The "MFA fatigue attack" used in the Uber security breach

Attackers spam users with MFA push notifications, until they finally accept by error or just because they are overwhelmed. This is becoming more common way of bypassing MFA.

Uber suffered a data breach, that apparently allowed an 18 year old attacker to breach Uber's security.

The attacker had already compromised an employee's credentials, that would allow him to access the corporate VPN for entering the internal network. To achieve the second factor (MFA), he spammed the user with push notification requests, until the victim accepted one, allowing him to be fully authorized into Uber's network. This is called a "MFA fatigue attack".

The spamming of MFA push notifications is a technique that is growing, because it again targets the weaker element, that is the human to achieve an advantage for the attacker. As in phishing attacks, if users are not cautious when receiving an unexpected notification (be it an email, a push notification or even an SMS/Whatsapp or telephone call), their reaction to the notification could cause security to be severely breached.

It's good that companies add "MFA fatigue attack" within their security awareness training programs, to inform users of this new type of threat, that they should immediately report to their security operations department (SOC).

As to the Uber incident, it's important to note a few weaknesses that are worth learning from:

  1. VPN is an obsolete solution, providing broad access to an internal network. New solutions like ZTNA limit access only to specific resources, that are explicitly allowed in defined conditions;
  2. Security Awareness trainings should be quarterly updated with new emerging threats;
  3. Passwords should never be hard-coded in scripts or source code. Admin passwords should be protected via PAM solutions, that are managed with special attention.

The interesting article from Graham Cluley  
Post on LinkedIn by Mario Procopio