The Uber Hack: MFA Fatigue is a Growing Threat to Enterprise Networks

Tom Badders
October 26, 2022 • 4 min read
Multi-Factor Authentication

Thanks to the recent high-profile Uber hack, you may recently have been introduced to the term “MFA fatigue.” Also called “MFA bombing” or “MFA spamming,” MFA fatigue attacks are receiving more notoriety as threat actors continue to up their game in an effort to bypass the protection of multi-factor authentication. 

MFA fatigue attacks take advantage of users whose login credentials have been compromised, bombarding them with authorization requests until they eventually give in and approve one. What’s especially insidious about MFA fatigue attacks is that they use people’s trust in MFA against them. 

When people attempt to log into MFA-protected resources, they typically receive a push notification or a code to confirm their credentials. Either way, users are trained to respond to these alerts, and to do so with confidence, believing they’re being granted permission to access critical resources.

But what if their MFA platform has been turned against them?  What if using their MFA system actually lets an adversary into their network? That’s a chilling prospect, because users who have been conditioned to use their MFA application assume that everything is in order, that they’re “doing the right thing.”  They don’t expect their organization’s MFA platform to betray them.

MFA fatigue attacks take advantage of human nature. 

Be careful before you say, “That’s crazy, I’d never accept an MFA prompt I hadn’t initiated.”  Human nature and conditioned responses are at work here, as they are in any social engineering exploit. People become stressed and distracted in their daily work. If they can be tricked into clicking on a link in a random phishing email, they can certainly be tricked into accepting a push notification from their employer’s own MFA app. 

In the Uber hack, the threat actor used an Uber contractor’s compromised VPN credentials to repeatedly attempt to log in, generating an MFA notification each time.  The adversary even reached out to the contractor on WhatsApp, pretending to be with Uber IT support, to encourage them to accept.  When they finally did, the attacker had access to the Uber VPN and tunneled further into the Uber network to breach critical systems such as the company’s email, cloud storage, and code repository.  

Note that in this attack, neither the VPN nor MFA saved Uber from being breached. In fact, the two were exploited together to enable the adversary to blow through the organization’s first line of access defense and enter the enterprise network.  Note also that there are MFA attacks that exploit technical vulnerabilities such as zero days and system misconfigurations. In other words, not all MFA hacks require social engineering or human weaknesses to be successful.

Critical assets need an additional layer of security.

The core message here is that you need failsafe measures when your MFA platform is breached or bypassed. Your greatest priority is ensuring that your most critical assets are protected – the data, information, and applications whose compromise could be an existential threat to your organization.

One effective solution is network obfuscation, which prevents digital resources from being visible within the enterprise network or on the public internet. Network obfuscation cordons off your crown-jewel assets in an “invisible vault” that keeps unauthorized users from even knowing they exist. Best of all, you can continue using your current cloud-based or on-premises server environment to host the assets. 

To learn more about enterprise MFA attacks and how network obfuscation can help protect your most critical assets, download the ebook: Multi-factor Authentication Requires a Fallback Plan.

Tom Badders
Senior Product Manager
Tom Badders is a Senior Product Manager at Telos Corporation.
Read full bio

Subscribe to Our Newsletter

Although we may use your information for targeted marketing and advertising, as described in the Privacy Policy, we will never sell your information to any third party.