Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.
New research indicates that over 80,000 Hikvision surveillance cameras in the world today are vulnerable to an 11 month-old command injection flaw.
Hikvision – short for Hangzhou Hikvision Digital Technology – is a Chinese state-owned manufacturer of video surveillance equipment. Their customers span over 100 countries (including the United States, despite the FCC labeling Hikvision “an unacceptable risk to U.S. national security” in 2019).
Last Fall, a command injection flaw in Hikvision cameras was revealed to the world as CVE-2021-36260. The exploit was given a “critical” 9.8 out of 10 rating by NIST.
Despite the severity of the vulnerability, and nearly a year into this story, over 80,000 affected devices remain unpatched. In the time since, the researchers have discovered “multiple instances of hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability,” specifically in Russian dark web forums, where leaked credentials have been put up for sale.
The extent of the damage done already is unclear. The authors of the report could only speculate that “Chinese threat groups such as MISSION2025/APT41, APT10 and its affiliates, as well as unknown Russian threat actor groups could potentially exploit vulnerabilities in these devices to fulfill their motives (which may include specific geo-political considerations).”
The Risk in IoT Devices
With stories like this, it’s easy to ascribe laziness to individuals and organizations that leave their software unpatched. But the story isn’t always so simple.
According to David Maynor, senior director of threat intelligence at Cybrary, Hikvision cameras have been vulnerable for many reasons, and for a while. “Their product contains easy to exploit systemic vulnerabilities or worse, uses default credentials. There is no good way to perform forensics or verify that an attacker has been excised. Furthermore, we have not observed any change in Hikvision’s posture to signal an increase in security within their development cycle.”
A lot of the problem is endemic to the industry, not just Hikvision. “IoT devices like cameras aren’t always as easy or straightforward to secure as an app on your phone,” Paul Bischoff, privacy advocate with Comparitech, wrote in a statement via email. “Updates are not automatic; users need to manually download and install them, and many users might never get the message. Furthermore, IoT devices might not give users any indication that they’re unsecured or out of date. Whereas your phone will alert you when an update is available and likely install it automatically the next time you reboot, IoT devices do not offer such conveniences.”
While users are none the wiser, cybercriminals can scan for their vulnerable devices with search engines like Shodan or Censys. The problem can certainly be compounded with laziness, as Bischoff noted, “by the fact that Hikvision cameras come with one of a few predetermined passwords out of the box, and many users don’t change these default passwords.”
Between weak security, insufficient visibility and oversight, it’s unclear when or if these tens of thousands of cameras will ever be secured.
Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.
After a recent dip, ransomware attacks are back on the rise. According to data released by NCC Group, the resurgence is being led by old ransomware-as-a-service (RaaS) groups.
With data gathered by “actively monitoring the leak sites used by each ransomware group and scraping victim details as they are released,” researchers have determined that Lockbit was by far the most prolific ransomware gang in July, behind 62 attacks. That’s ten more than the month prior, and more than twice as many as the second and third most prolific groups combined. “Lockbit 3.0 maintain their foothold as the most threatening ransomware group,” the authors wrote, “and one with which all organizations should aim to be aware of.”
Those second and third most prolific groups are Hiveleaks – 27 attacks – and BlackBasta – 24 attacks. These figures represent rapid rises for each group – since June, a 440 percent rise for Hiveleaks, and a 50 percent rise for BlackBasta.
It may well be that the resurgence in ransomware attacks, and the rise of these two particular groups, are intimately connected.
Why Ransomware Has Bounced
Researchers from NCC Group counted 198 successful ransomware campaigns in July – up 47 percent from June. Sharp as that incline may be, it still falls some ways short of the high-water mark set this Spring, with nearly 300 such campaigns in both March and April.
Why the Flux?
Well, in May, the United States government ramped up its efforts against Russian cybercrime by offering up to $15 million for prized information about Conti, then the world’s foremost ransomware gang. “It is likely that the threat actors that were undergoing structural changes,” the authors of the report speculated, “and have begun settling into their new modes of operating, resulting in their total compromises increasing in conjunction.”
Hiveleaks and BlackBasta are the result of that restructuring. Both groups are “associated with Conti,” the authors noted, Hiveleaks as an affiliate and BlackBasta as a replacement strain. “As such, it appears that it has not taken long for Conti’s presence to filter back into the threat landscape, albeit under a new identity.”
Now that Conti’s properly split in two, the authors speculated, “it would not be surprising to see these figures further increase as we move into August.”
To exploit the vulnerabilities so they can then be repaired, ethical hacking identifies weaknesses in computer systems or networks. Hackers exploit a range of methodologies to identify dangers and eventually enhance safety. They can break into networks or computers using Linux-based operating systems. To stop cybersecurity threats, there are various applications. The field of hacking is highly broad and includes a wide range of activities.
In the modern cyber world, several types of attacks take place per hour. A hacking operating system is the most fundamental tool needed by any hacker. The Linux kernel typically serves as the foundation for operating systems that specialize in hacking.
These best OS for hacking are cutting-edge functioning systems because they come with several ethical hacking and penetration testing capabilities.
What is Ethical Hacking?
In revealing potential data breaches and network risks, ethical hacking is a legitimate method that involves finding flaws in an application, system, or organization’s infrastructure and getting beyond system security. In order to find vulnerabilities that harmful hackers can exploit or eliminate, ethical hackers search the system or network. It may secure the data to wedge attacks or neutralize them.
In addition to assessing the system’s defences, the enterprise that controls the system or network permits Cyber Security professionals to carry out such actions. Therefore, this process is planned, approved, and—more importantly—legal, in contrast to malicious hacking.
Of course, there are many different factors to consider in this precise and frequently lengthy system. Integrating the best operating system for hacking can enhance the efficiency and effectiveness of ethical hacking endeavors. An ethical hacker also referred to as a white-hat hacker will search for vulnerabilities using a variety of techniques. Additionally, they will carry out several other activities related to general cyber security. This may consist of:
Identifying weaknesses
Testing for penetration
Collecting information regarding entry points
Infrastructures being scanned for weaknesses
Exploiting flaws to gain access to systems and networks
Concealing their presence and avoiding detection
Putting together analyses and reports for the attempts
Let’s discuss the leading operating systems for ethical hacking in 2024, equipped with robust tools, specifications and features.
1. Kali Linux
XDA Developers
It is the most widely used ethical hacking OS. It is a Debian-based Linux – based operating system developed for penetration testing and digital forensics. It is financed and maintained by Offensive Security Ltd. The greatest and most widely used operating system for hackers is Kali Linux. It includes the first Nexus device open-source Android penetration test. The forensic mode is another excellent feature of the Kali Linux operating system.
Features:
Testing for penetration is possible.
Both a 32-bit and 64-bit version of this platform is available.
Kali Linux can be updated.
This OS supports complete disc encryption.
The network-based Kali Linux installation can be easily automated and customized.
Support for live USB installations.
Forensic work can be done using its forensics mode.
System Requirements:
2 GB of RAM
20 GB of disk space
32- or 64-bit CPU (single-core) with 2 GHz speed or better
High-definition graphics card and monitor
Broadband internet connection
2. Parrot Security OS
To give ethical hackers the best-in-class experience of penetration and security testing in real-world systems, Parrot Security OS is built on Debian GNU/Linux and integrated with the Frozen box OS and Kali Linux. Additionally, the Frozen box team intends to use it to offer vulnerability evaluation and mitigation, computer forensics, and anonymous Web browsing.
Kali repositories are used by Parrot Security OS for a variety of package updates and to include new tools.
Features:
It is offered as resource-constrained, lightweight software.
The source code is available for reading and modification.
Offers assistance from professionals to aid you with cybersecurity.
The distributed infrastructure of this hacker OS includes dedicated CDNs (Content Distribution Network).
This operating system can be shared with others.
System Requirements:
There is no need for graphic acceleration.
RAM must be at least 320MB.
It needs a dual-core CPU running at least at 1GHz.
It can boot in legacy and UEFI modes as well
The operating system installation requires at least 16GB of hard disc space.
3. DEFT Linux
The Hacker News
Digital Evidence and Forensic Toolkit, or DEFT, is an open-source Linux distribution. It is constructed around the DART (Digital Advanced Response Toolkit) software and is based on Ubuntu. It includes numerous well-known forensic tools and files that are useful to ethical hackers, penetration testers, IT security experts, and other people.
Features:
It is based on the Lubuntu system and includes free penetration testing and digital forensics software.
Complete support for logical acquisitions in iOS 7.1, Android, and Bitlocker-encrypted drives.
Digital Forensics Framework 1.3
System Requirements:
A 200 MHz X86 CPU and 128 MB of RAM are the minimal requirements.
Since DEFT Zero is a Live MODE edition and is based on Lubuntu, it takes a unique approach.
4. Samurai Web Testing Framework
Samurai Web Testing Framework is essentially a live Linux system that is already set up to function as a platform for web pen-testing. The framework includes a variety of open source and free hacking tools for finding weaknesses in websites. For web penetration testing, it is frequently referred to be the ideal operating system.
Features:
Samurai Web Testing Framework is an open-source project that focuses on exploiting websites.
It has already been set up for web pen-testing.
Features that can be used to target the website for the attack.
It includes tools like WebScarab (a tool for evaluating web security applications) and ratproxy (a program for running a web proxy server).
System Requirements:
2 GB of RAM
20 GB of disk space
32 or 64-bit CPU (single core) with 2 GHz speed or better
5. NodeZero Linux
NodeZero is a free and open-source Linux distribution for penetration testing that uses the Ubuntu repositories for updates. It includes a collection of fundamental services that are necessary for performing a variety of tasks, together with more than 300 penetration testing tools. The dual-arch live DVD ISO image of the Linux distribution, which supports both 32-bit and 64-bit computing architectures, is available for download.
Features:
System memory diagnostic tests
Hard disk booting
Install direct
Safe mode booting
Text-mode or debug mode
System Requirements:
2 CPU (physical or virtual)
8GB RAM
20 GB free HDD space
6. Linux Kodachi
Based on Ubuntu 18.04.6, the Linux Kodachi operating system will give you a private, non-forensic, and anonymous operating system that includes all the characteristics that someone who cares about privacy would need to be secure.
Kodachi is incredibly simple to use; all you need to do is boot it up on your computer using a USB drive, at which point you should have a fully functional operating system with established VPN and Tor connections as well as an active DNScrypt service.
Features:
Automatic connection to a VPN (all network traffic)
Automatic connection to the Tor network (browser traffic)
Automatic DNS encryption
System Requirements:
2 CPU (physical or virtual)
8GB RAM
20 GB free HDD space
7. Blackarch Linux
Medium
It is an Arch Linux-based best distro for hacking and for penetration testers and security researchers. It is regarded as the best OS for hacking distribution for security researchers to use to undertake application-based and web security testing because it comes with over 1,600 tools. It is a serious rival to Kali Linux and Backbox in terms of tool diversity and usability.
Features:
Several window managers in a live ISO. Blackarch gets out of the way so users can complete their tasks without interruptions
Different architectures are supported
An installer that supports source-based construction
More than 1800 tools
Install the packages one at a time or in groups
System Requirements:
2Ghz Quad-Core Processor.
6 GB Random Access Memory (RAM)
50 GB Disk Space.
High-definition graphics card.
8. Network Security Toolkit (NST)
On both 32-bit and 64-bit platforms, the Network Security Toolkit Linux distribution is based on Fedora. The goal of this bootable live CD was to give you access to the top open-source network security tools for penetration testing. This user-friendly hacking distribution turns x86 PCs through an ethical hacking tool that may be used for network traffic sniffing, intrusion detection, network packet creation, network/host scanning, etc.
Features:
Multi-Tap Network Packet Capture
Web-Based Network Security Tools Management
Host/IPv4 Address Geolocation
Network/System Monitoring
Network Intrusion Detection
Network Interface Bandwidth Monitor
Web-based Snort IDS Integration
Active Connections Monitor
System Requirements:
A i686 or x86_64 compatible CPU (Core 2 series or later)
At least 512MB of RAM (we recommend at least 1024MB if you want to use a graphical desktop)
A DVD drive and BIOS capable of booting from a DVD
A supported Ethernet (NIC) Adapter or WIFI card
9. BugTraq
For in-depth analysis and notification of software security vulnerabilities, BugTraq is a clarification mailing list. The foundation of the global security community on the Internet is BugTraq. It is the best OS for penetration testing.
Features:
A wide range of pentesting tools are available on Bugtraq, including mobile forensic tools, virus testing labs, tools created by the Bugtraq-Community
audit tools for GSM,WIFI, Bluetooth, and RFID
integrated Windows tools
ipv6-focused tools, and standard forensics and pentesting tools.4
System Requirements:
1GHz x86 processor.
