CybersecurityEXP AcademySecurity

MFA Fatigue – The September 2022 Uber Breach [Video Blog]

What is MFA Fatigue?

MFA Fatigue (also known as Push Fatigue, MFA Spam, or Authentication Fatigue) is a type of cyberattack in which the attacker bombards the target with multi-factor authentication requests in hopes that the victim will eventually approve a request, granting access to the attacker.

If the initial wave of authentication requests is unsuccessful, the attacker may try to contact the victim directly via email, text message, or phone, impersonating a trusted source such as a supervisor or corporate IT department.

What was the Uber MFA Fatigue Breach?

In September of 2022 ride sharing service, Uber, suffered a breach. According to Uber, the attacker “accessed several internal systems.” Investigators and reporters referred to the breach as a “total compromise.” The attacker posted explicit images on an internal information page, and exposed email, cloud storage, and code repositories to third parties.

This video reviews the strategy and course of action that the attacker employed.

In the process we’ll illustrate what an MFA Fatigue attack looks like.

Finally, we offer 4 tips on how to avoid being a victim of this type of attack.

1) Don’t accept MFA requests that you didn’t initiate
2) If you suspect your password has been compromised, reset it
3) Don’t trust unsolicited text messages or calls from “tech support.” Validate!
4) Enlist the pros for help

Supplemental Resources:

Have I Been Pwned? 

FREE Security Awareness Training at EXP Academy

Early Reporting of the Uber Breach–“Uber investigating ‘cybersecurity incident after report of breach” Reuters

Video Transcript:

in September of 2022 Uber was hacked. Here’s what happened:

The target was an Uber driver. His corporate password had been compromised and was available on the dark web, and we’ll get to that part later, but the attacker attempted to log into the Uber corporate network using these stolen credentials.

The login attempt triggered a multi-factor authentication (MFA) request which the driver rightly ignored.

Then came the second phase in the attack.

The attacker continued with multiple login attempts. He was relentless!

This type of attack is known as “MFA fatigue.” It’s also called “MFA spam” or “push spam” or “push fatigue” or “authentication fatigue.”

What is MFA Fatigue?

MFA fatigue is a type of cyberattack where the attacker tries to overwhelm and exhausts the target with relentless multi-factor authentication requests.

In this case, reports are that the target resisted the attack and ignored these multi-factor authentication requests.

…But then came the third phase of the attack. The hacker contacted the victim directly claiming to be the Uber IT Department. He sent a text message via WhatsApp that said something to the effect of,

“Hey! This is the I.T Department we’ve noticed some weird and probably annoying activity going on on your account. Don’t worry! It’s just a glitch in our authentication system. Just accept the next authentication request that comes through and that will correct the glitch and the problem will go away.”

And that’s where they got him!

The target accepted a request. His corporate account was compromised. And from there the attacker rooted around on the network to see if there were other vulnerabilities that he could exploit, and there were!

According to Uber, the attacker accessed several internal systems. Investigators and reporters referred to it as a “total compromise.”

The attacker exposed email cloud storage and code repositories to security firms  and to the New York Times.

So let’s dive a little deeper into MFA fatigue…

Where does the hacker get cracked passwords?

Well, there are databases of cracked passwords available on the dark web. In this case, it is suspected that the victim’s cell phone had suffered an earlier malware infection that exposed password information to the bad guys.

Worried about your own passwords? There is a service that you can use to see if your passwords are in one of these databases. It’s a site called, “Have I been pwned?” Use that site at your own discretion. You know I’ll warn you…the site is legit but validating your own active passwords by typing them into a website is not without risk.

So once the attacker has a current good password, the MFA fatigue attack can start.

Like most attacks there are certain people that may be especially vulnerable. Uber drivers fit that profile. They work odd hours–when bars close late at night or when flights arrive at the airport early in the morning. They might be tired or distracted, and they can’t turn off and ignore their cell phone so repeated MFA requests are especially irritating for that group.

The target did the right thing by ignoring the MFA requests. The critical misstep was: not validating that the text message from the IT Department was authentic.

We want to help you to not be that guy, but I don’t want to put too much blame on the driver. There were vulnerabilities in the Uber computing environment that were the real reason why the attack was so successful.

Evading an MFA Fatigue Attack

So what can you do to protect yourself?

Don’t approve an MFA request that you didn’t initiate!

If you believe your password has been compromised, reset it!

Don’t trust calls from strangers claiming to be the IT department, even if the caller ID looks legit. Caller ID can be spoofed. If you are contacted by the IT department, take the time to validate that the call is legit. Call the IT department back on a number that you know you can trust.

Enlist the pros! If you think you are being attacked, contact your I.T department or EXP Technical for help