Recently, a prominent ride-hailing and food delivery company suffered a major cybersecurity attack; the hacker(s) managed to penetrate the organization’s internal network and gain access to their back-end systems, including the ones storing private and sensitive customer data. Data exfiltration was neither confirmed nor denied, but several internal services, including internal communications seem to have been disrupted, rendering them temporarily unavailable or unusable, according to various sources.
Knowing that the aforementioned company holds private customer data for about 57 million users gives an idea of the potential risk of such an attack, and the tremendous impact it had and could have had. This shows us that no organization, no matter its size, is safe from an attack, not only from foreign state-sponsored hackers, but single individuals operating “for fun” and/or monetary gains.
How Did This Happen?
After remediating an incident, once data has been recovered and services reestablished, the first step is to perform is a deep post-incident investigation to fully understand what exactly happened, how it happened, and what made it possible.
As usual in such a complex, advanced attack, it was not one single weak point that was exploited, but rather a chain of failures and weaknesses that were maliciously exploited, resulting in the hacker having privileged access to the internal organization’s network, services, and data.
The attack can be summarized in mainly three phases:
In the first phase, hackers leveraged compromised credentials from company employees or contractors, obtained using social engineering. Hackers tricked said employees into approving a Push Notification sent to their devices, which opened the door for them to get in.
Multi-Factor Authentication (MFA) is an authentication method in which a user is required to present two or more pieces of evidence (or factors) to authenticate. These factors include but are not limited to something a user knows, like a credential – such as a password or PIN – or something they physically possess, like a mobile device, hardware token, or Credit “Card Verification Value” (CVV).
MFA Fatigue is social engineering technique that sends an overwhelming amount of MFA notifications to drive the user to accidentally approve the login attempt or approving just to make the MFA notification prompts to go away.
In the second phase, once inside the corporate network, hackers performed what in cybersecurity is called a “lateral move,” which is jumping from one system to another internally, to get access to said system and the data on it, aiming to either steal data, render it unavailable, or both. In this case, hackers managed to steal the credentials from several employees’ accounts, with high security permission levels. Such accounts, known as “privileged accounts” or “super admin”, have full access on the systems they are associated with, and are only used by trusted, authorized personnel for specific implementation and administration tasks (e.g., system installation, updates, configuration changes) but not daily maintenance tasks, for which lower privileged accounts are used instead. These credentials should be stored securely, only accessible to a limited number of people, and access to said accounts should be highly audited and controlled using validation to ensure they are only used by the right people, for the right task, at the right time. These credentials, such as passwords and PINs, should also be rotated from time to time, so they are more resistant to potential exploits.
In the final phase, using these stolen privileged accounts, the hacker was able to get access to some of the company’s core services, including their secure communications platform, a financial invoicing tool, and a web dashboard used by the IT security team to internally report bugs and vulnerabilities.
A cyberattack of this magnitude can be devastating for a company, but there are steps you can take to ensure your infrastructure is optimally secured. In our next blog post, we will discuss how you can best protect yourself and your company from a major hack. In the meantime, if you have any questions about cybersecurity and how you can bolster your security posture, please contact us with any questions and we’d be happy to help.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group