512 MB of system memory (RAM)
15 GB of disk space for installation.
Graphics card capable of 800×600 resolution.
DVD-ROM drive or USB port.
10. Cyborg Hawk Linux
The most sophisticated, potent, and still stunning penetration testing distribution ever made. lined up with the best tools for professional ethical hackers and cyber security specialists.
Utilize Cyborg to streamline security throughout your IT infrastructure. It is true power stems from the knowledge that a tester needs a powerful and effective system, one that gains from a robust variety of tools and is combined with a stable Linux environment.
Features:
Includes over 750 penetration testing tools
Cyborg Hawk is and always will be completely free
Has the capacity to be utilised as a live operating system
Mobile Security, Wireless Security, Forensics, Stress Testing, Reverse Engineering, and Exploitation Toolkit
Full support for virtual machines. Version 1.1
It now has a repository of its own
Stable and dependable
Support for a range of wireless devices
Everything is in its proper position and the menu is well organised
An injected kernel that was patched
System Requirements:
Memory: 4 GB.
Graphics Card: NVIDIA GeForce 510.
CPU: Intel Core 2 Duo E8400.
11. Live hacking OS
Several tools and programmes enabling ethical hacking, penetration testing, and mitigation verification are included in the Linux distribution Live Hacking.
This “Live DVD” for Ubuntu runs directly off the DVD without requiring it to be installed on the hard drive. Again, when the system has booted, you may use the included tools to test, verify, ethically hack, and carry out penetration testing under your own system to make sure it is protected from external intrusions.
Features:
There are two variations of it.
The first is a command-line operating system with quick setup and minimal hardware needs.
The GNOME desktop environment is included in the second edition to provide a more graphical user interface.
System Requirements:
A fast Pentium 3 or any Pentium 4 class processor.
For the desktop version 512MB of memory is required with 1GB recommended.
For the command line version just 128MB of memory is needed.
12. BackBox Linux
BackBox is a Free Open-Source Community Project that aims to improve and secure the IT environment by fostering a culture of security. It is more than just an operating system for ethical hacking. All of this while utilizing only Free Open-Source Software, showcasing the Community’s strength and promise.
Features:
It aids in tasks like vulnerability analysis and computer forensics.
Design carefully to eliminate duplication.
It uses the fewest resources possible from your machine.
This hacker operating system offers a user-friendly desktop setting.
allows you to practise attacking a network or application.
It provides both speed and stability.
System Requirements:
A 32-bit or 64-bit processor.
512 MB of system memory RAM (256 MB in case there will be no desktop manager usage and only the console)
4.4 GB of disk space for installation.
13. Pentoo
Pentoo is a Live CD and Live USB created for security analysis and penetration testing. Pentoo Linux, which is based on Gentoo Linux, is offered as a 32- and 64-bit installable liveCD.
Features:
Both 32-bit and 64-bit versions are accessible
Wi-Fi drivers with packet injection patches
Support for secure boot is included in full UEFI
CUDA/OpenCL program for enhanced cracking
Kernel 4.17.4 with all necessary injection patches
several tools for hacking and pentesting
System Requirements
1GHz x86 processor.
512 MB of system memory (RAM)
15 GB of disk space for installation
Graphics card capable of 800×600 resolution
DVD-ROM drive or USB port
14. Blackbuntu
Specifically created for information security professionals and students, the penetration testing distribution is based on Ubuntu.
Features:
It is built using Gnome 2.32.0, Linux 2.6.39, and Ubuntu 10.10.
Only systems with the 64-bit (x86 64) instruction set architecture can run BlackBuntu.
System Requirements:
1GHz x86 processor
768 MB of system memory (RAM)
10 GB of disk space for installation
Graphics card capable of 800×600 resolution
DVD-ROM drive or USB port
What are the Key Concepts of Ethical Hacking?
Four fundamental protocol principles followed by hackers are:
Be lawful: Before entering and conducting a security evaluation, get the necessary approval.
Establish the scope: Establish the assessment’s parameters to ensure that the ethical hacker’s work is legal and within the organization’s permitted restrictions.
Inform about vulnerabilities: All vulnerabilities found even during evaluation should be reported to the organization. Give suggestions for repairing these vulnerabilities.
Be sensitive to data: Cybersecurity professionals may need to accept a non-disclosure agreement in addition to other terms and conditions requested by the evaluated firm, depending on how sensitive the data is.
The Preferred Operating Systems of Professional Hackers
According to claims of high-risk hacking, some hackers use Microsoft Windows to remain undetected. Since Windows is a popular target for hackers, they must employ Windows-only environments in order to use Windows-based malware, the.NET framework, Trojans, or viruses. Hackers create a lightweight bootable ghost image that cannot be traced back to them using inexpensive disposable laptops that buy off Craigslist. These computers include unique SD card and USB ports that, if necessary, are simple to trash, bury, or even ingest.
Several attackers go above and above by adding additional readable storage for operating system read-only divisions and restricted persistent local storage. Some, the worried kind, go even further and include a hotkey panic button for instant RAM cleaning.
A compact, encoded SD card is produced with the bootable OS ghost image. The laptop burner is then methodically separated and discarded. The physical destruction of the RAM, hard drive, and network card is given particular care by the hackers. Such computers are occasionally destroyed with a blowtorch or a sledgehammer.
Ethical Hacker Skills and Certifications
Broad computer expertise is necessary for an ethical hacker. They frequently specialize in one aspect of the ethical hacking field, becoming subject matter experts (SME)
All ethical hackers need to possess:
Proficiency with scripting languages
Linux Skills
Technical Expertise
Expertise with operating systems
Profound understanding of networking
Strong basis in information security principles.
The Cyber Security certification has focused on the latest security threats and advanced attack vectors with a practical real-time demonstration of the new hacking techniques. This will boost your career and help you change the meaning of hacking for the world!
The following are some of the most well-known and obtained certifications:
Students learn about current hacking methods, exploits, security trends, possible attacks, and how to use professional tools to compromise systems in CEHv11 successfully.
2. Offensive Security Pen 200 (OSCP)
The foundational training for utilizing the Kali best Linux OS for hacking offered by Offensive Security is called Penetration Testing with Kali Linux (PEN-200).
The user’s emphasis is on practical learning instead of merely lectures and academic study, and its “Try Harder” campaign promotes both critical thinking and problem-solving.
You’ll need a firm foundation in network theory, and knowledge with Windows, Linux, and Bash/Python will be helpful.
3. GIAC Penetration tester
Another certification offered in the area of ethical hacking is SANS GPEN. The most well-known certification offered by the SysAdmin, Networking, and Security (SANS) institute is the GIAC Penetration Tester (GPEN). It mostly discusses in-depth technical techniques for verifying from reporting and scoping onward.
4. SEC542: Web App Penetration Testing and Ethical Hacking
SEC542, which emphasizes on testing and ethical hacking of enterprise online applications, is an additional choice from the SANS Institute to take into account.
The main objectives of SEC542 are to teach participants how to identify web explanation vulnerabilities, how to exploit them, and what tools and strategies attackers can employ to infiltrate this kind of software.
5. CREST
The CREST certification exams and programs are widely recognized in numerous nations. The UK, Europe, Asia, and Australia are some of these nations. This exam aids in recognizing and instructing qualified pen testers. This non-profit organization serves the needs of a technical information security market that calls for the assistance of a controlled and organized services sector.
Within the international technical cyber security sector, CREST supports the development of high-quality expertise, competence, and reliability.
Looking to boost your ITIL knowledge? Join our unique and engaging ITIL Foundation Classes! Discover the secrets of IT service management in a catchy and concise way. Don’t miss out on this opportunity to enhance your skills. Enroll now!
Conclusion
I hope this article will help you in selecting the best OS for ethical hacking. It’s intriguing to explore the area of ethical hacking and penetration testing. There has never been a better time to master ethical hacking for people who are interested in this area of computer security. As the cost of cyberattacks rises, there will undoubtedly be an increase in demand for people with these talents. Jobs in ethical hacking can pay well and provide job security.
The shades of ethical hacking range from black to white to grey. Black hackers use their skills for malevolent purposes, while white hackers use it for good. One of the most sought-after skills for any IT security specialist is ethical hacking, which is the primary means of bolstering network security. The KnowledgeHut’s Ethical Hacking course has focused on the latest security threats and advanced attack vectors with a practical real-time demonstration of the new hacking techniques.
Frequently Asked Questions (FAQs)
1. Is Parrot OS better than Kali?
Parrot OS is superior because it provides tools and an interface that are simple enough for beginners to utilise. However, both Parrot OS and Kali Linux offer a variety of tools that students can employ.
2. What operating system do most hackers use?
Linux is the best operating system for hackers. This is due to two key factors. As an open-source operating system, Linux’s source code is first and foremost freely accessible.
3. Do hackers use VPN?
At least not when it comes to hacking, hackers don’t really use VPNs. They should not be utilised for anonymity because it is far too simple to identify them.
4. What is Kali Linux used for?
An open-source, Debian-based Linux system called Kali Linux is designed for different information activities like computer forensics, reverse engineering, and penetration testing.
5. Can I hack without Linux?
I frequently observe this widespread misunderstanding. Many people believe Kali Linux is necessary for all hacking activities. Regardless of the OS or distribution a user uses, anyone with solid networking and system security skills can break into a system.
6. Can I use a virtual machine to run a hacking OS on my existing operating system?
Yes, you can use a virtual machine to run a hacking OS by using virtualization software like VMware, VirtualBox, and more.
The largest password compilation with nearly ten billion unique passwords was leaked on a popular hacking forum. The Cybernews research team believes the leak poses severe dangers to users prone to reusing passwords.
The king is dead. Long live the king. Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.
While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a lead from an online casino AskGamblers, and student applications for Rowan College at Burlington County.
The team cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews’ Leaked Password Checker, which revealed that these passwords came from a mix of old and new data breaches.
“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” researchers said.
Password leak checker
Has your password been leaked online? Find out with our password leak checker tool in seconds and take action to protect your data today.Check if your password has been leaked
Credential stuffing attacks can be severely damaging for users and businesses. For example, a recent wave of attacks targeting Santander, Ticketmaster, Advance Auto Parts, QuoteWizard, and others was a direct result of credential stuffing attacks against the victims’ cloud service provider, Snowflake.
“Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset,” the team explained.
Post announcing the leak on a hacker forum. Image by Cybernews.
Not the first rodeo
The RockYou2024 compilation did not just fall from the sky. Three years ago, Cybernews published a story about the RockYou2021 password compilation, the largest at the time, with 8.4 billion plain text passwords.
According to the team’s analysis of RockYou2024, attackers developed the dataset by scouring the internet for data leaks, adding another 1.5 billion passwords from 2021 through to 2024 and increasing the dataset by 15 percent.
The RockYou2021 compilation, an expansion of a data breach from 2009, included tens of millions of user passwords for social media accounts. Since then, however, the compilation has ballooned exponentially. Most likely, the latest RockYou iteration contains information collected from over 4,000 databases over more than two decades.
The Cybernews team believes that attackers can utilize the ten-billion-strong RockYou2024 compilation to target any system that isn’t protected against brute-force attacks. This includes everything from online and offline services to internet-facing cameras and industrial hardware.
“Moreover, combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts,” the team said.
Attackers’ user profile. Image by Cybernews.
How to protect against RockYou2024?
While there is no silver bullet to protect users who had their passwords exposed, impacted individuals and organizations should take up mitigation strategies. The Cybernews research team advises to:
Immediately reset the passwords for all accounts associated with the leaked passwords. It is strongly recommended to select strong, unique passwords that are not reused across multiple platforms
Enable multi-factor authentication (MFA) wherever possible. This enhances security by requiring additional verification beyond a password
Utilize password manager software to securely generate and store complex passwords. Password managers mitigate the risk of password reuse across different accounts
Cybernews will include data from RockYou2024 in the Leaked Password Checker, allowing anyone to check if their credentials were exposed via the latest record-holding exposed password compilation.
With RockYou2024, we witnessed a second record-breaking compilation leaked online in 2024. Earlier this year, Cybernews discovered the Mother of all breaches (MOAB), comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records.
A new iteration of a sophisticated Android spyware called Mandrake has been discovered in five applications that were available for download from the Google Play Store and remained undetected for two years.
The applications attracted a total of more than 32,000 installations before being pulled from the app storefront, Kaspersky said in a Monday write-up. A majority of the downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K.
“The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment,” researchers Tatyana Shishkova and Igor Golovin said.
