🐈 Hackers give Uber a 5 star rating ⭐️⭐️⭐️⭐️⭐️

Ride time: 5 minutesChuckles: 14

Hi again, it's meoward – your inbox's weekly dose of security. Did you miss me? This Welcome Back edition is brought to you by the 🌮Mexican Pizza🍕. That's right, it’s back at a Taco Bell 🔔 near you.

Trips this week:

• 🚙 Uber was hacked: the official word – no customer data was compromised. Unofficially, the hackers are getting a lifetime of free Uber Eats.

• 💬 Microsoft Teams is terrible: in general, but also because it stores its authentication tokens in cleartext.

• 🥬 Healthy snacks: time to lay off the donuts and learn how to evade GuardDuty in AWS, recover filenames deleted by sdelete, and more!

Chop, chop. Look lively now.

Mudge: New hair style, same ol' message.

The Uber Hack (according to Twitter)

I announce i am a hacker.

If you're like me, you spent Thursday night and Friday refreshing Twitter to see the latest on the Uber hack. If you aren't like me, here's the TL;DR:

1. 18 year old hacker tricks an Uber employee into providing their password.

2. Hacker uses the password to VPN into Uber's networks.

3. Hacker finds the password that protects all the passwords.

4. Hacker posts screenshots to prove their access.

5. Sad day for Uber's security team.

This is absolutely my worst nightmare – working a security incident that's being live-tweeted to the world. Absolutely brutal.

Before we dive into the details, let me first start with a caveat – the majority of the information being used to tell this story is unconfirmed. It will likely be months before we get any sort of detailed statement from Uber. Investigations like these take a long time.

So here's the alleged hacker's story:

Initial access

The New York Times writes "The person who claimed responsibility for the hack told The New York Times that he had sent a text message to an Uber worker claiming to be a corporate information technology person. The worker was persuaded to hand over a password that allowed the hacker to gain access to Uber’s systems."

Based on the hacker's claim, it sounds like Uber protected access with 2FA via push notifications. After spamming the employee for an hour, they were able to social engineer the Uber employee into approving one of the push notifications.

In one of the hacker's screenshots posted by vx-underground, you can see two files the hacker recently downloaded:

The cybersecurity company Group-IB Global make an interesting claim about these files. They claim that these files originated from infostealer malware and were sold on an underground marketplace just a few days before this hack became public.

If these files are legit, it appears that at least 2 Uber employees (from Indonesia and Brazil) were infected by Racoon and Vidar infostealers.

It's possible that before social engineering their way to an approved 2FA push, this alleged hacker purchased infostealer logs from this underground marketplace to get Uber employees' passwords.

Tactics like these are very similar to the ones used by the LAPSUS$ hacking group, who also use password stealers (RedLine, Racoon) or buy credentials from underground forums.

Teapot hits the Jackpot

The alleged hacker now has access to Uber's internal network through VPN. They start scanning and what do they find? The keys to the kingdom.

Oh no.

They also gained access to a security engineer's account at Uber and used it to login to Uber's HackerOne account.

My hope is that Uber will get those reported vulnerabilities fixed a bit faster than originally planned.

So there you have it. It's bad. And there's a lot to investigate. Uber's last public update came out Friday afternoon:

To my fellow incident responders at Uber – I hope you're holding up, being treated with respect, and get some much needed PTO once everything settles down.

Remember, if you get too exhausted from investigating, you can always take Twitter's approach:

Ran Microsoft Teams, CPU caught on fire

Despite Microsoft Teams introducing a remix of their default ringtone, the desktop app still doesn't encrypt its authentication tokens.

A little background:

• Teams is what uncool companies use instead of Slack (come at me, M$ bros).

• Teams is a mind meld 🖖 of Microsoft products, including Skype, SharePoint, and Outlook.

• The enterprise version of Teams is an Electron-based app.

• Electron is a framework that basically turns a web browser into a desktop app.

• Electron doesn’t support encryption or file system protection as standard.

Security researchers at Vectra were poking around the Teams desktop app and stumbled across these two databases:

The leveldb stores plaintext access tokens for both Outlook and Skype APIs. (I found the easiest way to explore this database was to use Plyvel and Python.) 

The sqlite Cookies file stores Teams authentication tokens, including for MFA-enabled accounts.

None of these files require any special permissions to access.

Microsoft probably won't fix this. Teams 2.0, a complete rewrite that drops Electron for Edge WebView2, is in the works. Until the 2.0 release ("when it's ready"), Vectra advises people to only use the web-based Teams client inside Microsoft Edge.

I suggest not using Teams. At all. Ever.

Snacks

• 🍿 [youtube] Evading AWS GuardDuty and Network Firewall. Just one of the great talks from this year's fwd:cloudsec.

• 🔎 [blog] A quick forensics write-up on sdelete, the artifacts it leaves behind, and how to recover the original file names. APT29 loves using sdelete for defense evasion.

• 📚 [library] MITRE ATT&CK still doesn't have enough Cloud content. Enter Hacking the Cloud, a collection of attacks, tactics, and techniques specific to AWS, Azure, and GCP. I love this website! This site gets a big MEOW!

Incredible how much space I saved with this tip!