How the recent Uber social engineering attack unfolded:
- The attacker bombarded an employee with non-stop two-factor authentication requests.
- Messaged the employee via WhatsApp, claiming to be from the corporate IT department.
- Pressured the employee into accepting the authentication request.
- Was thus able to impersonate the employee and get into Uber’s corporate IT.
- Looked around for other vulnerable attack surfaces and found a PowerShell script lying around that contained the admin credentials of the PAM [Privileged Access Manager: can be thought of as a sophisticated ID/password store that regulates access to the various apps and services of an org].
- Once inside the PAM, elevated the stolen privileges to admin roles across various applications, services, etc.
- And then went on to breach the public cloud accounts, even getting hold of the org-wide Slack, vulnerability scan data and the vulnerability bounty program.
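The push-bombing step at the start of that chain leaves a visible trace on the authenticator's side. As an added example (not from the original post, and not Uber's tooling), here is a small detector run over constructed authentication log lines in a hypothetical "time user event" format: it flags a user who receives an unusual burst of push prompts inside a sliding window, and an approval that follows a run of recent denials, which is the moment the employee finally gave in.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "<ISO time> <user> <event>" format,
# modelled on the push-bombing sequence described above; not real logs.
SAMPLE_LOG = """\
2022-09-15T22:01:05 alice push_sent
2022-09-15T22:01:40 alice push_denied
2022-09-15T22:02:10 alice push_sent
2022-09-15T22:02:30 alice push_denied
2022-09-15T22:03:00 alice push_sent
2022-09-15T22:03:20 alice push_denied
2022-09-15T22:04:05 alice push_sent
2022-09-15T22:04:15 alice push_denied
2022-09-15T22:07:30 alice push_sent
2022-09-15T22:08:00 alice push_approved
2022-09-15T22:03:00 bob push_sent
2022-09-15T22:03:09 bob push_approved
"""
WINDOW = timedelta(minutes=10)  # sliding window per user
MAX_PROMPTS = 3                 # more prompts than this inside WINDOW is a burst
MIN_DENIALS = 3                 # an approval after this many recent denials is suspicious

def parse(log):
    """Parse lines into (timestamp, user, event); sort because lines may arrive out of order."""
    events = []
    for line in log.splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return sorted(events, key=lambda e: e[0])

def detect_mfa_fatigue(log):
    """Return (user, alert_kind, timestamp) tuples for push-fatigue patterns."""
    alerts = []
    prompts, denials = defaultdict(deque), defaultdict(deque)
    burst_alerted = set()  # one burst alert per user, not one per extra prompt
    for ts, user, event in parse(log):
        for q in (prompts[user], denials[user]):  # expire entries older than WINDOW
            while q and ts - q[0] > WINDOW:
                q.popleft()
        if event == "push_sent":
            prompts[user].append(ts)
            if len(prompts[user]) > MAX_PROMPTS and user not in burst_alerted:
                alerts.append((user, "push_burst", ts))
                burst_alerted.add(user)
        elif event == "push_denied":
            denials[user].append(ts)
        elif event == "push_approved" and len(denials[user]) >= MIN_DENIALS:
            alerts.append((user, "approval_after_denials", ts))
    return alerts
```

On the sample above, alice triggers both alerts while bob's single prompt-and-approve is left alone; the thresholds are starting points to tune against a real prompt baseline.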
Why YOU, the employee, are a golden target for such attacks:
“A team is only as strong as its weakest member.”
— Anon…
When we join an organization as employees, we automatically become an extension of that organization in the digital space. No matter how hard we try to keep our personal and professional lives separate, most of us still end up using our office machines for personal errands, from paying bills to filing taxes.
Thus, for cyber criminals leveraging social engineering tactics, employees like us are the softest targets to hit, because:
- Many of us are remote employees, and this keeps us away from the support of our IT departments.
- Not all employees are (equally) technically savvy.
- It is easy to sneak in compromised devices and apps via employees.
- Humans are not good at recognizing attack vectors such as phishing emails.
- Social engineering attackers keep reinventing themselves: it was email/phone spoofing at one point, and it has now evolved into complex tactics involving various social media platforms.
How to not get hacked as an employee in 2022:
Protecting data, users and privacy takes enterprise-wide (and coordinated) efforts. However, below are some tips that I personally follow that provide improved security and privacy on an individual employee level.
Be boring and follow rules:
Usually it is complying with some good ol’ rules about passwords that can take YOU, the employee, really far in getting secure:
- Use a unique, long and strong password for each account, containing a mix of special, lowercase, uppercase and numeric characters. Keep your passwords updated as per your organization’s stipulated policies. Here are the CIS best practices when it comes to passwords.
- Take your organization’s cyber awareness training(s) seriously and follow all mandated protocols strictly in your day-to-day work. Consider joining a group like the SANS training community to understand how to maintain good cyber security hygiene.
- Never keep IDs and passwords in text files, scripts or code files.
Be gutsy and insist on better security standards for yourself and your teammates:
- Think before you click and never get intimidated. Feel free to verify and double-check any type of access or authentication requests you get from your colleagues (known or unknown) and always err on the side of caution.
- Use encryption for your email communications and also use a VPN to maintain privacy. Insist on using messaging services that offer end-to-end encryption to communicate within or outside your organization. Here is how to send an encrypted email via Gmail. Here are comparisons of the top VPN providers for 2022 by TechRadar.
- Learn to recognize social media-based attacks; here are some great tips from CISA on how to do that.
I would love to know any more such security protocols that you follow. Feel free to comment and add to my list!