Mandrake was first documented by Romanian cybersecurity vendor Bitdefender in May 2020, describing its deliberate approach to infect a handful of devices while managing to lurk in the shadows since 2016. The malware has yet to be attributed to a threat actor or group.
The updated variants are characterized by the use of OLLVM to conceal the main functionality, while also incorporating an array of sandbox evasion and anti-analysis techniques to prevent the code from being executed in environments operated by malware analysts.
The list of apps containing Mandrake is below –
AirFS (com.airft.ftrnsfr)
Amber (com.shrp.sght)
Astro Explorer (com.astro.dscvr)
Brain Matrix (com.brnmth.mtrx)
CryptoPulsing (com.cryptopulsing.browser)
The apps pack in three stages: A dropper that launches a loader responsible for executing the core component of the malware after downloading and decrypting it from a command-and-control (C2) server.
The second-stage payload is also capable of collecting information about the device’s connectivity status, installed applications, battery percentage, external IP address, and current Google Play version. Furthermore, it can wipe the core module and request for permissions to draw overlays and run in the background.
The third-stage supports additional commands to load a specific URL in a WebView and initiate a remote screen sharing session as well as record the device screen with the goal of stealing victims’ credentials and dropping more malware.
“Android 13 introduced the ‘Restricted Settings’ feature, which prohibits sideloaded applications from directly requesting dangerous permissions,” the researchers said. “To bypass this feature, Mandrake processes the installation with a ‘session-based‘ package installer.”
The Russian security company described Mandrake as an example of a dynamically evolving threat that’s constantly refining its tradecraft to bypass defense mechanisms and evade detection.
“This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces,” it said.
When reached for comment, Google told The Hacker News that it’s continuously shoring up Google Play Protect defenses as new malicious apps are flagged and that it’s enhancing its capabilities to include live threat detection to tackle obfuscation and anti-evasion techniques.
“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services,” a Google spokesperson said. “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
mIRC is a software that allows you to communicate, share, play or work on IRC networks.across the world, whether in multi-user group conferencesor private one-on-one discussions.Communications are instantly transferred using windows.It is possible to define a chat group and send messages to multiple peoplesimultaneously.This software provides users with a file transfer protocol.It tracks exchanges to ensure that data is transmitted to its recipient.It is also able to send encrypted files to keep them secure.
mIRC allows the creation of scripts to accomplish certain tasks.For example, it can automatically launch applications that send pre-set messages.It can also launch functions using commands entered on a dedicated console.
(Note: For best image quality, it is best to view this tutorial using Google Chrome.)In this odyssey we will try to uncover the
secret of the Keygens . Watch out!
Olly is getting closer to the galaxy…
“OPERATION mIRC”
LIMITATIONS• 30 days trial•
Bad Nags
THE TOOLS• PROTECtiON iD v.6.6.7 (http://pid.gamecopyworld.com)
•
OllyDbg version 1.0.10.0 – select Odbg110.zip (http://www.ollydbg.de/)
• Visual Studio Professional 2013 with Update 4 (www.microsoft.com/visualstudio/eng/download)
(About Visual Studio: Take a good look at the
cOsMoS .)Before we begin, let’s not forget to work on a copy of the mIRC executable
, a copy that we will name
mirc_CrAcK .
At the same time, let’s create a shortcut of
mirc_CrAcK , which we will place on the desktop.
PROGRAM ANALYSISLet’s open
PROTECTiON iD , making sure that everything circled in red is enabled or checked.
Next, let’s
drag and drop the executable to
PROTECTiON iD .
Following this procedure, we see that the executable is not encrypted or compressed.
PROGRAM ANALYSIS UNDER OLLYDBG 1.0.10.0To see what
mIRC has in store for us, let’s run it under
Olly .
Olly stops at address
00F8 4F6C .(A clarification all the same: each time Olly is restarted
, the first 4 signs of the addresses change,so it is normal that you do not have exactly the same address.By the way, I would apply a different grease to the last 4 signs – those remain the same – like this,you will distinguish them more easily.)
From here, let’s execute a
[F9] .And there you have it! The
mIRC interface is displayed. Let’s click on the
[Continue] button .
Hey! Here’s a
nasty Nag :
mIRC reminds us that this version is
limited to 30 days !”If you have your registration…”. No! but let’s activate the link ”
here ” anyway.
And hop! another
nasty Nag !
ANALYSIS OF THE UGLY NAGIn fact, to use
mIRC in its commercial version and more precisely in its unlimited version,This asks us to enter our
first name ,
last name and the registration
code received by email.Obviously, since we did not purchase the license right, we do not own the Registration
Code .That’s not nice!
Fortunately, there is a way for us to recover this Registration
Code .Let’s assume that it is an algorithm that generates the
Code by retrieving the input from the ”
Full Name ” field .The difficulty lies in situating this algorithm in the program.It’s not simple, but there is a solution: the solution is called an
API (Application Programming Interface).
SendDlgItemMessage : This function is to send a message to a specified control in a dialog box.(Regarding
mIRC , after the
Code is generated by the algorithm and checked, it would send us amessage like:
Code is good or
Code is bad.)
Let’s start by entering the ” Full Name ” and ”
Registration Code ” fields .
Let’s not click the [OK] button just yet .
To retrieve this
API , let’s go back to the main
Olly window .Next, let’s press
[Ctrl+N] ; now we are in the
imports window ; let’s sort them by
type .
Let’s go find
SendDlgItemMessage . Hop! there it is. Let’s put a
BP on each of them marking theirpresence in the program:we select it
> Right click in the window > Set breakpoint on every reference .(There are 426 of them! Shown in the lower left corner of
Olly .)
Let’s go back to the main
Olly window with
[Alt+C] ; let’s activate
mIRC by clicking on the
[OK] button .
Olly ‘s first stop on a
BP of the
SendDlgItemMessageW API . There is nothing that could interest us there.Let’s delete this BP with the [F2] key .
Let’s continue with
[F9] and, once again, activate the
mIRC window by clicking on
[OK] .Second stop of
Olly on a
BP of the
API SendDlgItemMessageW . Here, nothing interesting.Let’s delete this
BP with the
[F2] key .
Let’s continue with
[F9] …, and hop!
Olly stops a third time on a
BP of the
SendDlgItemMessageW API withoutthat we need to intervene in the
mIRC window . And here, friends, it starts to get very interesting.Before going further, let’s delete all the
BPs placed on our
API :
[Ctrl+N] > we are back in the windowimports;
SendDlgItemMessageW API must be selected
> Right-click > Remove all breakpoint .And there you have it. Next, let’s activate an
[Alt+C] to return to the main
Olly window .Now let’s step through the routine by activating
31 x F8 and carefully observing what
Olly displays in the
main window ,
registers and
stack , up to
the CALL whose address on my PC is
00EB C9C7 .By the way, let’s immediately place a
BP on this
CALL with
[F2] (we will keep this
BP throughout our analysis,because it will be our reference point, so
don’t delete it ).We will enter this
CALL with
[F7] , because the previous 2 command lines contain our entries, and Ithinks that these will probably be used downstream of this subroutine.
How are we going to localize this algorithm?In order to generate the famous
Code , the program retrieves each character of our
name and processes it via the algorithm.To carry out this process, the program uses a system of loops; it is thanks to these loops that we will be able tospot this algorithm. Since
Olly displays this system, let’s start looking for these loops.We are at the beginning of this subroutine. Let’s activate
36 x F8 in order to arrive at the
CALL at address
00EB AD33 .As before, the
registers and
stack show some very interesting values.Let’s enter this new
CALL with
[F7] .
We are now on the first command line of this subroutine.
From this command line, let’s press
56 x F8 to go to address
00EB AB60 .This address is truly the starting point of our analysis, because the elements that we have been looking for from the beginningare located from this address. In order to follow my comments, I advise you to trace this subroutine atusing the
[F8] key , and this, up to the address
00EB ABB4 . There, we place a
BP with
[F2] .In this part, to understand the flow of the program, it is important to observe, line by line, the
registers , the
stack and the ”
info ” area of
Olly .
00EB ABB4 is the address that will allow us to discover the start of the algorithm and calculate its length.Let’s start by discovering the beginning by
right-clicking on the address displayed in the ”
info ” area of
Olly .Next, select ”
Follow address in Dump “. (Reminder: on your PC, the addresses are different.)
The first hexadecimal value in the algorithm starts with
0B . (Be careful!
0B is not an address, but avalue; so on your PC it should also be
0B .)
Next, to know the length of the algorithm, we will have to do a little calculation.At address
00EB ABB4 , the reasoning is as follows:the segment address
SS:[003F 81C8 ] represents the start of the algorithm; its content
SS:[ESP+ECX*4+14]tells us its length.Let’s calculate
ESP+ECX*4+14 :• Let’s open the Windows Calculator;• Let’s select “Hex” (yes! we are in hexadecimal);• In the registers,
ESP is equal to
003F 81B4 (on my PC);•
ECX will have the value
26 (yes, because – note that we are in a loop – at the address
00EB ABBC the line ofcommand displays
CMP ECX,26 . If
ECX is arithmetically greater than
26 , the
JLE on the next line does notdoes not jump and goes through the
XOR ECX, ECX returning
0 to
ECX .In this loop, the command lines clearly show that
ECX will never be larger than
26 .So here is the operation to be carried out:
003F 81B4 + 26 x 4 + 14 = 003F 8260. Let’s remember this address.
Let’s go back to the
Dump . The address
003F 8260 represents the last hexadecimal value of the algorithm.
003F 8258 =
0A
003F 8259 = 00
003F 825A = 00
003F 825B = 00
003F 825C =
04
003F 825D = 00
003F 825E = 00
003F 825F = 00
003F 8260 =
10
The values forming the algorithm are these: (obviously, the
0B 09 0C 0B 0A 08 0A 0A 10 08 04 06 0A 0C 10 08 0A 04 10We have localized the algorithm, but to realize a
KeYgEn , this is not enough.
CODE FORMFinding the form of the
Code is quite simple, because we have clues: our
name is processed twice.The first time, the program retrieves our
name in this first loop.
Then it processes our
name in the first loop linked to the algorithm.
The second time, the program retrieves our
name in this second loop.
And finally, it processes our name again in the second loop, also linked to the algorithm.
Other clues:
2D in ASCII character is equal to the dash ”
– “.”
%ld-%ld ” in Visual C++: we are in the presence of two variables of type long, separated by a hyphen.Combined with printf, the output might look like this:
12345-67890 .There is no doubt, thanks to all these clues, we can remember that the form of the
Code is two numbersseparated by a dash.
Now, let’s note the instruction lines (in yellow), they will be used to program our
KeYgEn .First loop.
Second loop.
Before closing
Olly , if necessary, let’s delete all
BP ,
except one (as I said before),the
BP at address
00EB C9C7 . Let’s close
Olly with
[Alt+X] .
THE BIG MOMENT HAS ARRIVED TO MAKE OUR KEYGEN. LET’S LAUNCH VISUAL STUDIO!On the start page, click on
New Project… .
Next, in the “
New Project ” window , select
Windows .
To create our
KeYgEn , let’s select
.NET Framework 2.0 and Windows Forms Application… Visual Basic .
Let’s fill in the fields by naming our folder and listing its location.
Let’s close the ” New Project ” window by clicking on
[OK] .At this point we discover the graphical interface, it is in some way a work plan which will allow usto carry out our project.To the left of this space is
the toolbox containing objects called
controls , they will be used to create
TexBox ,
Labels ,
Buttons , etc. In the center, this form, called ”
sheet ” (Form1), will represent the interface ofour
KeYgEn .Above, in the toolbar, the
[Start] button will allow us to generate the code or events enteredpreviously and to appreciate or not the result. (It also allows you to save the project.)
To the right of this space is the
properties window .It will allow us to configure the objects that we have placed in the form (Form1);we will be able
to choose a color, enter text, specify a position , etc.The icons in the red box are important because they will allow us to displaydifferent
property options .
Let’s select the first icon representing the
list by category ,
and the third representing the
properties .
The main areas of work having been presented, we can begin the creation of our
KeYgEn .Let’s go back to this ”
sheet ” (Form1). The graphics on this one are really very basic.Let’s give him a real visual of
KeYgEn .
Normally this shape is selected by default. If it is not, let’s select it.By the way, from now on we will no longer call it form, but
KeYgEn .Let’s change its name:
Properties > Design > (Name) => Enter Keygen
After entering, to generate the values,
click on the main window of
Visual Studio “Form1”.
(Get into this habit when you want to generate property values . There are other ways to generate values,we will see this during this adventure.)Let’s change its dimensions:
Properties > Layout > Size => Let’s enter 285; 255 (Let’s generate the entered values.)
