Uber hack jolts outlook for MFA, cybersecurity regulations

Illustration: Si Weon Kim

A teenager believed to be associated with the Lapsus$ cybercriminal group hacked Uber last week, putting wind in the sails of U.S. efforts to enact stricter cybersecurity rules.

Last week’s Uber breach followed a familiar pattern: First, a teenager bought stolen credentials off a dark web marketplace. Next, he overwhelmed a contractor for the ride-hailing company with requests to approve a connection to its VPN. Finally, the attacker discovered admin credentials scattered about Uber’s intranet, giving him the keys needed to steal troves of sensitive corporate information while noisily announcing his presence on the company’s Slack.

“It sucks for Uber right now — and it’s kind of their own doing,” OpenText Security Solutions senior security analyst and community manager Tyler Moffitt told README, citing the company’s “atrocious” failure to implement more resilient security controls.

Uber isn’t the first company this year to see attackers exploit push-based multi-factor authentication. The playbook for “MFA fatigue attacks” is simple but startlingly effective. Once a user’s stolen login credentials are in hand, malicious hackers blitz them with so many login notifications that they ultimately give up and approve one. Similar techniques were used to compromise Twilio in August as part of what the Group-IB threat intelligence firm described as a campaign targeting more than 130 organizations that rely on Okta’s identity and access management platform.

Uber said its attacker is likely affiliated with the Lapsus$ group that used similar MFA bypass techniques to gain access to Nvidia, Microsoft and other tech companies earlier this year. When attackers send hundreds of MFA requests to a target’s phone, watch or other devices, people may hit “approve” just to stop dealing with pesky push notifications.

The Uber hack could compound pressure for other companies and even U.S. regulators to address known problems with certain types of MFA. Upcoming requirements from regulators such as the White House Office of Management and Budget, U.S. Securities and Exchange Commission and others could finally make companies adopt better security controls. Moffitt said that although the government “is way too slow to implement” these sorts of rules, “more compliance requirements” are needed to convince organizations to improve their defenses.

Still, it will take time for companies to implement solutions to address some of the weak points exposed by the Uber breach. Five years from now, Moffitt said, we could still be in “the exact same place of hellfire and brimstone” even though many of the risks have already been addressed from a technological standpoint.

Uber noted in a statement that there is no evidence the hacker disrupted the operation of its apps or stole customer or driver data, and that an investigation is ongoing.

Beating MFA fatigue attacks

Researchers have repeatedly warned that stolen credentials are being sold on the dark web, techniques for bypassing multi-factor authentication (MFA) have become increasingly common and, in Uber’s case, credentials for something called the “Security Response Break Glass Service Account” probably shouldn’t be remotely accessible. Uber did not respond to request for confirmation of publicly reported details of how the hack was carried out.

In this case, the hacker evidently convinced the Uber contractor to approve the sign-in request by sending them a message via WhatsApp claiming to be from the company’s IT department.

The attacker would have had a much harder time breaking in if Uber had implemented a more resilient form of MFA such as number matching or FIDO2-based solutions.

David Stewart/Flickr

Number matching asks push-based MFA users to enter a number shown on the protected account’s login page into their authenticator app. Duo introduced a number matching system after its parent company, Cisco, was compromised via an MFA fatigue attack in August. Microsoft Authenticator also supports number matching, as do other services.

“Human error comes into play” with forms of MFA such as SMS-based passcodes and push-based systems, FIDO Alliance executive director Andrew Shikiar told README. “We need to take the human element out of the equation and replace the passionate employee who’s just trying to do their job with a dispassionate algorithm that can’t be spoofed.”

Enter FIDO2. It technically encompasses two different specifications: the World Wide Web Consortium’s Web Authentication API (WebAuthn) and the FIDO Alliance’s Client-to-Authenticator Protocol (CTAP). It’s commonly associated with physical security keys, but it has also seen growing support from operating system developers and browser makers, Shikiar said.

Cost, cultural hurdles

More resilient forms of MFA are available. Why, then, aren’t companies rolling them out?

George Gerchow, the chief security officer and senior vice president of IT at Sumo Logic, told README there are two main obstacles to deploying these solutions: culture and cost.

“Developers do not want these extra steps and extra measures,” Gerchow said. “They see them as a nuisance — they want to move at lightning speed. So they always push back against these extra steps.”

Executives often share that desire to do their work as quickly as possible rather than be slowed down for the sake of security, he said.

That’s the cultural problem. The cost problem is even more straightforward: Providers often charge extra for more resilient forms of MFA. “There’s a serious upcharge at an enterprise level to get things like number matching in place,” Gerchow said.

But those problems aren’t restricted to these solutions. Bypassing MFA allowed the Uber hacker to gain access to the company’s network, sure, but that shouldn’t have been enough to move laterally throughout the network and gain control over additional services.

“There should not be — on a shared drive that’s accessible to that employee, who is not admin level — a PowerShell script with the credentials for an admin hardcoded into that script,” Moffitt told README. “Why are they doing that? And whose decision was it to have such a massive security gap there? Because that allows the hacker to move from one computer to God Mode.”

Moffitt and Gerchow both cited the need for improved access controls and logging in addition to adopting more resilient forms of MFA.

“It shouldn’t be game over because one employee was compromised,” Moffitt said.

Enter the compliance team?

U.S. regulators have made it clear that cybersecurity has become a focal point over the last few years.

OMB said in January that “for agency staff, contractors, and partners, phishing-resistant MFA is required” and “must be an option” for public users. The U.S. Cybersecurity and Infrastructure Security Agency has said that “the only widely available phishing resistant authentication is FIDO authentication,” but OMB will allow Personal Identity Verification as well.

The SEC, meanwhile, has proposed a rule for publicly traded companies that it said “ would require, among other things, current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.” That’s in addition to “periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; the registrant’s board of directors’ oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures,” it said.

Uber, Twilio and other companies have shown that organizations are likely going to continue to get hacked using relatively simple techniques until these defensive measures are put in place.

“I feel like a lot of times security folks want to do the right thing and then get such pushback from the org and be seen as naysayers,” Gerchow told README. “Now what we’re seeing is years and years and years of this risk acceptance internally being exposed because script kiddies are getting better, they’re being empowered more by real hackers, ‘phishing as a service’ has become a thing… I truly believe it’s a big problem, and we’re at the tip of the iceberg.”