In September, Uber’s internal network was breached by a self-described “18-year-old hacker,” who gained privileged access to the company’s environment and went on to do exactly what you’d imagine an 18-year-old hacker would do in that situation: send a boastful message to the company-wide Slack channel, then post a very NSFW image to a number of the company’s internal websites.
While that may have intended to be funny, Uber most certainly wasn’t laughing. While the ride-share giant has since confirmed the breach and provided a brief follow-up (in which they asserted that no signs of customer data compromise had been found), the full scope and severity of the attack have yet to be determined. But, one thing is certain — it was avoidable.
The Uber Hack at a Glance: Stolen Credentials, Weak 2FA Make Breaches a Breeze
In Uber’s Monday morning follow-up, their security team revealed that the initial vector appears to be an Uber contractor’s compromised credentials, most likely purchased on the dark web. With these long-lived credentials, the malicious actor — who may have been linked to the notorious Lapsus$ hacking group — went on to beat Uber’s SMS-based two-factor authentication (2FA) system by employing a common social engineering strategy known as “MFA fatigue” (in which an attacker inundates their target with SMS 2FA requests until they either slip up or give in simply to make the requests stop).
While bragging of his accomplishments on Telegram, the hacker behind the Uber breach claims to have spammed the target employee with SMS authorization requests for over an hour until he finally relented and accepted. Once equipped with the contractor’s credentials and one-time password (OTP), the hacker was able to use the employee’s existing access to pivot throughout Uber’s internal network.
There, it seems the hacker located shared resources that included scripts for Microsoft Powershell, one of which contained hard-coded, privileged credentials for the Privileged Access Manager (PAM), Thycotic. Once the attacker had these, it was effectively game over for Uber. The hacker was able to take a grand tour of Uber’s internal environment, including the company’s GSuite, Duo, OneLogin, AWS, Slack, Vcenter, and even their endpoint detection and response (EDR) portal, evading detection and without raising an incident response alarm.
When it Comes to Weak MFA, Uber is Far From Alone
While this is undoubtedly an embarrassing event for Uber, it’s important to note that very little about this breach is exceptional. The security standards and practices that allowed Uber to be so easily and thoroughly compromised are far from unique in today’s security landscape, with the majority of organizations still using forms of multi-factor authentication (MFA) that are highly vulnerable to adversary-in-the-middle (AiTM) attacks.
In his Twitter breakdown of the Uber breach, independent security researcher Bill Demirkapi was careful to point out that over 60% of websites today don’t even support hardware tokens, and that the vast majority of organizations still have not adopted phishing-resistant forms of MFA (such as FIDO2/WebAuthn). With that being said, even weak 2FA is better than no 2FA. And as of today, only a little more than half (57%) of the world’s businesses use any form of multi-factor authentication (MFA) at all, with small and medium-sized businesses maintaining even lower rates.
How Gradient Cybersecurity Mesh Addresses Weak MFA By Making Credentials Impossible to Steal and Abuse
Gradient was founded on the belief that today’s prevailing cybersecurity standards and infrastructure are fundamentally insufficient. As such we’ve fully reimagined how we go about things, beginning with the primary vector in the Uber breach, and the number one vector in all network breaches today — stolen credentials.
First off, by being passwordless, Gradient Cybersecurity Mesh (GCM) ensures there are no passwords to steal in the first place. What’s more, by leveraging the hardware roots of trust already present on most enterprise laptops, desktops, servers, and cloud instances, GCM makes credential theft virtually impossible.
For an added layer of security, GCM also makes those credentials ephemeral (i.e. short-lived and automatically updated) without breaking existing protocols such as TLS. GCM also allows users to anchor said credentials to a particular machine, or machine+user combination, enabling peer-to-peer level secondary enforcement and making the prospect of stolen credentials all but impossible.
And finally, GCM also speaks WebAuthn and SAML protocols (both phishing-resistant forms of MFA) and issues SSH keys, such that any token or credential format can be securely leveraged, across any platform or scale.