Who would be an Uber secops employee today ...

Looks like their entire infrastructure was owned via a social engineering attack, which allowed the actor to access their VPN. From there he found a network share with some PowerShell scripts, one of which had admin credentials for their password management system.
He got domain admin, Google Cloud admin, AWS admin, Slack admin, HackerOne admin plus a whole bunch of other stuff.

From the PoV of someone in IT, this is terrifying to contemplate!

 
I don't understand how they got access to the VPN? The employee surely didn't just hand over those credentials, or did they brute-force it?
Feels like important parts of the story are missing, or it's just a disgruntled employee.
 
Not saying this isn't bad, but it's not the worst. The attacker looks more like they are in it for the thrills, given how open they are about it with the media.
Imagine all this and add ransomware on top (don't ask me how I know, but I know the above feel + ransomware).
 
This is true...
Challenge now being to prove that no PI/PCI data was exfiltrated, and that no nasty little surprises have been left lying around.
 
A malicious hacker could have bought a few OTM puts and then caused all sorts of chaos to Uber rather than just taking a look around and demonstrating that he/she was able to get access.
 
This entire thread is going right over my head.

I can still watch my music videos on YouTube and my beer is cold, so all is good, right?
 
You'd be surprised at some of the horrors I've seen over the years. One being a company's entire internal network exposed on a public unauthenticated FTP.

YubiKeys are so cheap nowadays, there's very little excuse for a company not to be using them for even low-level access. Heck, this forum even has YubiKey/hardware authentication available should people wish to use it!
 
Imagine you gave a key to your garage to someone that was working on your garage, but the rest of your house was locked. However, inside the garage you also had a cardboard box with the keys for everything you own.

Some other guy got the garage key and then found the cardboard box.
 