Let’s remove the Windows graphics:
Properties > Appearance > FormBorderStyle > [Click on the small arrow] => Select None
(Let’s generate the selected value.)
Let’s color the background of our
KeYgEn in black:
Properties > Appearance > BackColor => Let’s enter 2; 2; 2 (Let’s generate the entered values.)
Position of our
KeYgEn on the screen:
Properties > Layout > StartPosition > [Click on the small arrow] => Select CenterScreen
(Let’s generate the selected value.)
TopMost position on screen:
Properties > Window Style > TopMost > [Click on the small arrow] => Select “True”
(Let’s generate the selected value.)
When we display our
KeYgEn on the screen, it would be nice to be able to move it using our mouse cursor.To get this, we’re going to enter a bit of code.I’m not going to embark on a programming course, because that’s not the goal of this adventure,and it would be much too long; nevertheless, I will bring some information, in particular, when we convertthe algorithm structures and the two loops in
Visual Basic .
Let’s start by activating the ” Events ” icon (circled in red).
Properties > Mouse > MouseDown => Let’s type Keygen_MouseDown (Let’s generate the entry.)
By generating the input, we arrive in the Visual Studio programming space .
In the
Public Class part , we will declare an
Instance and
variables .When you want to add a space to the left of the lines of code, use the
[Tab] key on the keyboard.To perform a line return, press the
[Enter] key on the keyboard.
When we have finished entering the lines of code, let’s return to the space of our
KeYgEnby
clicking on the Form1.vb [Creation]* tab .
So far, nothing too complicated. Now, let’s do the same with
MouseMove .
Properties > Mouse > MouseMove => Let’s type Keygen_MouseMove (Let’s generate the entry.)
Once again, by generating the input, we return to the
Visual Studio programming space .Let’s write these few instructions inside a
conditional structure .
Then, as before, let’s return to the space of our
KeYgEn .After all this achievement, it is time to appreciate the result: let’s click on the
[Start] button .
Our
KeYgEn begins to take shape; it appears in the middle of our screen;we move it with our mouse cursor.To stop debugging and return to the space of our
KeYgEn , let’s click on the
[Stop] button ,as shown in the image below.
Now, we are going to associate a music with our
KeYgEn . Well yes!, it’s still better!To begin with, we need to prepare a music file whose format is
.wav . Then we need to loadthis file in
resources .In the menu bar
PROJECT > [last line of the context menu]
Properties… > [on the left, in the list]
Resources > Add a resource [activate the small arrow] > Add an existing file…
Windows Explorer opens, allowing us to select the
.wav file that we have previously prepared.Remember to select
All Files (*.*) or Audio (*.wav)Then, let’s click on
[open] … and there you have it!
Let’s go back to the GUI – where our
KeYgEn is – by clicking on the
Form1.vb [Creation] tab .Then…,
Properties > Behavior > Load => Enter Keygen_Load
Next, let’s go to the programming space by clicking on the
blue Load rectangle ,because we have some codes to write.
Here we are. Let’s write these 2 lines of code:
Tip: When our input cursor arrives on
SoundPlayer(My.Resources.Visual Studio IDE automatically displays the name of our wav
file (blue rectangle: My_Music ),then you just have to press the
[Tab] key on your keyboard so that it appears after
My.Resources.(Remember to enter a closing parenthesis after
My_Music , see previous image.)
The 2 lines of code having been written, let’s return to the graphical interface by clicking on the
Form1.vb [Creation]* tab .Now we’re going to add an image to our
KeYgEn . Head over to the
toolbox , and in there,Let’s select
PictureBox .
Next, let’s hover our mouse cursor over our
KeYgEn . At that point, the cursor will take the form of
the PictureBox icon with a small cross-shaped mark.Let’s place this icon in the corner of our
KeYgEn as shown in the image below:
Then, to form the image block, let’s drag and drop a little further down to the right:
Let’s adjust the image block to our
KeYgEn .
Don’t forget to select the Properties icon .
Properties > Layout > Location => X enter 0 ; Y enter 0Regarding the entry of positions , validate this by clicking once on the blue rectangle of
X , then
Y.
Let’s size the image block to 285 x 146 pixels.
Properties > Layout > Size => Width enter 285; Height enter 146 (Validate.)
Before loading an image into the
resources , we need to prepare it:choose a theme, colors, create a shape, etc., it’s up to you.A word of advice: to avoid deformation of the latter, it is preferable that its dimensions are identical to the blockimage we created in our
Keygen (285 x 146 pixels).Regarding the choice of the format of your file, it differs depending on the type of image and the desired effect:gif or animated gif; jpg; png (if your image contains transparencies).When this image is created, we return to
Visual Studio , we select the image block that we hadpreviously made, then
right click in this block > Choose an image…
In the… window, select
=> Project resource file: > Import…Windows Explorer opens, select the
file format , then our
image file , then
Open > [OK] .
Here we are with a beautiful
KeYgEn !If you want to launch your
KeYgEn using the Visual Studio [Start] button , you
will notice that by placing theyour mouse cursor over the image you just created, you cannot move it within your screen space.This is normal…, as we did with the background of our
KeYgEn , we must code the object or controlcorresponding to the image block.This must be applied to every object created. (We’ll see this a bit later.)Now, to correlate with the
nasty Nag of
mIRC Registration , we need to create the
input fields ,buttons
, etc.You have learned how to create an image block, now we will use an object (
Label ), it is exactly the sameprocedure, it is only the tool that changes.To begin with, using this object, we will create a sort of “text block” in which we will enter ”
Full Name “.Let’s head over to the
Toolbox and select
Label .
Then, using our mouse cursor, let’s drag and drop it just below the image block created previously.Have you noticed ?When we create an object or a block – during drag and drop – information about the dimensions ofthe object is displayed in the lower right corner of our screen. This is useful because it allows us to get as close as possiblethe intended dimensions. Then, to refine the dimensions, just go to the
properties , as we havepreviously done for the image block.
Before entering the text, let’s choose its color. Let’s check that the
Label1 object is selected.Afterwards…,
Properties > Appearance > ForeColor > [Click on the small arrow] System => select “GrayText” .
Regarding the background color, there is no need to intervene, because when we created the background color of our
KeYgEn (2; 2; 2), this remains the default background color.Moreover, we only need to pay attention to the
BackColor role (image above), to see that the coloris a black referenced 2; 2; 2.That’s it for the color. Now let’s enter the text:
Properties > Appearance > Text => Let’s enter Full Name (Validate.)
This being accomplished, let’s position our object in the space of our
KeYgEn :
Properties > Layout > Location => X enter 8; Y enter 146 (Validate.)Regarding its dimensions, there is no need to be interested in it, because the
AutoSize role sets ”
True ” by default, therefore,The dimensions apply depending on the text (number of typographic characters; font; weight; body).
Now we’re going to create a
control that allows us to enter our name.To do this, let’s head over to the
Toolbox and select
TextBox .
As before, let’s drag and drop just below ”
Full Name “.
When creating this
control , I notice that the
BackColor role no longer displays 2; 2; 2 by default.It’s touchy computing! So let’s always be vigilant and apply our background color:
Next, let’s change the appearance defining the edge of the frame:
Properties > Appearance > BorderStyle > [Click on the little arrow] => Select “FixedSingle” .
As I told you before, this control is reserved for the text that we will enter,we will therefore adapt the appearance of this text to the visual of
KeYgEn .Let’s apply some grease:
Properties > Appearance > Font > Bold > [Click on the little arrow] => Select “True” .
Let’s apply a color:
Properties > Appearance > ForeColor => Let’s enter 184; 1; 15 (Let’s validate.)Let’s apply a position (the entered characters will be displayed centered):
Properties > Appearance > TextAlign > [Click on the little arrow] => Select “Center” .
Now let’s place our
control – precisely – in the space reserved for it:the position :
Properties > Layout > Location => X enter 12; Y enter 161 (Validate.)the dimensions :
Properties > Layout > Size => Width enter 150; Height enter 20 (Validate.)
Come on! For the ”
fun ” part, let’s click on the
[Start] button of
Visual Studio , turn up the volume of our speakers and enjoy!
Let’s close by clicking on the
[Stop] button . Friends!, this is just the beginning, the best is yet to come!Let’s continue by creating a second
Label which we will call ”
Registration Code “.Let’s head over to the
Toolbox and select
Label .
As before, using our mouse cursor, let’s drag and drop this objectjust below the
control (
TextBox1 ) that we just made.The first
Label we created is called ”
Label1 “, this one is called ”
Label2 “.Let’s check that the ”
Label2 ” object is selected.Before entering the text, let’s choose its color (the same as ”
Label1 “):
Properties > Appearance > ForeColor > [Click on the small arrow] System => select “GrayText” .
By the way, we notice that the
BackColor role correctly displays the background color 2; 2; 2.Let’s enter the text:
Properties > Appearance > Text => Let’s enter Registration Code (Validate.)
Let’s position our object precisely:
Properties > Layout > Location => X enter 8; Y enter 185 (Validate.)
Now we will create a second
control , it will have the function of displaying the
Code generated by the algorithm.The first
control is named ”
TextBox1 “, this one is named ”
TextBox2 “.To do this, let’s head over to the
Toolbox and select
TextBox .
As before, let’s drag and drop just below ”
Registration Code “.
Let’s not forget to select our
control (
TextBox2 ), then apply our usual background color:
&H4, &H6, &HA, &HC, &H10, &H8, &HA, &H4, &H10}Now let’s enter this algorithm into the programming part of
Visual Studio .
Let’s double-click on the black background of our
KeYgEn , in order to access this space.
If necessary, let’s go back up to the top, in the
Public Class Keygen section .First, let’s declare the
data variable :
Dim data() As Integer(
Dim = statement [declares and allocates];
data = variable name;
As = as;
Integer = Type).I advise you to take the time to enter these lines of code (read yourself), because programming does not allowno errors, no failures.
Once this is done, let’s click on the [Start] button , in order to generate these lines of code…
…then, on the
[Stop] button …
…and finally, let’s click on the Form1.vb [Creation] tab , in order to return to our
KeYgEn .
That’s it! For now, let’s close
Visual Studio ; we’ll come back to that later.Now we need to analyze and convert into
VB the two loops discovered under
Olly .Let’s start with the first loop.
MOV EDX,3 => With this instruction, the program initializes
RoL l IaPrO from the fourth character, i.e. (
l ).This requires us to enter (in the ”
Full name ” field) at least 4 characters, so as not to generate the Code
0-0 .
We will create a procedure [the
Function statement ] that returns a value (this value will be the first partof
the Code ):
Function hash1(ByVal name As String) As UIntegerInside this structure, let’s declare our
variables :
Dim i As UInteger, hash As UInteger, p As UIntegerThe
variable p represents the string of values of the algorithm. By giving it the value
0 , we associate it with the firstelement of the algorithm (
&H B ):
p = 0Next, let’s create a
repeating structure (loop) with
For…Next statements .The command line below represents the loop counter:the
variable i = its starting value (
3 ) to its ending value (length of the name
RoL lIaPrO ), decremented by
1 each timeiteration:
For i = 3 To name.Length -1Correspond to :
MOVZX EDI,WORD PTR DS:[ESI+EDX*2]
INC EDX
CMP EDX,EAXThe command line below represents – at the first iteration – the multiplication between the fourth character of
RoL l IaPrO [ Asc(name.Chars(i)) ] and the first value of algorithm
B [ data(p) ] . The hash
variable is the equivalentof
EBP , it retrieves the sum of the operation and keeps it in memory. Therefore, at the second iteration, the newamount will be added to the one kept in memory, etc.
hash += Asc(name.Chars(i)) * data(p)Correspond to :
IMUL EDI,DWORD PTR SS:[ESP+ECX*4*14]
ADD EBP,EDIThe
variable p is incremented by
1 step at each iteration. Therefore, at each return, the calculation will be based on the valuenext step of the algorithm.
p = p + 1Correspond to :
INC ECXInside the
Function hash1 structure , let’s insert another structure called a
conditional loop .The command line below means: if the
variable p is greater than
26 (hexadecimal),then, the
variable p will recover
0 .In this case, the
variable p is reset to the first value of the algorithm, i.e.:
&H B
If p > &H26 Then
p = 0
End IfCorrespond to :
CMP ECX,26
XOR ECX,ECXThen, the
Next statement is associated with the
For statement . When the program arrives at this statement, itincrements or decrements by the step specified in the command line
For i = 3 To name.Length -1 .Here, the step is
-1 . So,
Next will decrement by 1 step along the length of the name
RoLlIaPrO each loop cycle.
