How did it happen? Why did it happen? Can it happen to you? How can you prevent this?
Uber got hacked, and the hacker announced it to Uber with some class; nobody believed it.
1. Uber uses push notification MFA (Multi-Factor Authentication). How does this work? Push MFA uses smartphone notifications to confirm a login attempt. This puts push MFA in the category of "something you have," since the user needs their smartphone on them to use push notifications as a second factor. After entering their username and password, the user simply unlocks their phone and presses a button to either approve or deny the access request.
2. How did the hacker get around this? The hacker did not have any of the employee's devices. MFA protects against an attacker who only has the credentials, but push MFA is still vulnerable to man-in-the-middle (relay) attacks.
3. An attacker can set up a fake domain that relays Uber's real login page using readily available tooling. The only visible difference is the domain name in the address bar, which is easy to miss because almost no one looks at it. For most forms of MFA, nothing stops the attacker from relaying the whole authentication exchange, including the push prompt, to the real server. This is how even your Instagram, Facebook, or any other account can be hacked. The most common form is fake bank messages that link to a mirrored bank login page. I have seen it firsthand with messages circulating that target SBI customers. So, please never forget to check the address bar.
4. Once the attacker had compromised an employee's credentials, they used that victim's existing VPN access to pivot into the internal network. Internal infrastructure is often audited and evaluated far less rigorously than external infrastructure.
5. The attacker shared several screenshots of Uber’s internal environment, including their GDrive, VCenter, sales metrics, Slack, and even their EDR portal.
6. The hacker sent a Slack message after the attack. Employees thought it was a joke, but it was actually their worst nightmare. The question is how to prevent this.
7. Bill Demirkapi, an independent security researcher, proposes a solution. He said that the kind of MFA Uber seems to have used is not the most secure kind. Instead, Demirkapi suggests FIDO2, which bills itself as a "phishing-resistant" form of authentication. FIDO2 is a web authentication mechanism that, unlike more standard forms of MFA, verifies that the MFA prompt originated from the real login server. As Demirkapi put it, "If an attacker created a fake login page and prompted for FIDO MFA, the U2F device wouldn't even respond, preventing the authentication from continuing".
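To show why a relayed login page cannot pass a FIDO2 check, here is an added toy model in Python (not Uber's code and not a FIDO library): the browser refuses to ask the authenticator unless the relying-party ID matches the page origin, and the server additionally verifies the origin recorded in the signed clientDataJSON. The names `RP_ID`, `login.example`, the phishing origin, and the symmetric `CRED_KEY` (standing in for the authenticator's per-credential key pair) are assumptions.

```python
"""Toy model of WebAuthn/FIDO2 origin binding (constructed example, not Uber's or
FIDO's code). An HMAC key stands in for the authenticator's per-credential key
pair; the signed layout authenticatorData || SHA-256(clientDataJSON) follows the spec."""
import hashlib
import hmac
import json
import os

RP_ID = "login.example"                        # assumed relying-party ID
RP_ORIGIN = "https://login.example"            # the only origin the RP accepts
CRED_KEY = b"constructed-per-credential-key"   # shared with the toy authenticator only


def client_data(challenge: bytes, origin: str) -> bytes:
    """The browser builds this from the page origin it actually observes."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}).encode()


def browser_get_assertion(rp_id: str, challenge: bytes, page_origin: str):
    """Step 1 (browser): refuse unless rp_id is the page host or one of its parents."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None                            # the authenticator is never asked to sign
    cdj = client_data(challenge, page_origin)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01])  # rpIdHash || flags
    sig = hmac.new(CRED_KEY, auth_data + hashlib.sha256(cdj).digest(), "sha256").digest()
    return {"clientDataJSON": cdj, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion, challenge: bytes) -> bool:
    """Step 2 (server): check challenge, origin and rpIdHash, then the signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:          # a relay proxy cannot rewrite this: it is signed
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CRED_KEY, signed, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def login_attempt(page_origin: str) -> bool:
    """Full round trip: the RP issues a challenge, which a relay would forward unchanged."""
    challenge = os.urandom(32)
    return rp_verify(browser_get_assertion(RP_ID, challenge, page_origin), challenge)
```

A push-MFA prompt carries no origin at all, which is exactly why the relay described in item 3 succeeds against it and fails here.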
Key takeaway: never open unknown links or links from unknown people. If you do open one, at least verify the address in the address bar. You can lose all your money if someone gets into your bank account the same way the hacker got into Uber, and your Instagram can be taken over in the same way.