Security analysis and research

Focus on global malware analysis and research


Recently, a hacker attacked Uber and, after breaking in, released screenshots of Uber’s AWS console, HackerOne admin panel, Slack server and more, suggesting that Uber may have suffered a very serious intrusion, as follows:

Uber has also issued a statement saying that it is responding to a cybersecurity incident, is in contact with law enforcement, and will release further updates as needed, as follows:

According to the available information, the attacker claimed to have administrator access to Uber’s Amazon Web Services and Google Cloud Platform accounts and other company tools. The attacker claimed to be only 18 years old, to have broken into Uber for fun, and to be considering leaking the company’s source code. After breaking in, the attacker announced the intrusion to all Uber employees, but the employees did not realize they had been attacked and thought it was a joke, haha.

Not long ago, Cisco confirmed that it had been attacked by the Yanluowang ransomware group and that some data had been leaked; fortunately, Cisco detected the hacker group in time while the attack was still deepening, otherwise more core data might have been leaked. The author previously published “A simple analysis of the Cisco hacking incident”, which noted that this hacker group has never stopped looking for its next target, and that any large enterprise could be the next one.

Based on information published online by foreign security researcher @BillDemirkapi, the author has also conducted a simple analysis of this incident. In fact, this is not the first time Uber has been hacked: in 2016 Uber was breached and the personal data of 57 million users and drivers was affected. If the information published online by the hacker is true, this is undoubtedly another very serious attack on Uber. I do not know how Uber will handle this attack; I will sit and wait for Uber to update its information.


From the information published online, the hacker social-engineered an Uber employee, obtained that employee’s login credentials, logged into the enterprise through a VPN account, and then scanned and moved laterally across the corporate intranet. Foreign security researchers reconstructed the process by which the employee’s credentials were obtained, as follows:

1. The hacker used a tool such as Evilginx to set up a fake domain that sat between the employee and Uber’s real login server, performing a man-in-the-middle interception of the login and capturing the employee’s login credentials.

2. With the employee’s login credentials, the hacker used the employee’s VPN access to enter the corporate intranet.

3. Once inside the corporate intranet, the hacker found a network file share that contained a PowerShell script with privileged credentials; the credentials in that script gave access to Uber’s DAD, DUO, Onelogin, AWS, GSuite and other application systems.
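The third step turns on a script with privileged credentials left on a file share. As a defender-side illustration added here (not code from the article or from Uber), the following Python scanner walks a mounted share and flags hard-coded secrets in PowerShell scripts; the share path, rule names and the sample script are constructed.

```python
# Scan PowerShell scripts on a file share for hard-coded credentials.
# Added example for this article; rule names and the sample script are constructed.
import re
from pathlib import Path

SCRIPT_SUFFIXES = {".ps1", ".psm1", ".psd1"}
# Common ways a privileged secret ends up as a literal inside a script.
PATTERNS = {
    "ConvertTo-SecureString with a plaintext literal": re.compile(
        r"ConvertTo-SecureString\s+(?P<q>['\"])(?P<secret>.+?)(?P=q)\s+-AsPlainText",
        re.IGNORECASE),
    "credential-named variable assigned a string literal": re.compile(
        r"\$(?:pass(?:word|wd)?|pwd|secret|api_?key|token)\s*=\s*"
        r"(?P<q>['\"])(?P<secret>[^'\"]{4,})(?P=q)", re.IGNORECASE),
    "AWS access key id": re.compile(r"\b(?P<secret>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
}

def redact(line, match):
    """Mask the secret so the report itself is not a credential dump."""
    secret = match.group("secret")
    return line.replace(secret, secret[:2] + "******")

def scan_text(text, source="<inline>"):
    """Return one finding per (line, rule) match, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append({"source": source, "line": lineno,
                                 "rule": rule, "snippet": redact(line, match)})
    return findings

def scan_share(root):
    """Walk a mounted share (UNC path or mount point) and scan every script."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings

# Constructed sample of the kind of "helper" script that gets left on a share.
SAMPLE_SCRIPT = r'''$adminUser = "CORP\svc_backup"
$password = ConvertTo-SecureString "Sup3rS3cret!" -AsPlainText -Force
$env:AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
$apiKey = "dd0f8a1e-fake-key"'''
```

Call `scan_share(r"\\fileserver\share")` against a real mount, or `scan_text(SAMPLE_SCRIPT)` to see the three findings the constructed script produces; a hit means the secret belongs in a vault or a gMSA, not in the script.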

Judging from the screenshots released by the hacker, if they are genuine, the hacker obtained extensive access at Uber, including the AWS system, IAM portal, GCloud, vCenter, Slack, vSphere and even the enterprise’s internal EDR system. If the hacker abuses the EDR’s ability to give IR staff a “backdoor” onto employee machines, using that “backdoor” to enter other employees’ machines, the attacker’s access could expand even further.

At the same time, during this attack the hacker also obtained all of the vulnerability reports from Uber’s HackerOne bug bounty program and left a comment on every bounty ticket, as follows:

If the hacker really obtained all of the vulnerability reports from the HackerOne program, this may pose an even more serious security risk to Uber: these vulnerabilities could well be resold to other hacking groups for follow-on attacks. What information those reports contain is not yet clear.

Last year, HackerOne received a report of an Uber vulnerability that allowed an Uber account to be taken over via voicemail, as follows:

For the specific vulnerability details you can search for the relevant information; it may not be visible on the public internet, but the details can be obtained through some channels, as follows:

From the Slack screenshots released by the hacker, the person who fell for the attack may have been an engineering manager at Uber, and that employee’s information was also exposed, as follows:

This analysis of the attack ends here. The attack process was not complicated; after all, the hacker is still young. The attack also shows that Uber’s security controls may not have been good, since a script containing various privileged credentials was left on a shared server. If all the screenshots are genuine, this is indeed a very serious incident. The hacker has so far only published screenshots, not any specific data, and this incident will need continued attention.

Analysis of the attack shows that the hacker’s entry point was still targeted phishing and social engineering of company employees to obtain their login credentials. This is similar to the method by which the Yanluowang ransomware group earlier entered Cisco’s intranet. This single-point breakthrough is very effective against large enterprises, even multinational ones, because no enterprise can guarantee that every employee has a high level of security awareness, and social engineering is highly deceptive; any employee can become the target, and any employee can become the entry point through which the enterprise is breached. As the saying goes, a thousand-mile dike can collapse from an ant hole. Security is a confrontation between people, attacks on people are a very effective and deadly method, and people are the biggest security vulnerability.


Targeted attacks on employees within an enterprise, including email phishing, watering-hole attacks and social engineering, are a commonly used APT method: hacker groups start from the employees and then infiltrate step by step toward the enterprise’s core data servers. The Lazarus APT group has repeatedly used this approach, phishing and social-engineering employees before breaking into enterprise servers to steal data.

Hackers have never stopped attacking major enterprises around the world, and some APT campaigns last for months. Such targeted attacks will feature especially prominently in future security incidents. The entry point of most of these campaigns may be nothing more than a phishing email, a business email address or some leaked login credentials; the hackers then use various social-engineering techniques to obtain entry access to the corporate intranet, move laterally, and continue until the enterprise’s core servers are breached. If the enterprise can detect the hacker’s activity during this process, it can respond immediately and reduce its losses.

The author has analyzed the real attack activity of a number of hacker groups, including targeted campaigns by APT groups, and most of it is still based on phishing and social engineering combined with the exploitation of vulnerabilities and other methods. Phishing and social engineering are truly unbeatable: there will always be someone who falls for them. Cultivating security awareness is not a matter of a day or two; people are the biggest security vulnerability, and nobody can stay fully vigilant at all times, so anyone may accidentally be fooled.

The author has long been engaged in malware threat intelligence and related security analysis and research, covering miners, ransomware, remote-control backdoors, botnets, loaders, APT attack samples, CS Trojans, rootkit backdoor Trojans and more, across a variety of platforms (Windows/Linux/Mac/Android/iOS). The author’s interest in security research lies in studying the latest malware family samples. By tracking the attack samples involved in security incidents reported at home and abroad and analyzing in detail the samples, vulnerabilities and attack techniques involved, one can understand the latest attack technologies and activity trends of hacker groups worldwide, and also infer what they are about to do, what attack campaigns they are launching and what harm customers may suffer. Dear readers and friends, if you encounter any new malware family samples or the latest family variants, you can send the author a private message. Thank you for providing the author with samples!

Doing security: never forget your original intention, keep pace with the times, and keep at it always!

Security analysis and research focuses on the analysis and research of global malware and tracks the attack activities of hacker groups worldwide; you are welcome to follow.

Wang Zheng

Pen name: Panda Masamune

Malware researcher

Long-term focus on analyzing and researching popular malware around the world and tracking the attack activities of global hacker groups; skilled in malware reverse-engineering techniques, with rich experience in sample analysis and in-depth analysis and research of ransomware, miners, information stealers, remote-control Trojans, banking Trojans, botnets and APT attack samples.

Mental journey: from a security newbie who knew nothing to an old hand with more than ten years of security experience. The road of security is still very long; do one thing for a lifetime, and persist, focus, be professional!