It's still unclear whether the breach of Uber's internal IT systems, revealed on Thursday, was anything more than embarrassing for the company.
But for businesses everywhere, the attack should serve as yet another reminder that certain security controls that we once thought were a panacea are no such thing.
Specifically, multifactor authentication. This security control, which requires a second form of verification for a user to log into a corporate network, is considered essential for keeping the hackers out. But lately, hackers have been finding clever ways to beat it.
In the Uber breach, the method employed by the hacker appears to be what's known as an "MFA fatigue" attack: The attacker (posing as someone from IT) sends repeated login notifications to an employee until the employee approves it. Basically, the attacker wears the employee down. But once approved, the attacker is in.
"We thought MFA was always the silver bullet," said Bryan Murphy, senior director for consulting services and incident response at identity security vendor CyberArk.
In the past, "the conversation was always 'MFA everything,'" Murphy said. "Now we're starting to see that attackers are finding ways around it."
Another recent high-profile breach, the attack on Twilio, was a different version of the same story.
According to a blog from Cloudflare, which experienced a similar attack to Twilio, the attackers who targeted Twilio most likely tricked employees into giving them the one-time password that was used as the second factor for verification. That's because the employees were actually entering the code into a fake site maintained by the attackers, allowing the attackers to intercept the code and bypass the MFA protections.
Notably, there is one form of MFA that is still considered "unphishable." Hardware security keys that comply with the latest authentication standard, known as FIDO2, serve as a second factor that can't be thwarted because they require the user to physically touch the key. Cloudflare, which provides its employees with YubiKey hardware keys, said the attackers were unable to get around its use of MFA through the use of the keys, preventing the company from getting breached.
Uber said Monday that it doesn't appear the attackers, which it claimed were operating as part of the Lapsus$ group, were able to access any personal customer data or make any changes to its source code.
This story was updated with Uber's blog post on some of the details behind the breach.
Climate TRACE's data show emissions at the facility-level.Image: Climate TRACE