Lessons I Learnt From The Uber Attack

By Lanre Yusuf   |   Sep 20 2022

Just like you, I stumbled on the news about the massive data breach suffered by Uber last week. The attack was attributed to the notorious Lapsus hacking group, which has been increasingly active in recent months. Researchers say the incident has highlighted the risks associated with overconfidence in the use of multifactor authentication (MFA), as well as unmanaged risk around cloud-service adoption.

A well-known tactic of the Lapsus hacking group is to co-opt MFA-circumventing tools into its attack chain. In a statement released by Uber yesterday, it was noted that the attacker who breached its network last week had first obtained the VPN credentials of an external contractor, likely by purchasing them on the Dark Web. The attacker then repeatedly tried to log in to the Uber account using the illegally obtained credentials, prompting a two-factor login approval request each time.

Sadly, this can happen to any organization. It is therefore important to focus on learning how to protect our various organizations against such attack scenarios, rather than be caught unawares or, worse still, play the blame game.

One expert, Reet Kaur, a Board Member and Advisor to Cisco, highlights the following controls, among other expert opinions:

  1. Consider implementing zero trust (ZT):
    ZT can address these types of attacks by authenticating every transaction.
  2. Enable red team / pentesters to work as hackers:
    Uber has a great pen test team, but most security teams are restricted in how far they can go on the offensive, to avoid disrupting operations. A hacker would have no such limitation. Why allow a hacker to uncover your organization’s vulnerabilities, with damage more disruptive than the disruption to your daily operations? Your reputation is at risk.
  3. Implement multiple-layer security controls:
    Security is a people, processes and technology play. Implement security controls at multiple layers so that if one control plane fails, another one protects. Continue providing training to employees, but don’t expect flawless execution from them all the time, as security is only 1% of their job responsibilities and human error is always present.
  4. Implement change management | Separation of Duties | Dual Control:
    This is to make sure that no single privileged account can disable critical implementations like MFA without going through proper verifications and approvals.
  5. Set exhaustion limits on MFA:
    More than 5-6 failed attempts should disable the account and require a call back to re-enable it, which may reduce the risk of MFA being compromised.
  6. Implement CASB and cloud security posture management solutions:
    It is easy to drift out of compliance if you don’t have full visibility into the cloud. Implementing automated monitoring, detection and response can help you get an alert on, or automatically deny, unapproved policy changes.
  7. Plan for out-of-band communication:
    In case your internal communication channels (Slack) get breached.
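To make control 5 concrete, here is an added example (not from Reet Kaur or Uber) of an MFA exhaustion limit evaluated over a push-approval log. The event format, the 10-minute window, the review threshold and the sample log are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILED = 5                  # the post suggests locking after more than 5-6 failures
WINDOW = timedelta(minutes=10)  # assumption: the post gives no time window
REVIEW_AFTER = 3                # assumption: failures before an approval looks coerced

def day(hhmm, user, result):
    return (f"2024-01-10T{hhmm}:00", user, result)

# Constructed sample MFA push log: (ISO timestamp, user, result)
SAMPLE_EVENTS = (
    [day(f"{h:02d}:00", "carol", "denied") for h in range(8, 14)]      # spread over hours
    + [day("18:00", "alice", "denied"), day("18:01", "alice", "approved")]
    + [day(f"19:0{m}", "contractor", "denied") for m in range(1, 7)]   # push flood
    + [day("19:07", "contractor", "approved")]                         # fatigued approval
    + [day(f"20:0{m}", "bob", "timeout") for m in range(3)]
    + [day("20:03", "bob", "approved")]
)

def evaluate(events, max_failed=MAX_FAILED, window=WINDOW, review_after=REVIEW_AFTER):
    """Return (locked_users, alerts); alerts are (timestamp, user, kind) tuples."""
    recent = defaultdict(deque)      # user -> times of failed pushes inside the window
    locked, alerts = set(), []
    for ts, user, result in sorted(events):
        now = datetime.fromisoformat(ts)
        if user in locked:
            # Locked accounts stay locked until a call-back; later approvals are refused.
            alerts.append((ts, user, "blocked"))
            continue
        failures = recent[user]
        while failures and now - failures[0] > window:
            failures.popleft()       # forget failures older than the window
        if result in ("denied", "timeout"):
            failures.append(now)
            if len(failures) > max_failed:
                locked.add(user)
                alerts.append((ts, user, "locked"))
        elif result == "approved":
            if len(failures) >= review_after:
                alerts.append((ts, user, "review"))   # approval right after a burst
            failures.clear()
    return locked, alerts

if __name__ == "__main__":
    locked, alerts = evaluate(SAMPLE_EVENTS)
    print("locked:", sorted(locked))
    for alert in alerts:
        print(*alert)
```

In the sample log the flooded account is locked on the sixth failure, so the approval that follows is refused, while failures spread over several hours never trip the limit.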

In addition to the above, Patrick Tiquet, vice president of security and architecture at Keeper Security, says the Uber attack highlights a fundamental misconception around MFA's strength as a method to secure access. "Use of SMS text messages as MFA should be discouraged and never used as MFA for high-value assets," Tiquet says. "The use of an authenticator app, security key, or biometrics are stronger and more effective methods to protect your accounts."

Although some organizations may have implemented some of the controls above, it is pivotal that we stay ahead with these multiple strategies in order to avoid being outpaced by the sprawling complexity of modern threats and the actors behind them.

What multifactor authentication is in use at your company? Do you require an immediate assessment of it?

Reach out to us today via our email: info@techspecialistlimited.com or phone number: 09 2911443

Hope you enjoyed reading this post. Share with your friends.
