Today BianLian ransomware group claimed to have ransomed the Better Business Bureau
🧐🧐🧐🧐🧐
No major updates, news, or memes. Right now we're very busy (that's a lie, we're just being lazy)
Facebook is flooded with actual garbage AI bait posts. We don't understand how these images are so popular (and believed to be real)
If you like embedded security, ICS security, automotive security, etc. you can go to RST CON
RST CON is being held this year in Savannah, Georgia, USA September 13th - September 15th
Get 10% off tickets with code vxunderground
*we're not getting paid for this, just a discount
Unless Lockbit ransomware group ransomed something small in the Federal Reserve, like maybe Lockbit took down their coffee machine and they can't watch anime or something (we don't know what the staff at the Federal Reserve actually do)
> wake up
> check e-mail
> asked to sponsor cybersecurity conference
We love you for thinking about us. But you're basically asking a homeless person for $10,000+. It could be the other way around, we should be asking you to sponsor us.
Ransomware operators celebrating another healthcare facility being ransomed (they said it's the hospital's fault, not theirs)
rari_teh and Skejeton found an ultra rare false-positive
Creating a file with the string "This content is no longer available." is flagged by Windows Defender. It's a SHA256 collision with an actual malware sample.
The probability of a SHA256 collision is 4.3*10^60.
There is a higher probability of an asteroid crashing into the planet and causing a mass extinction.
Note: he doesn't know us, we don't know him or his team. Our website is sketchy to non-malware people.
We don't see this as insulting. But, it's funny seeing him say this for liability sake – he doesn't want one of his followers detonating ransomware and then blaming him 😂😂
Kaspersky and all of its subsidiaries, affiliates, or parent companies are forbidden from selling in the United States starting July 20th.
They can provide updates to existing customers until September 29th.
More information: https://www.washingtonpost.com/business/2024/06/21/kaspersky-banned-us-antivirus-russia/
Correction: our previous post about the compromise of the Los Angeles Unified School District may be a result of a compromise from Vice Society ransomware group in 2022. During that compromise from Vice Society we did not review the data, hence we cannot confirm if the data is new or old.
tl;dr may be recycled leak, could be new leak, we don't know but the data is still bad news.
June 11th a Microsoft engineer accidentally leaked 4GB of Microsoft PlayReady internal code. It was leaked on the Microsoft Developer Community. The leak includes:
- WarBird configurations
- WarBird libraries for code obfuscation functionality
- Libraries with symbolic information related to PlayReady
Researchers from AG Security Research Lab were able to successfully build the Windows PlayReady dll library from the leaked code. Interestingly, they were assisted because on the Microsoft Developer Community forum a user also provided step-by-step instructions on how to begin the build process.
Also, interestingly, the Microsoft Symbol Server doesn't block requests for PDB files corresponding to Microsoft WarBird libraries, which inadvertently leaks more information.
Adam Gowdiak of AG Security Research Lab reported the issue and Microsoft removed the forum post. However, as of this writing, the download link is still active.
File listing is below. Forum screenshots are attached. All information discovered by AG Security Research Lab.
File listing: https://pastebin.com/raw/i65qfd2z
Apologies – was testing something on Telegram. I'm sorry if that sent out a broadcast message.
Today, Julian Assange made a plea deal with the US government. Assange will plead guilty to a felony charge for his role in a major breach of classified material, receiving a 62-month sentence already served, allowing him to return to Australia. Note: The plea deal must be approved by a federal judge.
You can now have ARM and x64 in the same process. Thank you, Microsoft. You continue to introduce new ways for us to explore malware capabilities.
https://learn.microsoft.com/en-us/windows/arm/arm64ec
Yesterday Lockbit ransomware group claimed to have ransomed the United States Federal Reserve.
1. Doubt
2. If Lockbit ransomware group actually ransomed the United States Federal Reserve it would be DEFCON 2 and the administrators would need to worry about a drone strike
CDK Global outage officially attributed to BlackSuit ransomware group.
That's interesting.
More information: https://www.bleepingcomputer.com/news/security/cdk-global-outage-caused-by-blacksuit-ransomware-attack/
Greets
We're still watching the CDK Global situation – some CDK Global customers submitted precautionary SEC 8-K forms. ZachXBT and other cryptocurrency nerds are discussing the theft of $54,000,000 from BtcTurk.
Please, no more chaos. We're busy this weekend 🙏
Correction: the files submitted also contain the string "This content is no longer available.".
However, changing the file extension to .rar, .mp4, etc. results in a false positive, and the file gets flagged as spyware (???)
Shoutout to Coin for spotting this.
Companies when they discover cybersecurity isn't a buzzword, they've become a victim of ransomware, and it's causing damage on an international scale
Today on Linus Tech Tips' WAN show, Linus mentions that he and his team purchased a vx-underground hard drive.
Subsequently, he calls us sketchy, states he doesn't know us, and he cannot recommend us to his followers.
😭😭😭😭😭
Today AnyRun App Sandbox announced they were compromised
No customer data was stolen, no production environment is impacted
tl;dr Threat Actor phished a customer, then used the phished customer's account to phish an AnyRun employee
More information:
https://x.com/anyrun_app/status/1804157392935870466
Today a Threat Actor operating under the moniker "Satanic" claimed to have compromised the Los Angeles Unified School District.
This data includes 24,000,000 records on students, past and present, and information on over 24,500 employees (primarily educators). The information leaked also contains information on the parents.
'Satanic' released a sample of the data. The data appears to be authentic. The authenticity of the data is terrifying because it contains information on children who are currently enrolled in elementary school – with children in K - K5, meaning some of the individuals listed could be as young as 5 years old. On initial review of the sample data released we discovered records on a person who is 9 years old (coupled with information on the child's parents).
Listing every column in the database would be exhaustive. Here is a summary:
- Student ID
- Student Full Legal Name
- Student Preferred Name
- Parent(s) Full Names
- Parent(s) E-mail
- Parent(s) Phone Number
- Child Address(es)
- Grade
- Ethnicity
- Gender
- Poverty (boolean flag)
- Homeless (boolean flag)
- Foster (boolean flag)
- Graduated (boolean flag)
- Primary Language Spoken
- Student Photo
- Migrant (boolean flag)
- Special education (boolean flag)
- Transportation Type
- Home Longitude and Latitude (???)