Who did enjoy yesterday? That seems like sort of 100%, so good. Second day will be even better and we know that it always takes a bit of time to get into the mood of a conference like that. Short introduction, Carsten Fischer, I'm the Deputy CISO for Deutsche and will moderate this morning and I think tomorrow we'll see us again. But more importantly, I want to talk about the first two guys who will create a bit of fun. Max said that it will be funny, it will be entertaining and I'm pretty sure it will be. The first two speakers today will talk about hacking.
Hacking Uber, Okta, Las Vegas casinos and all of them have something in common. They were hacked by GenZ, by groups that are sort of generated out of the generation Z. They have a slightly different approach than others and we will learn about their approach today from Michael Geschwender. Michael is a seasoned cybersecurity professional. I was pleased to see that he started as a hacker and is still sort of hacking in different roles, different companies.
For example, member of the Allianz für Cybersicherheit, as we say in Germany, and a member of that and really a lot of skill set around cybersecurity. He's currently the lead of offensive security at Bitmarck and Bitmarck is a provider of health IT infrastructure in Germany. Switching over to Max, Max Muth, Max is an Infosec reporter for Germany's largest newspaper Süddeutsche Zeitung. I learned something this morning, the largest newspaper, I thought that would be a different one, but congratulations.
Shrinking, constantly shrinking, but large. But large. He started in studying philosophy in Munich and Birmingham and then I think he started with ARD, German broadcast, but joined Süddeutsche in 2008 already and ever since, focusing on stories about nation state hackers, cybercrime and emerging technologies. So welcome on stage. The stage is all yours and please entertain us. We'll try. Yeah. Good morning. I hope everyone had a coffee. I just had one. It was nice. We'll start by chatting about us. He did most of that, but I'll give it away for Michael. Good morning.
First of all, that kind of works. I have to get used to microphones. I usually don't use them. So good morning to you as well. I want to introduce to you my friend Max who is standing over here with this short slide. Max is working at Süddeutsche. I like his quote over here, which is that it is the constantly shrinking, but still biggest German newspaper. As you can see, Max is a fan of the mustache.
On the left, you can see his profile picture currently in use at Süddeutsche, which looks kind of weird to me because he always has his mustache and he only shaves it like every three years around like that. So he says he has a lot of hobbies for middle-aged men. I asked him yesterday and I don't think it's that much hobbies, but it's like three or four and he has kids. I don't have kids, so maybe that's a lot. I cannot judge that. But most importantly, Max is like a really, really seasoned guy.
I'm a full-time hacker and it's kind of hard to find people to openly talk in in-depth discussions about complicated international cyber topics and Max is one which you can do that. So a really, really competent, well-read and really seasoned guy in the cyber realm, I would say.
Okay, so this is Michael. Michael is pretty special because he's got a PhD in astrophysics and then said, oh, that's boring. Let's go to cyber. Because he has been a hacker for 21 years now, since he was nine and got a Pentium and didn't like it.
So he, I guess, broke it down and hacked some stuff. He's working as a red teamer, which means he's hacking your company if you pay for it. And in his free time, he's interested in stuff like ransomware. So his hobby is threat research and he's a hacker by trade. So you should definitely listen to what he has to say next. I love the timing.
Okay, so now I'm going to talk to you about hacking. Two things first.
One, it's early for me and it's too early for me. And I'm looking into really bright lights, so I will walk around a little and seem confused. So please keep with me and accept it just for now. It's just how I am and how I have to cope with being alive at this hour and talking to people in a room. The next is, I'm an honest guy and I speak for reality because someone has to speak for reality. And my job is, you have a company, you have all these products, and then you get hacked and you ask, how did this happen? We had all these products.
And then this is where I and people like me come into play, the hackers. So when talking about hackers, honesty is key. Because otherwise, if we are not honest to ourselves, reality will make us honest. So let's look at reality. This is from press statements of Uber. You might have heard of this company. It's a quite big one. And Uber had several security incidents. I'm just going to talk about one, which is the one here. And we just tell Uber's story. This is the story from how Uber said the hack went down and what actually happened.
So in Uber's own words, there was an external contractor, passive, and he had his account compromised, passive, it just happened. There's nothing you can do, it just happened, compromised, passive. And then from this account, several other employees' accounts were accessed, privilege escalation, like lateral movement, all these terms you heard from hacking, basically spreading inside the company, posting something in the Slack channel, and then security stopped it. So you know the wording, maybe you read these press statements yourself.
It was just stopped by quickly moving security posture, all the wording. Okay, so that is what Uber said, what was happening. But luckily, we have another story. This is the story from White, which is the guy who hacked Uber. What you see here is his chats. I'm not the only guy who has these chats. I show them because they are right now, I consider them common knowledge at the point, I say everything is common knowledge at the point when VXUnderground post them on Twitter, and they have 100,000 followers, so I can show that to you as well. So in the story of White, it goes a little different.
So White says he actually contacted, this was during the pandemic, a person working from home, and contacted this person because he had the number, he also had the password of the person previously obtained via a leak. He then tried to add his device to the devices of this person, which created a multi-factor authentication prompt, an MFA prompt. So this person gets these prompts about 100 times a day, which is a lot, but some of you in companies you work, you will get MFA prompts like three or four times a day, so it's kind of common.
But this person was not accepting the MFA prompt, but they were going continuously. Then he contacted the person by another number and said he is from Uber IT, and there's a problem with his account, which means he has to accept the MFA prompt, which he did in order to get working again. And also because it was a process that happens all the time like this. After that, for the technical people, White added his own device via Intune, device code phishing is the method, it's pretty common, it's an old one, it's still used today, nothing fancy about it. Then he was in.
So inside it was pretty easy, you just click the shares, you know, just the Windows shares. And in the shares, it's the same every time, in the shares there's just a password, there's always a password. Password is in the credentials files, a password is in the config files, there's a password. So this password gave him access to their identity management PAM system, where all the accounts are stored. So from there, he just takes the accounts, and then that's it. So the question is, now we have two conflicting stories, who is actually right?
We have a company who has everything, a lot of money, a huge IT budget, and deploys everything that one thinks you have to deploy, like every endpoint protection, everything you can think of, done by people with security knowledge, security certifications, all of that, all of them non-hackers, but all of them with a lot of money. And on the other hand, we have a guy who's 15 years old, holds a fish in his hand, and actually uses a node VPN, which he isn't even paying for because he just uses the free one, which means he has access to free IP addresses, which are also common knowledge.
So who is right? Who wins? The 15-year-old or the big company?
Well, yeah. I have to go back because that's really the best slide. I'll go back to that a couple of times.
Okay, you do that. Okay, so that's why I say I deal in reality. So do not believe these people. So you know the thing about White, when he was active, he's not active anymore, he's like in an institution now. He streamed that all live, and the people in the node just watched. I'm one of them. So this is a live stream of White doing all of that, he said. He just hacked Uber.
So what we see here, I don't know how good this is viewable from your point of view, I have to get really close here, is right now he's admin in Google users, and you see up there, there are a lot of tabs open, like a lot of tabs. Every single tab is a compromised system.
And also, if you have kids or grandkids, maybe you can see the icon right there in the bottom, the check of all trades. This is a Discord notification, because White was doing this hack in Discord and streaming all of it. I have to move a little faster now, because time runs out, because I talk too much. So this is just him being in all of their storage, which I think funny on this picture is, if you look at all of their storage, there's actually one guy, which is Carsey Head, who has 5.17 terabytes, and this is more than their whole security department has stored file, just like this one guy.
I don't know if Uber actually looked at that and knows what this guy is doing. I checked him out, he has a marketing company, and he does really weird stuff. I don't think he was allowed to use that amount of storage there, but I'm not a compliance officer here. So we move along.
Okay, so this is how deep he actually was. He pivoted everywhere. This is their internal revenue streams and all of that, and this is also how I know exactly how much they paid for which security stuff, and how I came to the number in the previous picture.
Next one, please. And this is just to, I don't think it is, I don't have the time now to explain this fairly to you. So just maybe believe me or don't, but this is a typical common picture. This is just SentinelOne. I just picked it because it's in the screenshot, but this is just your typical endpoint protection, whatever. And you see, it's all green. It sees nothing. And White is the guy who hacked everything. He's just logged in. Why does it see nothing? Because there's nothing to see. There was no malware deployed. There were no DoS attacks, no fancy whatever.
He just had a password, logged in, and now he's in the system. So he's in the process, how it's supposed to work. And this is what you really have to understand about hacking. This is always what you do. This is why we hackers don't care about these systems, because in order for your company to work, your own processes have to work. If your own processes are bad and we abuse them, security cannot help you. Because if security would stop your own processes, your company would stop working. This is the most integral point to take from here. Okay.
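The Uber story above comes down to one user being sent MFA push prompts until one is accepted, with nothing for endpoint protection to see. As an added example that is not part of the talk, the Python below flags that pattern in sign-in logs; the log format, user names, timestamps and thresholds are constructed for the example, not taken from any real identity provider.

```python
"""Flag MFA push-fatigue patterns in (constructed) authentication log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, not real data: "<ISO timestamp> <user> <event>".
# j.doe is pushed repeatedly, denies five times, then approves; a.smith is a
# normal login with a single prompt.
SAMPLE_LOG = """\
2022-09-15T21:02:10 j.doe PUSH_SENT
2022-09-15T21:02:41 j.doe PUSH_DENIED
2022-09-15T21:03:05 j.doe PUSH_SENT
2022-09-15T21:03:30 j.doe PUSH_DENIED
2022-09-15T21:04:02 j.doe PUSH_SENT
2022-09-15T21:04:20 j.doe PUSH_DENIED
2022-09-15T21:05:11 j.doe PUSH_SENT
2022-09-15T21:05:44 j.doe PUSH_DENIED
2022-09-15T21:07:00 a.smith PUSH_SENT
2022-09-15T21:07:12 a.smith PUSH_APPROVED
2022-09-15T21:09:30 j.doe PUSH_SENT
2022-09-15T21:09:55 j.doe PUSH_DENIED
2022-09-15T21:14:03 j.doe PUSH_SENT
2022-09-15T21:14:20 j.doe PUSH_APPROVED
"""


def parse_line(line):
    ts, user, event = line.split()
    return datetime.fromisoformat(ts), user, event


def detect_push_fatigue(lines, window=timedelta(minutes=30),
                        flood_threshold=5, min_denials=3):
    """Return alerts as (user, kind, count, timestamp) tuples.

    Two rules, each evaluated per user over a sliding time window:
      prompt_flood:           at least flood_threshold pushes sent in the window
      approval_after_denials: an approval preceded by >= min_denials denials
    """
    sent = defaultdict(deque)     # user -> PUSH_SENT timestamps inside window
    denied = defaultdict(deque)   # user -> PUSH_DENIED timestamps inside window
    flood_reported = set()        # report one flood per user per burst
    alerts = []

    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, user, event = parse_line(raw)
        # Evict events that fell out of the window.
        for q in (sent[user], denied[user]):
            while q and ts - q[0] > window:
                q.popleft()
        if event == "PUSH_SENT":
            sent[user].append(ts)
            if len(sent[user]) >= flood_threshold and user not in flood_reported:
                alerts.append((user, "prompt_flood", len(sent[user]), ts))
                flood_reported.add(user)
        elif event == "PUSH_DENIED":
            denied[user].append(ts)
        elif event == "PUSH_APPROVED":
            if len(denied[user]) >= min_denials:
                alerts.append((user, "approval_after_denials",
                               len(denied[user]), ts))
            # The burst ends once the user acts; reset so a later burst re-alerts.
            sent[user].clear()
            denied[user].clear()
            flood_reported.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second rule is the one worth paging on: an approval after a run of denials is the moment the help-desk call in the story succeeds, and it is invisible to tooling that only looks for malware.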
So this is quite depressing, but I don't know, maybe it's going to get more depressing even. So White was part of a group called Lapsus, but this is not the only group that is threatening your companies out there. Let's talk about who's threatening your companies. So who are the attackers coming from the internet? We've got ransomware, we've got APTs, and then we've got kids like White. The 15-year-old guy with fish. That picture actually got leaked by his enemies, I believe. So let's talk about ransomware shortly, because I think we can do a little heuristic here.
So ransomware actors attack you not because you are you, but because you have money. So if your security posture is well done, it's possible that they just check you out and move on if they can't hack you. They do whatever works for them. They don't do whatever needs to be done. This is different with APTs. Advanced Persistent Threats, I believe you heard that before. In this case, it's about you. They want to get your stuff. They want to get your information, your intellectual property. They want to disrupt your company, or they want to sabotage something.
They have lots of funds because they're state-funded most of the time. They have tools. They have custom malware, which they can use if they want to. And basically, if they got a boss telling them, hack these guys, then they will do that for as long as it takes, and they will get in.
Okay, so we got these two groups. This is fun. What else do we have? We have the kids. People think they look like this, but they actually look like this. This is a guy called Noah Michael Urban. He was apprehended by police in Florida, I think last year. He's a member of a group called Scattered Spider. We got lots of vendors who study this group because they've got some interesting things about them. I talked to some analysts, and they said, oh, they're the worst. This guy...
Oh, no. That's not...
Oh, yeah. Oh, yeah. I forgot the slide. The kids are interesting because they behave like APTs. They got limited funding. They don't have malware. They don't have money to spend. They can't really bribe people, but they've got unlimited time. Do you have kids? So they got lots of time on their hands, and if they talk to each other who they hack on some forum, and one gets in and the other one not, so they get bragging rights. So these kids, for example, stole a GTA trailer by a really big gaming company just to show it on the internet. So Scattered Spider...
Max, just for the fun of it, throw in there how they actually did that. The GTA stuff? Yeah. You do that. You're the hacker. Okay. The GTA stuff was done by the same guy we just showed, and he was already under police investigation, and he had no computer left. So he was in a hotel room, and he bought an Amazon Fire Stick and plugged it into the TV, and he hacked Rockstar Games from the TV. Cool. Yeah. Good guy. So the Scattered Spider group, they say they're the worst, and that's got to do with a recent development of that.
But so this group, they started out in, as far as we know, we don't know everything, but analysts monitor groups by hanging out in underground forums. And there's one forum called the Com, which is either Discord or Telegram or all of that. And they meet there to talk about SIM swapping, basically. So this is like the gateway drug of youth hackers now. SIM swapping where you get phone companies to give your number, no, someone else's number to you to get over MFA prompts. And I mean, the most easy and interesting way if you want to get money with SIM swapping is cryptocurrency.
So if you know someone who has crypto and has it protected by MFA, you get their number and not your keys, not your coins. So you get their coins. But if you hang around in a forum where people talk about SIM swapping to get great Instagram account names or hack music artists to get new unreleased music, you'll get to talk about other things, too. So in this forum, which Google and I think Palo Alto think could be between 500 and 1,000 people hanging out there, there are the guys who are recruiting promising young hackers to do more serious stuff.
And from estimates from some vendors and cybersecurity companies, it could be that Scattered Spider is actually just 6 to 10 guys. What they do is they do supply chain attacks, basically. And supply chain attacks for SIM swapping. They hacked Twilio, Mailchimp, T-Mobile, LastPass. But only as a starting point to be able to basically get every phone number they want at any time, which is really smart if you have the information about who has money. So from there, they go and steal a lot of crypto.
But recently, we had this development that they not only do that, but last year around this time, must be a little long ago, somebody called the Financial Times and told them, I'm Scattered Spider, and we just hacked MGM and Caesars, two big casinos in Las Vegas. One actually paid the ransom, $15 million, and the other one paid a lot more money. I think $100 million was what they told people that the attack cost. And what happened is basically what happened with Uber. The group did some recon and then called the IT help desk and talked them into resetting the password.
I think that was MGM, the one that didn't pay. And what it turned out to be was Scattered Spider, these young kids that know how to do SIM swapping, how to socially engineer people in the English-speaking world, teaming up with ALPHV, also known as BlackCat, which is a pretty notorious ransomware actor. So now we have this perfect combination of English-speaking young guys teaming up with notorious ransomware actors. Cool. So we've got APTs, ransomware, and we've got kids with APT, all out there to hack you. Isn't that fun? So what can we do about this? I don't know.
I think we should maybe talk to a hacker. Maybe ask around if there's a hacker. Do we have hackers in the room? Just raise your hands. I see one hand. That's amazing. One hand? That is one hand more than usually. You can come up if you want. But where could I find a hacker?
Oh, there's a hacker. So let's talk about this. I'm a company. I hear everything's bad out there. I want to secure my stuff. What do I do?
I mean, I heard there's great new technology out there. Do I just buy the best AI to secure my company? I think that triggers him.
Yeah, I'm sorry. He actually did. We had a few questions planned to get this started. This was not one of them, which I love about him. So always get your friends stressed in high-pressure situations.
Honestly, no, definitely not. There is some bad news and some good news here. It's always been like that. It's just like now this scene has come to light, and we talk about that a lot more. But it's always basically been like that. There's no new threats emerging. It's the same. We just have new names for them, or a lot of names.
And also, you don't need all this complicated technology. If you look at the hack that we showed, the piece of reality, what it actually came down to was there's a password stored in a share that everybody can see. And I don't do the occasional hacking. I hack every single day for six years or more now, contracted by companies. This is my daily life. It's always like that. It's always like that. It's always the basics. So the good news here is, no, you actually can do the basics yourself. But somebody has to do it, and it's a lot of grinding work.
But the good news is, again, it's not that pricey. You don't have to flip your whole company on the head. We do not need new quantum computers for us to actually have the idea. You talked about MGM Caesars. What happened there was it's always the same. It's just one compromised account of one poor person who just tries to do their job. And after that, there is no security anymore. After you're in the company, you just go through the shares. You find all the information. There's no monitoring anymore.
Most of the time, companies have no idea what they even have, because there's no asset management. And I know most of you will now look at me, and you will tell me, but we have all that. We have all that for years. We have all that for decades. My job always starts with that. And then I do my hack, and it turns out, not 100% of the time, that would not be honest, but 90, that's actually not true. You missed something. And this is always the case.
So no, you don't. Somebody has to do security. Somebody has to do the basics, the cleanup, to get these passwords out of the shares, know what people can actually access. Like why should somebody working in marketing have access to your shares from development? And the next thing is, understand what happens in your companies. If I just point a finger to somebody here and tell them, like, your contractor, insert name, was hacked yesterday. So now the question arises, what actually can they see? What are their accounts doing? What is their access? And how do we work that?
And these questions, they get asked constantly. And just cut in. Yeah.
So, but all these hacks, they started, like with MGM or Uber, they started with people getting prompts or whatever, and they accept them. If I were to train these people better, can I just not make everything secure? Yeah. Okay. I see where this is going. Loaded question. Imagine you have a nuclear power plant. And obviously a nuclear power plant, you have to have safety. Imagine in this nuclear power plant, Hans-Jörg van der Hasen is a guy working in your, I don't know, Department for License Management, and he spends a lot of time on LinkedIn.
And let's say he gets 50 LinkedIn messages a day. And if one malicious LinkedIn message gets through, your nuclear power plant gets a meltdown, explodes, everybody dies. You would have questions at this point. You would say, well, how could that happen? Where are your safeguards? Where is your multilayered structure defense? What is happening here? You would not say, oh my God, we have to train every single person living on planet Earth to never accept a malicious communication. So this outsourcing to the people on the front lines who are just doing their job, and they have actually no impact.
Because the guy who was phished on Uber, he has no idea that in the shares lies the password for everything. He doesn't know that. And even if he did, he couldn't change it. So awareness always starts on the top. So if you want to do phishing awareness, you do it for management. You talk about a process that a person is forced to accept 50 to 100 MFA prompts a day. Your process is bad. That's why I tell you it's a process hacking part. And I think we have to finish now. But this last point here, the help desk, that's not social engineering.
Somebody calls you with the number, the real number of the person working for you, and tells you, hey, I just have a presentation, but my laptop is locked in the car, and I need to access that now. Please, can you add this laptop so I can access the SharePoint for this presentation? That happens in companies a lot of the time, and that's a process. These people on the help desk have no idea that by doing that, there can be device code phishing in the back end, there can be connections to the tenants, there can be trust guest relationship on Microsoft Teams. They don't know that.
It's just a process that somebody decided on, but nobody ever asked the question, well, what can go wrong? Do we want that? What can happen? So you have to change the process. Time. Perfect. So I can say one thing about that. So I'm a journalist. I get lots of emails. I get emails by sources. I get emails by weirdos, but always there's links in there. Always there's PDFs.
If you told me I cannot open another PDF in my life, I cannot do my job, so you can't awareness train me, and if you want to do security right, because we're in the service industry here, we made this beautiful pyramid, and as you can see on top of that, the glowing bits, it's glowing because that's marketing, I believe, is all the stuff that you should probably do last, and down there at the bottom, it was a prompt. It was AI, and I said, give me a glowing cyber pyramid. This is what it came up with. And I want to have it on the record. I was against using that. I think it looks ugly. Okay.
So on the bottom there, you have all the stuff that you have to get right before you do any of the other stuff. You can take a picture.
It's free, and if you don't, you probably are already doing everything right. Thank you very much. I needed to take the free picture.
Yeah, so we're going to be hanging out there if anyone has questions because the Q&A, just no time. That's perfect. I have to say we are unfortunately running out of time for questions, but this was super interesting. I learned I probably need an Amazon Fire Stick for my next business travel, and I can confirm what you said about training and awareness. I did 52 sessions across all of our business lines and infrastructure on phishing. The questions I got during Q&A made me believe that we will never win that war around making people aware, so I fully agree. Thanks both. Good luck. Thank you.
Thank you.