Social Engineering and VPN Access: The Making of a Modern Breach

Originally published by Lookout.

Written by Hank Schless, Senior Manager, Security Solutions, Lookout.

In what seems to be a constant drip of headlines about large enterprises experiencing security incidents, the world most recently learned of a successful data infiltration of rideshare and delivery company Uber. In a blog update, Uber attributed the attack to the infamous Lapsus$ group that has made a name for itself over the past year with successful breaches of household names including Microsoft, Rockstar Games, Samsung, Nvidia, Ubisoft, and Okta.

Luckily, corporations have become better at disclosing compromises, and Uber was no exception, promptly providing details of what happened. As a result, the security community knows about the tactics used in this attack and are better positioned to defend their organizations.

According to news reports and Uber’s own blog, a third-party contractor’s credentials were compromised either by social engineering (according to Lapsus$) or by purchasing the credentials from the Dark Web (according to Uber). Either way, the threat actor bombarded the user with multi-factor authentication (MFA) requests and was able to convince them, pretending to be an Uber IT staff, to accept the login. Once the threat actor was in, they moved laterally and found privileged credentials hard-coded into some automation script. From there they gained additional access to a myriad of cloud apps and data inside the company’s network.

Uber was the target this time around, but the broader lesson here is that the threat landscape continues to evolve. This attack illustrates the tactics that continue to be effective, which will help security and IT teams across the globe to better understand what proactive steps they can take to avoid being next.

VPN: Basic authentication and network-wide access

Nowadays, a wide range of users need anywhere access to your infrastructure — whether its employees, partners or contractors. And the default method of connecting them has often been virtual private networks (VPN). But this can be a problem; and I’m not just talking about the poor user experience created by network hair-pinning.

Basic authentication methods that are prone to social engineering

VPN relies on basic security controls: passwords and MFA. But just because someone entered the correct username and can produce an MFA token, doesn’t mean they’re legitimate. But without additional telemetry, such as user behavior analytics, organizations have no way of telling whether an account has been compromised.

Because threat actors only need to get past the login process to compromise an infrastructure, social engineering has become very effective. This is especially true with the increased usage of mobile devices, where there are countless channels to deliver credential-stealing phishing attacks, including SMS and iMessage, third-party messaging apps, and social platforms such as social media and dating apps.

Network-wide access makes lateral movement easy

Another risk VPNs create is that they grant users more access than what they need, also known as overprovisioning. Once someone logs onto a VPN profile they often have access to a wide range of systems within that network. If the profile is compromised, this enables the attacker to perform discovery operations to see what other opportunities there may be and move laterally in what’s called a “land-and-expand” operation.

How to protect your organization: three key actions to take

It’s tough to find the silver lining in any security incident, but we can always do our best to learn from each one. Let’s take a look at what we can glean from this incident.

Limit access to your VPNs, especially for third-parties

Enabling seamless collaboration with third parties is critical to any business, but you need to do so with security in mind. To minimize breaches, ensure that your users only have access to what they need to get their job done, also known as “just-enough-privileges.” You may also want to limit the amount of time someone gets access with “just-in-time” access.

To get this level of segmentation, you should look beyond VPN and its all-or-nothing access controls. This not only limits a threat actor’s ability to move laterally, but it also reduces the risk from phishing attacks. Look for technologies, such as zero trust network access (ZTNA) that can address these additional requirements.

Don’t just rely on passwords and MFA

Strong passwords and MFA are solid security baselines, but they alone aren’t enough. Given the variety of devices, networks, and locations your users may be connecting from, it’s incredibly difficult for traditional security tools to differentiate between legitimate users and malicious actors.

This is where additional telemetry needs to be taken into account, such as user behavior or the risk level of the device they’re using. For example, if a user logs in from an anomalous location on a device they don’t typically use or tries multiple times to connect from different networks, those should be flagged. You also need to detect when privileges change, as that’s one of the first things an attacker will attempt to do so they can gain even greater access to your network.

Protect your employees from social engineering

An entire attack chain often can’t be executed without an initial foothold, which is most commonly achieved with a compromised credential. Gone are the days of brute force attacks. It’s much easier to purchase a phishing kit on the Dark Web or create a proxy that reroutes the targeted user to a fake-version of their corporate login.

As attackers get better at launching social engineering scams, you need to protect your employees across all devices. The first step is to ensure your users are properly trained, especially when it comes to modern phishing attacks coming through from mobile-related channels. Next, you need the ability to block phishing attacks and malicious network traffic across your mobile devices, laptops, and desktops. Being able to detect inbound and outbound internet connections means you can block malicious sites from reaching your users, as well as preventing any data from leaking out.

No security problems can be solved in isolation

As an industry, we’ve been conditioned to think of different aspects of security as standalone problems. In reality, a breach can only be stopped if each of the steps outlined above work in unison.

For example, you should be able to restrict or block a user’s access from any endpoint if it becomes compromised. And if an account is taken over, you should be able to actively monitor their behavior, so you can quickly restrict or eliminate access. To enforce these consistent and dynamic policies, you need the ability to automate responses based on telemetry of device, user, app, and data.

Just as no cloud apps reside on an island, no security problems can be solved in isolation. To truly reduce risks and protect your data, you need a unified platform that thinks about your security holistically.