The Uber & Rockstar Hacks - Why there is no magic bullet.

Let’s get straight to it – companies have been sold the idea that MFA is a magic bullet to prevent data breaches, it isn’t. It is simply a deterrent.

Social engineering is known to be a very effective way to bypass MFA. Most commonly, through MFA fatigue or pretending to be from the I.T department… With 323,972 social engineering attacks reported to the FBI between 2017-2021, it shouldn’t come as a huge surprise that a big juicy target like Uber & Rockstar were hit. Realistically, this number will increase dramatically, year after year.

Humans will always be the weakest link. You can be locked up like a fortress, but all it takes is a single clever attacker or an over-worked employee who is tired, for the attack to be successful. People naturally are less aware when their busy working, or if untrained, they aren’t equipped to spot the right signs of an MFA fatigue attack.

What is MFA fatigue?

An MFA Fatigue attack is when a malicious threat actor runs a script repeatedly, attempting to log in with stolen credentials again and again. This creates (what feels like) an endless stream of MFA push notifications, to be sent to the account owner’s device.

Their intention? To break down the target’s cyber security posture and inflict fatigue via the MFA prompts.

Training a user to report MFA prompts that they haven’t requested is pivotal in keeping your network secure. It should be best practice to teach all employees to ask questions like, “Why would I.T call me about this? Is this normal?”.

The Rockstar Attack.

With regards to the impersonation attack for Rockstar, people think this should be difficult to pull off in a big organisation, that is quite the opposite in my opinion. Smaller businesses know their employees. They know Dave from IT and they know that there is no John from IT. They know company practices and because work interrelationships are stronger, workers are more inclined to raise a concern when they have it.

In larger organisations, however, these can be lost. “I’ve never spoken to anyone in IT before, so John must work here…” – They don’t know what standard procedure is within IT departments and that’s likely because it’s not a part of their day-to-day job.

So what can you do?

• A good defence against this type of attack would be to implement MFA with physical security keys. This adds an additional obstacle to attackers as they need the physical keys to access resources, even if they manage to trick a user.

• A zero-trust model could have possibly slowed the attacker down once they gained initial access. This model is designed to limit access so that people do not have more privilege/access than they need. This would have made lateral movement more difficult for the attacker.

Questions IT departments need to be asking.

• How is our network segregated and do we have multiple, vital systems on the same subnets where a hacker would be to traverse them?

Immediate take-aways.

• Assume no one is safe, that you’ll be breached eventually and plan accordingly.

• Zero trust and rule of least privilege should be exercised wherever possible.

• Invest in your employees. They can be an extremely effective defence against attacks if they are properly trained.

• Teach employees how to report unwanted MFA prompts and suspicious phone calls – make it best practice.

My thoughts? Uber & Rockstar shouldn’t be condemned outright for this attack – unfortunately it’s true that most companies, big & small, could have fallen victim to this attack, and you’re only as strong as your weakest link…