Multi-Factor Authentication Fatigue Key Factor in Uber Breach

Earlier this week, Uber disclosed that the recent breach it suffered was made possible through a multi-factor authentication (MFA) fatigue attack in which the attacker posed as Uber IT.

MFA fatigue attacks are a form of social engineering that consists of spamming a target with repeated MFA requests until they eventually authorize access. This kind of attack is possible when the threat actor has gained access to corporate login credentials but cannot access the account due to multi-factor authentication.
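On the detection side, the pattern described above (a run of unapproved push prompts, possibly ending in an approval) is visible in authentication logs. The following is an added example, not code from Uber or from the article; the event format, the 10-minute window and the threshold of 5 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of unapproved prompts that makes a burst

# Constructed sample events (not real log data): ISO timestamp, user, push result
SAMPLE_EVENTS = [
    ("2024-01-01T01:00:00", "contractor1", "timeout"),
    ("2024-01-01T01:01:00", "contractor1", "denied"),
    ("2024-01-01T01:02:00", "contractor1", "timeout"),
    ("2024-01-01T01:03:00", "contractor1", "denied"),
    ("2024-01-01T01:04:00", "contractor1", "timeout"),
    ("2024-01-01T01:05:00", "contractor1", "denied"),
    ("2024-01-01T01:06:30", "contractor1", "approved"),
    ("2024-01-01T09:00:00", "alice", "denied"),    # single mis-tap, then success
    ("2024-01-01T09:00:40", "alice", "approved"),
    ("2024-01-01T10:00:00", "bob", "approved"),    # ordinary login
]

def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, kind, timestamp, unapproved_count) alerts.

    kind 'burst': threshold unapproved prompts reached inside the window.
    kind 'burst_then_approved': an approval arriving on top of such a burst,
    the case where the target gave in and the session should be reviewed.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    bursting = set()             # users already alerted for the current burst
    alerts = []
    for ts_raw, user, result in sorted(events):  # ISO strings sort by time
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:          # drop prompts outside the window
            q.popleft()
        if not q:
            bursting.discard(user)
        if result == "approved":
            if len(q) >= threshold:
                alerts.append((user, "burst_then_approved", ts_raw, len(q)))
            q.clear()
            bursting.discard(user)
        else:
            q.append(ts)
            if len(q) >= threshold and user not in bursting:
                bursting.add(user)
                alerts.append((user, "burst", ts_raw, len(q)))
    return alerts
```

A `burst_then_approved` alert is the one to treat as a likely compromise: the approved session warrants revocation and review rather than just a user notification.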

According to Uber,

It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware.

To put the likelihood of an MFA fatigue attack succeeding in perspective, security researcher Kevin Beaumont recalled on Twitter that this is the same technique used in the recent LAPSUS$ attacks, about which the attacker allegedly explained: “call the employee 100 times at 1AM while he is trying to sleep and he will more than likely accept it”.

In Uber’s case, the approach was different, though. As reported by Lawrence Abrams for Bleeping Computer, security researcher Corben Leo got in touch with the hacker behind the breach and learned that they had contacted the targeted contractor on WhatsApp, claiming to be from Uber IT and saying that the only way to stop the incessant notifications was to accept one.

Once the attacker got their device authorized for access to Uber’s intranet, they began scanning the corporate network until they found a PowerShell script containing admin credentials for the platform Uber uses to manage its login secrets, including DA, DUO, Onelogin, AWS, and Gsuite. This allowed them to grab source code and, more worryingly, to gain access to Uber’s HackerOne bug bounty program. This in turn gave the attacker information about reported vulnerabilities that have not been fixed yet.

In conversation with InfoQ, Cerby’s chief trust officer Matt Chiodi stated that “if what’s being reported is true, this would be an unprecedented level of access, even when compared to SolarWinds”. One way to mitigate the impact of such incidents, according to Chiodi, is applying a Zero Trust strategy,…