What the Uber Hack Teaches us About the Importance of MFA
Ride-hailing platform Uber is currently in the midst of a major cybersecurity breach, with many sources reporting a total compromise of company systems via an elaborate social engineering attack.
On Thursday, Sept. 15, the New York Times reported that Uber had suffered a systems breach and that employees were unable to access internal tools like Slack. The breach is ongoing today. Other reports claim the hacker has breached multiple internal systems and may now have access to the company’s cloud services in what some are speculating is a “total compromise” of corporate systems. It’s currently unclear whether customers’ and drivers’ personal data has been leaked.
How did the attacker gain access?
The alleged hacker told the New York Times he had sent a text to an Uber employee, claiming to be corporate IT personnel and asking for a password, and the employee complied. With that access, the hacker was able to get into the VPN and reach the corporate network, where they found “highly privileged credentials” on network file shares. This in turn gave them access to Uber’s production systems, Slack channel and corporate endpoint detection and response (EDR) systems, reports Kevin Reed, CISO at Acronis, in a LinkedIn post.
3 lessons the Uber hack teaches us about MFA
According to Reed, it isn’t currently clear how the hacker bypassed multi-factor authentication (MFA). Either the employee provided MFA access to the hacker as well, or there simply wasn’t any in place. Regardless, there are some clear takeaways from this event that organizations of every size should consider:
1) MFA on your VPN is a bare minimum protection
Multi-factor authentication (MFA) requires users to provide two or more verification factors to gain access to a resource (such as a code sent to their phone, or a verified fingerprint). Uber hasn’t yet provided details on the hack and we don’t currently know if the employee’s VPN access was protected with MFA. Regardless, having MFA in place across critical systems like a VPN is a must in today’s security landscape.
Takeaway: Check your VPN! If it doesn’t have MFA set up, consider this a friendly reminder.
2) MFA should be configured to protect against lateral movement
For the next level of protection, MFA should be configured across valuable assets to protect against a hacker’s lateral movement. In other words, if a hacker does bypass MFA and get access to your network, which sensitive information or systems could use an additional layer of security?
In Uber’s case, once the hacker had gained access to the VPN, they were able to locate highly sensitive credentials on the network drive. If this information had been protected by an additional layer of MFA, the risk of further damage would have been greatly reduced.
Takeaway: Make a list of critical systems and sensitive information that need to be treated with special care, and consider where it makes sense to add additional MFA.
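An added example, not part of the original article: one way to start that list is to walk a file share and report which files embed credentials, the kind of material the attacker reportedly found on Uber’s network drive. The patterns, file extensions and the sample tree are constructed assumptions for illustration.

```python
import os
import re
import tempfile

# Constructed starter patterns (assumptions); extend them for your environment.
PATTERNS = {
    "password assignment": re.compile(r"(?i)\b(password|passwd|pwd)\b\s*[:=]\s*['\"]?[^\s'\"]{4,}"),
    "secret or api key": re.compile(r"(?i)\b(secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?[^\s'\"]{8,}"),
    "private key block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
TEXT_EXTENSIONS = {".ps1", ".bat", ".cmd", ".sh", ".txt", ".ini", ".conf",
                   ".xml", ".json", ".yml", ".yaml", ".env"}

def scan_share(root):
    """Return sorted (path, line number, finding type); matched values are never stored."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # A dotfile such as ".env" has no extension, so fall back to its name.
            ext = os.path.splitext(name)[1].lower() or name.lower()
            if ext not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for label, rx in PATTERNS.items():
                            if rx.search(line):
                                rel = os.path.relpath(path, root).replace(os.sep, "/")
                                findings.append((rel, lineno, label))
            except OSError:
                continue  # unreadable file: skip it and keep the inventory going
    return sorted(findings)

def demo():
    """Scan a constructed sample tree standing in for a mounted share."""
    samples = {
        "scripts/map_drive.ps1": "$user = 'svc_backup'\n$password = 'Constructed-Example-1'\n",
        "docs/readme.txt": "Reset your password through the help desk portal.\n",
        "deploy/app.env": "API_KEY=constructed0123456789\nDEBUG=false\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_share(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Each reported file is a candidate for the list of sensitive information; the prose mention of "password" in the readme is not flagged because no value is assigned to it.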
3) Even with the right technologies in place, we can’t bypass human error
“Uber is renowned for having some of the best cybersecurity in the business,” says Ian McShane, Vice President of Strategy at Arctic Wolf, in a LinkedIn post. “Nobody’s perfect and even the best managed security organizations can be compromised.”
While we can’t speak to Uber’s security posture, we can say this: hackers will always take advantage of human error to bypass security measures. Cyber security is only as effective as the weakest link in an organization—meaning everyone is responsible, not just the IT team.
Takeaway: Develop a cyber-security awareness training course for your internal teams. This will train employees to seek out and recognize the signs of a phishing attack, dramatically reducing the risk to your organization.
Need guidance and support to protect your organization?
If you need help installing MFA across your systems or have questions about security best practices in general, our security specialists are here to support you. Stay up to date on the latest security incidents and recommendations on our blog—or reach out for support today.