Category Archives: Hacker

Uber Investigating Breach Of Its Computer Systems



Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack, The New York Times reported.

The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.

According to The New York Times, an Uber spokesman said the company was investigating the breach and contacting law enforcement officials. Uber employees were instructed not to use the company’s internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly.

Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, “I announce I am a hacker and Uber has suffered a data breach.” The message went on to list several internal databases that the hacker claimed had been compromised.

Uber tweeted on September 15, 2022: “We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.”

The Verge reported that the alleged hacker, who claims to be an 18-year-old, says they have administrator access to company tools including Amazon Web Services and Google Cloud Platform.

When contacted by The Verge for comment, a spokesperson for Uber declined to answer additional questions, and pointed to its statement on Twitter.

The Washington Post reported that after the hacker posted a message on Uber’s Slack, it was followed by a flurry of reaction emoji, including several dozen showing what appeared to be a siren symbol. Because of the hack, people said, some systems including Slack and internal tools had been temporarily disabled.

The Washington Post obtained internal screenshots that showed the hacker claiming to have wide-ranging access inside Uber’s corporate networks and appeared to indicate the hacker was motivated by the company’s treatment of its drivers. The person claimed to have taken data from common software used by Uber employees to write new programs.

According to The Washington Post, the hacker’s ominous posts were met with reactions apparently depicting the SpongeBob character Mr. Krabs, the popular “It’s Happening” GIF and queries as to whether the situation was a prank.

The Wall Street Journal reported that a hacker, identified only by the Telegram handle Tea Pot, gained control of Uber’s account with HackerOne, a firm that helps companies work with security researchers, according to the company and researchers on their platform. The hacker provided security researchers with screenshots that appeared to show widespread access to a range of administrative accounts that manage Uber’s technology systems, including the Amazon Web Services and Google clouds, as well as VMware systems, the researchers said.

Other than the HackerOne account compromise, The Wall Street Journal couldn’t verify Tea Pot’s other claims.

At the time I am writing this post, Uber has not provided any updates on their Twitter account. Perhaps they will later today. That said, if you were planning to go somewhere via Uber today – there’s a good chance that you won’t be able to obtain a ride from the company’s drivers. Consider Lyft or the local bus service wherever you are.


Europol Announced the Arrest of Two Ransomware Hackers



Europol announced in a press release that a coordinated strike between several law enforcement agencies resulted in the arrest in Ukraine of “two prolific ransomware operators known for their extortionate demands (between €5 and €70 million)”.

The law enforcement groups involved included the French National Gendarmerie, the Ukrainian National Police Force, and the United States Federal Bureau of Investigation, with the coordination of Europol and INTERPOL.

According to Europol, the results of this included: 2 arrests and 7 property searches; seizure of US $375,000 in cash; seizure of two luxury vehicles worth €217,000 and asset freezing of $1.3 million in cryptocurrencies.

From the Europol press release:

The organized crime group is suspected of having committed a string of targeted attacks against very large industrial groups in Europe and North America from April 2020 onwards. The criminals would deploy malware and steal sensitive data from these companies, before encrypting their files.

They would then proceed to offer a decryption key in return for a ransom payment of several millions of euros, threatening to leak the stolen data on the dark web should their demands not be met.

The Record reported the arrests of the two members of a ransomware gang took place on September 28, in Kyiv, Ukraine’s capital. Of the two suspects who were arrested, one is a 25-year-old believed to be a crucial member of a large ransomware operation.

The names of the two suspects who were arrested have not been released. The Record reported that officials declined to name the suspect’s affiliation to any particular ransomware gang, citing an ongoing investigation. That information came from a Europol spokesperson.

It seems to me that this investigation is just beginning, and that Europol (and the rest of the assisting law enforcement agencies) is intending to continue its efforts. If the agencies are able to determine who else was involved in these crimes, I hope that those people face whatever legal consequences are appropriate.


Syniverse Was Hacked in 2016



Have you heard of Syniverse? In short, it provides a service that works in the background and enables people to use their smartphones to call or text their friends and families. That’s exactly why it is a very big deal that Syniverse got hacked.

According to Vice, Syniverse is a critical part of the global telecommunication infrastructure used by AT&T, T-Mobile, Verizon, Vodafone, China Mobile and others.

In a filing with the U.S. Securities and Exchange Commission, Syniverse disclosed that it had been hacked in 2016. Here is a small portion of that section of the filing:

…For example, in May of 2021, Syniverse became aware of unauthorized access to its operational and information technology servers by an unknown individual or organization… Promptly, upon Syniverse’s detection of the unauthorized access, Syniverse launched an internal investigation, notified law enforcement, commenced remedial actions and engaged the services of specialized legal counsel and other incident response professionals. Syniverse has conducted a thorough investigation of the incident.

The results of the investigation revealed that the unauthorized access began in May 2016. Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers…

Daring Fireball pointed out that 235 customers doesn’t sound like a lot, but then noted that Syniverse’s “customers” are carriers, not people. Another problem pointed out on Daring Fireball was that Syniverse discovered the data breach in May of 2021, but the hack began in May of 2016.

It seems to me that it is possible that a lot of people’s data and information could have been stolen and used for nefarious purposes. This is really bad. I think Syniverse should have publicly mentioned the data breach years ago, instead of attempting to quietly let their investors know about it in 2021.


“Gigabytes of Data” Accessed from Web Host Epik



You may have heard of Epik (the web host – not Epic the gaming company). According to Gizmodo, Epik the web host and domain registrar provides services to Gab, Parler, and Bitchute (which Gizmodo described as a “conspiracy-theory-laden YouTube wannabe”), and The Donald (a President Trump fansite).

Epik also recently hosted the Texas whistleblower website – which was intended to allow people to “snitch on Texas residents who want abortions.” Gizmodo reported that Epik forcibly removed the Texas site from the platform after determining it had violated Epik’s terms by non-consensually collecting third-party information.

Those sites seem to end up on Epik after breaking the terms of services of whatever mainstream hosting company they started with.

TechCrunch reported that hackers associated with the hacktivist collective Anonymous say they have leaked gigabytes of data from Epik. The hackers did not say how they obtained the breached data or when the hack took place. TechCrunch says that, according to time stamps, the most recent files suggest the hack “most likely” happened in late February.

It appears that the hackers have now released the information that was in the Epik data breach. TechCrunch reported what was in the data breach, based on a statement from the hackers.

What kind of information was in the data breach? TechCrunch reported that a statement was attached to a torrent file of the dumped data this week. It included a “decade’s worth” of company data, including “all that’s needed to trace actual ownership and management” of the company. The hackers claimed to have customer payment histories, domain purchases and transfers, passwords, credentials and employee mailboxes.

According to TechCrunch, Epik initially told reporters it was unaware of a breach, but an email sent out by founder and chief executive Robert Monster on Wednesday alerted users to an “alleged security incident.” To me, it sounds like the damage had already been done before users were alerted to it by email.

This is a really good example of why you need to be absolutely certain that the web host that is hosting your content is a reliable one.


Ukraine picks up six hackers behind Clop ransomware



It’s been a rough spell for hackers: one was just extradited from Mexico to face charges in California for a DDoS attack on the city of Santa Cruz.

Now six members of a group responsible for the Clop ransomware were picked up in a raid in Ukraine. It is not clear if these were all the members behind it or just one cell. The search of the home resulted in the seizure of hundreds of thousands of dollars and expensive vehicles such as an AMG 63 and a Tesla.

A Ukrainian report states that “[in] 2021, the defendants attacked and encrypted the personal data of employees and financial reports of Stanford University Medical School, the University of Maryland and the University of California.” 

As South Korea and the US were also in on this roundup and have charges pending for hacks in both countries, it’s unclear where things go from here.


U.S. Department of Justice Seized $2.3M in Bitcoin from Ransomware Hackers



The U.S. Department of Justice announced that it seized 63.7 bitcoins currently valued at approximately $2.3 million. According to the Department of Justice, “these funds allegedly represent the proceeds of a May 8 ransom payment to individuals in a group known as DarkSide.” This is the group that targeted the Colonial Pipeline, causing it to shut down.

As alleged in the supporting affidavit, by reviewing the Bitcoin public ledger, law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins, representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the “private key,” or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address. This bitcoin represents proceeds traceable to a computer intrusion and property involved in money laundering and may be seized pursuant to criminal and civil forfeiture statutes. 
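The affidavit describes following the ransom payment through “multiple transfers of bitcoin” on the public ledger until it reached one address. The following is an added example, not code from the Department of Justice, the FBI or this blog, and it runs on a small constructed ledger rather than real chain data. It shows the forward-tracing step of that kind of investigation: starting at the victim’s payment transaction, walk every subsequent spend of those outputs and report which addresses still hold unspent proceeds. The transaction and address names are invented placeholders, and the 63.7 BTC figure is reused from the article only as a sample amount.

```python
"""Follow ransom proceeds through a public ledger by walking the transaction graph.

The ledger below is a constructed example (not real Bitcoin data). Each
transaction lists the inputs it spends, as (prior txid, output index), and the
outputs it creates, as (address, amount). Starting from the victim's payment
transaction, trace_forward() walks through every later spend until it reaches
outputs that nobody has spent yet: the addresses currently holding the proceeds.
"""
from collections import defaultdict

# Constructed ledger; amounts are in BTC. An input of None stands for freshly
# mined or otherwise out-of-scope funds that the trace does not follow back.
LEDGER = {
    "tx_victim_pay": {  # the victim's ransom payment
        "inputs": [None],
        "outputs": [("addr_darkside_1", 75.0)],
    },
    "tx_split": {  # proceeds divided between an affiliate and the operator
        "inputs": [("tx_victim_pay", 0)],
        "outputs": [("addr_affiliate", 63.7), ("addr_operator", 11.3)],
    },
    "tx_hop1": {  # affiliate moves its share once ...
        "inputs": [("tx_split", 0)],
        "outputs": [("addr_hop_a", 63.7)],
    },
    "tx_hop2": {  # ... and again, to the address where it finally rests
        "inputs": [("tx_hop1", 0)],
        "outputs": [("addr_final", 63.7)],
    },
    "tx_unrelated": {  # noise that must not be pulled into the trace
        "inputs": [None],
        "outputs": [("addr_other", 2.0)],
    },
}


def build_spend_index(ledger):
    """Map each (txid, vout) to the txid that spends that output.

    On a real chain this is the expensive part (indexing every input); here it
    is a single pass over the constructed ledger.
    """
    spent_by = {}
    for txid, tx in ledger.items():
        for inp in tx["inputs"]:
            if inp is not None:
                spent_by[inp] = txid
    return spent_by


def trace_forward(ledger, start_txid):
    """Trace funds forward from start_txid.

    Returns (holdings, visited): holdings maps each address that still holds an
    unspent descendant output to the amount it holds; visited is the list of
    transactions walked, in order, which doubles as the evidentiary trail.
    """
    spent_by = build_spend_index(ledger)
    holdings = defaultdict(float)
    visited = []
    seen = set()
    stack = [start_txid]
    while stack:
        txid = stack.pop()
        if txid in seen:
            continue
        seen.add(txid)
        visited.append(txid)
        for vout, (addr, amount) in enumerate(ledger[txid]["outputs"]):
            spender = spent_by.get((txid, vout))
            if spender is None:
                holdings[addr] += amount  # unspent: funds rest here
            else:
                stack.append(spender)     # spent: keep following
    return dict(holdings), visited


if __name__ == "__main__":
    holdings, trail = trace_forward(LEDGER, "tx_victim_pay")
    print("transactions walked:", " -> ".join(trail))
    for addr, amount in holdings.items():
        print(f"{addr}: {amount} BTC still unspent")
```

On the constructed ledger the walk visits tx_victim_pay, tx_split, tx_hop1 and tx_hop2, ignores tx_unrelated, and reports 63.7 BTC resting at addr_final and 11.3 BTC at addr_operator. Identifying an address is only the first half of a seizure; actually taking custody still requires the private key, which is a separate matter the affidavit mentions but does not explain.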

The Wall Street Journal reported a quote from Stephanie Hinds, acting U.S. attorney for the Northern District of California (where the seizure warrant was obtained). “The extortionists will never see this money. This case demonstrates our resolve to develop methods to prevent evildoers from converting new methods of payment into tools and extortion for undeserved profits.”

The Wall Street Journal also reported that the FBI officially discourages victims from paying ransoms because doing so feeds a booming criminal marketplace and often won’t actually result in the restoration of the frozen computer systems.

Krebs on Security reported that Colonial Pipeline stated that the hackers only hit its business IT networks – not its pipeline security or safety systems. Colonial Pipeline shut down its pipeline as a precaution.

According to Krebs on Security, DarkSide (which is described as a “ransomware-as-a-service” syndicate) shut down on May 14, 2021, after posting a farewell message to affiliates. The message said that its Internet servers and cryptocurrency stash were seized by unknown law enforcement entities.

Personally, I find it interesting that the U.S. Department of Justice has the ability to seize cryptocurrency from thieves who received it after inflicting a company with ransomware. Perhaps this will serve as a warning to those who are interested in obtaining cryptocurrency through illegal means.


Passwordstate was Compromised by Supply-Chain Attack



As many as 29,000 users of Passwordstate password manager downloaded a malicious update that extracted data from the app and sent it to an attacker-controlled server, Click Studios told customers. Ars Technica reported that this was a supply-chain attack.

Click Studios began developing Passwordstate in March of 2004, and released it in August that same year. According to Click Studios, Passwordstate is used by more than 29,000 customers and 370,000 security and IT professionals globally, many being from Fortune 500 listed companies. Industries using Passwordstate include defense, banking and finance, media and entertainment, space and aviation, education, utilities, retail, mining, automotive, service providers and IT security integrators.

It is easy to see why companies that were relying on Passwordstate might be upset by this supply-chain attack. TechCrunch reported that an email sent by Click Studios to customers said the company had confirmed that attackers had “compromised” the password manager’s software update feature in order to steal customers’ passwords.

Click Studios has created an Incident Management Advisory on its website. It is where to find regular updates detailing the best information available at that point in time. Click Studios recommends that people periodically check it for the latest updates.

Personally, I think the safest way for individuals to protect their passwords is to write them down on paper and store that information at home. Paper is entirely immune from supply-chain attacks, and it lacks the code that nasty hackers seem to feel entitled to mess around with. This solution might be insufficient for large businesses, though. Unfortunately, that means these kinds of shenanigans will continue to happen.