It was the worst-case scenario for Uber, the popular ride-sharing app, when the company suffered a major data breach in early September. While the extent of the damage, and the data potentially stolen, is still being uncovered, the attack — and the methods used to execute it — can be examined and used to teach other organizations what (and what not) to do.
How Uber Was Breached
Social engineering found success again with this incident. The attacker, who claims to be a lone 18-year-old hacker, stated that they gained access by targeting an employee and repeatedly sending them multi-factor authentication (MFA) notifications. The hacker then contacted the employee via WhatsApp, claiming to be an Uber IT employee, and told the user that the notifications were legitimate and would stop once the employee clicked on them. This kind of social engineering attack is often referred to as “prompt bombing” or “MFA fatigue.”
From there, the hacker was able to move through shared network access points, ultimately finding a way into the company’s OneLogin instance and obtaining credentials to its privileged access management system. In non-hacking terms, this is the equivalent of finding the skeleton key to a house: once you hold that credential, everything unlocks.
What Is Prompt Bombing?
Prompt bombing is a social engineering attack that uses repeated attempts to gain access through a multi-factor authentication prompt. It is also called an “MFA fatigue” attack. While a simpler MFA-focused social engineering attack may ask for credentials once or twice, this method prompts the user repeatedly, hoping that fatigue and frustration will lead the user to give in and make a rash decision. In the case of Uber, the hacker also followed up with a false text message, lending legitimacy to the prompts.
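The push-notification pattern described above leaves a clear trail in identity-provider logs. The following is an added example, not from the original post or from Arctic Wolf, that flags a burst of denied or timed-out MFA push prompts for one account and escalates when an approval arrives while that burst is still inside the window; the CSV log format, the sample users and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (CSV: timestamp,user,result); not from a real IdP.
SAMPLE_LOG = """\
2022-09-15T02:11:04Z,alice,denied
2022-09-15T02:11:41Z,alice,timeout
2022-09-15T02:12:15Z,alice,denied
2022-09-15T02:13:02Z,alice,timeout
2022-09-15T02:14:30Z,alice,timeout
2022-09-15T02:19:55Z,alice,approved
2022-09-15T17:30:44Z,bob,denied
2022-09-15T17:31:10Z,bob,approved
2022-09-15T22:05:00Z,carol,timeout
2022-09-15T22:06:30Z,carol,timeout
2022-09-15T22:08:10Z,carol,timeout
"""

def parse(log_text):
    """Parse CSV lines into (timestamp, user, result) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def find_prompt_bombing(events, min_unapproved=3, window=timedelta(minutes=10)):
    """Medium: >= min_unapproved denied/timed-out pushes inside the window (someone
    holding the password is spamming prompts). High: an approval while such a burst
    is still inside the window (the fatigue attack succeeded)."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = []
    for user, seq in by_user.items():
        recent, burst_reported = [], False  # unapproved prompts still in the window
        for ts, result in seq:
            recent = [t for t in recent if ts - t <= window]
            if result in ("denied", "timeout"):
                recent.append(ts)
                if len(recent) >= min_unapproved and not burst_reported:
                    alerts.append({"user": user, "severity": "medium",
                                   "unapproved": len(recent), "at": ts.isoformat()})
                    burst_reported = True
            elif result == "approved":
                if len(recent) >= min_unapproved:
                    alerts.append({"user": user, "severity": "high",
                                   "unapproved": len(recent), "at": ts.isoformat()})
                recent, burst_reported = [], False
    return alerts
```

A single denied prompt followed by an approval (bob) is normal user behaviour and produces no alert; a medium alert with no approval (carol) still signals that the account's password is in someone else's hands and should be rotated.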
According to Arctic Wolf’s The State of Cybersecurity: 2022 Trends Report, 90% of attacks target organizations’ employees. A prompt bombing attack is the perfect example of why employees are so heavily targeted — it works.
How Security Training Can Prevent This Kind of Attack
If employees are targeted consistently, then security awareness training should happen consistently as well. Employees are the first line of defense, and whether they’re targeted by a hacker or make a legitimate mistake, their actions can be the difference between safety and danger.
Security awareness training should not be a box that an organization checks off every year, but an ongoing effort that uses engagement, gamification, and micro-learning to ensure that users not only absorb the training but can make the best decisions when an incident occurs.
Prompt bombing, specifically, is a newer tactic that hackers are using, so if your security awareness program relies on outdated content, your employees won’t recognize the threats in front of them. Organizations should periodically evaluate their security awareness program to make sure their users are getting the best possible training for their security needs.
Training Tips to Prevent a Prompt Bombing Attack
- Never authorize an MFA request you did not originate.
- Reach out to your IT team if you get a suspicious MFA request.
- Regularly update your credentials, as they may be known outside your organization.
The tips above seem simple, but as this attack shows, a small moment of complacency, frustration, or fatigue can lead to a major breach.
As more is learned about this attack and how much of Uber’s environment the hacker was able to reach, another important security point comes into focus: a layered defense is the best approach. Security awareness training is critical, but it’s not the only approach an organization should take.
Proactive Security Paired with MDR Can Limit Attack Surface
With this attack, once the hacker got into Uber’s system, they were able to snoop around and find a document that, according to what the hacker posted online afterward, contained the credentials to the company’s privileged access management solution. This solution, referred to as a PAM, is where an organization stores its most valuable credentials (usually encrypted by various methods). Yet the credentials to the PAM solution itself were kept in a plain-text, unencrypted document on a shared network.
It’s not known what solutions Uber has in place or what their IT environment looks like from a cybersecurity perspective. However, when it comes to a credential-focused attack, both a managed risk and a managed detection and response solution are designed to proactively and reactively defend an organization.
This is where having a managed risk and a managed detection and response (MDR) solution would be critical. A solution like Arctic Wolf® Managed Risk works with an organization to uncover vulnerabilities and harden the IT environment. It also contextualizes the organization’s specific attack surface and assesses what risks are present and which steps should be the top priority for improving cybersecurity posture. With this solution, organizations can improve their security in meaningful ways that can prevent the next attack from ever occurring.
An MDR solution is there to quickly detect and respond to immediate threats, thereby limiting the attack surface, incident time, and overall damage. Arctic Wolf® Managed Detection and Response combines cutting-edge technology with 24×7 monitoring and broad visibility to assist organizations with their threat detection and response. The goal is not only to detect a threat but to stop it in its tracks, and then to identify what happened and how to prevent this kind of threat in the future.
Learn more about how vulnerability visibility increases security posture with our webinar, “You Can’t Protect What You Don’t Know: The Importance of Asset Discovery and Classification.”