An IBM hacker breaks down high-profile attacks
On September 19, 2022, an 18-year-old cyber attacker known as “teapotuberhacker” (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they stole over 90 videos of the upcoming Grand Theft Auto VI game. They then posted these videos on the fan site GTAForums.com. Players were given an unsanctioned sneak peek of gameplay footage, characters, plot points and other critical details. It was a game developer’s worst nightmare.
In addition, the malicious actor claimed responsibility for a similar security breach affecting ride-sharing company Uber just a week before. According to reports, they infiltrated the company’s Slack by tricking an employee into giving them access. The employees then spammed multi-factor authentication (MFA) push notifications until they gained access to internal systems, where they could browse the source code.
Incidents like the Rockstar and Uber hacks should serve as a warning to all CISOs. Proper security must consider the role information-hungry actors and the public can play when handling sensitive information and intellectual property.
Stephanie Carruthers, Chief People Hacker for the X-Force Red team at IBM Security, broke down how the incident at Uber happened and what helps prevent this type of attack.
“But we have MFA”
First, Carruthers believes that a potential and even likely scenario is that the person targeted by Uber could have been a contractor. The hacker likely purchased stolen credentials belonging to this entrepreneur on the dark web – as a first step in their social engineering campaign. The attacker likely then used these credentials to log into one of Uber’s systems. However, Uber had multi-factor authentication (MFA) in place and the attacker was asked to validate his identity multiple times.
According to reports, “TeaPot” contacted the target victim directly with a phone call, pretending to be IT, and asked them to approve the MFA requests. Once they did, the attacker logged in and was able to access various systems, including Slack and other sensitive areas.
“The key lesson here is that just because you have measures like MFA in place doesn’t mean you’re safe or that attacks can’t happen to you,” Carruthers said. “For a very long time, a lot of organizations said, ‘Oh, we’ve got the MFA, so we’re not worried.’ That’s not a good mindset, as shown in this specific case.”
As part of her role at X-Force, Carruthers performs social engineering assessments for organizations. She has been doing MFA bypass techniques for clients for several years. “That mindset of having a false sense of security is one of the things I think organizations still don’t understand because they think they have the tools in place so it can’t happen to them.”
Social engineering tests can help prevent this type of attack
According to Carruthers, social engineering tests fall into two buckets: remote and on-site. She and her team look at phishing, voice phishing and smishing for external tests. The on-site work involves the X-Force team showing up in person and essentially breaking and entering a client’s network. During the testing, the X-Force teams attempt to coerce employees into giving them information that will allow them to breach systems – and note those who try to stop them and those who don’t.
The team’s remote test focuses on an increasingly popular method: layering the methods together almost like an attack chain. Instead of just running a phishing campaign, this adds another step to the mix.
“What we will do, just as you saw in this Uber attack, is follow up the phish with phone calls,” Carruthers said. “Targets will tell us the phish sounded suspicious, but thank us for calling because we have a friendly voice. And they will actually comply with what the phishing email asked for. But it’s interesting to see attackers who start to layering social engineering approaches instead of just hoping one of their phishing emails works.”
She explained that the team’s chances of success triple when they follow up with a phone call. According to IBM’s 2022 X-Force Threat Intelligence Index, the click-through rate for the average targeted phishing campaign was 17.8%. Targeted phishing campaigns that added phone calls (vishing or voice phishing) were three times more effective, yielding a click from 53.2% of victims.
What is OSINT – and how it helps attackers succeed
For bad actors, the more intelligence they have on their target, the better. Attackers typically gather intelligence by scraping data readily available from public sources, called open source intelligence (OSINT). Thanks to social media and publicly documented online activities, attackers can easily profile an organization or employee.
Carruthers says she spends more time on OSINT today than ever before. “Actively getting information about a company is so important because it gives us all the pieces to build the campaign that’s going to be realistic in terms of our goals,” she said. “We often look for people who have access to more sensitive information, and I wouldn’t be surprised if that person (in the Uber hack) was chosen because of the access they had.”
For Carruthers, understanding what information is out there about employees and organizations is crucial. “The digital footprint can be leveraged against them,” she said. “I can’t tell you how many times customers come back to us and say they couldn’t believe we found all this stuff. A small piece of information that seems innocuous can be the cherry on top of our campaign that makes it look much more realistic.”
Strategies for preventing specific hacks
Although multi-factor authentication can be bypassed, it is still a critical security tool. However, Carruthers suggests that organizations consider distributing a physical device as a Fido2 token. This option shouldn’t be too difficult to manage for small and medium-sized businesses.
“Then I recommend using password managers with long, complex master passwords so they can’t be guessed or cracked or anything like that,” she said. “These are some of the best practices for applications like Slack.”
Of course, no hacking prevention strategy that addresses social engineering would be complete without security awareness. Carruthers advises organizations to be aware of attacks in the wild and be ready to address them. “Companies need to actually review and assess what is included in their current training and whether it addresses the realistic attacks that are happening today against their organization,” she said.
For example, the training might teach employees not to give their passwords to anyone over the phone. But when an attacker calls, they may not ask for your password. Instead, they may ask you to log in to a website that they control. Organizations will want to ensure that their training is always fresh and interactive, and that employees remain engaged.
The final piece of advice from Carruthers is that companies should refrain from relying too heavily on security tools. “It’s so easy to say you can buy a certain security tool and never have to worry about being phished again,” she said.
The main takeaways here are:
- Incorporate physical entities into MFA. This builds a significant roadblock for attackers.
- Try to minimize your digital footprint. Avoid oversharing in public forums such as social media.
- Use password managers. In this way, employees only need to remember one password.
- Strengthen security awareness programs with a particular focus on social engineering threats. All too often, security awareness misses this key element.
- Don’t rely too much on security tools. They can only take your security position so far.
Finally, it’s important to reiterate what Carruthers and the X-Force team continue to prove with their social engineering tests: a false sense of security is counterproductive to preventing attacks. A more effective strategy combines quality security practices with awareness, adaptability and vigilance.
Learn more about X-Force Red penetration testing services here. To schedule a free consultation with X-Force, click here.