Lessons Learned from the Latest Social Engineering Breaches

October 11, 2022 | 3 min read

Tom Huckle

Director of Information Security and Compliance EMEA


Multi-factor authentication can help enterprises be more secure but has recently become a target for cybercriminals. Here’s what to know about the latest breaches that have targeted the likes of Uber and Rockstar Games.

In the wake of recently reported cyber attacks, in which hackers gained access to companies’ internal networks by using social engineering to compromise multi-factor authentication (MFA), enterprises should look at how they are managing this complex cybersecurity area.

Social engineering attacks, when attempted by someone competent, are extremely hard to defend against as they target our human vulnerabilities rather than trying to bypass technology security. Multi-factor authentication (or MFA) requires users to provide two or more verification factors to gain access to an account or resource and is a recognized and highly recommended way to layer security controls. However, the recent attacks against Uber and Rockstar have proven that, even with MFA in place, this additional security layer can be bypassed.

What Do We Know About The Recent Attacks?

In mid-September, Uber reported a network breach that led to shutting down some of its internal communications and locking its codebase to prevent any new code changes. The attacker reportedly targeted a contractor by sending multi-factor authentication login messages, according to Uber. The attacker allegedly sent multiple notifications, sometimes called “MFA fatigue,” until the contractor accepted. Once the contractor accepted one fake two-factor login approval, the attacker was able to successfully log in. Uber says no public-facing systems or customer data was accessed but that its investigation is ongoing.

Several days later, video game maker Rockstar Games announced it recently suffered a network intrusion from an unauthorized third party. The company says the attacker was able to gain confidential information, including early development footage for its blockbuster game, Grand Theft Auto. The company said work on the new game will continue as planned.

Reportedly, the attacker behind both attacks is a 17-year-old. He was arrested by the City of London Police in late September.

How To Protect Yourself

Despite the recent attacks, MFA remains an important part of cyber defense strategy. The best defense for companies is a holistic cybersecurity program that is appropriately resourced and one that continuously reviews the threats against the business, adapts to them, and promotes a culture of awareness and healthy skepticism among its staff. Security is fluid and never static. What may work one day as a defense may fail the next.

Flexibility and the confidence to adapt to evolving threats are key tenets of security today. Unfortunately, there is no magic technology that can protect against all the current and future threats.

It must be noted, though, that Uber believes that the password was scraped from the dark web and not actually obtained through social engineering, as the attacker claimed. This highlights the need for enterprises to not only monitor their own networks, but also their vendors and suppliers, and to even go further outside the wire. All organizations should consider monitoring for their data and credentials on the clear, deep, and dark web as these can alert them to a potential data breach or to accounts that need to be reset.

These types of attacks, which have also been linked to Lapsus$, only add to the lessons around MFA that came to light following a series of Lapsus$ attacks earlier this year. The March attacks illustrated how push notifications in MFA can easily open an organization up to human error, and the Uber attacker’s claim of bypassing MFA with social engineering is now highlighting how businesses can go one step further to improve MFA’s effectiveness.

Authentication methods like number matching, in which users must enter codes from authentication applications, offer more secure verification than codes sent via text or email, which are more easily intercepted. Another option is switching to a physical authentication key for employees.

Once aware of the breach, Uber demonstrated a great incident response, which included rotating keys to reset access. Now, as they work with the FBI and United States Department of Justice to analyze how the breach took place, it is important that enterprises and IT teams stay vigilant for any lessons that can be gleaned from the last weekend.

Tom Huckle serves as BlueVoyant’s Director of Information Security & Compliance EMEA.