Keep up to date with the experts

Get insights direct to your email inbox

Subscription Form exit intent popup

Follow us on social

“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager

Simon Darley

Trusted by industry leaders

Request a Quote.

First we need a few details.

Contact Form Primary popup

By continuing, you agree to our Terms & Privacy Policy

Expert Intel

The Uber & Rockstar Hacks - Why there is no magic bullet.

Expert: Ben E
Role: SOC Analyst
Specialises in: Threat intelligence
What you will learn:
Why MFA isn't the magic bullet we're all looking for.
With 323,972 social engineering attacks reported to the FBI between 2017-2021, it shouldn’t come as a huge surprise that a big juicy target like Uber & Rockstar were hit.

Let’s get straight to it – companies have been sold the idea that MFA is a magic bullet to prevent data breaches, it isn’t. It is simply a deterrent.

Social engineering is known to be a very effective way to bypass MFA. Most commonly, through MFA fatigue or pretending to be from the I.T department… With 323,972 social engineering attacks reported to the FBI between 2017-2021, it shouldn’t come as a huge surprise that a big juicy target like Uber & Rockstar were hit. Realistically, this number will increase dramatically, year after year.

Humans will always be the weakest link. You can be locked up like a fortress, but all it takes is a single clever attacker or an over-worked employee who is tired, for the attack to be successful. People naturally are less aware when their busy working, or if untrained, they aren’t equipped to spot the right signs of an MFA fatigue attack.

What is MFA fatigue?

An MFA Fatigue attack is when a malicious threat actor runs a script repeatedly, attempting to log in with stolen credentials again and again. This creates (what feels like) an endless stream of MFA push notifications, to be sent to the account owner’s device.

Their intention? To break down the target’s cyber security posture and inflict fatigue via the MFA prompts.

Training a user to report MFA prompts that they haven’t requested is pivotal in keeping your network secure. It should be best practice to teach all employees to ask questions like, “Why would I.T call me about this? Is this normal?”.

The Rockstar Attack.

With regards to the impersonation attack for Rockstar, people think this should be difficult to pull off in a big organisation, that is quite the opposite in my opinion. Smaller businesses know their employees. They know Dave from IT and they know that there is no John from IT. They know company practices and because work interrelationships are stronger, workers are more inclined to raise a concern when they have it.

In larger organisations, however, these can be lost. “I’ve never spoken to anyone in IT before, so John must work here…” – They don’t know what standard procedure is within IT departments and that’s likely because it’s not a part of their day-to-day job.

So what can you do?

  • A good defence against this type of attack would be to implement MFA with physical security keys. This adds an additional obstacle to attackers as they need the physical keys to access resources, even if they manage to trick a user.
  • A zero-trust model could have possibly slowed the attacker down once they gained initial access. This model is designed to limit access so that people do not have more privilege/access than they need. This would have made lateral movement more difficult for the attacker.

Questions IT departments need to be asking.

  • Are we prepared for insider attacks. Do we know how to respond and contain this type of incident?
  • How is our network segregated and do we have multiple, vital systems on the same subnets where a hacker would be to traverse them?

Immediate take-aways.

  • Assume no one is safe, that you’ll be breached eventually and plan accordingly.
  • Zero trust and rule of least privilege should be exercised wherever possible.
  • Invest in your employees. They can be an extremely effective defence against attacks if they are properly trained.
  • Teach employees how to report unwanted MFA prompts and suspicious phone calls – make it best practice.

My thoughts? Uber & Rockstar shouldn’t be condemned outright for this attack – unfortunately it’s true that most companies, big & small, could have fallen victim to this attack, and you’re only as strong as your weakest link…

find us on Youtube

The latest in cyber & IT news, now on youtube!

Our latest expert Intel

  • The Crucial Shift In Ransomware Tactics

    March 24, 2023
    Read full article
  • edge

    Why Microsoft Edge is the best browser for business

    March 13, 2023
    Read full article
  • Windows 11 Business Premium

    A Journey to Modern Endpoint Management

    February 3, 2023
    Read full article
  • What is Open Authorisation Exploitation?

    January 23, 2023
    Read full article
  • Building the Right Business Culture to Manage Human Error - Ryan Pullen X ESW

    January 26, 2023
    Read full article
  • The Uber & Rockstar Hacks - Why there is no magic bullet.

    January 26, 2023
    Read full article
  • Open-Source Intelligence (OSINT) - Why it matters.

    January 26, 2023
    Read full article
  • TEDx Talk: Ryan Pullen – How clicking a link can cost millions.

    January 26, 2023
    Read full article
  • LOLbins & LOLlibs: What are they and why do they matter?

    January 26, 2023
    Read full article