Updates to vx-underground:
Malware collections:
- InTheWild.0128
- Bazaar.2024.06
- Virussign.2024.07.03
- Virussign.2024.07.04
- Virussign.2024.07.05
- Virussign.2024.07.06
- Virussign.2024.07.07
- Virussign.2024.07.08
- Virussign.2024.07.09
- Virussign.2024.07.10
- Virussign.2024.07.11
- Virussign.2024.07.12
Administrative:
- Black Mass Volume III is being developed
- Large addition of malware papers in queue
- The new Eminem album is almost not bad
Malware collections:
- InTheWild.0128
- Bazaar.2024.06
- Virussign.2024.07.03
- Virussign.2024.07.04
- Virussign.2024.07.05
- Virussign.2024.07.06
- Virussign.2024.07.07
- Virussign.2024.07.08
- Virussign.2024.07.09
- Virussign.2024.07.10
- Virussign.2024.07.11
- Virussign.2024.07.12
Administrative:
- Black Mass Volume III is being developed
- Large addition of malware papers in queue
- The new Eminem album is almost not bad
β€30π4β€βπ₯3π₯°3π3π2π’1π1
Xitter is currently experiencing technical difficulties following the attempted assassination of Donald J. Trump.
π₯83π€―45π€23π±14π€£9β€7π₯°4π3π3π«‘2π’1
Today is the day of rest.
We hope all of you have had a good week.
We'll see all of you tomorrow morning.
We hope all of you have had a good week.
We'll see all of you tomorrow morning.
β€75π12β€βπ₯11π₯°6π4π’1π€1
We've seen a lot of people discussing the Disney compromise. Let's talk about it.
tl;dr prolly data stealer, not insider threat, leak is real but not going to destroy walt disney
First, the individual(s) who take credit for the compromise allege they had help from an insider. We don't believe this to be true. When the Threat Actor(s) asserted they received insider help, they also openly distributed this individuals PII β including medical information. This is not indicative of an Insider Threat. A Threat Actor(s) weaponizing an Insider Threat is going to bleed their insider dry (e.g. more data) and an Insider Threat is (probably) going to remain anonymous. Very rarely is an Insider Threat going to openly operate under their real identity (unless they're happy to get raided).
Secondly, and regarding the data, we have not reviewed the data. It's over 1TB of Slack conversations and we're not going to pull all of that. But, while there is indeed a leak, 1TB of Slack conversations isn't necessarily going to result in the downfall of the Disney corporation. Any involuntary disclosure of information is bad, but Slack conversations will primarily be project discussion, meeting scheduling, and generic day-to-day work-related conversations. Following the leak we have not seen any evidence of damaging information disclosure β no Star wars films, no video games, no unreleased content, etc.
Third and finally, if this was the result of an Insider Threat, more information would be disclosed. Not Slack conversations. You would expect Jira data, or source code, or hidden secrets, or something other than people chatting.
Our guess is that this Disney employee was hit by an Information Stealer. Their Slack session was stolen, or some stored credentials locally which do not require MFA was stolen. This is sufficient enough to scrape data. If this data was indeed a result an Insider Threat β they did a terrible job as an Insider Threat because nobody cares about work banter.
tl;dr prolly data stealer, not insider threat, leak is real but not going to destroy walt disney
First, the individual(s) who take credit for the compromise allege they had help from an insider. We don't believe this to be true. When the Threat Actor(s) asserted they received insider help, they also openly distributed this individuals PII β including medical information. This is not indicative of an Insider Threat. A Threat Actor(s) weaponizing an Insider Threat is going to bleed their insider dry (e.g. more data) and an Insider Threat is (probably) going to remain anonymous. Very rarely is an Insider Threat going to openly operate under their real identity (unless they're happy to get raided).
Secondly, and regarding the data, we have not reviewed the data. It's over 1TB of Slack conversations and we're not going to pull all of that. But, while there is indeed a leak, 1TB of Slack conversations isn't necessarily going to result in the downfall of the Disney corporation. Any involuntary disclosure of information is bad, but Slack conversations will primarily be project discussion, meeting scheduling, and generic day-to-day work-related conversations. Following the leak we have not seen any evidence of damaging information disclosure β no Star wars films, no video games, no unreleased content, etc.
Third and finally, if this was the result of an Insider Threat, more information would be disclosed. Not Slack conversations. You would expect Jira data, or source code, or hidden secrets, or something other than people chatting.
