighting a cyber-attack:
"We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available." — Uber Comms (@Uber_Comms), September 16, 2022
What happened? [In short]
In short, the main points are as follows:
- Got access to the internal work environment of Uber (available to employees).
- The main question is how they broke Multi-Factor Authentication (MFA).
- Uber used push-notification MFA. This is vulnerable to MitM (man-in-the-middle) attacks.
- A hacker can set up a copy of Uber's login page on a fake domain and relay the authentication.
- A phishing-resistant form of MFA such as FIDO2 is a solution to this, but Uber did not use it.
- Once access is achieved, a hacker can use the employee's VPN to get into the internal network. Internal traffic is less audited than external traffic (another loophole).
- The hacker found scripts with privileged credentials on the internal network, and these gave access to a wide range of tools such as Duo, OneLogin, GSuite and more.
- Uber's AWS was compromised as well, with administrative access.
- The hacker either used a backdoor to the employee's MFA or reset it with the administrative access they had obtained.
- Gained access to the Multi-Factor Authentication (MFA) of multiple Uber employee accounts by social engineering.
- Used this to register the hacker's own device for MFA.
How to fix this and prevent such hacks?
- The problem is vulnerable MFA.
- Use a phishing-resistant form of MFA such as FIDO2.
- The industry should move to hardware tokens.
- MFA providers should lock accounts temporarily if several prompts are generated within a specific time period. The hacker made 10 failed attempts in 15 minutes.
- Sensitive credentials should be protected. In Uber's case, they were left unprotected on an employee's device.
- Move to centralized key management and rotate keys regularly.
- Limit the scope of keys and credentials as much as possible.
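The temporary-lockout rule above can be implemented as a sliding-window check over the MFA provider's push logs. The following is an added example (not Uber's or any MFA vendor's code); the log format, the 15-minute window and the threshold of 5 unapproved prompts are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not real data).
# Format: "<ISO timestamp> user=<id> push=<sent|approved|denied|timeout>"
SAMPLE_LOG = """\
2022-09-15T22:00:05Z user=alice push=sent
2022-09-15T22:00:20Z user=alice push=denied
2022-09-15T22:01:10Z user=alice push=sent
2022-09-15T22:01:40Z user=alice push=timeout
2022-09-15T22:03:02Z user=alice push=sent
2022-09-15T22:03:30Z user=alice push=denied
2022-09-15T22:05:11Z user=alice push=sent
2022-09-15T22:05:40Z user=alice push=timeout
2022-09-15T22:07:55Z user=alice push=sent
2022-09-15T22:08:20Z user=alice push=denied
2022-09-15T22:09:00Z user=bob push=sent
2022-09-15T22:09:12Z user=bob push=approved
2022-09-16T09:00:00Z user=carol push=sent
2022-09-16T09:00:30Z user=carol push=timeout
2022-09-16T10:30:00Z user=carol push=sent
2022-09-16T10:30:20Z user=carol push=approved
"""

WINDOW = timedelta(minutes=15)  # assumed policy window
MAX_FAILED = 5                  # assumed: 5 unapproved prompts in WINDOW => lock


def parse_line(line):
    """Split one log line into (timestamp, user, push result)."""
    ts, user, push = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user.split("=", 1)[1], push.split("=", 1)[1])


def find_prompt_floods(log_text, window=WINDOW, max_failed=MAX_FAILED):
    """Return {user: time_of_lock} for accounts whose denied or timed-out
    prompts reach max_failed within any sliding window of length `window`."""
    recent = defaultdict(deque)  # per-user timestamps of unapproved prompts
    locks = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = parse_line(line)
        if result not in ("denied", "timeout"):
            continue  # only unapproved prompts count toward the flood
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events outside the window
            q.popleft()
        if len(q) >= max_failed and user not in locks:
            locks[user] = ts  # first moment the lockout rule fires
    return locks
```

In the sample, alice accumulates five unapproved prompts in about eight minutes and is flagged, while bob and carol are not; a real deployment would feed this from the provider's authentication log export rather than an inline string.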
Some more details
Uber uses Push Notification MFA (Multi-Factor Authentication). How does this work? Push MFA utilizes smartphone notifications to assert authentication. This puts push MFA in the category of “something you have,” as the user will need to have their smartphone on them to use push notifications as a second factor. After inputting their username and password, end users simply need to unlock their phone and then press a button to either approve or deny the access request.
How did the hacker get around this? The hacker did not have any of the employees' devices. MFA protects against an attacker who has only the credentials, but push MFA is still prone to a man-in-the-middle (MitM) attack.
An attacker can set up a fake domain that relays Uber's real login page with some tools. The only difference is the domain name being visited, which is easy to miss as nobody looks at the address bar. For most forms of MFA, nothing stops the attacker from relaying the authentication process. This is how even your Instagram, Facebook or any other account can be hacked. The most common case is fake bank messages pointing to a mirrored bank login page. I have seen this first-hand with messages circulating for SBI. So, please never forget to check the address bar.
Once the attacker had compromised an employee's credentials, they used that victim's existing VPN access to pivot into the internal network. Internal infrastructure is often significantly less audited and evaluated than external infrastructure.
As proof, the hacker publicly shared multiple screenshots of Uber's internal work environment, such as Uber's GDrive, vCenter, Slack, sales metrics and EDR portal.
The hacker sent a Slack message after the attack. Employees thought it was a joke, but it was actually their worst nightmare.
Impact of the hack
- Uber claims no damage, as no sensitive user information has been leaked.
- Proved that MFA is not safe, even for a large corporation.
- The hacker posted screenshots of the internal work environment. No confidential information is visible, but the hacker may have access to sensitive information and bigger plans to use it.
- Uber's stock dipped from $34 to $30.96, a small impact.
Uber claimed no sensitive data had been leaked, but the hacker claimed otherwise:
Uber getting hacked is scary, but you have to learn from it.