Hacker Tracker: October 2022
The cybercriminals have been busy recently. They’ve attacked a string of high-profile victims including Uber, Rockstar Games, and IHG.
While the security vulnerabilities the attackers exploited differed from attack to attack, there’s a common theme: the inadequacy of legacy cybersecurity solutions against the ever-evolving methods of hackers.
Read on to learn about the most significant recent attacks, which vulnerabilities were exploited by the hackers, and what the fallout has been.
Microsoft ADFS
When it happened
Ongoing
What happened
Microsoft has warned that APT29, the notorious Russian state-sponsored cybercriminals behind the 2020 SolarWinds attack, has devised a new and highly sophisticated way of bypassing authentication.
How the attack is carried out
Dubbed ‘MagicWeb’ by Microsoft, the technique is a post-exploitation DLL swap: an attacker who already holds a single privileged account with access to the AD FS server replaces a legitimate AD FS component with a malicious DLL to establish persistence and then allow subsequent authentications using any User Principal Name. Instead of targeting supply chains, as was done with SolarWinds, MagicWeb exploits admin credentials and enterprise identity systems like Microsoft AD FS (Active Directory Federation Services).
While the attack does not rely on a supply chain compromise, the broad user impersonation it enables creates a near limitless lateral movement risk. That not only magnifies the damage during the compromise itself but also significantly complicates forensics during post-detection recovery, since any authentication passing through the compromised AD FS server becomes suspect.
The fallout so far
It is unclear as yet which organizations APT29 has hacked into; no specific details of attacks have been publicized.
InterContinental Hotels Group
When it happened
September 5, 2022
What happened
InterContinental Hotels Group (IHG), hospitality giant and parent of storied brands such as Kimpton, Crowne Plaza, Hotel Indigo, and Holiday Inn, operates 6,000 hotels globally. The company suffered a damaging cybersecurity breach on September 5. The attackers, reportedly a couple from Vietnam, initially attempted to carry out a ransomware attack, but IHG’s cybersecurity defenses prevented this. Frustrated, the attackers then vindictively deleted large amounts of company data, according to their comments to the BBC.
How the attack was carried out
The attackers gained access to IHG’s internal IT systems by tricking one of its employees into downloading malware from an email. They were then able to bypass IHG's legacy, phishable MFA using nothing more than social engineering.
After this, they gained access to IHG’s internal password vault, which was protected by a password that was not only very weak—“Qwerty1234”—but available to all employees. This enabled them to enter the most sensitive areas of the company’s IT systems.
The fallout so far
IHG lost a significant amount of company data (although not consumer data) and experienced significant disruption to its booking and check-in systems. Furthermore, IHG is now facing a class action lawsuit from franchisees over lost revenue resulting from cybersecurity negligence.
Steam
When it happened
September 2022 and ongoing
What happened
Users of Steam, a leading online gaming platform, are being targeted by a “browser-in-the-browser” phishing attack. This was exposed in a report by Group-IB, published on September 13.
How the attack is carried out
Posing as hosts of a game, the attackers invite potential victims to visit a phishing site disguised as a genuine platform. This phishing site then presents visitors with a fake Steam sign-in pop-up—the “browser in the browser,” a window drawn inside the page to imitate a real browser pop-up—allowing the attackers to capture the Steam login details of those who fall prey to the scam.
The fallout so far
Dozens, perhaps hundreds, of Steam users have become victims of browser-in-the-browser attacks like these. Some of these users have had hundreds, or even thousands, of dollars worth of games and downloadable content stolen from them.
U-Haul
When it happened
September 9, 2022
What happened
U-Haul, an American storage rental and moving company, experienced a significant breach of sensitive customer data over several months. The company disclosed this breach to affected customers—totaling 2.2 million customers—on September 9. The attackers gained unauthorized access to rental contracts, which contained data such as driver’s license information and state ID numbers.
How the attack was carried out
The attackers were able to access the rental contracts by obtaining two passwords for U-Haul’s customer contract search tool. This was possible because U-Haul had not implemented cybersecurity defenses, such as phishing-resistant MFA, on an application holding large volumes of valuable and highly sensitive information about its customers.
The fallout so far
U-Haul has provided affected customers with a year of Experian identity theft protection for free. However, the customers may have to remain vigilant against this threat for far longer than that. U-Haul is also now facing a class action lawsuit for failing to protect customer data.
Uber
When it happened
September 15, 2022
What happened
A hacker affiliated with the Lapsus$ group breached Uber’s computer network, forcing the company to take many of its internal and enterprise software systems offline.
How the attack was carried out
Uber has said the attacker probably purchased the password of one of the company’s contractors on the dark web and then used it to gain access to many of Uber’s computer systems. While Uber did implement MFA for these contractors, its push-based approach was easily susceptible to phishing attacks, and in this case MFA bombing alone was enough to get in. MFA bombing is the practice of repeatedly attempting to log in with a compromised password so that the legitimate user receives a fatigue-inducing flood of push approval requests, on the expectation that they will eventually approve one just to make the prompts stop.
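The push-fatigue pattern described above is visible in authentication logs: a run of denied or ignored push prompts for one account, followed shortly by an approval. The following detection logic is an added example, not code from the original post or from any vendor; the log format, field names (user, src, push), constructed sample lines, and the 10-minute / 3-rejection thresholds are all assumptions for illustration.

```python
# Added example: flag push-MFA "bombing" / fatigue patterns in constructed
# authentication log lines. Log format, field names and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one password-valid login attempt per line, with the
# outcome of the push prompt sent to the user's phone.
SAMPLE_LOG = """\
2022-10-01T02:10:05Z user=contractor01 src=203.0.113.7 push=DENIED
2022-10-01T02:10:41Z user=contractor01 src=203.0.113.7 push=TIMEOUT
2022-10-01T02:11:20Z user=contractor01 src=203.0.113.7 push=DENIED
2022-10-01T02:12:02Z user=contractor01 src=203.0.113.7 push=DENIED
2022-10-01T02:13:30Z user=contractor01 src=203.0.113.7 push=TIMEOUT
2022-10-01T02:14:55Z user=contractor01 src=203.0.113.7 push=APPROVED
2022-10-01T02:15:10Z user=alice src=198.51.100.4 push=APPROVED
2022-10-01T03:40:00Z user=bob src=198.51.100.9 push=DENIED
2022-10-01T03:41:00Z user=bob src=198.51.100.9 push=APPROVED
"""

def parse_line(line):
    """Turn 'ts user=.. src=.. push=..' into a dict with a datetime timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_push_fatigue(log_text, window=timedelta(minutes=10), min_rejected=3):
    """Return {user: details} for users who denied/ignored at least `min_rejected`
    push prompts inside `window` and then approved one. A single mis-tap denial
    followed by an approval (user bob below) is normal and is not flagged."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            events[rec["user"]].append(rec)
    alerts = {}
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["push"] != "APPROVED":
                continue
            earlier = [r for r in recs[:i] if rec["ts"] - r["ts"] <= window]
            rejected = [r for r in earlier if r["push"] in ("DENIED", "TIMEOUT")]
            if len(rejected) >= min_rejected:
                alerts[user] = {
                    "rejected_before_approval": len(rejected),
                    "sources": sorted({r["src"] for r in rejected}),
                }
                break  # one alert per user is enough for triage
    return alerts
```

An approval that follows a burst of rejections from a single source is the event to escalate; the same logic can be tightened by also requiring that the approving session's source differ from the user's usual locations.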
The fallout so far
The attack caused Uber to temporarily shut down a number of its internal systems, but fortunately, the attacker wasn’t able to steal sensitive customer data, affect public-facing systems, or alter Uber’s underlying software code.
However, attacks like these damage the company’s reputation, exacerbated in this case by the provocative behavior of the attacker, who announced their presence in the company’s Slack and redirected some employees to an explicit image.
Rockstar Games
When it happened
September 16, 2022
What happened
Ninety videos and images from the not-yet-released Grand Theft Auto 6, produced by Rockstar Games, were illegally accessed and downloaded by a cyberattacker, who then published them on GTAForums. The hacker claimed to be the same person behind the Uber attack, although this claim hasn’t yet been verified.
How the attack was carried out
Neither Rockstar Games nor the attacker has shared details of exactly how the breach occurred. However, in a message on GTAForums, the attacker hinted that they used MFA bombing tactics similar to those used in the Uber attack.
The fallout so far
Rockstar Games has released a statement saying that the leak will not cause long-term damage to work on GTA 6. However, in the short term, this attack has clearly caused significant disruption.
The attacker indicated that they are attempting to extort Rockstar Games, posting "I will leak more if Rockstar/Take2 doesn't pay me" on the 4chan forum. It is unclear whether the hacker has actually obtained any data beyond what has already been leaked online.
Other hacking news
EvilProxy
A turnkey "phishing-as-a-service" offering that allows cybercriminals to bypass two-factor authentication is being sold on the dark web. It generates phishing pages that mimic the login pages of major online services like Instagram and Google.
Joint CSA—#StopRansomware: Vice Society
Three government agencies—the FBI, CISA and MS-ISAC—have released a joint Cybersecurity Alert (CSA) detailing the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) used by Vice Society, ransomware attackers who primarily target the education sector.
Preventing successful attacks
As many of these attacks demonstrate, passwords and legacy multi-factor authentication solutions are no longer enough to repel the increasingly sophisticated methods being used by cybercriminals.
Beyond Identity's always phishing-resistant MFA stops phishing attacks in their tracks, replacing vulnerable passwords and one-time codes with three unphishable factors:
- Device biometrics and local PINs with anti-hammering protections
- Cryptographic security keys stored in the Trusted Platform Module (TPM) of the device
- Security checks of the user, device, application channel, and transaction at the time of login
Book a demo today to see how Beyond Identity’s zero trust authentication can protect your organization from cyberattacks.