NextCorrespond to :
INC EDX
And finally, the Return instruction to return the value to the calling code (the sum stored in memory by the hash
variablewill be returned on this same
variable , and at each loop cycle a new sum will be added to it. At the lastloop cycle, this value [
sum ] of the calling code will represent the first part of the
Code [
Registration Code ]).
Return hashEssential instruction at the end of the structure:
End FunctionThe analysis and conversion to
VB of the first loop is complete.Now let’s take care of the second loop, this one is almost identical to the first one.The difference lies in this sense:so that the second part of the
Code is not identical to the first part, some instructions have been added.To better understand, let’s go back to this second loop.
The analysis will focus – mainly – on the differences between the two loops.Let’s start by creating a second procedure [ the Function
statement ] that returns a value(this value will be, this time, the second part of the
Code [
Registration Code ]), we will name it
hash2 :
Function hash2(ByVal name As String) As UIntegerInside this structure, let’s declare our
variables :
Dim i As UInteger, hash As UInteger, p As UIntegerThen, the
variable p having value
0
p = 0To better understand the next part, I advise you to consult the previous image as often as necessary.Let’s create the
repeating structure (loop) with
For…Next statements .Let’s begin…
For i = 3 To name.Length -1Be careful, because the difference is there, inside this structure.Added line of code:
Asc(name.Chars(i – 1))It corresponds to:
MOVZX EDI,WORD PTR DS:[ESI+ECX*2-2]This line of code creates, on the name
RoLlIaPrO , a decrement of
1 typographic character compared to the linecommands
MOVZX EBP,WORD PTR DS:[ESI+ECX*2] .They are identical, it is the
-2 that creates the difference. (One is retrieved by
EDI , the other by
EBP .)Then these two command lines multiply each other.The multiplication between these two command lines occurs under the
IMUL EDI,EBP instructionI hope this doesn’t sound too complicated; I’m trying to be as specific as possible, however,I expect – from some of you – this question:why is
RoLlIaPrO
decremented by
1 character, while the code indicates
-2 ?Isn’t that a good question? Here’s the answer:When we analyze the two loops under
Olly , let’s look towards the
Dump .
The hexadecimal numbers representing the RoLlIaPrO typographic characters are separated by the codehexadecimal
00 of zero value (no character). Therefore, between
2 characters, the decrement value is
-2 .On the other hand,
VB does not use this hexadecimal code
00 between
2 characters, so the decrement value is
-1 .
Well, let’s continue…, and enter this famous instruction:
hash += Asc(name.Chars(i – 1)) * Asc(name.Chars(i)) * data(p)The rest is identical to the first procedure (
Function hash1 ):
p = p + 1
If p > &H26 Then
p = 0
End If
Next
Return hash
End FunctionAnd there you have it! Now it’s time to open
Visual Studio and go back to the space where our
KeYgEn is located .We have just created the program that will generate the
Code in the ”
Registration Code ” field.Let’s enter this program in the space dedicated to it, and to do this,
double-click on the black background ofour
KeYgEn :
If necessary, let’s go back up to the top, in the ”
Public Class Keygen ” section.Let’s place our mouse cursor at the end of the algorithm, just after the closing curly bracket (see the image below)[red circle]), then execute the [Enter] key on our keyboard
twice .This procedure allows us to introduce a new structure taking into account spaces.And here, let’s enter our program (image below).
To generate these lines of code, click on the
[Start] button , then on the
[Stop] button ,and finally, on the
Form1.vb [Creation] tab : we have returned to the space of our
KeYgEn .Our program is ready, but not quite. To generate the
Code (
Registration Code ) by activating the button
[GeNeRaTe – mIRC v7.41] , we need to program it.As shown in the figure below, let’s access its own structure by
double-clicking on this button.
We arrive in this structure named
Button1_Click .
As shown in the image below, let’s enter the two lines of code. Be careful to respectthe spaces between signs and words.
MouseDownBackColor role which, I remind you, specifies the color of theclient area of the button as soon as we produce a mouse “click” within the limits of the
control .
Properties > Appearance > FlatAppearance > MouseDownBackColor => Let’s enter 184; 1; 15 (Let’s validate.)For this to work, the
FlatStyle role must rely on ”
Flat “.
Properties > Appearance > FlatAppearance > FlatStyle > [Click on the little arrow] => Select “Flat” .
Before entering the text, let’s select its color:
Properties > Appearance > ForeColor > [Click on the small arrow] System => select “GrayText” .
Now let’s enter the text:
Properties > Appearance > Text => Let’s enter cOpY (Validate.)
Let’s arrange our
control precisely:the position :
Properties > Layout > Location => X enter 228; Y enter 200 (Validate.)the dimensions :
Properties > Layout > Size => Width enter 57; Height enter 20 (Validate.)
And there you have it! The graphic design of the button allowing us to save the
Code in the “Clipboard” is finished.Now, in order for this button to generate the desired event when activated,we need to associate a line of code with it.By
double-clicking on this button, we access the space that will allow us to enter this line of code.
We are in the structure of the button
[cOpY] named
Button2_Click .
Next, let’s enter the line of codes as shown in the image below:
When we are done, let’s go back to our
KeYgEn space by clicking on the
Form1.vb [Creation]* tab .
Then, as before, let’s click on
[Start] to generate our program.
For the last time, let’s close our
KeYgEn using the
[Stop] button in
Visual Studio .Now we will create the
[cLoSe] button .Let’s head over to the
Toolbox and select the Button
control .
Let’s drag and drop it next to the
[GeNeRaTe – mIRC v7.41] button .
Before we go to the
properties , let’s not forget to select this
control named ”
Button3 “.Verification: In the
properties , the
BackColor role of this object must be 2; 2; 2.(This color reference must be displayed by default, otherwise, enter manually.)As before, regarding the
Cursor role, let’s choose the ”
Hand ” parameter :
Properties > Appearance > Cursor > [Click on the little arrow] => Select “Hand” .
Next, let’s remove that ugly border around the button:
Properties > Appearance > FlatAppearance > FlatStyle > [Click on the little arrow] => Select “Flat” .
Let’s select the text color:
Properties > Appearance > ForeColor > [Click on the small arrow] System => select “GrayText” .
Let’s enter the text:
Properties > Appearance > Text => Let’s enter cLoSe (Validate.)
Let’s arrange our
control precisely:the position :
Properties > Layout > Location => X enter 228; Y enter 228 (Validate.)the dimensions :
Properties > Layout > Size => Width enter 57; Height enter 20 (Validate.)
The graphic design of the button allowing us to close our
KeYgEn is complete.
Now, like the [cOpY] button , so that this button generates the desired event when activated,we need to associate a line of code with it.By
double-clicking on this button, we access the space that will allow us to enter this line of code.
We are in the structure of the button
[cLoSe] named
Button3_Click .
Next, let’s enter the line of codes as shown in the image below:
When we are done, let’s go back to our
KeYgEn space by clicking on the
Form1.vb [Creation]* tab .
Then, as before, let’s click on
[Start] to generate our program.
Now we can close our
KeYgEn using the
[cLoSe] button .
Our
KeYgEn is almost finished!Remember, when we integrated the image into the space of our
KeYgEn , we noticedthat
by placing our mouse cursor – inside this image block – we could not move itin the
screen surface.To remedy this, we need to associate the name of the objects that are relevant to this incidenceto the structure of
” MouseDown ” and that of ” MouseMove “.These objects are:The object containing the image with the
property name ”
PictureBox1 “.The object representing the label ”
Full Name ” with the
property name ”
Label1 “.The object representing the label ”
Registration Code ” with the
property name ”
Label2 “.To apply this,
let’s double-click on the background of our
KeYgEn :
We’ve returned to the Visual Studio programming space .Each object name must be followed by a comma, so remember to enter a comma after
MouseDown(see red circle).Reminder: to make your entry easier: use the ”
listbox “, this is automatically displayed when the cursorof your mouse arrives at the appropriate place.You have two solutions for use: when you have selected the name, you
double-click on it
or you press the [Tab] key .
After entering, here is the result:
This being done, let’s return to the space of our
KeYgEn by clicking on the
Form1.vb[Creation]* tab :
Then, as we usually do, let’s generate these lines of code by clicking on
[Start] .Now we can move our
KeYgEn by placing our mouse cursor on all of its surfaces, except, of courseheard, on buttons and input fields. Let’s close our
KeYgEn and
Visual Studio .However, we still have one small detail: to launch our
KeYgEn , we need to activate an executable.Under
Visual Studio the executable icon is not customized, it is a default visual,so we’re going to change that.
To begin with, we need to prepare an .ico file . We can grab a pre-made graphic from the Internet,but, if you have imagination, I strongly advise you to create a graphic in Illustrator or Photoshop.In Photoshop, save your file in
PNG-24 , this allows you to preserve the transparencies of your creation.Next, download
IconWorkshop (publisher:
axialis.com ), in order to convert your
PNG file to
.ico .When our ”
.ico ” file is ready, let’s open
Visual Studio and then access the general properties of our
KeYgEnby clicking on
Project > Properties…
After this action, we access a window, then we select the
Application tab .
Then, let’s select
<Browse…> , in order to reach our ”
.ico ” file.
We select it…,
Open …, and there you have it!
Let’s save this procedure by clicking on the
[Start] button , then, following this last generation,Let’s close our
KeYgEn by clicking on the
[cLoSe] button . Now we can close
Visual Studio .Where is the executable?Remember, when we opened
Visual Studio to create our
KeYgEn , we named a folder enlisting its location.It is from this folder that we will retrieve the executable of our
KeYgEn , the directory of which is as follows:
name of our folder\bin\Debug\
Obviously, you can copy, move or upload this executable.To continue working on
mIRC , I advise you to create a copy of this executable on your desktop.Good! Now it would be time to test the
Code that we obtained thanks to our
KeYgEn .This time, let’s launch our
KeYgEn via the executable; enter our name in the ”
Full Name ” field; click on the
[GeNeRaTe – mIRC v7.41] button , in order to generate the
Code , and finally, click on the
[cOpY] button , to copy it into the”Clipboard”.Let’s launch
mIRC via its shortcut on the desktop.
In the ” About mIRC ” window ,
mIRC gives us an indication:”If you have your registration, please enter it here”. Yes, of course, we have it! So, let’s click on ”
here “.
Let’s enter our name in the ”
Full Name ” field. Then, let’s activate the
[Ctrl+V] keys , in order to paste our
Codein the ”
Registration Code ” field, then start the entries by clicking on the
[OK] button .
It does not work ? !
Our
Code is good, yet… it doesn’t work.In your opinion, do you know why? I imagine that some of you have the answer.Here is the answer :The
Code is not enough to unlock the program, there is a second protection.The answer is in the window title: ”
mIRC Registration “.Yes! We have to register our
Code via the Internet. Are we blocked?No! Don’t worry, we will fix that.Let’s think for two seconds…: in a
nasty Nag , there is a
[Register] button ,This means that there is a registration address somewhere in the program.Let’s close
mIRC and open it under
Olly . Then,
[F9] .
mIRC displays the ”
About mIRC ” window, click on ”
here “:
The ” mIRC Registration ” window opens. As before, let’s fill in the fields and then click the
[OK] button .
Olly stops at the
BP we had left in place.It is thanks to this
CALL that we discovered the two loops and the algorithm.
Let’s advance through the routine by pressing
7 x [F8] , so that we are at address
011B C9E6 .By executing the
CALL located at address
011B C9E1 , we discover that it creates an alphanumeric string.This string is actually generated by an algorithm from our
Code .So your channel will be different from mine.This has a very important role since it will establish the link with the
mIRC server , in order to identify our
Codeand thus, validate it by a response to our computer.(By the way, there is software that can intercept server responses.)
Our goal is to bypass the action of this link.Noticed :when you execute the
CALL located at address
011B CA41 , you will see, by projecting yourself towards the
stack ,that it will generate the Internet address allowing us to register our
Code .See (below) the contents of the
stack at the time of execution of this
CALL :
For now, we are still at address
011B C9E6 .Let’s go on…
26 x [F8] , and we are at address
011B CA4B .There, the
JNZ must imperatively jump to address
011B CAE4 , in order to avoid the
JMP located at address
011B CADF .Let’s replace the
JNZ with a
JE : the command line being selected;
double-click on it;
The ” Assemble at 011B CA4B ” window opens; type
JE 011BCAE4 > Assemble > Cancel .
011BCA4B | CrAcK | I mirc_CrA.011BCAE4(Be careful, as I told you at the beginning, your PC displays different addresses.)
Let’s go on…
25 x [F8] , and we are at address
011B CB3E .At this address, the
I jumps. It must not jump, because the
CALL which is responsible for validating our
Code ,without going through the Internet, is located at the address
011B CB5F .Let’s replace this
JE with a
JNZ : the command line being selected;
double-click on it;
The ” Assemble at 011B CB3E ” window opens; type
JNZ SHORT 011BCB6E > Assemble > Cancel .
