Lazarus group, if you're reading this, please give us an autograph. It would be super cool to have. Also, tell Mr. Kim Jong Un we said "Hello"
You've successfully identified every phishing attempt made against you or your organization, but then just across the horizon you spot the phishing final boss.
https://[email protected]/8bzuupbz
August 2023 (version 1.82) of Visual Studio Code now supports Port Forwarding to allow easier access from Threat Actors.
inb4 Visual Studio Code as a C2?
Very cool
More information: https://code.visualstudio.com/docs/editor/port-forwarding
Let's talk about ransomware for a second.
Ransomware Threat Actors are opportunity driven. They do not have specific targets in mind. If you've got a dollar, they want it.
The reality of the matter, in the ransomware ecosystem, is that initial access brokering is cheap and affordable, so it is a worthwhile investment for ransomware affiliates to establish a good relationship with an initial access broker.
There is an initial access broker who will sell you roughly 1,000,000 misconfigured VPNs for $1,500. These 'misconfigured' VPNs typically will be companies that have accidentally set a VPN user login to something like 'test' as the username AND password. Although this may sound absurd, or unlikely, these are extremely common, as companies may simply overlook small errors. However, these misconfigured VPNs are not curated. Ransomware affiliates might have to spend weeks, or months, sorting through the list determining which of the companies discovered:
1. Have money
2. Do not violate the rules of the ransomware group
3. Have an insufficient security posture
4. Are outside the CIS (ex-Soviet countries).
This is often how ransomware groups collide with each other. Two different initial access brokers may have identified (or gotten access) to the exact same organization and then sold this identified vulnerable organization, or access, to two different ransomware groups. There have been stories where ransomware affiliates gain access, only to discover upon entry the organization has already been ransomed!
Companies that have correctly configured EDRs (and a dedicated blue team), a SOC, and good policy and/or asset control will defeat most ransomware affiliates. More often than not, if an affiliate encounters a company that has a good EDR, or hardened machines, they may simply abandon the target altogether (or sell it to a different ransomware operator) because it may not be worth their time. Metaphorically speaking, time is money to the Ransomware Threat Actor.
Regarding targets, there is another aspect often overlooked. Ransomware operators residing outside NATO often do not understand the culture or targets they have identified. For example, we have witnessed ransomware groups target public school systems, failing to understand how the United States allocates money for schools. They mistakenly believe tax-funded schools are rife with cash and simply do not believe negotiators when they say the victim doesn't have the money. They rely on publicly available information (often wrong information) from places like Wikipedia or ZoomInfo. They see big numbers and believe that these are the profit margins.
tl;dr if you very seriously want to defeat ransomware, security companies need to understand the financial limitations many organizations face. They do not have the money, or manpower, that larger companies have to combat an ever-evolving threat landscape.
NOTE: There are some caveats to this rant. Every ransomware affiliate will seek different avenues of gaining access. Blah, blah, blah.
Thanks for reading. Have a goodnight (or morning).
Roblox is a popular game for children. Roblox has also been a hunting ground for child predators for years now.
Instead of improving the safety of the young userbase that plays the game, CEO David Baszucki announced Roblox will be launching an official Roblox dating app.
Although this says "17+ verified people", we have little faith in Roblox.
Especially when Roblox sued YouTuber Ruben Sim (in an attempt to silence him) for becoming a whistleblower and exposing Roblox developer Arnold Castillo for his pedophilia
https://www.justice.gov/usao-sdin/pr/new-jersey-man-federally-charged-enticement-minor-and-interstate-transportation-minor
Vodafone Ireland Twitter account compromised and they gave us a shout-out from it
https://twitter.com/VodafoneIreland/status/1700519265940508690
Our giveaway winners are beginning to receive their books
"To get into malware development do I need to learn how to code?"
Uhhhhhhhhhhhhhh
No, you don't need to learn how to code. Most malware can be assembled by visiting your local toy store and purchasing a Lego Malware Development Kit.
The attached image is a never seen before photo of Conti ransomware group making their first ransomware variant.
We will gift free vx-underground swag to the first person to write malware in MATLAB. MATLAB supports invocation of WINAPI functions by invoking loadlibrary.
- Must be open source
- Windows ONLY
- Code must work (compiled as .exe)
- Basic malware, nothing fancy, no ransomware
NOTE: We have never seen malware written in MATLAB before. And, to the best of our knowledge, no vendor has written a report on this. It'll be something truly special!
*We don't have any papers on MATLAB in our 15,000+ malware analysis papers...