Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Group-IB Global Profile picture
@GroupIB
Sep 16, 2022 9 tweets 5 min read Read on X
Hello @Uber! We know breaches suck. Wanted to reach out and support with some interesting information on the #uberhack. If you need any more details, feel free to contact us.

#FightAgainstCybercrime
On September 16, vx-underground posted screenshots with evidence of access to #Uber internal systems, including #SentinelOne, #Slack and #AWS. The screenshots have been attributed to the threat actor teapots2022. Image
During Group-IB’s analysis of the screenshots, interesting artifacts have been found in the recently downloaded files tray. First 2 files are zip archives and have the same format: "LOGID-\d{7} with names LOGID-4952307" and "LOGID-4953756". Image
The name format of these files allowed Group-IB researchers to identify them as logs from #stealers that were sold on one of the underground marketplaces.
Group-IB identified that these logs were put up for sale on September 12 and 14, which means that this was very fresh data, because the hack that utilized them was revealed from 15 to 16 September.
As shown below both of these logs contain authorization data for uber.onelogin.com — an identity and access management provider. These logs indicate that at least 2 Uber employees (from Indonesia and Brazil) have been infected by stealer #malware: Racoon and Vidar stealers. Image
The version of @Uber hacking through the purchase of logs that contained data for authorization on uber.onelogin.com is confirmed by the same screenshot, where you can see that the very first tab in the browser is called "OneLogin". Image
In addition to the #logs shown in the screenshot, the attacker could also have purchased logs to enable them to sort through all the accounts in search of accounts with privileged access to critical internal network resources.
These other logs also contained multiple access credentials to other resources, including Slack, Facebook, Google, Instagram etc. These credentials could have been used by the attacker to advance through Uber’s network using social engineering.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Group-IB Global

Group-IB Global Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @GroupIB

Group-IB Global Profile picture
Sep 16, 2022
Crypto giveaway scams continue to soar: Group-IB has noted a fivefold increase in the number of domains used for #crypto giveaway #scams that involve fake #YouTube streams in the first half of 2022: bit.ly/3eWN0eL

#CryptoGiveaway
According to Group-IB, 63% of the new fraudulent domain names were registered with Russian registrars, but the #fake websites are primarily designed to target English and Spanish-speaking #crypto investors in the US and other countries: bit.ly/3eWN0eL
In the first six months of 2022, @CERTGIB identified more than 2,000 domains registered explicitly to be used as #fake promotion websites. This figure increased almost five-fold compared to the second half of 2021 and 53-fold in comparison with H1 2021: bit.ly/3eWN0eL
Read 5 tweets
Group-IB Global Profile picture
Aug 19, 2022
About a week ago, @TalosSecurity team shared some insights related to a recent cyber attack on @Cisco. According to Indicators of compromise, mentioned in this article (bit.ly/3K76lFJ), we have known this group of attackers since the beginning of 2022.
Group-IB's researchers has discovered their TTPs in a series of attacks using #CobaltStrike, #Sliver and #Covenant tools. Our internal name of this group is #TridentCrow.
One of the domains that was published by @Cisco (ciscovpn2[.]com) has a self-signed SSL certificate with unique values. According to Group-IB Threat Intelligence database, out of more than 2 billion certificates, only 39 have similar values and mimic well-known IT companies. Image
Read 14 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(