09.19.22

Corvus Threat Intel

Uber is Hacked, Record-Breaking DDoS Attacks, & Phishing Attempts

Uber is hacked, record-breaking DDoS attacks hit Europe, and threat actors exploit the Queen's passing. 


Uber Compromised through Social Engineering

Ridesharing giant Uber Technologies suffered a data breach which may have given a hacker access to its Slack server, AWS, source code, vulnerability reports, and more. How the hacker claimed to have gained access follows a pattern many top companies have already fallen victim to. After obtaining an Uber employee’s username and password in a phishing attempt, the attacker spammed the user with multi-factor authentication (MFA) push requests for over an hour. The threat actor expedited the process by contacting the user via WhatsApp, claiming to be from Uber IT, and convinced the employee to accept the MFA request. This gave the attacker access to the network via Uber’s VPN service. Once inside the network, the attacker found a PowerShell script with a hardcoded administrative username and password, which enabled them to pivot around the network and gain access to additional data. The breach is still being investigated, so additional details are likely to surface in the coming days.

Why This Matters

This is yet another example of a large, sophisticated corporation’s external security unraveling due to social engineering of a single account. MFA is an excellent security control, but it is quickly becoming clear that the shortcomings of traditional push- and code-based MFA are proving costly. Organizations should look to phishing-resistant MFA for ways to mitigate simple but effective forms of MFA bypass.
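The push-bombing pattern described above (a burst of rejected or unanswered MFA prompts, then a single approval) is something an identity team can alert on while phishing-resistant MFA is being rolled out. The following is an added example, not code from the original post or from Uber: the log format, the `user=`/`event=` field names, the event names and the thresholds are all constructed for illustration and would need to be mapped onto your identity provider's real export.

```python
"""Flag MFA push-bombing ("MFA fatigue") in authentication logs.

Added example, not code from the original post or from Uber. The log
format, field names, event names and thresholds are all constructed
for illustration; map them onto your identity provider's real export.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data). Each push has a 'sent' line followed
# by its outcome: denied, timeout or approved. 'alice' shows the pattern from
# the write-up: repeated rejected pushes, then one approval after "IT" called.
SAMPLE_LOG = """\
2022-09-15T21:00:05Z user=alice event=mfa_push_sent
2022-09-15T21:00:35Z user=alice event=mfa_push_denied
2022-09-15T21:04:40Z user=alice event=mfa_push_sent
2022-09-15T21:05:10Z user=alice event=mfa_push_denied
2022-09-15T21:12:10Z user=alice event=mfa_push_sent
2022-09-15T21:12:40Z user=alice event=mfa_push_denied
2022-09-15T21:18:00Z user=alice event=mfa_push_sent
2022-09-15T21:20:00Z user=alice event=mfa_push_timeout
2022-09-15T21:22:30Z user=bob event=mfa_push_sent
2022-09-15T21:22:41Z user=bob event=mfa_push_approved
2022-09-15T21:32:45Z user=alice event=mfa_push_sent
2022-09-15T21:33:15Z user=alice event=mfa_push_denied
2022-09-15T21:40:00Z user=carol event=mfa_push_sent
2022-09-15T21:40:30Z user=carol event=mfa_push_denied
2022-09-15T21:41:00Z user=carol event=mfa_push_sent
2022-09-15T21:41:20Z user=carol event=mfa_push_denied
2022-09-15T21:44:30Z user=alice event=mfa_push_sent
2022-09-15T21:45:02Z user=alice event=mfa_push_approved
"""

REJECTIONS = {"mfa_push_denied", "mfa_push_timeout"}


@dataclass(frozen=True)
class MfaEvent:
    ts: datetime
    user: str
    event: str


@dataclass(frozen=True)
class Alert:
    user: str
    rejections: int        # rejected/unanswered pushes inside the window
    first: datetime
    last: datetime
    approved_after: bool   # an approval followed the burst: treat as compromise


def parse_line(line: str) -> MfaEvent:
    """Parse '<ISO8601 UTC timestamp> key=value ...' into an MfaEvent."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return MfaEvent(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
                    kv["user"], kv["event"])


def parse_log(text: str) -> list[MfaEvent]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect_push_bombing(events: list[MfaEvent],
                        window: timedelta = timedelta(minutes=60),
                        threshold: int = 5) -> list[Alert]:
    """Alert when a user rejects or ignores >= threshold pushes within window.

    A sliding window over each user's rejection timestamps finds the densest
    burst. If an approval lands within `window` of the burst's end, the alert
    carries approved_after=True: the user probably gave in, which is the
    point at which the attacker holds a valid session.
    """
    by_user: dict[str, list[MfaEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    alerts: list[Alert] = []
    for user, evs in by_user.items():
        rejects = [e for e in evs if e.event in REJECTIONS]
        best = None                      # (count, first_ts, last_ts)
        start = 0
        for end in range(len(rejects)):
            while rejects[end].ts - rejects[start].ts > window:
                start += 1               # drop rejections older than the window
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, rejects[start].ts, rejects[end].ts)
        if best is None:
            continue
        count, first, last = best
        approved_after = any(
            e.event == "mfa_push_approved" and first <= e.ts <= last + window
            for e in evs)
        alerts.append(Alert(user, count, first, last, approved_after))
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(parse_log(SAMPLE_LOG)):
        sev = "HIGH (approval after burst)" if a.approved_after else "MEDIUM"
        print(f"{a.user}: {a.rejections} rejected pushes "
              f"{a.first:%H:%M}-{a.last:%H:%M} -> {sev}")
```

The threshold and window are deliberately tunable: a legitimate user occasionally taps "deny" on a stray prompt, so a single rejection is noise, while five or more inside an hour is the attacker's loop. The `approved_after` flag is the part worth paging on, since an approval at the end of such a burst is the moment the attacker gains the VPN session; on its own the detection buys time, it does not remove the weakness that phishing-resistant MFA addresses.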

Another record-breaking DDoS attack in Europe

A new distributed denial-of-service (DDoS) attack earlier this week shattered a previous record reported by Akamai in July. The attack was designed to overwhelm the victim’s servers with false traffic and requests, rendering systems unavailable to legitimate customers and web traffic. Akamai states that the threat actor was the same as in July’s attack and has been constantly bombarding the same unnamed Eastern European victim. What’s different about this week’s attack is that the threat actors increased their efforts, bombarding the target’s network with 7% more traffic than at the previous July peak. In addition, the threat actors spread the attack over six data centers instead of the single one targeted earlier. This makes September’s attack the new DDoS record for Europe. Akamai reports that 99.8% of the assault was pre-mitigated.

Why This Matters

As we well know, Eastern Europe is a conflict zone, so we may have a reasonable guess as to where the victim is and why these attacks are being carried out. It’s important to remember that no organization is too small or too large to be immune to DDoS attacks. Fortunately there are many compensating controls which can help mitigate against this, with numerous vendors offering advanced traffic filtering and DDoS protection to suit various needs.

Phishing Attempts Using Queen Elizabeth II's Passing to Steal Your Login

Threat actors read the news too. In a recent attempt to capitalize on the passing of Queen Elizabeth II, Proofpoint has detailed a phishing campaign that aims to steal Microsoft credentials. The email claims to be from Microsoft and invites recipients to take part in a fake “interactive AI memory board” to honor the late monarch. The phishing campaign is built on the EvilProxy platform we reported on last week, which is designed to automate MFA bypass. The UK’s National Cyber Security Centre (NCSC) warned, “As with all major events, criminals may seek to exploit the death of Her Majesty the Queen for their own gain.” Past events such as COVID-19 similarly saw phishing campaigns used to trick the masses. Researchers reported a 220% increase in phishing traffic at the height of the COVID-19 pandemic, with threat actors exploiting both public altruism and self-interest.

Why This Matters

We reported on EvilProxy earlier as an alarming development in productizing MFA bypass. It’s even more alarming to already be seeing this platform used to distribute such noteworthy phishing campaigns. As always, user awareness is paramount, particularly as threat actors capitalize on current events for timely social engineering attempts. In addition, the need for phishing-resistant forms of MFA is becoming increasingly apparent.

This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.