Blame game follows Uber hack. Experts do not blame the employee.

In the wake of the Uber hack, allegedly by an 18-year-old who claimed he was dooming the company for lax security, the conversation in infosec circles quickly turned to how it could possibly have been so easy to compromise one of the world’s most valuable technology companies.
The alleged hacker did not respond to a request for comment Friday, but told The New York Times late Thursday that they had socially engineered an Uber employee to gain access to the company’s systems. Screenshots shared on Twitter and other platforms appeared to demonstrate the extensive access the attacker gained, including to Uber’s accounts with Amazon Web Services, Google Suite and HackerOne.
The attacker told Corben Leo, a researcher and developer, that they gained access to a privileged access management tool that, when queried, revealed credentials for a range of services.
The relative ease, according to a number of experts sharing initial opinions online, shows that this is a structural system problem, not a problem at the level of the individual employee.
Coldwater’s tweet received nearly 1,000 retweets and nearly 4,500 likes within hours, while others shared similar sentiments.
Bill Demirkapi, a researcher and security engineer at Microsoft, pointed out on Twitter that “the scale of the attack demonstrates another problem with authentication centralization,” which is that “it can often be a single point of failure that can give attackers a wide range of access, as we’ve seen in this example.”
If the details are accurate about how the attacker gained access, first by spamming employees with push-based multi-factor authentication requests, Demirkapi added, then this is not just an Uber problem. “The practices that led to their compromise are shockingly common,” he tweeted. “Vulnerable MFA is used everywhere, >60% of sites don’t even support hardware tokens.”
Similar attack methods were used in the recent breaches of Twilio, Okta and about 130 other companies, according to Group-IB, and experts say it’s a tactic on the rise.
“Why are we seeing an increase in SMS-based phishing? Because it works, is increasingly well documented by attackers, and is now seen to make it easier to develop attacks to steal passwords and MFA codes,” tweeted Rachel Tobac, CEO of SocialProof Security.
Organizations of all kinds are affected by these types of attacks, Sam Rubin, vice president of Unit 42 Consulting at Palo Alto Networks, told CyberScoop on Friday. While not commenting specifically on Uber’s practices, Rubin said that while these attacks are not complex or sophisticated, “they are still proving to be very successful.”
Ultimately, “it comes down to educating employees to be aware of these tactics criminals use to gain access to organizations,” he said. “They also often use urgency and user fatigue to get people to click on these links. If you’re not sure if IT or your help desk really sent a text message, contact them directly to confirm.”
In addition, administrators could tighten MFA controls to reduce risk, he said, a suggestion many others made Friday.
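One concrete control behind that suggestion is to alert on the push-spam pattern itself: a burst of push prompts to one user, especially one that ends in an approval after several denials or timeouts. The following is an added illustration, not code from the article or from Uber; it runs over constructed log lines in an assumed "timestamp user= factor= result=" format, and the threshold and window values are assumptions to tune per environment.

```python
"""Flag MFA push-fatigue bursts in constructed authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_THRESHOLD = 5             # assumed: prompts within WINDOW that warrant an alert
WINDOW = timedelta(minutes=10)  # assumed sliding window

# Constructed sample log; the line format is an assumption, not a real product's format.
SAMPLE_LOG = """\
2022-09-15T22:01:05Z user=alice factor=push result=denied
2022-09-15T22:01:40Z user=alice factor=push result=timeout
2022-09-15T22:02:10Z user=alice factor=push result=denied
2022-09-15T22:03:00Z user=alice factor=push result=timeout
2022-09-15T22:05:30Z user=alice factor=push result=denied
2022-09-15T22:08:45Z user=alice factor=push result=approved
2022-09-15T22:04:00Z user=bob factor=push result=approved
2022-09-15T22:30:00Z user=bob factor=password result=success
2022-09-15T20:00:00Z user=carol factor=push result=approved
2022-09-15T20:30:00Z user=carol factor=push result=approved
2022-09-15T21:00:00Z user=carol factor=push result=approved
2022-09-15T21:30:00Z user=carol factor=push result=approved
2022-09-15T22:00:00Z user=carol factor=push result=approved
"""


def parse_line(line):
    """Turn one log line into a dict with a parsed 'ts' datetime."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_push_fatigue(log_text, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {user: (max prompts in any window, approved inside such a burst)}."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec.get("factor") == "push":
                by_user[rec["user"]].append(rec)
    alerts = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):           # sliding window over sorted prompts
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                approved = any(r["result"] == "approved" for r in recs[start:end + 1])
                prev_count, prev_approved = alerts.get(user, (0, False))
                alerts[user] = (max(count, prev_count), prev_approved or approved)
    return alerts
```

An approval inside a flagged burst (alice here) is the case to treat as a likely compromised session rather than a noisy user; carol's five prompts spread over two hours do not trigger because they never fall inside one window.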