Like many other hacks, Uber’s main security breach started with a text message. Citing details provided by the alleged hacker, The New York Times reported that a fake text message caused an Uber employee to reveal his password details, triggering a sequence of events that led to a large-scale compromise of the ride-sharing company’s computer systems.
Even for a company with the resources of Uber, it is impossible to fully defend against these types of social engineering threats. No matter how good a company’s password policies are, whether sensitive information is properly stored or encrypted, and even whether multi-factor authentication is used – there’s always a chance that a human employee will be tricked into letting the attacker in through the front door.
Social engineering is an umbrella term for this type of attack: a wide range of techniques that trick targets into divulging sensitive information, using carefully tailored phishing campaigns or other psychological tricks. In its Quarterly Threat Report for Q2 2022, enterprise cybersecurity vendor ZeroFox assessed that “Social engineering remained one of the most frequently reported intrusion tactics in Q2, and it will almost certainly continue to be so for the foreseeable future.” For large corporations, this is one of the hardest attacks to protect against for the simple reason that human beings are gullible.
Josh Yavor, CISO at email security provider Tessian, agrees. “Social engineering is the predominant way businesses are breached, and adversaries know it works,” Yavor said.
In this case, it was the use of social engineering techniques that allowed the attacker to bypass the multi-factor authentication process that would typically block an unauthorized login, even with a correct username and password.
Screenshots of conversations with the hacker give an idea of how the attack unfolded. The hacker claims that after obtaining the employee’s password, he repeatedly triggered push notifications in an authenticator app, then sent a WhatsApp message claiming to be from Uber’s IT department asking the employee to confirm that the login attempt was legitimate.
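As an added illustration (not from the article), a defender-side check for the push-bombing pattern described above: it scans constructed MFA log lines for a user who received several push prompts within a short window and flags whether an approval followed the burst. The log format and field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real Uber data): timestamp, user, event.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z alice push_sent
2022-09-15T22:01:40Z alice push_denied
2022-09-15T22:02:10Z alice push_sent
2022-09-15T22:02:55Z alice push_denied
2022-09-15T22:03:20Z alice push_sent
2022-09-15T22:03:50Z alice push_sent
2022-09-15T22:04:30Z alice push_sent
2022-09-15T22:05:02Z alice push_approved
2022-09-15T22:05:10Z bob push_sent
2022-09-15T22:05:30Z bob push_approved
"""


def parse_log(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: (max_pushes_in_window, approved_after_burst)} for every
    user who received at least `threshold` push prompts inside `window`."""
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))
    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        pushes = [ts for ts, e in evs if e == "push_sent"]
        start = 0
        for end in range(len(pushes)):
            # Slide the window start forward until it covers at most `window`.
            while pushes[end] - pushes[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                # An approval after the burst began is the worrying outcome.
                approved = any(e == "push_approved" and ts >= pushes[start] for ts, e in evs)
                best = max(count, findings.get(user, (0, False))[0])
                findings[user] = (best, approved)
    return findings
```

A real deployment would feed this from the identity provider's authentication log and alert when `approved_after_burst` is true, since that is the moment the attacker gains a session.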
This gave them access to a VPN through which they could connect to Uber’s corporate intranet and from there scan the network for sensitive files and applications that would not have been reachable from a connection outside the VPN. In a PowerShell script (PowerShell is used to automate tasks on Windows machines), they allegedly found an administrator password to log into Thycotic: a privileged access management (PAM) tool that controlled access to other software used by the company.
“Using this I was able to extract secrets for all services,” the hacker wrote in a Telegram post.
Properly preparing businesses is a tall order, made more difficult by the exclusion of social engineering from most bug bounty reward programs. Social engineering attacks are rarely covered by these programs, which offer hackers a financial reward for revealing how they are able to break into systems. This was especially true in the case of Uber, which declared social engineering “out of scope” for its own bug bounty program – providing no incentive (at least, no monetary incentive) for the hacker to share the details of his exploit with Uber before going public.
JC Carruthers, president of Snowfensive, a cybersecurity firm that offers social engineering assessments, told The Verge that excluding social engineering attacks from bug bounty programs is standard procedure, as doing otherwise would encourage attackers to target employees.
“The target is not an IP address or an endpoint – it’s a human,” Carruthers said. “From an organization’s perspective, they are allowing the bounty hunter to test someone for whom they may not have legal authority, or there may be ethical issues.”
Even more stubborn than the ethical challenge is simply the difficulty of dealing effectively with the problem. A software vulnerability can be fixed once it is revealed, but when a company learns that its employees can be tricked by a particular type of request, security managers have few options to fix the problem.
“The most important reason organizations don’t include social engineering in their bug bounty program is because they know a social engineering attack will work,” Carruthers said.
Typically, companies try to prepare their staff against such attacks with a “red team” – hiring a security company to attempt to compromise employee systems with phishing emails, text messages or other similar tactics and then provide a report on how they could improve. It’s a strategy that undoubtedly improves security, but because of ethical constraints it may not mimic the deviousness and persistence of real-world social engineering hacks.
In terms of prevention, employee authentication can also be improved by requiring physical security keys to log in rather than app-based notifications. In a positive example, Cloudflare was recently the target of a sophisticated phishing scam, but was able to minimize the impact through the use of hardware token authentication. In the case of the attack on Uber, if the targeted employee had had a security key, the attacker could not have breached the VPN system without physical access to the key or the employee’s machine.
Ultimately, however, the versatility of social engineering means it’s impossible to completely eliminate the threat.
“When the attack vector is human in nature, you can’t just patch it,” Carruthers said.