011BCB3E | CrAcK | JNZ SHORT mirc_CrA.011BCB6E
Then
[F9] …
Yes ! This time, everything is
perfect !Let’s not activate the
[OK] button in the ”
mIRC Registration ” window , because, first,we need to save the changes made in
Olly .
Let’s go back to
Olly by clicking on its icon (in the taskbar), then
right-clicking in its main window;select =>
Copy to executable > All modifications :
Then, in the ”
Copy selection to executable file ” window, select =>
Copy all :
Olly ‘s D window opens; right-click in this window, select => Save file :
Windows Explorer opens displaying the
mIRC directory => click on the
[Save] button ;
the ” File exists” window opens > click on the
[Yes] button :
Now we can close
Olly by pressing the keyboard keys
[Alt+X] .By this procedure,
mIRC and
Olly were closed.It’s time to test
mIRC .Let’s go to the desktop and
double-click on the
mIRC_CrAcK.exe shortcut :
alas! there is still a problem…,
mIRC does not open!
mIRC most likely has a third protection. What is this protection? Do you have any idea?
Checksum !, does that ring a bell? The
checksum is a more or less complex calculation system,allowing to compare the fingerprint or the sum of two strings.For us, it checks whether the sum of the hexadecimal values of the instructions is the same as the original.Once done, it returns a value.If this does not match the value initialized by the original, well… I would say that taking into accountchanges we made to the program…, we know the end of the story.Definitely,
mIRC is not an easy opponent, but once again, thanks to
Olly ‘s unstoppable attack ,we will fix that.Let’s open
mIRC under
Olly , then launch it with a
[F9] . Result…
mIRC ”
sends us to hell ” [
sic Junlajubalam ].
Let’s use Olly ‘s unstoppable weapon by clicking the
[K] button, in order to find out what the last
CALL executed was. by the program before going to ”
hell “.
With this action, the K window opens and shows us the path to follow:the line located at address
0028 F788 is probably the right track.
Double-click on this line, in the ”
Called from ” column:
This operation takes us to the instruction line located at address
010B 4F0A . Let’s place a
BP on this
CALL :
Once this is done, let’s relaunch the program with a
[Ctrl+F2] , then…
[F9] .
Olly stops at our
BP at
0046 4F0A .Since the
checksum is upstream of this address, we are in a good position to recover a clueor an interesting reference. (We can delete this
BP .)In this window,
right-click , select =>
Search for > All referenced text strings :
In this
R window , let’s use the scroll bar located on the right of our screen, in order to go up,to the first line;
select it ;
right-click and choose =>
Search for text :
What reference will we look for to neutralize the return value of the
checksum ?Let’s think for a moment…First, we need to find out where in the program it generates this value.We know that the
checksum analyzes the executable in its entirety, it would be relevant to apply a searchon the
name of our executable, that is: mirc_CrAcK.exe .Let’s type
mirc_CrAcK.exe and then click
[OK] .
Next, press
the [L] key 5 times while holding the [Ctrl] key .This operation takes us to address
0030 B6F0 .This line is interesting because it is preceded by an
alphanumeric string .This is not there by chance, it is probably recovered by the
checksum .With this line selected, let’s press the
[Enter] key on our keyboard,in order to project ourselves into the main
Olly window .
Here we are.The
alphanumeric string is just before our line, that’s a good omen.Let’s put a
BP on this line located at address
0030 B6F0 :
Then let’s relaunch the program with
[Ctrl+F2] > Yes > [F9] , and here we are again.(A little reminder: when we relaunch the program, the address is not necessarily the same,only the last four signs do not change.)
So we’re back to the same address, but this time the program is running.From this address, we will not follow the routine with
[F8] , because it risks being much too long,let’s use
our mouse wheel: go down… , go down… , and stop when we discover
a set of loops, because that’s where the checksum operates.The figure below shows a real textbook case, because this set of loops is quite complex.As far as we are concerned, it is not really its content that interests us, but its outcome.After a multitude of rounds, the routine comes out of this set, but to go where?The best way to get an answer to this question is to considerall conditional jumps generating their landing point outside this loop assembly.(Be careful though, because when CALLS
are within a combination of loops,it sometimes happens [rare] that the routine disappears into the depths of one of these, so be careful!)Here, two outputs are possible: one at address
000E B883 , and the other at address
000E B8A7 .To find out which of these two addresses will retrieve the routine, simply place a
BP on each of them,then execute a
[F9] (don’t execute this [F9]
right away ) .I have intentionally indicated the conditional jump located at address
000E B7CF , it is not inside this set ofloops, but its position and drop point are important clues, because if
EAX is equal to
-1 , the
JE avoids allthese loops, and therefore, the
checksum .In fact, when the program has not undergone any modification, the routine goes through the address
000E B883 .Moreover, this conditional jump to address
000E B7CF is quite surprising , this would suppose that a first check would havewas applied by retrieving the alphanumeric string ”
99d91de80314978804605952 ” located a little further upstream.
Now… let’s run this
[F9] ; the routine stops running at address
000E B8A7 .
Next, let’s execute
19 x [F8] .It is really very interesting to follow the progress of the program, because at the address
000E B8DA ,this one goes through a
JMP which sends it back on the path taken by the routine when it does notnot subject to any modification.Now we are able to ask ourselves this question: what are the differences between these two routines?In the figure below I indicate these differences:at address
000E B8DA , the
JMP returns an
EAX =
00000002 , while the correct routine – the one that opensthe program – encapsulates the XOR instruction
EAX,EAX (address
000E B88C ), i.e.
EAX =
00000000 .
Now that we understand how the program works, and in order for it to work properly,we will make
EAX equal to
00000000 .Let’s modify the
JMP so that it points the program towards the
XOR EAX,EAX instruction :
double-click on the selected line, enter =>
JMP SHORT 000EB88C(as usual, on your PC the address is different), then
Assemble > Cancel .
000EB8DA | CrAcK | JMP SHORT mirc_CrA.000EB88C
As before, let’s save this modification:
right click in
Olly main window
> Copy to executable > All modifications > Copy All > right click
in window D > Save file > Save > Yes.Now let’s go back to the main
Olly window with
[Alt+C] , then execute a
[F9] ;
The ” mIRC Registration ” window opens; click on the
[OK] button .
Now the program has become nice to us
, it opens normally. Let’s click on the
[OK] button :
The ” About mIRC ” window opens:
Now we can use the program,
mIRC has become really nice to us.
Let’s go back to
Olly and exit with
[Alt+X] .Let’s not forget to delete the original executable and rename (same name as original)the copy of the executable ”
mirc_CrAcK.exe ” on which we operated.And there you have it… our mission is complete.
A vulnerability classified as problematic has been found in Bolt CMS 3.7.1. Affected is an unknown function of the file /bolt/editcontent/showcases of the component Showcase Creation Handler. The manipulation of the argument textarea leads to cross site scripting. Using CWE to declare the problem leads to CWE-79. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The weakness was presented 07/30/2024. This vulnerability is traded as CVE-2024-7300. It is possible to launch the attack remotely. Technical details are available. Furthermore, there is an exploit available. The exploit has been disclosed to the public and may be used. The current price for an exploit might be approx. USD $0-$1k at the moment. The MITRE ATT&CK project declares the attack technique as T1059.007. It is declared as proof-of-concept. As 0-day the estimated underground price was around $1k-$2k. Vendor was contacted early and confirmed that the affected release tree is end-of-life. A possible mitigation has been published before and not just after the disclosure of the vulnerability. [Details]
The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.Lang
en
72
de
10
fr
8
ja
2
es
2
The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.Country
The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.Actors
The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.Activities
IOC – Indicator of Compromise (3)
These indicators of compromise highlight associated network ranges which are known to be part of research and attack activities.
Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.
These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.
Reconnaissance is the first phase of penetration testing which means gathering information before any real attacks are planned So Ashok is an Incredible fast recon tool for penetration tester which is specially designed for Reconnaissance” title=”Reconnaissance”>Reconnaissance phase. And in Ashok-v1.1 you can find the advanced google dorker and wayback crawling machine.
Main Features
- Wayback Crawler Machine - Google Dorking without limits - Github Information Grabbing - Subdomain Identifier - Cms/Technology Detector With Custom Headers
CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign.
The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter installer via a website impersonating an unnamed German entity.
The imposter website is said to have been created on July 20, a day after the botched update crashed nearly 9 million Windows devices, causing extensive IT disruptions across the world.
“After the user clicks the Download button, the website leverages JavaScript (JS) that masquerades as JQuery v3.7.1 to download and deobfuscate the installer,” CrowdStrike’s Counter Adversary Operations team said.
“The installer contains CrowdStrike branding, German localization, and a password [is] required to continue installing the malware.”
Specifically, the spear-phishing page featured a download link to a ZIP archive file containing a malicious InnoSetup installer, with the malicious code serving the executable injected into a JavaScript file named “jquery-3.7.1.min.js” in an apparent effort to evade detection.
Users who end up launching the bogus installer are then prompted to enter a “Backend-Server” to proceed further. CrowdStrike said it was unable to recover the final payload deployed via the installer.
The campaign is assessed to be highly targeted owing to the fact that the installer is password-protected and requires input that’s likely only known to the targeted entities. Furthermore, the presence of the German language suggests that the activity is geared towards German-speaking CrowdStrike customers.
“The threat actor appears to be highly aware of operations security (OPSEC) practices, as they have focused on anti-forensic techniques during this campaign,” CrowdStrike said.
“For example, the actor registered a subdomain under the it[.]com domain, preventing historical analysis of the domain-registration details. Additionally, encrypting the installer contents and preventing further activity from occurring without a password precludes further analysis and attribution.”
The development comes amid a wave of phishing attacks taking advantage of the CrowdStrike update issue to propagate stealer and wiper malware malware –
A phishing domain crowdstrike-office365[.]com that hosts rogue archive files containing a Microsoft Installer (MSI) loader that ultimately executes a commodity information stealer called Lumma.
A ZIP file (“CrowdStrike Falcon.zip”) that contains a Python-based information stealer tracked as Connecio that collects system information, external IP address, and data from various web browsers, and exfiltrates them to SMTP accounts listed on a Pastebin dead-drop URL.
An email phishing campaign orchestrated by the Handala Hacking Team targeting Israeli entities that tricks recipients into downloading an “outage fix,” which launches an installer responsible for unpacking and executing an AutoIt script to launch a data wiper and exfiltrate system information via Telegram’s API.
Web infrastructure and security company Akamai said it uncovered no less than 180 newly created counterfeit typosquat domains purporting to assist with navigating the incident, whether it be technical support, quick fixes, or legal support, in an attempt to introduce malware or steal sensitive information.
On Thursday, CrowdStrike’s CEO George Kurtz said 97% of the Windows devices that went offline during the global IT outage are now operational.
“At CrowdStrike, our mission is to earn your trust by safeguarding your operations. I am deeply sorry for the disruption this outage has caused and personally apologize to everyone impacted,” Kurtz said. “While I can’t promise perfection, I can promise a response that is focused, effective, and with a sense of urgency.”
Previously, the company’s chief security officer Shawn Henry apologized for failing to “protect good people from bad things,” and that it “let down the very people we committed to protect.”
“The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch,” Henry acknowledged. “We are committed to re-earning your trust by delivering the protection you need to disrupt the adversaries targeting you. Despite this setback, the mission endures.”
Meanwhile, Bitsight’s analysis of traffic patterns exhibited by CrowdStrike machines across organizations globally has revealed two “interesting” data points that it said warrants additional investigation.
“Firstly, on July 16 at around 22:00 there was a huge traffic spike, followed by a clear and significant drop off in egress traffic from organizations to CrowdStrike,” security researcher Pedro Umbelino said. “Second, there was a significant drop, between 15% and 20%, in the number of unique IPs and organizations connected to CrowdStrike Falcon servers, after the dawn of the 19th.”
“While we can not infer what the root cause of the change in traffic patterns on the 16th can be attributed to, it does warrant the foundational question of ‘Is there any correlation between the observations on the 16th and the outage on the 19th?'”
While the full impact of the IT outage remains to be tallied, cloud insurance services firm Parametrix Solutions estimates that the event impacted nearly a quarter of the Fortune 500 companies, resulting in a direct financial loss of $5.4 billion (excluding Microsoft), including $1.94 billion in losses for healthcare, $1.15 billion for banking, and $0.86 billion for the airlines sector.