Our guess is that this Disney employee was hit by an Information Stealer. Their Slack session was stolen, or some stored credentials locally which do not require MFA was stolen. This is sufficient enough to scrape data. If this data was indeed a result an Insider Threat β they did a terrible job as an Insider Threat because nobody cares about work banter.
π56π13π€£6β€2π€2π«‘2π1π’1
We're seeing people on Xitter discuss being approached by brands and companies β offering them thousands of dollars for a single tweet.
This is absolutely disgusting. Why aren't we being approached?
The only people offering us large sums of money are criminals πππ
This is absolutely disgusting. Why aren't we being approached?
The only people offering us large sums of money are criminals πππ
π€£122π«‘17π6π4π’3π1
vx-underground
We're seeing people on Xitter discuss being approached by brands and companies β offering them thousands of dollars for a single tweet. This is absolutely disgusting. Why aren't we being approached? The only people offering us large sums of money are criminalsβ¦
This media is not supported in your browser
VIEW IN TELEGRAM
"Can I advertise our drainer?"
"Can I advertise my new Breached-like forum?"
"Can I advertise my Infostealer?"
Bro, we're probably on every watchlist on the planet. The very nanosecond we took dirty money we'd hear helicopters and the "COPS" theme song.
"Can I advertise my new Breached-like forum?"
"Can I advertise my Infostealer?"
Bro, we're probably on every watchlist on the planet. The very nanosecond we took dirty money we'd hear helicopters and the "COPS" theme song.
π€£133π«‘14π8π―7β€2π1π1π’1
This media is not supported in your browser
VIEW IN TELEGRAM
dulge πππ
β€57π€£37π₯15π’3π€3π€3π«‘2β€βπ₯1π€1
There's a cool and badass cybersecurity conference taking place in Amsterdam, the Netherlands on September 5th. It is called OrangeCon
Tickets are cheaper for students.
We weren't paid to bring attention to this conference, but we wish we were.
https://orangecon.nl/
Tickets are cheaper for students.
We weren't paid to bring attention to this conference, but we wish we were.
https://orangecon.nl/
π€49π13π€£8β€βπ₯7π―6π3
vx-underground
There's a cool and badass cybersecurity conference taking place in Amsterdam, the Netherlands on September 5th. It is called OrangeCon Tickets are cheaper for students. We weren't paid to bring attention to this conference, but we wish we were. https://orangecon.nl/
This was almost a paid advertisement
(we said no because we have no problem giving smaller conferences publicity)
(we aren't financially motivated)
(we said no because we have no problem giving smaller conferences publicity)
(we aren't financially motivated)
π69β€βπ₯24π―11β€7π€―6π3π2π€£2π1π«‘1
This media is not supported in your browser
VIEW IN TELEGRAM
Dulgex making fire for x64dbg
(x64dbg is gangsta af fr fr ong)
(x64dbg is gangsta af fr fr ong)
β€53π₯38π€£16β€βπ₯8π€3π’2π―2
vx-underground
Currently exploring some COM stuff β found a cute trick to read registry keys. The COM interface expects a WCHAR string (BSTR). But then... it converts it to a CHAR string to invoke RegQueryValueExA
You can do some goofy stuff and run a executable with it (wraps to ShellExecuteEx)
https://pastebin.com/raw/V1jmkp39
https://pastebin.com/raw/V1jmkp39
π24π3π1
vx-underground
You can do some goofy stuff and run a executable with it (wraps to ShellExecuteEx) https://pastebin.com/raw/V1jmkp39
The coolest part is the existence IWshShell, IWshShell2, and IWshShell3. All of them the exact same, except each one has an extra method present. IWshShell3 exposes an Exec method which is almost identical to IWshShell::Run
π25β€βπ₯7π2π€£1
This media is not supported in your browser
VIEW IN TELEGRAM
Microsoft is being criticized (again) because Administrator-to-Kernel mode execution is not considered a security boundary.
Researchers noted that home users, who often run as administrator, could be a victim of this lack-of security boundary.
Researchers asked Microsoft why?
Researchers noted that home users, who often run as administrator, could be a victim of this lack-of security boundary.
Researchers asked Microsoft why?
π59π€£32β€βπ₯7π3π€1π€―1π’1
This media is not supported in your browser
VIEW IN TELEGRAM
The x10 software engineer skit by KaiLentit
β€62π€£10π7π6π€4π₯°2π’1