
Uber’s hack shows the tenacity of social engineering

Like many other hacks, Uber’s major security breach started with a text message. According to The New York Times, quoting details provided by the alleged hacker, a fake text message tricked an Uber employee into revealing their password, triggering a chain of events that led to a large-scale compromise of the ridesharing company’s IT systems.

Even for a company with the resources of Uber, it is impossible to fully protect against these types of social engineering threats. No matter how good a company’s password policies are, whether sensitive information is properly stored or encrypted, and whether multi-factor authentication is used, there is always a chance that a human employee could be tricked into letting an attacker in through the front door.

Social engineering is a broad term for this type of attack: a variety of techniques that trick targets into revealing sensitive information, using carefully crafted phishing campaigns or other psychological manipulation. In its quarterly threat report for Q2 2022, enterprise cybersecurity provider ZeroFox noted, “Social engineering remained one of the most frequently reported intrusion tactics in Q2 and will likely remain so for the foreseeable future.” For large companies, this is one of the hardest attacks to defend against for the simple reason that humans can be deceived.

Josh Yavor, CISO at email security provider Tessian, agrees. “Social engineering is the main way companies are vulnerable to breaches, and adversaries know it works,” Yavor said.

In this case, the use of social engineering techniques allowed the attacker to circumvent multi-factor authentication processes, which would normally prevent unauthorized login even with the correct username and password.

Screenshots of conversations with the hacker give some sense of how the attack was carried out. The hacker claimed that after they obtained the employee’s password, they repeatedly triggered push notifications on the employee’s authentication app (a technique commonly called MFA fatigue or push bombing) and then sent a WhatsApp message purporting to be from Uber’s IT department, instructing the employee to approve the prompt to confirm that the login attempt was legitimate.
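The pattern described above leaves a signature in identity-provider logs: a burst of push prompts that time out or are denied, followed by an approval from the same user. The following detection is an added example for this article, not code from Uber or from any of the vendors quoted; the log format and the sample lines are constructed for the example, and the thresholds (three unanswered prompts within ten minutes) are assumptions a team would tune to its own environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of an identity-provider push-MFA log (not real Uber data).
# alice receives a burst of prompts she ignores or denies and then approves one;
# bob approves a single prompt and, later, a lone prompt well outside the window.
SAMPLE_LOG = """\
2022-09-15T22:01:04Z user=alice event=mfa_push result=timeout src=203.0.113.7
2022-09-15T22:01:41Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T22:02:15Z user=alice event=mfa_push result=timeout src=203.0.113.7
2022-09-15T22:03:02Z user=alice event=mfa_push result=timeout src=203.0.113.7
2022-09-15T22:04:30Z user=alice event=mfa_push result=approved src=203.0.113.7
2022-09-15T22:05:00Z user=bob event=mfa_push result=approved src=198.51.100.9
2022-09-15T23:10:12Z user=bob event=mfa_push result=timeout src=198.51.100.9
2022-09-15T23:40:12Z user=bob event=mfa_push result=approved src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed key=value log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not in the expected shape
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_push_fatigue(text, min_unanswered=3, window=timedelta(minutes=10)):
    """Flag approvals preceded by >= min_unanswered denied/timed-out pushes
    for the same user inside `window`. Returns one alert dict per hit."""
    alerts = []
    pending = {}  # user -> list of recent non-approved push events
    for ev in parse_log(text):
        if ev["event"] != "mfa_push":
            continue
        history = pending.setdefault(ev["user"], [])
        if ev["result"] == "approved":
            recent = [e for e in history if ev["ts"] - e["ts"] <= window]
            if len(recent) >= min_unanswered:
                alerts.append({
                    "user": ev["user"],
                    "unanswered_prompts": len(recent),
                    "first_prompt": recent[0]["ts"].isoformat(),
                    "approved_at": ev["ts"].isoformat(),
                    "sources": sorted({e["src"] for e in recent} | {ev["src"]}),
                })
            history.clear()  # an approval ends the burst either way
        else:
            history.append(ev)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print("possible MFA fatigue:", alert)
```

Only the approval that ends a burst raises an alert, so a user who denies a handful of prompts and never approves produces no noise; that case is better handled as a separate "someone has this user's password" signal, because the prompts themselves prove the first factor was already compromised.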

This gave them access to a VPN through which they could connect to Uber’s corporate intranet and, from there, scan the network for sensitive files and applications that could not be reached from outside the VPN. In a PowerShell script (PowerShell is used to automate administrative tasks on Windows machines), they found a hard-coded admin password for Thycotic, a privileged access management (PAM) tool that controls access to other software used by the company.
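A credential sitting in plain text inside an automation script is exactly the kind of thing an attacker who has landed on the internal network goes looking for, and it is cheap to look for it first yourself. The scanner below is an added example written for this article, not code from Uber, Thycotic or any vendor quoted here; the PowerShell snippet it scans is constructed for the example and the patterns are a starting set, not an exhaustive one.

```python
import re
from pathlib import Path

# Constructed sample automation script (not the script from the Uber incident)
# that embeds a privileged credential the way deployment scripts often do.
SAMPLE_SCRIPT = r'''# deploy-agent.ps1 (constructed example)
$server = "pam01.corp.example"
$adminUser = "svc-pam-admin"
$adminPass = "Summer2022!"
$secure = ConvertTo-SecureString "Summer2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($adminUser, $secure)
Invoke-RestMethod -Uri "https://$server/api/v1/auth" -Method Post -Body @{ username = $adminUser; password = "Summer2022!" }
$apiKey = Read-Host "Enter API key"   # prompted at run time, not hard-coded
'''

# Each pattern targets a common way credentials end up as literals in PowerShell.
SECRET_PATTERNS = [
    ("plaintext-assignment",
     re.compile(r'\$\w*(?:pass|pwd|secret|token|key)\w*\s*=\s*["\'][^"\']+["\']', re.I)),
    ("securestring-from-literal",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    ("password-in-hashtable-or-argument",
     re.compile(r'(?:-Password|password\s*=)\s*["\'][^"\']+["\']', re.I)),
]

QUOTED_LITERAL = re.compile(r'(["\'])[^"\']*\1')


def scan_text(text, name="<string>"):
    """Return one finding per (line, pattern) hit. Quoted literals on a flagged
    line are masked so the report itself does not become a copy of the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append({
                    "file": name,
                    "line": lineno,
                    "kind": kind,
                    "text": QUOTED_LITERAL.sub(r"\1***\1", line.strip()),
                })
    return findings


def scan_directory(root, suffixes=(".ps1", ".psm1", ".psd1")):
    """Walk a directory (for example a mounted file share) and scan every script."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_SCRIPT, "deploy-agent.ps1"):
        print(f"{f['file']}:{f['line']} [{f['kind']}] {f['text']}")
```

The remediation is the same for every hit: the script should obtain the credential at run time from the secrets store it is supposed to be protecting (or from an environment injected by the scheduler), and the password that was committed should be rotated, because the script's history is as good as the live file to an attacker.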

“Using this I was able to collect secrets of all services,” the hacker wrote in a Telegram message.

A big obstacle to getting companies adequately prepared is that social engineering is excluded from most bug bounty reward schemes, which offer a financial reward for revealing how hackers can break into systems. This is especially true in the case of Uber, which has declared social engineering “out of scope” for its own bug bounty program, giving a hacker no incentive (at least, no monetary incentive) to share the details of their exploit with Uber before going public.

JC Carruthers, president of Snowfensive, a cybersecurity firm that provides social engineering assessments, said that excluding social engineering attacks from bug bounty programs is standard procedure, because including them would encourage bounty hunters to target employees.

“The target isn’t an IP address or an endpoint — it’s a human being,” Carruthers said. “From an organization’s point of view, they’re authorizing a bounty hunter to test someone they don’t have legal authority for, or there may be ethical concerns.”

Even more difficult than the ethical challenge is the difficulty of solving the problem effectively. A software vulnerability can be patched once it is disclosed, but knowing that company employees can be tricked by a certain type of solicitation leaves security officials with few options for addressing the problem.

“The most important reason organizations don’t include social engineering in their bug bounty program is because they know a social engineering attack works,” Carruthers said.

Typically, companies try to prepare their staff against such attacks with “red teaming”: hiring a security firm to try to compromise employees’ systems with phishing emails, text messages or similar tactics, then providing a report on how they can improve. This undoubtedly improves security, but it may fail to mimic the insidiousness and persistence of real-world social engineering attacks because of the ethical constraints a red team operates under.

As far as prevention goes, employee authentication can be made far more phishing-resistant by using physical security keys (FIDO2/WebAuthn hardware tokens) rather than app-based push notifications. The key signs a challenge that is bound to the website’s origin, so there is no prompt to trick the user into approving, and a login captured on a lookalike domain cannot be replayed against the real one. In one positive example, Cloudflare was recently targeted by a sophisticated phishing campaign but was able to limit the impact because its employees authenticate with hardware keys. Had the targeted Uber employee been protected by a security key, the attacker could not have reached the VPN without possessing the key itself or physical access to the employee’s machine.
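The reason a hardware key resists the attack described in this article is visible in the data the key signs. The following is an added example for this article, not code from Uber, Cloudflare or any WebAuthn library: it reproduces the relying-party checks on WebAuthn clientDataJSON (ceremony type, challenge, origin) with a hypothetical allowed-origin list, and omits the signature verification that follows those checks in a real implementation.

```python
import base64
import json
import os

# Assumed relying-party configuration (hypothetical origins, not Uber's).
ALLOWED_ORIGINS = {"https://vpn.corp.example", "https://sso.corp.example"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_challenge() -> str:
    """Server side: a fresh random challenge stored against the login session."""
    return b64url_encode(os.urandom(32))


def client_data_for(origin: str, challenge: str) -> str:
    """What the browser builds, and the security key signs over, when the user
    touches the key on the page at `origin`. The user cannot edit the origin;
    the browser fills it in from the page that called navigator.credentials.get(),
    so a phishing page on a lookalike domain can only ever produce its own origin."""
    payload = {"type": "webauthn.get", "challenge": challenge,
               "origin": origin, "crossOrigin": False}
    return b64url_encode(json.dumps(payload).encode())


def verify_client_data(client_data_b64: str, expected_challenge: str):
    """Relying-party checks on clientDataJSON. In a real flow the assertion
    signature over authenticatorData || SHA-256(clientDataJSON) is verified
    next; it is omitted here because these checks are what make a phished
    assertion useless even when the signature is genuine."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except (ValueError, TypeError):
        return False, "clientDataJSON is not valid base64url JSON"
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or stale assertion)"
    if data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: %r" % data.get("origin")
    return True, "ok"


if __name__ == "__main__":
    challenge = new_challenge()
    # Legitimate login from the real VPN portal.
    print(verify_client_data(client_data_for("https://vpn.corp.example", challenge), challenge))
    # The same user, same key, same challenge, but on a phishing site: rejected.
    print(verify_client_data(client_data_for("https://vpn-corp.example", challenge), challenge))
```

Contrast this with the push notification in the Uber case: the push carries no binding to where the login request came from, so the only thing standing between the attacker and the session is the employee's judgement, which is precisely what the WhatsApp message was written to override.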

Ultimately, however, the versatility of social engineering means that it is impossible to completely eliminate the threat.

“When the attack vector is human nature, you can’t patch it,” Carruthers said.