John Cable, Microsoft’s vice president of program management for Windows servicing and delivery, said the incident “underscores the need for mission-critical resiliency within every organization.”
“These improvements must go hand in hand with ongoing improvements in security and be in close cooperation with our many partners, who also care deeply about the security of the Windows ecosystem,” Cable said, urging enterprises to have a major incident response plan (MIRP) in place, periodically take data backups, utilize deployment rings, and enable Windows security baselines.
With endpoint detection and response (EDR) software requiring kernel-level access to detect threats in Windows, the disruptive event appears to have also had the desired effect of Microsoft rethinking the entire approach.
Redmond said alternative features like virtualization-based security (VBS) enclaves, which it introduced back in May, could be used by third-party developers to create an “isolated compute environment that does not require kernel mode drivers to be tamper resistant.” Azure Attestation, another security solution, enables remote verification of the “trustworthiness of a platform and integrity of the binaries running inside it.”
Microsoft further described the issue as arising due to a “read-out-of-bounds memory safety error in the CrowdStrike developed CSagent.sys driver,” and that such kernel drivers are leveraged for tamper resistance and performance improvements, not to mention for gaining system wide visibility into security related events.
“Windows provides several user mode protection approaches for anti-tampering, like Virtualization-based security (VBS) Enclaves and Protected Processes that vendors can use to protect their key security processes,” David Weston, vice President of enterprise and OS security at Microsoft said.
“Windows also provides ETW events and user-mode interfaces like Antimalware Scan Interface for event visibility. These robust mechanisms can be used to reduce the amount of kernel code needed to create a security solution, which balances security and robustness.”
(The story was updated after publication to include Microsoft’s analysis of Windows crash reports stemming from the CrowdStrike programming error.)
The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.
“ALPHV/BlackCat did not get seized. They are exit scamming their affiliates,” security researcher Fabian Wosar said. “It is blatantly obvious when you check the source code of the new takedown notice.”
“There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice.”
The U.K.’s National Crime Agency (NCA) told Reuters that it had no connection to any disruptions to the BlackCat infrastructure.
Recorded Future security researcher Dmitry Smilyanets posted screenshots on the social media platform X in which the BlackCat actors claimed that the “feds screwed us over” and that they intended to sell the ransomware’s source code for $5 million.
The disappearing act comes after it allegedly received a $22 million ransom payment from UnitedHealth’s Change Healthcare unit (Optum) and refused to share the proceeds with an affiliate that had carried out the attack.
The company has not commented on the alleged ransom payment, instead stating it’s only focused on investigation and recovery aspects of the incident.
According to DataBreaches, the disgruntled affiliate – who had their account suspended by the administrative staff – made the allegations on the RAMP cybercrime forum. “They emptied the wallet and took all the money,” they said.
This has raised speculations that BlackCat has staged an exit scam to evade scrutiny and resurface in the future under a new brand. “A re-branding is pending,” a now-former admin of the ransomware group was quoted as saying.
Menlo Security, citing HUMINT sources with direct contact to the affiliate, described them as likely associated with Chinese nation-state groups. The affiliate, who goes by the name Notchy, is said to have engaged on ransomware-related topics in the RAMP forum as early as 2021.
BlackCat had its infrastructure seized by law enforcement in December 2023, but the e-crime gang managed to wrest control of their servers and restart its operations without any major consequences. The group previously operated under the monikers DarkSide and BlackMatter.
“Internally, BlackCat may be worried about moles within their group, and closing up shop preemptively could stop a takedown before it occurs,” Malachi Walker, a security advisor with DomainTools, said.
“On the other hand, this exit scam might simply be an opportunity for BlackCat to take the cash and run. Since crypto is once again at an all-time high, the gang can get away with selling their product ‘high.’ In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions.”
The group’s apparent demise and the abandonment of its infrastructure come as malware research group VX-Underground reported that the LockBit ransomware operation no longer supports Lockbit Red (aka Lockbit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.
LockBit has also tried to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation took down its infrastructure last month following a months-long investigation.
It also comes as Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, finance, and insurance companies in the U.S., Germany, India, Taiwan, and other countries since emerging in April 2023.
Attacks mounted by the group “involve multi-stage components designed to ensure maximum impact and success in the group’s operations,” the cybersecurity firm noted.
A list of top most popular Android Reverse Engineering Tools to decode, re-encode and signing apk
1: APK EDITOR STUDIO – Free, Open source & Cross-platform APK editor Supported OS: Windows, Mac, Linux Interface: GUI Info: APK Editor Studio is a powerful yet easy to use APK reverse-engineering tool. Extract, edit or replace APK resources, images and icons; add translations, create your own APK mod or learn its internal structure. Multiple handy tools will help you to easily change application icon, application title, automatically sign APK and install it on your device.
2: jadx – Dex to Java decompiler Supported OS: Windows, Mac, Linux Interface: Command line, GUI Info: Produce Java source code from Android Dex and Apk files
3: Apktool – Decode & Rebuild Apk Supported OS: Windows, Mac, Linux Interface: Command line Info: Decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project like file structure and automation of some repetitive tasks like building apk, etc.
4: Uber Apk Signer – Signing and zip aligning Apk Supported OS: Windows, Mac, Linux Interface: Command line Info: A tool that helps signing, zip aligning and verifying multiple Android application packages (APKs) with either debug or provided release certificates (or multiple). It supports v1, v2 and v3 Android signing scheme. Easy and convenient debug signing with embedded debug keystore. Automatically verifies signature and zipalign after every signing.
5: dex2jar – Tools to work with android .dex and java .class files Supported OS: Windows, Mac, Linux Interface: Command line Info: Read/write the Dalvik Executable (.dex) file, Convert .dex file to .class files, disassemble dex to smali files and assemble dex from smali files
6: GDA – Android Reversing Tool Supported OS: Windows Interface: GUI Info: GDA is a new decompiler written entirely in c++, so it does not rely on the Java platform, which is succinct, portable and fast, and supports APK, DEX, ODEX, oat.
7: JD-GUI – Displays Java sources from CLASS files Supported OS: Windows, Mac, Linux Interface: GUI Info: JD-GUI is a standalone graphical utility that displays Java source codes of ‘.class’ files. You can browse the reconstructed source code with the JD-GUI for instant access to methods and fields.
8: Dexplorer – Explore apk from Android Device Supported OS: Android Interface: GUI Info: Explore the Dex/Apk files of all your installed apps and downloaded apk’s. A simple decompiler is included, but is not able to show method bodies.
Hope this list of android reverse engineering tools will help you to explore more inside of android apk
A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by “several” ransomware groups to gain elevated permissions and deploy file-encrypting malware.
The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host.
“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD,” Broadcom-owned VMware noted in an advisory released in late June 2024.
In other words, escalating privileges on ESXi to the administrator was as simple as creating a new AD group named “ESX Admins” and adding any user to it, or renaming any group in the domain to “ESX Admins” and adding a user to the group or using an existing group member.
Microsoft, in a new analysis published on July 29, said it observed ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest leveraging the post-compromise technique to deploy Akira and Black Basta.
“VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named ‘ESX Admins’ to have full administrative access by default,” researchers Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan, and Vaibhav Deshmukh said.
“This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist.”
In one attack staged by Storm-0506 against an unnamed engineering firm in North America, the threat actor weaponized the vulnerability to gain elevated permissions to the ESXi hypervisors after having obtained an initial foothold using a QakBot infection and exploiting another flaw in the Windows Common Log File System (CLFS) Driver (CVE-2023-28252, CVSS score: 7.8) for privilege escalation.
Subsequently, phases entailed the deployment of Cobalt Strike and Pypykatz, a Python version of Mimikatz, to steal domain administrator credentials and move laterally across the network, followed by dropping the SystemBC implant for persistence and abusing the ESXi admin access to deploy Black Basta.
“The actor was also observed attempting to brute force Remote Desktop Protocol (RDP) connections to multiple devices as another method for lateral movement, and then again installing Cobalt Strike and SystemBC,” the researchers said. “The threat actor then tried to tamper with Microsoft Defender Antivirus using various tools to avoid detection.”
The development comes as Google-owned Mandiant revealed that a financially motivated threat cluster called UNC4393 is using initial access obtained via a C/C++ backdoor codenamed ZLoader (aka DELoader, Terdot, or Silent Night) to deliver Black Basta, moving away from QakBot and DarkGate.
“UNC4393 has demonstrated a willingness to cooperate with multiple distribution clusters to complete its actions on objectives,” the threat intelligence firm said. “This most recent surge of Silent Night activity, beginning earlier this year, has been primarily delivered via malvertising. This marked a notable shift away from phishing as UNC4393’s only known means of initial access.”
The attack sequence involves making use of the initial access to drop Cobalt Strike Beacon and a combination of custom and readily-available tools to conduct reconnaissance, not to mention relying on RDP and Server Message Block (SMB) for lateral movement. Persistence is achieved by means of SystemBC.
ZLoader, which resurfaced after a long gap late last year, has been under active development, with new variants of the malware being propagated via a PowerShell backdoor referred to as PowerDash, per recent findings from Walmart’s cyber intelligence team.
Over the past few years, ransomware actors have demonstrated an appetite for latching onto novel techniques to maximize impact and evade detection, increasingly targeting ESXi hypervisors and taking advantage of newly disclosed security flaws in internet-facing servers to breach targets of interest.
Qilin (aka Agenda), for instance, was originally developed in the Go programming language, but has since been redeveloped using Rust, indicating a shift towards constructing malware using memory-safe languages. Recent attacks involving ransomware have been found to leverage known weaknesses in Fortinet and Veeam Backup & Replication software for initial access.
“The Qilin ransomware is capable of self-propagation across a local network,” Group-IB said in a recent analysis, adding it’s also equipped to “carry out self-distribution using VMware vCenter.”
Another notable malware employed in Qilin ransomware attacks is a tool dubbed Killer Ultra that’s designed to disable popular endpoint detection and response (EDR) software running on the infected host as well as clear all Windows event logs to remove all indicators of compromise.
Organizations are recommended to install the latest software updates, practice credential hygiene, enforce two-factor authentication, and take steps to safeguard critical assets using appropriate monitoring procedures and backup and recovery plans.
The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.
The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.
SideWinder, which is also known by the names APT-C-17, Baby Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, often making use of spear-phishing as a vector to deliver malicious payloads that trigger the attack chains.
“SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants,” the Canadian cybersecurity company said in an analysis published last week.
The latest set of attacks employ lures related to sexual harassment, employee termination, and salary cuts in order to negatively impact the recipients’ emotional state and trick them into opening booby-trapped Microsoft Word documents.
Once the decoy file is opened, it leverages a known security flaw (CVE-2017-0199) to establish contact with a malicious domain that masquerades as Pakistan’s Directorate General Ports and Shipping (“reports.dgps-govtpk[.]com”) to retrieve an RTF file.
The RTF document, in turn, downloads a document that exploits CVE-2017-11882, another years-old security vulnerability in the Microsoft Office Equation Editor, with the goal of executing shellcode that’s responsible for launching JavaScript code, but only after ensuring that the compromised system is legitimate and is of interest to the threat actor.
It’s currently not known what’s delivered by means of the JavaScript malware, although the end goal is likely to be intelligence gathering based on prior campaigns mounted by SideWinder.
“The SideWinder threat actor continues to improve its infrastructure for targeting victims in new regions,” BlackBerry said. “The steady evolution of its network infrastructure and delivery payloads suggests that SideWinder will continue its attacks in the foreseeable future.”
A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware and netting them $100,000 in illicit profits over the past year.
The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to share malicious links or malware, per Check Point, which has dubbed it “Stargazers Ghost Network.”
Some of the malware families propagated using this method include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine, with the bogus accounts also engaged in starring, forking, watching, and subscribing to malicious repositories to give them a veneer of legitimacy.
The network is believed to have been active since August 2022 in some preliminary form, although an advertisement for the DaaS wasn’t spotted in the dark until early July 2023.
“Threat actors now operate a network of ‘Ghost’ accounts that distribute malware via malicious links on their repositories and encrypted archives as releases,” security researcher Antonis Terefos explained in an analysis published last week.
“This network not only distributes malware but also provides various other activities that make these ‘Ghost’ accounts appear as normal users, lending fake legitimacy to their actions and the associated repositories.”
Different categories of GitHub accounts are responsible for distinct aspects of the scheme in an attempt to make their infrastructure more resilient to takedown efforts by GitHub when malicious payloads are flagged on the platform.
These include accounts that serve the phishing repository template, accounts providing the image for the phishing template, and accounts that push malware to the repositories in the form of a password-protected archive masquerading as cracked software and game cheats.
