Archive for September 16, 2022

This Latest Uber Hack Seems A Lot Like Their 2016 Hack…. Which Is Really, Really, Bad For Uber

Posted in Commentary with tags on September 16, 2022 by itnerd

Earlier today I posted a story on Uber apparently getting pwned by an 18 year old who wants higher pay for Uber drivers. I’m not going to go down that rabbit hole, but instead I will go down another one. A white hat hacker named Corben Leo appears to have had an exchange with the hacker. And he posted it to Twitter:

So in short:

  • They social-engineered an employee to get their VPN and Slack login
  • Once on Slack, they found a link to a network share
  • The share contained Powershell scripts
  • One of these embedded the username and password of an Uber admin
  • Those credentials gave them access to everything else

The New York Times apparently spoke to the hacker and got similar details. Thus I think that this is legit. The thing is, the way that the hacker got in is incredibly similar to a 2016 incident where Uber was pwned. The hackers got the names, email addresses and phone numbers of 57 million riders. The hackers also nabbed the driver’s license numbers of 600,000 Uber drivers. Which of course is bad. Uber then went out of their way to cover up the fact that they got pwned, paying the hackers $100K to keep it quiet. And to top it all off, an exec was charged with covering this up. Now in this latest hack, we have a very similar attack profile, because this is how the 2016 hack happened according to Bloomberg:

Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

This latest hack seems to have gone down in a similar manner. That is, they got access using employee credentials, and then found enough information to allow them to move laterally inside Uber’s network. That implies that Uber didn’t learn anything from their 2016 hack. Which is why I suspect that a whole lot of people on Capitol Hill and in law enforcement will be looking very long and hard at Uber. And seeing that this is an election year in the US, Uber will likely be called onto the carpet to explain why they don’t have their act together when it comes to cybersecurity.
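The common thread in the bullet list above and in the 2016 Bloomberg account is a credential sitting in cleartext where anyone who reaches the share or repo can read it. As an added example (not code from the post or from Uber), here is a small scanner a defender could run over a mounted share or a checkout to find that class of mistake; the script contents, paths and patterns are constructed assumptions.

```python
import re
from pathlib import Path

# Constructed sample of the kind of script the post describes: a PowerShell
# file on a network share with an admin credential embedded in cleartext.
SAMPLE_PS1 = r'''
$user = "CORP\svc-admin"
$pass = "Winter2022!"
$sec = ConvertTo-SecureString "Winter2022!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user, $sec)
Invoke-Command -ComputerName fileserver01 -Credential $cred -ScriptBlock { Get-Process }
'''

# Constructed sample of a script that fetches the secret from a vault at run time instead.
SAMPLE_CLEAN = r'''
$cred = Get-Credential -Message "Enter the service account"
$token = Get-Secret -Name svc-admin -Vault CorpVault
'''

# Patterns that commonly mark a literal secret in PowerShell or config text.
# The AWS key pattern is here because the 2016 chain ran from a code repo to
# AWS credentials; extend the table for whatever your estate uses.
PATTERNS = {
    "plaintext_securestring": re.compile(r'ConvertTo-SecureString\s+"[^"]+"\s+-AsPlainText', re.I),
    "password_assignment": re.compile(r'\$(?:pass|passwd|password|pwd)\s*=\s*"[^"]{4,}"', re.I),
    "password_parameter": re.compile(r'-(?:Password|Pass)\s+"[^"]+"', re.I),
    "aws_access_key": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
}

def scan_text(text: str, name: str = "<input>") -> list:
    """Return one finding per (line, pattern) hit, without echoing the secret itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                findings.append({"file": name, "line": lineno, "kind": kind})
    return findings

def scan_tree(root: Path, suffixes=(".ps1", ".psm1", ".cmd", ".bat", ".cfg", ".json", ".txt")) -> list:
    """Walk a mounted share or a repo checkout and scan every script or config file in it."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PS1, "share/deploy.ps1"):
        print(f"{f['file']}:{f['line']}: {f['kind']}")
    print("clean sample findings:", scan_text(SAMPLE_CLEAN, "share/clean.ps1"))
```

Findings report only file, line and pattern name so the scan output itself does not become another copy of the secret.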

It’s Friday, And I Have Another Extortion Phishing Email #Scam To Share With You

Posted in Commentary with tags on September 16, 2022 by itnerd

I have to admit that the readership of this blog is engaged. I say that because a reader sent me this latest extortion phishing scam email. From what I can tell, it’s similar to this extortion phishing email which makes me believe that it’s the same threat actor behind it. Here’s the email:

Hello there!

Unfortunately, there are some bad news for you.
Around several months ago I have obtained access to your devices that you were using to browse internet.
Subsequently, I have proceeded with tracking down internet activities of yours.

Below, is the sequence of past events: 
In the past, I have bought access from hackers to numerous email accounts (today, that is a very straightforward task that can be done online).
Clearly, I have effortlessly logged in to email account of yours (EMAIL ADDRESS REDACTED).

A week after that, I have managed to install Trojan virus to Operating Systems of all your devices that are used for email access.
Actually, that was quite simple (because you were clicking the links in inbox emails).
All smart things are quite straightforward. (^-^)

The software of mine allows me to access to all controllers in your devices, such as video camera, microphone and keyboard.
I have managed to download all your personal data, as well as web browsing history and photos to my servers.
I can access all messengers of yours, as well as emails, social networks, contacts list and even chat history.
My virus unceasingly refreshes its signatures (since it is driver-based), and hereby stays invisible for your antivirus.

So, by now you should already understand the reason why I remained unnoticed until this very moment…

While collecting your information, I have found out that you are also a huge fan of websites for adults.
You truly enjoy checking out porn websites and watching dirty videos, while having a lot of kinky fun.
I have recorded several kinky scenes of yours and montaged some videos, where you reach orgasms while passionately masturbating.

If you still doubt my serious intentions, it only takes couple mouse clicks to share your videos with your friends, relatives and even colleagues.
It is also not a problem for me to allow those vids for access of public as well.
I truly believe, you would not want this to occur, understanding how special are the videos you love watching, (you are clearly aware of that) all that stuff can result in a real disaster for you.

Let’s resolve it like this:
All you need is $1450 USD transfer to my account (bitcoin equivalent based on exchange rate during your transfer), and after the transaction is successful, I will proceed to delete all that kinky stuff without delay.
Afterwards, we can pretend that we have never met before. In addition, I assure you that all the harmful software will be deleted from all your devices. Be sure, I keep my promises.

That is quite a fair deal with a low price, bearing in mind that I have spent a lot of effort to go through your profile and traffic for a long period.
If you are unaware how to buy and send bitcoins – it can be easily fixed by searching all related information online.

Below is bitcoin wallet of mine: [BITCOIN WALLET ADDRESS REDACTED]

You are given not more than 48 hours after you have opened this email (2 days to be precise).

Below is the list of actions that you should not attempt doing:

Do not attempt to reply my email (the email in your inbox was created by me together with return address).
Do not attempt to call police or any other security services. Moreover, don’t even think to share this with friends of yours. Once I find that out (make no doubt about it, I can do that effortlessly, bearing in mind that I have full control over all your systems) – the video of yours will become available to public immediately. 
Do not attempt to search for me – there is completely no point in that. All cryptocurrency transactions remain anonymous at all times.
Do not attempt reinstalling the OS on devices of yours or get rid of them. It is meaningless too, because all your videos are already available at remote servers.

Below is the list of things you don’t need to be concerned about:

That I will not receive the money you transferred.

– Don’t you worry, I can still track it, after the transaction is successfully completed, because I still monitor all your activities (trojan virus of mine includes a remote-control option, just like TeamViewer).

That I still will make your videos available to public after your money transfer is complete.

– Believe me, it is meaningless for me to keep on making your life complicated. If I indeed wanted to make it happen, it would happen long time ago! 

Everything will be carried out based on fairness!

Before I forget…moving forward try not to get involved in this kind of situations anymore!
An advice from me – regularly change all the passwords to your accounts.

If you check out the post that I linked to above, it has very similar hallmarks. The only difference is the “proof” the threat actor uses to get your attention: they spoofed your email address and reinforced it by including it in the body of the email. The rest of the playbook is exactly the same, and the language used is similar. Which is why I think it’s the same threat actor behind this. Finally, I checked the Bitcoin wallet and there’s nothing in it. That implies either this scam isn’t working for the threat actor, or it hasn’t worked yet.
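The hallmarks listed above (sender forged to match the recipient, the recipient’s address repeated in the body, a Bitcoin wallet, a 48-hour deadline and the usual trojan/video lure) can be checked mechanically. As an added example that is not from the post, this Python scores a plain-text message on those hallmarks; the addresses and wallet are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted above; address and wallet are placeholders.
SCAM_EMAIL = """\
From: victim@example.com
To: victim@example.com
Subject: Hello there!

Clearly, I have effortlessly logged in to email account of yours (victim@example.com).
A week after that, I have managed to install Trojan virus to all your devices.
I have recorded several videos of yours.
Below is bitcoin wallet of mine: 1xxxxPLACEHxxxxPLACEHxxxxPLACEHxx
You are given not more than 48 hours after you have opened this email.
"""

# Constructed benign message: a deadline alone should not trip the check.
NORMAL_EMAIL = """\
From: payroll@example.com
To: victim@example.com
Subject: Timesheet

Please submit your timesheet within 48 hours for the payroll run.
"""

BTC_ADDRESS = re.compile(r'\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b')
DEADLINE = re.compile(r'\b\d{1,3}\s*hours?\b', re.I)
LURE_WORDS = ("trojan", "video", "camera", "webcam", "bitcoin", "adult", "porn")

def extortion_indicators(raw: str) -> dict:
    """Pull the hallmarks the post lists out of one plain-text RFC 822 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_payload() if not msg.is_multipart() else "".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    lowered = body.lower()
    return {
        "self_spoofed": bool(sender) and sender == recipient,   # From forged to equal To
        "recipient_quoted_in_body": bool(recipient) and recipient in lowered,
        "btc_addresses": BTC_ADDRESS.findall(body),
        "deadline": bool(DEADLINE.search(body)),
        "lure_words": [w for w in LURE_WORDS if w in lowered],
    }

def is_extortion_scam(raw: str) -> bool:
    """Wallet address plus at least two other hallmarks; tune the threshold to your mail flow."""
    ind = extortion_indicators(raw)
    others = [ind["self_spoofed"], ind["recipient_quoted_in_body"],
              ind["deadline"], len(ind["lure_words"]) >= 2]
    return bool(ind["btc_addresses"]) and sum(others) >= 2
```

A mail gateway rule built on the same signals can quarantine these before a reader ever sees the countdown.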

If you see this email hit your inbox, delete and go on with your life.

Uber Has Been Pwned…. Apparently By An 18 Year Old Who Wants Higher Pay For Uber Drivers

Posted in Commentary with tags on September 16, 2022 by itnerd

I woke up this morning to find that Uber has apparently been pwned by hackers:

There’s no additional info beyond what I posted above. At least not from Uber. The broader media however does have more details:

A hacker gained control over Uber’s internal systems after compromising the Slack account of an employee, according to the New York Times, which says it communicated with the attacker directly. Slack, a workplace messaging service, is used by many tech companies and startups for everyday communications.

Uber has now disabled its Slack, according to multiple reports. Shares of Uber declined nearly 4% in premarket trading Friday.

After compromising Uber’s internal Slack in a so-called social engineering attack, the hacker then went on to access other internal databases, the Times reported.

A separate report, from the Washington Post, said the alleged attacker told the newspaper they had breached Uber for fun and could leak the company’s source code in a matter of months.

Another report provides insight as to why they were hacked:

The hacker who claimed responsibility for the breach said he was 18 years old, according to the New York Times, and called for Uber drivers to receive higher pay. He claimed to have been able to access the company’s email and cloud storage systems, and said the firm had weak security standards.

So on the surface, this seems like “hacktivism” where someone hacks a company for a political or social reason. I’m not quite ready to buy into that just yet as the details on this hack are still emerging. But I am going to guess that this hacker got in via some sort of social engineering attack based on what I have read. And Darren Williams, CEO and Founder of BlackFog has some commentary on that:

“Social engineering is becoming a more popular tactic for cybercriminals as it really provides the keys to the castle, as we can see from the recent attack on Uber. Once in, the focus is always going to be data exfiltration, ultimately leading to extortion, data breaches and class action lawsuits. When it comes to cyber defence in the modern age, protecting the perimeter alone simply isn’t going to cut it. Organisations must make the assumption that the bad guys are going to find their way in so the focus must be on preventing them from leaving with the crown jewels – the data. IT leaders need to stay at least one step ahead of the bad guys by adding newer technologies like anti data exfiltration to their security stack. Leveraging newer technologies that focus on preventing exfiltration is critical as it puts an end to data theft and extortion.”

Watch this space as this is an evolving story that is sure to get updates.

UPDATE: Yaron Kassner, CTO and Cofounder of Silverfort has additional commentary:

“As with any developing attack, while Uber has admitted compromise – the details are yet to be confirmed. However, the information shared by the alleged attacker underlines that just using MFA is not enough to protect against the kind of lateral movement the attacker says took place.

Organizations need to make sure they are using MFA capable of protecting against lateral movement. For example, the attacker says they accessed a shared folder containing credentials used for scripts. This is exactly the kind of resource that would benefit from multi-factor authentication. 

According to the details being shared, these maliciously obtained service account credentials were then used to compromise a PAM solution giving the attacker the keys to the kingdom and access to many sensitive systems. This stresses the fact that service accounts must also be protected, and that protecting access to the PAM with MFA is insufficient. One must also protect access with the secrets extracted from PAM.”

Toby Lewis, Global Head of Threat Analysis for Darktrace also had this to say:

Details of the Uber breach are still emerging, but early reports suggest this may be a threat actor more likely seeking notoriety and fame than any kind of financial gain. Regardless, an attack like this can have long-lasting effects in terms of restoring systems to trusted operational states as well as reputational damage.

It would be difficult to speculate too much at this early stage but an interesting component in the attack appears to be in the exploitation of their Multi-factor Authentication, by using Social Engineering to persuade employees to blindly approve the attacker’s actions.

This proves that the existence alone of MFA is not a silver bullet, and should form part of a wider strategy incorporating other technologies and mechanisms to identify and prevent malicious activity. This includes limiting the damage that can be done with a compromised account, which is a basic yet effective measure – for example not giving every member of staff administrator-level privileges, and granting even those that really need those permissions limited use for designated tasks.

Christopher Prewitt, Chief Technology Officer of Inversion6 adds this:

Many view these large service providers and social media companies as being extra secure or having state of the art security programs, but they often suffer from some of the same issues as other corporations. Social engineering is still the primary entry point for successful breaches, but the attackers are always looking to elevate privilege to increase impact and monetization.

Once again identity and privileged identity are the root cause for a breach. Once inside an organization with valid accounts, it can be difficult for defenders to differentiate an attacker from a standard employee or contractor.

System administrators and engineers are trusted to do the right thing for security but can be just as careless as anyone else. The alleged issue was credentials that were left in cleartext in some scripts. At this point the attackers were already within the environment, and likely would have found a number of other ways to elevate privilege.