Should the third set of accounts be detected and banned by GitHub, Stargazer Goblin moves to update the first account’s phishing repository with a new link to a new active malicious release, thereby allowing the operators to move forward with minimal disruption.
Besides liking new releases from multiple repositories and committing changes to the README.md files to modify the download links, there is evidence to suggest that some accounts part of the network have been previously compromised, with the credentials likely obtained via stealer malware.
“Most of the time, we observe that Repository and Stargazer accounts remain unaffected by bans and repository takedowns, whereas Commit and Release accounts are typically banned once their malicious repositories are detected,” Terefos said.
“It’s common to find Link-Repositories containing links to banned Release-Repositories. When this occurs, the Commit account associated with the Link-Repository updates the malicious link with a new one.”
One of the campaigns discovered by Check Point involves the use of a malicious link to a GitHub repository that, in turn, points to a PHP script hosted on a WordPress site and delivers an HTML Application (HTA) file to ultimately execute Atlantida Stealer by means of a PowerShell script.
Other malware families propagated via the DaaS are Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. Check Point further noted that the GitHub accounts are part of a larger DaaS solution that operates similar ghost accounts on other platforms such as Discord, Facebook, Instagram, X, and YouTube.
“Stargazer Goblin created an extremely sophisticated malware distribution operation that avoids detection as GitHub is considered a legitimate website, bypasses suspicions of malicious activities, and minimizes and recovers any damage when GitHub disrupts their network,” Terefos said.
“Utilizing multiple accounts and profiles performing different activities from starring to hosting the repository, committing the phishing template, and hosting malicious releases, enables the Stargazers Ghost Network to minimize their losses when GitHub performs any actions to disturb their operations as usually only one part of the whole operation is disrupted instead of all the involved accounts.”
The development comes as unknown threat actors are targeting GitHub repositories, wiping their contents, and asking the victims to reach out to a user named Gitloker on Telegram as part of a new extortion operation that has been ongoing since February 2024.
The social engineering attack targets developers with phishing emails sent from “notifications@github.com,” aiming to trick them into clicking on bogus links under the guise of a job opportunity at GitHub, following which they are prompted to authorize a new OAuth app that erases all the repositories and demands a payment in exchange for restoring access.
It also follows an advisory from Truffle Security that it’s possible to access sensitive data from deleted forks, deleted repositories, and even private repositories on GitHub, urging organizations to take steps to secure against what it’s calling a Cross Fork Object Reference (CFOR) vulnerability.
“A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks),” Joe Leon said. “Similar to an Insecure Direct Object Reference, in CFOR users supply commit hashes to directly access commit data that otherwise would not be visible to them.”
In other words, a piece of code committed to a public repository may be accessible forever as long as there exists at least one fork of that repository. On top of that, it could also be used to access code committed between the time an internal fork is created and the repository is made public.
It’s however worth noting that these are intentional design decisions taken by GitHub, as noted by the company in its own documentation –
Commits to any repository in a fork network can be accessed from any repository in the same fork network, including the upstream repository
When you change a private repository to public, all the commits in that repository, including any commits made in the repositories it was forked into, will be visible to everyone.
“The average user views the separation of private and public repositories as a security boundary, and understandably believes that any data located in a private repository cannot be accessed by public users,” Leon said.
“Unfortunately, […] that is not always true. What’s more, the act of deletion implies the destruction of data. As we saw above, deleting a repository or fork does not mean your commit data is actually deleted.”
Searchable Encryption has long been a mystery. An oxymoron. An unattainable dream of cybersecurity professionals everywhere.
Organizations know they must encrypt their most valuable, sensitive data to prevent data theft and breaches. They also understand that organizational data exists to be used. To be searched, viewed, and modified to keep businesses running. Unfortunately, our Network and Data Security Engineers were taught for decades that you just can’t search or edit data while in an encrypted state.
The best they could do was to wrap that plaintext, unencrypted data within a cocoon of complex hardware, software, policies, controls, and governance. And how has that worked to date? Just look at the T-Mobile breach, the United Healthcare breach, Uber, Verizon, Kaiser Foundation Health Plan, Bank of America, Prudential… and the list goes on. All the data that was stolen in those breaches remained unencrypted to support day-to-day operations.
It’s safe to conclude that the way we’re securing that data just isn’t working. It’s critical that we evolve our thought and approach. It’s time to encrypt all data at rest, in transit, and also IN USE. So, how do we effectively encrypt data that needs to be used?
As stated, it’s well established that most data is not being encrypted. Just look at the well documented, ongoing growth rate of cybercrime activity. In short, all data breaches and data ransom cases have one glaring common thread— every target maintains millions of private, sensitive, and confidential records in an unencrypted state. Stores of data, fully indexed, structured and unencrypted as easy to read plaintext simply to support operational use cases. This challenge falls under the auspices of “Acceptable Risk”.
It’s often viewed that if an organization has good cyber hygiene, that organization is encrypting data at rest (in storage, archived, or backed up) and in transit or motion (i.e. email encryption, or sending data from one point to another point). And many may think that’s enough—or that is the best they can do. After all, encryption at rest and in motion is the only encryption focus of current compliance and governance bodies, where they address database encryption.
In truth, most compliance lacks any real definition of what would be considered strong database encryption. Unfortunately, the mindset for many is still ‘if compliance doesn’t address it, it must not be that important, right?’
Let’s unpack this a little. Why don’t we encrypt data? Encryption has a reputation for being complex, expensive, and difficult to manage.
Just looking at traditional encryption of data at rest (archives and static data), these encryption solutions commonly involve a complete “lift and shift” of the database to the encryption at rest solution. This exercise often requires a network architect, database administrator, detailed mapping, and time.
Once encrypted, and assuming that long-string encryption such as AES 256 is utilized, the data is only secure right up to the point that it is needed. The data will eventually be needed to support a business function, such as customer service, sales, billing, financial service, healthcare, audit, and/or general update operations. At that point, the entire required dataset (whether the full database or a segment) needs to be decrypted and moved to a datastore as vulnerable plaintext.
This brings another layer of complexity—the expertise of a DBA or database expert, time to decrypt, the build out of a security enclave of complex solutions designed to monitor and “secure” the plaintext datastore. Now this enclave of complex solutions requires a specialized team of experts with knowledge of how each of those security tools function. Add in the need to patch and refresh each of those security tools just to maintain their effectiveness, and we now understand why so much data is compromised daily.
Of course, once the data set has been utilized, it’s supposed to be moved back to its encrypted state. So, the cycle of complexity (and expense) begins again.
Because of this cycle of complexity, in many situations, this sensitive data remains in a completely unencrypted, vulnerable state, so it is always readily available. 100% of threat actors agree that unencrypted data is the best kind of data for them to easily access.
This example focuses on encryption of data at rest, but it’s important to note that data encrypted in transit goes through much of the same process—it’s only encrypted in transit but needs to be decrypted for use on both ends of the transaction.
There is a much better approach. One that goes beyond baseline encryption. A modern, more complete database encryption strategy must account for encryption of critical database data in three states: at rest, in motion, and now IN USE. Searchable Encryption, also called Encryption-in-Use, keeps that data fully encrypted while it’s still usable. Removing the complexity and expense related to supporting an archaic encrypt, decrypt, use, re-encrypt process.
So why, now, is Searchable Encryption suddenly becoming a gold standard in critical private, sensitive, and controlled data security?
According to Gartner, “The need to protect data confidentiality and maintain data utility is a top concern for data analytics and privacy teams working with large amounts of data. The ability to encrypt data, and still process it securely is considered the holy grail of data protection.”
Previously, the possibility of data-in-use encryption revolved around the promise of Homomorphic Encryption (HE), which has notoriously slow performance, is really expensive, and requires an obscene amount of processing power. However, with the use of Searchable Symmetric Encryption technology, we can process “data in use” while it remains encrypted and maintain near real-time, millisecond query performance.
IDC Analyst Jennifer Glenn said, “Digital transformation has made data more portable and usable by every part of the business, while also leaving it more exposed. Searchable encryption offers a powerful way to keep data secure and private while unlocking its value.”
“Technologies like searchable encryption are rapidly becoming a staple for organizations to keep data usable, while ensuring its integrity and security,” Glenn said.
A 30+ year old data management company, Paperclip, has created a solution to achieve what was once referred to as the ‘holy grail of data protection’, encryption of data in use. By leveraging patented shredding technology used for data storage and Searchable Symmetric Encryption, a solution was born that removes the complexity, latency and risk inherent with legacy data security and encryption strategies.
Understanding that necessity is the mother of all inventions, Paperclip, founded in 1991 as a content supply-chain innovator, realized they themselves needed to do more to secure the cadre of sensitive data their client’s trusted them with. When analyzing the growing number of data breaches and data ransom attacks, one reality became abundantly clear: threat actors aren’t compromising or stealing encrypted data.
They are laser focused on the vast amounts of unencrypted, plaintext data being used to support key operational activities. That’s where they can do the most damage. That’s the best data to hold hostage. It was this critical data that needed to be addressed. It was time to evolve the way we encrypted our most active data, at the database layer.
This was the genesis of SAFE, first as a solution then to bring it to the commercial market.
Of course, identifying the challenge was easy. All organizations have sensitive data to protect, and all organizations have sensitive data they rely on to run their core operations. The next stage was to build a practical solution.
Paperclip SAFE is a SaaS solution that makes fully encrypted, searchable data encryption a practical reality. The entire process of encrypting, decrypting, using, re-encrypting—and the resources needed to accomplish those tasks— is no longer required. More importantly, SAFE removes the excuse related to why millions of records are left fully exposed to data theft and ransom attacks right now.
SAFE Searchable Encryption is commonly referred to as a Privacy Enhancing Technology (PET) Platform. As a PET, SAFE evolves the way data is secured at the core database layer. SAFE is unique to all other encryption solutions because it provides the following features:
Full, AES 256 encryption supporting data owner and data holder key vaults – A threat actor must compromise both disparate keys. Even then they don’t get access to the data.
Patented Paperclip Shredded Data Storage (SDS) – Even before any data is encrypted with AES 256, complex encryption, the data is shredded into pieces, salted and hashed. This breaks all context and creates entropy. Imagine a threat actor compromises both encryption keys. What they end up with is like taking a micro cross-cut shredder, running one million documents through it, throwing out a third of the shredded pieces, replacing that third with shredded old encyclopedias, shaking it up and throwing it on the floor like some sick, demented jigsaw puzzle. Based on current technology it will take about 6,000 years to reassemble all those pieces.
Always Encrypted dataset supporting full create, read, update, delete (CRUD) functionality. – Inherently, when the data isn’t in use, it’s at rest, still fully encrypted. No more encrypted, unencrypted… It’s always encrypted.
Fast encrypted compound searching (<100 milliseconds over a standard SQL query). End users won’t even realize that SAFE is running in the background.
Continuous Machine Learning and AI Threat Detection and Response (TDR) – SAFE is based on Zero Trust so the solution will monitory and learn user trends. Any out-of-band activity will be blocked and will require administrative action. The solution is also monitoring for SQL injections, data fuzzing, and other threat actor actions. As part of the solution, SAFE produces a lot of telemetry that can feed a Client’s SOC monitoring service.
Simple JSON API integration. There is some development involved, but the result is no disruption to the end user and a dataset of always available, always encrypted data.
Implementation Flexibility – SAFE is a SaaS solution, but it was also designed to be implemented as a lightweight on-premises solution. In addition, SAFE can be integrated within a third-party application where that third-party is maintaining sensitive data on behalf of the Client (outsourced application like human resources, payroll, banking platforms, healthcare EMR & PHR, etc.). If you outsource your sensitive data to a third-party vendor, it’s time to ask how they’re encrypting that data. What happens if that vendor is breached? Is your data encrypted?
We’re in a race, one that the threat actors seem to be winning. It’s time to build a better encryption engine. It’s time for SAFE.
In today’s cyber-centric business landscape, the need for searchable encryption spans many industries and use cases such as Financial Services, Healthcare, Banking, Manufacturing, Government, Education, Critical Infrastructure, Retail, and Research to name a few. There isn’t an area where data doesn’t need to be more SAFE.
SAFE as a SaaS solution can be implemented in less than 30-days with no disruption to end users or network architecture. To learn more about SAFE searchable encryption, visit paperclip.com/safe.
Note:This article is expertly written and contributed by Chad F. Walter, Chief Revenue Officer at Paperclip since June 2022, leading Sales and Marketing initiatives, with over 20 years of experience in cybersecurity and technology.
.png&w=3840&q=75)
.png&w=3840&q=75)
.png&w=3840&q=75)
.png&w=3840&q=75)
.png&w=3840&q=75)
, it opens normally. Let’s click on the 
Let’s go back to 
