Forgebound Research
https://forgeboundresearch.com

HN60: Microsoft Office Zero-Day, WordPress CVSS 10.0, Chrome Extensions Stealing AI Chats, and More
https://forgeboundresearch.com/podcasts/hn60-microsoft-office-zero-day-wordpress-cvss-10-chrome-extensions-ai-chats/
Thu, 29 Jan 2026 15:30:00 +0000

Welcome to 2026, and welcome back to Exploit Brokers by Forgebound Research. In this packed episode, we’re covering five major cybersecurity stories — any one of which could have been its own episode. From Microsoft’s emergency patch to security professionals turning to the dark side, let’s dive in.


Listen to the full episode

🎬 YouTube: Watch Episode 60 🎧 Spotify: Listen on Spotify 🍎 Apple Podcasts: Listen on Apple


Episode Timestamps

Time   Topic
0:00   Intro & Episode Teaser
0:49   Welcome & Call to Action
1:34   Story 1: Microsoft Office Zero-Day (CVE-2026-21509)
5:35   Story 2: WordPress Modular DS (CVE-2026-23550)
11:18  Story 3: Malicious Chrome Extensions Stealing AI Chats
16:32  Story 4: Brightspeed Data Breach
19:07  Story 5: Cybersecurity Pros Plead Guilty to Ransomware
22:26  Recap & Key Takeaways
24:28  Outro

Story 1: Microsoft Office Zero-Day (CVE-2026-21509)

Microsoft has released an emergency out-of-band patch for an actively exploited zero-day vulnerability affecting multiple Office versions.

Key Details

  • CVE: CVE-2026-21509
  • Type: Security Feature Bypass (OLE mitigations)
  • Affected Versions: Office 2016, 2019, LTSC 2021, LTSC 2024, Microsoft 365
  • Exploitation Status: Active exploitation in the wild
  • CISA KEV Deadline: February 16, 2026

Technical Background

Microsoft Office uses OLE (Object Linking and Embedding) mitigations to prevent malicious embedded content from executing harmful actions. CVE-2026-21509 bypasses these protections entirely by exploiting a flaw where security decisions rely on untrusted inputs — inputs the attacker controls.

The good news: this isn’t a preview pane attack, meaning users must actually open a malicious file to be compromised. The bad news: social engineering users into opening Office documents is the bread and butter of phishing campaigns.

Action Required

For Office 2021 and later: Updates are available via server-side changes, but you must restart your Office applications for the protection to take effect.

For Office 2016/2019: Patches are not yet available. Microsoft recommends applying registry mitigations detailed in their security advisory.

Cipher-ism: “Update your stuff. A patch does you no good if it isn’t installed.”


Story 2: WordPress Modular DS (CVE-2026-23550)

This vulnerability is a masterclass in how multiple design choices can combine to create catastrophic security failures.

Key Details

  • CVE: CVE-2026-23550
  • CVSS Score: 10.0 (Critical)
  • Type: Unauthenticated Privilege Escalation
  • Affected Plugin: Modular DS (40,000+ active installations)
  • Patched Version: 2.6.0 (not 2.5.2)

The Attack Chain

Modular DS is a WordPress plugin that allows administrators to manage multiple WordPress sites from a single dashboard. The vulnerability allows complete admin takeover without any credentials:

  1. Bypass Authentication: Supply origin=mo as a request parameter
  2. Trigger Auto-Login: The plugin automatically logs unauthenticated users in as administrator
  3. Game Over: Full admin access achieved

This is a textbook example of why security by obscurity doesn’t work. A “magic parameter” is not authentication.

Timeline

  • January 13, 2026 (~2:00 UTC): First attacks detected by Patchstack (before public disclosure)
  • Hours later: Vendor released version 2.5.2
  • January 16, 2026: Version 2.6.0 released to address additional exploit paths

Indicators of Compromise

  • Attacker IPs: 45.11.89.19, 185.196.0.11
  • Rogue Admin Accounts: support2026, admin_backup
  • Malicious Plugins/Themes: Check for recently installed items you didn’t add

Remediation

  1. Update immediately to version 2.6.0 or later
  2. Audit admin users for suspicious accounts created mid-January
  3. Review installed plugins and themes for unauthorized additions
  4. Consider WAF rules blocking requests to /api/modular-connector with origin=mo
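Added example (not from the episode or from the plugin's vendor): a short Python triage script that applies the indicators above to a web server access log and to the site's administrator list. The log lines and the admin rows are constructed samples; the WP-CLI command named in the comment is assumed to be available on the host, and the exploitation window is taken from the timeline above.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log excerpt; not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [13/Jan/2026:01:55:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
45.11.89.19 - - [13/Jan/2026:02:03:11 +0000] "POST /api/modular-connector?origin=mo HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.4 - - [13/Jan/2026:02:10:45 +0000] "GET /api/modular-connector?origin=dashboard HTTP/1.1" 401 0 "-" "Mozilla/5.0"
185.196.0.11 - - [13/Jan/2026:02:12:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 8192 "-" "curl/8.4"
"""

# Indicators quoted in the show notes above.
IOC_IPS = {"45.11.89.19", "185.196.0.11"}
IOC_ADMIN_LOGINS = {"support2026", "admin_backup"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_access_line(line):
    """Parse one combined-format line into a dict with the path and query split out."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec

def is_bypass_pattern(rec):
    # Same condition as the WAF rule suggested in the remediation list:
    # the connector endpoint requested with origin=mo.
    return (rec["path"].rstrip("/").endswith("/api/modular-connector")
            and "mo" in rec["query"].get("origin", []))

def scan_access_log(text):
    """Return one finding per log line that matches the bypass pattern or a published IoC IP."""
    findings = []
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        reasons = []
        if is_bypass_pattern(rec):
            reasons.append("origin=mo request to modular-connector")
        if rec["ip"] in IOC_IPS:
            reasons.append("source IP is a published IoC")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "target": rec["target"], "reasons": reasons})
    return findings

# Constructed rows in the shape of
#   wp user list --role=administrator --fields=user_login,user_registered --format=csv
# (WP-CLI is assumed to be installed on the host; these rows are invented).
SAMPLE_ADMIN_ROWS = [
    ("siteowner", "2023-04-02 09:12:00"),
    ("support2026", "2026-01-13 02:04:30"),
    ("admin_backup", "2026-01-13 02:05:01"),
    ("editor_jane", "2025-11-20 16:40:00"),
]

def suspicious_admins(rows, window_start="2026-01-13 00:00:00", window_end="2026-01-17 00:00:00"):
    """Flag admin accounts whose login is a known rogue name or that were registered inside the
    exploitation window (first attacks 13 Jan 2026, fixed release 16 Jan 2026 per the timeline)."""
    fmt = "%Y-%m-%d %H:%M:%S"
    start, end = datetime.strptime(window_start, fmt), datetime.strptime(window_end, fmt)
    flagged = []
    for login, registered in rows:
        created = datetime.strptime(registered, fmt)
        if login in IOC_ADMIN_LOGINS or start <= created < end:
            flagged.append(login)
    return flagged

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f["ts"], f["ip"], f["target"], "; ".join(f["reasons"]))
    print("admins to review:", suspicious_admins(SAMPLE_ADMIN_ROWS))
```

The request with origin=dashboard is deliberately left unflagged: the rule keys on the magic value, not on the endpoint alone, so legitimate dashboard traffic to the connector does not drown the alert.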

Story 3: Malicious Chrome Extensions Stealing AI Conversations

OX Security researchers discovered a malware campaign they’ve dubbed “Prompt Poaching” — and it affected over 900,000 users.

Key Details

  • Campaign Name: Prompt Poaching
  • Affected Users: 900,000+ combined downloads
  • Targets: ChatGPT and DeepSeek conversations
  • Exfiltration Interval: Every 30 minutes
  • C2 Domains: deepaichats[.]com, chatsaigpt[.]com

The Malicious Extensions

  1. ChatGPT for Chrome with GPT-5, Claude Sonnet, and DeepSeek AI (600,000+ users) — This extension actually received Google’s Featured badge
  2. AI Sidebar with DeepSeek, ChatGPT, Claude and more (300,000+ users)

Technical Analysis

The extensions impersonate a legitimate tool from AITOPIA, replicating its functionality while adding hidden data exfiltration capabilities. They leverage Chrome’s tabs.onUpdated API to detect navigation to AI chat platforms, then interact directly with the page DOM to extract:

  • User prompts
  • AI responses
  • Session metadata
  • Complete browsing history

Data is batched every 30 minutes, base64 encoded, and transmitted to attacker-controlled servers.

The Bigger Picture

Consider what people share with AI chatbots: proprietary code, business strategies, customer data, internal URLs, corporate secrets. This stolen data can be weaponized for corporate espionage, identity theft, targeted phishing, or sold on underground forums.

Action Required

  • Remove these extensions immediately if installed
  • Audit all browser extensions and their permissions
  • Be skeptical of any extension, even those with featured badges or high ratings
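Added example, not from OX Security or from the episode: a Python audit of a Chrome extension manifest that surfaces the capability combination described in the technical analysis (tabs access plus host coverage of AI chat sites, the history permission, and a background timer). The two manifests are constructed samples, the AI_CHAT_HOSTS list is an assumption, and scan_profile relies on the standard Chrome profile layout of Extensions/<id>/<version>/manifest.json.

```python
import json
from pathlib import Path

# Hosts of the AI chat services named in the story; assumed list (chat.openai.com is the older ChatGPT host).
AI_CHAT_HOSTS = ("chatgpt.com", "chat.openai.com", "chat.deepseek.com")

def pattern_covers_host(pattern, host):
    """Does a Chrome match pattern ('<all_urls>', '*://*.example.com/*', 'https://x.com/*') cover host?"""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # an API permission such as "tabs", not a host pattern
    phost = pattern.split("://", 1)[1].split("/", 1)[0]
    if phost == "*":
        return True
    if phost.startswith("*."):
        return host == phost[2:] or host.endswith("." + phost[2:])
    return host == phost

def audit_manifest(manifest):
    """Summarise what a manifest lets the extension do against AI chat sites."""
    perms = list(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions.
    host_perms = list(manifest.get("host_permissions", [])) + \
        [p for p in perms if "://" in p or p == "<all_urls>"]
    script_matches = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    reachable = sorted({h for h in AI_CHAT_HOSTS
                        if any(pattern_covers_host(p, h) for p in host_perms + script_matches)})
    report = {
        "observes_navigation": "tabs" in perms,        # tabs.onUpdated with URL details
        "reads_history": "history" in perms,
        "has_background_timer": "alarms" in perms,     # chrome.alarms is the usual periodic trigger
        "ai_hosts_reachable": reachable,
    }
    if reachable and (report["observes_navigation"] or report["reads_history"]):
        report["risk"] = "high"
    elif reachable:
        report["risk"] = "medium"
    else:
        report["risk"] = "low"
    return report

def scan_profile(extensions_dir):
    """Audit every installed extension under a Chrome profile's Extensions directory, e.g.
    ~/Library/Application Support/Google/Chrome/Default/Extensions on macOS or
    ~/.config/google-chrome/Default/Extensions on Linux."""
    results = {}
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as f:
            results[ext_id] = audit_manifest(json.load(f))
    return results

# Constructed manifests for illustration; neither is a real extension.
SUSPECT_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "AI sidebar (constructed sample)",
  "permissions": ["tabs", "storage", "alarms", "history"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://chatgpt.com/*", "https://chat.deepseek.com/*"], "js": ["content.js"]}],
  "background": {"service_worker": "bg.js"}
}""")

BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Tab counter (constructed sample)",
  "permissions": ["storage"],
  "host_permissions": ["https://example.com/*"]
}""")

if __name__ == "__main__":
    for name, m in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, audit_manifest(m))
```

A high score here is a prompt to look at the extension's background and content scripts, not proof of theft; plenty of legitimate AI helpers need DOM access on these hosts, which is exactly why a Featured badge alone is not a useful signal.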

Story 4: Brightspeed Data Breach

On January 5, 2026, US fiber broadband provider Brightspeed confirmed they are investigating claims of a cyberattack by a threat actor called Crimson Collective.

Key Details

  • Threat Actor: Crimson Collective
  • Victim: Brightspeed (20 US states, 1M+ customers)
  • Claimed Data: Names, billing addresses, email addresses, phone numbers
  • Status: Investigation ongoing — breach not confirmed

Context

This incident fits a broader 2026 trend of extortion groups targeting telecommunications and internet service providers due to the massive volumes of customer data they hold. Similar recent incidents include:

  • Ledger breach (January 2026): Customer order data exposed via e-commerce partner Global-E
  • ManageMyHealth breach (January 3, 2026): 400,000 medical documents affecting 120,000 patients in New Zealand

Recommendations for Brightspeed Customers

  • Monitor for official communications from Brightspeed
  • Be vigilant about phishing attempts using potentially exposed information
  • Never assume an email, text, or call is legitimate — verify through official channels

Story 5: Cybersecurity Professionals Plead Guilty to Ransomware Operations

On January 2, 2026, two US cybersecurity professionals pleaded guilty to conspiracy to commit extortion as affiliates of the BlackCat/ALPHV ransomware group.

The Defendants

  • Ryan Goldberg: Former incident response manager at Sygnia
  • Kevin Martin: Former ransomware negotiator at DigitalMint

The irony is staggering. One helped companies recover from attacks while moonlighting as an attacker. The other negotiated with ransomware operators on behalf of victims while being a ransomware operator himself.

Key Details

  • Charge: Conspiracy to Commit Extortion
  • Active Period: May – November 2023
  • Ransom Demands: $300,000 – $10 million
  • Confirmed Payments: $1.27 million+
  • Victim Sectors: Pharmaceutical, engineering, healthcare, drone manufacturing
  • Sentencing: March 2026 (up to 20 years each)

The Insider Threat Lesson

This case highlights a growing concern: insider risk from trusted cybersecurity personnel. When we give security professionals access to our most sensitive systems, incident response playbooks, and “keys to the castle,” we’re extending significant trust.

Mitigation Strategies

  • Background checks matter — even for security hires
  • Continuous monitoring — trust but verify
  • Principle of least privilege — even for security teams
  • Segregation of duties — limit single points of failure

Episode Recap: Key Takeaways

  1. Update your stuff. A patch does you no good if it isn’t installed. Restart those Office apps.
  2. Security by obscurity does not work. Magic parameters, hidden endpoints, and “nobody will find this” are not security controls.
  3. Be skeptical of browser extensions. Even Google’s Featured badge doesn’t guarantee safety. Audit permissions carefully.
  4. Nothing is hack-proof. Security is about making it as hard as possible for attackers while acknowledging that determined adversaries may still succeed.
  5. The insider threat is real. Sometimes the threat comes from inside the house. Background checks, least privilege, and monitoring apply to everyone — including your security team.

Subscribe for Weekly Updates

Never miss an episode of Exploit Brokers. Subscribe on your preferred platform:


Sources:

  • US Cybersecurity Plead Guilty: https://www.securityweek.com/two-us-cybersecurity-pros-plead-guilty-over-ransomware-attacks/
  • OX Security Malicious Extensions: https://www.ox.security/blog/malicious-chrome-extensions-steal-chatgpt-deepseek-conversations/
  • Modular DS CVSS 10.0: https://thehackernews.com/2026/01/critical-wordpress-modular-ds-plugin.html
  • Brightspeed Breach Claims: https://www.bleepingcomputer.com/news/security/us-broadband-provider-brightspeed-investigates-breach-claims/
  • Microsoft CVE: https://www.securityweek.com/microsoft-patches-office-zero-day-likely-exploited-in-targeted-attacks/

This has been your host Cipherceval, and I’ll catch you in the next one. Stay vigilant, stay curious, and update your stuff.


HN21 – Underground Market for Twitter/X Accounts; Google OAuth Backdoor for Hackers
https://forgeboundresearch.com/hacking-news/hn21-underground-market-for-twitter-x-accounts-google-oauth-backdoor-for-hackers/
Wed, 10 Jan 2024 05:51:25 +0000

Welcome to another captivating episode of Exploit Brokers! In this installment, we delve deep into the ever-evolving world of cybercrime and digital security. Join us as we unravel two gripping stories that shed light on the precarious nature of our online existence.

First up, we explore the dark corners of the internet where cybercriminals flood the dark web with stolen X/Twitter gold accounts. Verified accounts, belonging to celebrities and organizations, have become a lucrative target for crooks. Learn how they compromise these accounts, what they do with them, and how you can protect yourself from falling victim to these scams. #Cybercrime #DarkWeb #TwitterGoldAccounts #OnlineSecurity

Next, we tackle the concerning vulnerability in Google’s OAuth system. Password changes are often seen as a quick fix to account compromise, but malicious actors have found a way to circumvent this. Discover how an exploit allows hackers to regain access to your account even after you change your password. We break down the details and share tips on how to safeguard your online presence effectively. #GoogleSecurity #PasswordReset #OnlinePrivacy #cybersecurity  #DigitalThreats #Malware #Cyberattacks #OnlineSafety

Join us as we navigate the complex web of cybercrime and digital security, arming you with the information you need to stay one step ahead of hackers and scammers. Don’t forget to hit that subscribe button and ring the notification bell to stay updated on all things cybersecurity. Your online safety is our priority! #ExploitBrokers #TechNews #CybersecurityAwareness #staysafeonline #oauth #cybercrime #hackers #hackingnews

Sources:

Stolen Twitter/X Accounts: https://www.darkreading.com/application-security/cybercriminals-flood-dark-web-x-twitter-gold-accounts

Google Password Vuln: https://www.theregister.com/2024/01/02/infostealer_google_account_exploit/

HN20 – T-Mobile’s Watchful Eye, Big Brother, and the Misconstrued Fines. The Prelude to Big Brother?
https://forgeboundresearch.com/podcasts/hn20-t-mobiles-watchful-eye-big-brother-and-the-misconstrued-fines-the-prelude-to-big-brother/
Wed, 10 Jan 2024 05:41:28 +0000

In this episode of Exploit Brokers, we delve into a recent online uproar surrounding T-Mobile and its alleged imposition of fines for text messages containing hate speech and other violations. We take a closer look at the image that sparked the controversy, which led many to fear that T-Mobile was turning into a “Big Brother” figure, constantly monitoring and fining consumers. However, as we investigate further, we find that the situation is not as dire as it initially seemed.

As we dissect the details, we emphasize the importance of staying informed about evolving policies and industry practices. While there is no immediate cause for consumer alarm, it’s crucial to keep an eye on developments in the telecommunications sector to ensure that user privacy and freedom of communication are protected.

Join us as we separate fact from fiction in this intriguing story of T-Mobile, potential fines, and the evolving landscape of digital communication. Please subscribe to our podcast or YouTube channel for more thought-provoking discussions on tech and cybersecurity.

#tmobile #privacyconcerns #telecommunications #datasecurity #bigbrother #digitalprivacy #internetsecurity #onlineprivacy

HN 12 – The Dark Side of Hacking: Russian Hackers’ Infrastructural Shift and Google AI’s Fuzzing
https://forgeboundresearch.com/hacking-news/hn-12-the-dark-side-of-hacking-russian-hackers-infrastructural-shift-and-google-ais-fuzzing/
Thu, 24 Aug 2023 07:18:24 +0000

Minecraft’s BleedingPipe Vulnerability: Breaking down the dangerous vulnerability found in popular mods and how to protect your server.

Hey Minecraft players, if you’re into modding you’re going to want to tune in. In an article by Malwarebytes Labs, a new vulnerability known as BleedingPipe has been reported. The bug allows Remote Code Execution, or RCE, on both servers and clients: a hacker sends a specially crafted payload to take over the server. The flaw lies in the Java deserialization code used to exchange network packets between servers and clients. It has been exploited as recently as July 9th, 2023. In a blog post, MMPA lists the vulnerable mods, including EnderCore, Gadomancy, LogisticsPipes with versions older than 0.10.0.71, and a few others. MMPA has released a mod that protects servers and clients by filtering the network traffic that reaches the vulnerable part of the code.

So, let’s first talk about what is happening from more of a code perspective. Serialization and deserialization are ways to transfer data from one place to another. Say a player’s health dropped a bit. The server can send out that information by serializing a data packet and transmitting it; the receiver then deserializes the packet and interprets what it needs to update or do. This is common functionality in all kinds of apps that communicate between clients, servers, and other programs. My big concern here is twofold. First, the person or company that maintains the mods must be aware of the issue and have the time and effort available to fix the vulnerability. Second, the maintainer of the server: the server admin and/or owner must also have the time, effort, and insight to update the affected mods. If you know someone who maintains mods or servers, share my content with them so we can raise awareness. In the meantime, take a look at the PipeBlocker mod by MMPA to start protecting yourself sooner rather than later.

Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-bleedingpipe-rce-to-target-minecraft-servers-players/

MMPA: https://blog.mmpa.info/posts/bleeding-pipe/

BlueCharlie’s Evasive Moves: Dive deep into how this Russian APT actor shifts tactics and what this means for cybersecurity

So, the APT, or Advanced Persistent Threat, actor BlueCharlie is attempting to evade detection by swapping out old infrastructure such as domains for 94 new domains. BlueCharlie is a Russian espionage APT actor. They also go by “Callisto”, “COLDRIVER”, “SEABORGIUM”, and “Star Blizzard” and have been active since 2017. They target government, defense, education, and political organizations, and have also targeted non-governmental organizations, journalists, and think tanks. Recently, researchers mapped out BlueCharlie’s campaigns and their relation to the Russia-Ukraine war, broke down BlueCharlie’s infrastructure, and attributed the group’s activity to a specific person thought to be leading it. An anonymous analyst from Recorded Future’s Insikt Group revealed some insight into how BlueCharlie used a tool known as Evilginx. The attackers took advantage of Evilginx’s ability to conduct a man-in-the-middle attack. The framework lets an attacker append a legitimate-looking domain to the end of a phishing domain’s URL. An example would be something like http://phishingDomain[.]com/sso[.]legitimate[.]gov, where an unaware user sees sso[.]legitimate[.]gov and assumes it’s the authentic website rather than a path appended to a domain controlled by the attacker. However, their new domains now appear to combine two random IT-related terms and no longer append legitimate URLs to the end of the phishing domains; the example of the new naming structure given is storage-gateway[.]com. The change is thought to be a response to their old infrastructure being exposed. It’s not uncommon for APT actors to change strategy when their main approach is exposed and is being actively hunted.

So, I’ve talked about the article, but what does all this mean? An APT actor is a way to identify the activities of some malicious cyber group. In this case, the APT actor is a Russian-affiliated group conducting hack-and-leak attacks. In other words, they want to put all the secrets of everyone they target out in the open. Their favorite known tool is Evilginx, an open-source tool available on GitHub that is maintained by someone in the cybersecurity space. A lot of the popular tools used by white hats, black hats, and gray hats alike are open source or commercially available. The tools can be used for good, educational, or evil purposes; the use ultimately comes down to who is using them. There is also proprietary software, like malware written by black hats, or Ghidra, written by the NSA before it was open-sourced. The biggest takeaway is that attacks come in all shapes and sizes, and exposing an attack doesn’t completely neutralize it. It’s important to keep good security practices, keep software up to date, and minimize risk by being cautious about what you click and what you let run on your machines.
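The URL trick described above, as an added example that is not part of the episode: a Python classifier that reports the host a link actually resolves to and flags trusted domain names that appear only somewhere else in the URL. It goes slightly beyond the story by checking every non-host component (path, query, fragment and userinfo), not just the path. TRUSTED_DOMAINS is an assumed allowlist, and the defanged URLs are the ones quoted in the text.

```python
from urllib.parse import urlsplit

# Assumed allowlist of domains an organisation's users are expected to sign in to.
TRUSTED_DOMAINS = ("legitimate.gov", "login.microsoftonline.com")

def refang(url):
    """Undo the '[.]' / 'hxxp' defanging used in threat reports so the URL parses normally."""
    return (url.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))

def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True when host is a trusted domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)

def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, effective_host, decoys).

    verdict is 'trusted' when the host that really serves the page is on the allowlist,
    'lookalike' when a trusted domain name appears only in a non-host part of the URL
    (the BlueCharlie pattern: phishing host, legitimate name in the path), and
    'untrusted' otherwise. decoys lists (component, trusted_name) pairs that were found."""
    parts = urlsplit(refang(url.strip()))
    host = (parts.hostname or "").lower().rstrip(".")   # hostname is already lower-cased by urlsplit
    if is_trusted_host(host, trusted):
        return "trusted", host, []
    decoys = []
    components = (("userinfo", parts.username or ""), ("path", parts.path),
                  ("query", parts.query), ("fragment", parts.fragment))
    for name, component in components:
        for t in trusted:
            if t in component.lower():
                decoys.append((name, t))
    return ("lookalike" if decoys else "untrusted"), host, decoys

def explain(url):
    """One-line, user-facing explanation suitable for a link-warning banner."""
    verdict, host, decoys = classify_link(url)
    if verdict == "lookalike":
        where = ", ".join(f"{t} in the {c}" for c, t in decoys)
        return f"WARNING: this link goes to {host}, not to {where}"
    return f"{verdict}: {host}"

if __name__ == "__main__":
    for u in ("http://phishingDomain[.]com/sso[.]legitimate[.]gov",
              "https://sso.legitimate.gov/login",
              "https://storage-gateway[.]com/"):
        print(explain(u))
```

The point for users and for mail-gateway rules alike is that only the host component decides where the browser connects; anything after the first slash is just a string the attacker chose.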

Source: https://www.darkreading.com/attacks-breaches/russian-apt-bluecharlie-swaps-infrastructure-to-evade-detection

Blue Charlie Higher Up: https://www.nisos.com/blog/coldriver-group-report/

Infrastructure switch up: https://www.recordedfuture.com/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023

Google’s AI Bug Hunter: Learn how Google is utilizing AI to push the boundaries of vulnerability discovery

So, Google has released a security blog article titled, “AI-Powered Fuzzing: Breaking the Bug Hunting Barrier”. It’s an interesting sounding title but what does it mean? Let’s break it down.

A project by the name of OSS-Fuzz was started back in 2016 and has been hugely important in automated vulnerability discovery for open-source projects. For those who may not know, open-source projects are projects whose authors have released the code for others to view. Different licenses let you do different things, from making a copy with your own changes to different commercialization rights, but the underlying premise is that people can see the code that runs the software. Vulnerability discovery is important because it’s the process of finding bugs that can lead to attacks against software. Without that feedback, bugs could go unnoticed and then be attacked in the wild. Now Google has been testing applying their Large Language Models, or LLMs, to help improve the performance of OSS-Fuzz. To give further context, fuzzing is the process of feeding a program large amounts of random, malformed, and unexpected inputs to see if crashes or bad behavior occur.

Google has used the OSS-Fuzz service to freely support over 1,000 open-source projects, and it has found and verified fixes for over 10,000 vulnerabilities. Even with these impressive numbers, it’s thought that the service only covers about 30% of an open-source project’s total code. A study referenced in the blog article suggests that the best way to increase coverage is by adding more fuzz targets, the places where fuzzing is applied. This isn’t simple, because it isn’t automated the way the current estimated 30% coverage is.

The blog article also states that the best way to get extra coverage is for open-source maintainers to take the time to add more fuzz targets as they are onboarded and to integrate OSS-Fuzz into their infrastructure. This takes a time investment, but as with any testing put into a program, it is generally a great way to improve reliability and stability. The downside is that it requires investment not only to set up the testing and fuzz targets, but possibly some rearchitecting of the program if the code is not easily modified for testing.

This is where the most recent innovation of LLMs can come into play.

Google created a framework to evaluate whether LLMs such as Google’s own could be prompted to add new fuzz targets and improve code coverage. Simply put, the results look extremely promising. After several rounds of prompt engineering (the process of fine-tuning prompts to get the desired outcome), they were able to add anywhere from 1.5% to 31% additional coverage to projects. This is amazing given that it does not require the maintainers of the open-source project to make any code changes themselves.

Now, this is only the early stages, and more research is still to come, but this is exciting technology for fuzz-oriented bug hunting. The Google blog also notes longer-term goals, which include extending support beyond C/C++ to other language ecosystems such as Java and Python. They also want to automate the project onboarding process to lower the barrier of entry for any open-source project that wishes to take advantage of OSS-Fuzz.

I know that was a lot, and many non-developers may not grasp the full impact of this. Essentially, it leverages AI like ChatGPT to add more ways for testing to occur. The more testing can happen at scale and automatically, the faster bugs can be found. Zero-days and vulnerabilities are a game of cat and mouse: the fastest player wins until the other catches up. The more bugs are squashed before major attackers can take advantage of them, the better off prospective targets are. The last thing anyone wants is a major bug going unnoticed and allowing a nation-state hacker group to steal millions of dollars’ worth of data.

Source: https://security.googleblog.com/2023/08/ai-powered-fuzzing-breaking-bug-hunting.html

New Mac Malware Alert: Unmasking the new variant of XLoader hiding in a productivity app

So the apple never falls far from the tree. A new variant of the XLoader malware has been discovered. XLoader is macOS malware that hides as OfficeNote, a productivity app. The new version is bundled inside an Apple disk image (.dmg) file named OfficeNote.dmg and signed with the developer signature MAIT JAKHU (54YDV8NU9C). This malware was first found back in 2020 and is thought to be the successor to “Formbook”, a keylogger and information stealer distributed as Malware-as-a-Service, or MaaS. We’ve been seeing Malware-as-a-Service appear more and more. It’s the illegal counterpart of software-as-a-service, which lets people subscribe to useful software and web apps for their personal or business needs.

The original Mac variant of XLoader was a compiled .JAR file that required a Java runtime to execute. However, Apple has not shipped a Java Runtime Environment with Macs for quite a while now. The newest XLoader is written in C and Objective-C, which run natively on Macs. The disk image the malware is bundled in was signed on July 17, 2023. It’s important to note that Apple has revoked the signature, so it should no longer show up as trusted. SentinelOne said that multiple traces of the malware were detected on VirusTotal around July 2023, which likely indicates the operators were actively trying to get infections and running a large campaign around that time.

Researchers found advertisements for the Mac variant of the malware at $199/month or $299 for 3 months. The researchers noted that this is significantly more expensive than the Windows version, which normally sells for $59 a month or $129 for 3 months.

The malware itself is designed to steal clipboard data and information stored in common web browser directories, such as those of Firefox and Chrome. Safari does not appear to be targeted, however. The malware also uses sleep commands to avoid raising red flags that could lead to its detection.

What does this all mean exactly? Well, a new Mac malware is on the loose, looking to infect someone searching for a productivity app such as a word processor. Clipboard stealing and directory data harvesting are concerning because the goal could be credentials, cookies, and other data that lead to sensitive data leaks or to access to personal or business accounts. This is especially concerning since the malware appears to create a persistent process in macOS through a Launch Agent. Launch Agents are a legitimate mechanism for developers who need a persistent process to run, such as a background service for a user’s application.

Most operating systems provide ways to have something known as Daemons running. A Daemon is a background process that handles requests for an application but does not require the user to have a window up. This is useful for things like web servers and remote tools since you don’t want to leave a window open to have things running.

For the Mac users out there, keep a lookout for any app called OfficeNote. Only install software from trusted sources, and always be careful about what you download and what you install.
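Added example (not part of the episode or of SentinelOne’s analysis): a Python check over the user’s Launch Agents that applies a few simple heuristics to the persistence mechanism described above. The two property lists are constructed samples with made-up labels and paths, and the heuristics are my own rather than indicators from the report.

```python
import plistlib
from pathlib import Path

# Directories where a legitimately installed agent's executable normally lives (assumption).
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/", "/opt/")

# Constructed launchd property lists; labels and paths are invented for illustration.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.examplevendor.sync</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/ExampleVendor.app/Contents/MacOS/sync-helper</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

SUSPECT_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.placeholder.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.hidden/updater</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

def audit_agent(plist_bytes):
    """Parse one LaunchAgent plist and return its label, program and a list of findings."""
    plist = plistlib.loads(plist_bytes)
    args = plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else [])
    exe = args[0] if args else ""
    findings = []
    if not exe:
        findings.append("no program to run")
    elif not exe.startswith(TRUSTED_PREFIXES):
        findings.append(f"executable outside standard locations: {exe}")
    # A hidden directory anywhere in the path is a common way to keep a dropped binary out of sight.
    if any(part.startswith(".") for part in Path(exe).parts):
        findings.append("executable path contains a hidden directory")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append("starts at login and is restarted by launchd if it exits")
    return {"label": plist.get("Label", ""), "program": exe, "findings": findings}

def scan_launch_agents(directory=Path.home() / "Library" / "LaunchAgents"):
    """Audit every *.plist in the per-user LaunchAgents directory (the default argument)."""
    results = []
    for plist_path in sorted(Path(directory).glob("*.plist")):
        try:
            results.append((plist_path.name, audit_agent(plist_path.read_bytes())))
        except Exception as exc:  # malformed plist: report it rather than stop the scan
            results.append((plist_path.name, {"label": "", "program": "", "findings": [f"unparseable: {exc}"]}))
    return results

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AGENT), ("suspect", SUSPECT_AGENT)):
        print(name, audit_agent(sample))
    for filename, report in scan_launch_agents():
        if report["findings"]:
            print(filename, report["label"], report["findings"])
```

Anything flagged is a starting point for a closer look (who installed it, is the binary signed, what does it connect to), not a verdict; plenty of legitimate tools install agents under the home directory too.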

Source: https://thehackernews.com/2023/08/new-variant-of-xloader-macos-malware.html

Outro

Hey guys, thank you for listening to this episode of Exploit Brokers. Please consider subscribing and clicking the bell notification to get updated when new episodes are published. Also, share us with others to help us get noticed so we can spread awareness of the cyber threats we face today.

The digital world will continue to evolve, and whether hacking news, breaches, malware, AI, or a myriad of other issues arise, Exploit Brokers will be here to help shine some light on it. While it may seem daunting, our mission is to serve as your beacon, to help light up the dark corners of the cyber world and be a source of knowledge for those willing to join us. Information is our strongest ally, and together we form our strongest shield. Until our next episode, stay safe and keep your digital shields up.

HN11 – T-Mobile Hacked, PayPal Hacked, and new Hook Android Banking Malware.
https://forgeboundresearch.com/podcasts/hn11/
Thu, 26 Jan 2023 14:39:44 +0000

Intro

Hey guys, T-Mobile got hacked, PayPal got hit by a massive credential stuffing attack, a new Android malware is an evolution of an existing banking malware, and a phone ad scheme infected real apps. All this in this episode of Exploit Brokers’ Hacking News Roundup. You’re not going to want to miss this.

PayPal Accounts hit by Credential Stuffing Attack

So, let’s talk about PayPal for a second. It appears they were sending out data breach notifications, but before you run out and check your account, know that the issue happened back in December 2022. We are finding out more details now because PayPal distributed a security incident notice, and it’s important we discuss and figure out what happened. Did PayPal have some unknown zero-day? A flaw in the configuration of some server? No. It appears it was a large credential stuffing attack.

Simply put, a credential stuffing attack involves hackers taking known passwords from data dumps on the internet and then using a brute-force login tool to try to log in to multiple websites with the leaked credentials. The tool pretends to be a web browser and tries logging into an account using passwords found for a known user. It relies heavily on users reusing the same password for multiple things. Let’s say you use password123 (if you do, please change it) on websites A, B, C, and D, and then there is a data breach and website A leaks your password. A credential stuffing attack would try to log in to websites B, C, or D with the password found on the internet. Hackers would use the information they got from the website A breach to log in to the other websites.

You must keep all your passwords as unique as possible and try not to repeat the same password on multiple websites.

So now that we know a bit more about what happened, let’s talk about what PayPal did. As soon as PayPal found out about the hack, they began an investigation. They reset the passwords of affected users and set up enhanced security that required a password change on the next login. They also gave users a chance to get two years of Equifax’s identity monitoring solution.

What did the hackers have access to? According to PayPal, they could view your name, date of birth, Social Security number, address, and individual tax identification number. This all happened within a window thought to run from December 6 to December 8, 2022. It also looks like almost 35,000 users were affected by the incident.

So, on the surface it sounds bad, and it is bad for anyone affected by the attack. On the plus side, PayPal found the attack early and was able to rule out a vulnerability on their side. The problem with bugs found in the application itself is that they can take longer to fix and generally affect a wider base of users. In this case, credential stuffing only works because the hackers found passwords on the internet that, by chance, matched the password on the targeted website. It’s important to change passwords often and to minimize, if not eliminate altogether, reused passwords. It’s good practice to use something like a password manager to generate random passwords for all your accounts. Just make sure the master password is complex and not something you’ve used before.

Should you panic, stop using PayPal, disconnect your internet and go offline forever? No. You need to look into a password manager, change your most critical passwords, and rotate passwords regularly. Hacking is becoming more commonplace, and it’s important to learn to navigate it without fear.

Source: https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/

T-Mobile Hacked

The cell phone carrier T-Mobile recently released notice of a security breach that took place back in late November. T-Mobile filed a report with the Securities and Exchange Commission (SEC) about a security incident involving 37 million of its customers. It appears hackers found their way into the network and stole the addresses, phone numbers, and birth dates of the affected customers. According to the report, the hackers were not able to steal passwords, PINs, credit card numbers, Social Security numbers, or bank account information.

This only adds fuel to the fire for T-Mobile. For those who may not be aware, I’ll recap what has happened over the past few years.

Back in August 2018, hackers managed to use a vulnerable Application Programming Interface (API) to steal details of about 2 million T-Mobile customers. Although T-Mobile stated that passwords, financial information, and Social Security numbers were not compromised, the hackers did potentially steal names, billing zip codes, phone numbers, account numbers, email addresses, and account types. That was the beginning of their troubles.

The following year, in November 2019, they had another data breach. This time over 1 million prepaid customers had their name, billing address, phone number, account number, rate plan, and calling feature information stolen.

Continuing down this timeline, we arrive at March 2020. This time hackers were able to break into an employee’s email account and used it to steal customer account information. They were able to get names, addresses, phone numbers, and rate plans, but not financial information or Social Security numbers.

The rest of 2020 looked quiet and then we get to 2021.

2021 had two T-Mobile hacking events, one in January 2021 and the other in August 2021. The January event did not expose names, physical or email addresses, financial data, credit card information, Social Security numbers, tax IDs, passwords, or PINs. The August event, however, is a different story.

The August 2021 event appears to have been the worst. Hackers were able to steal names, driver’s license details, government identification numbers, Social Security numbers, dates of birth, prepaid customer PINs, addresses, and phone numbers. The event was disclosed days after a hacker put the data up for sale on an underground forum.

Now back to the new incident. Although financial and Social Security information was not stolen, the hackers did get addresses, phone numbers, and dates of birth. This means the impacted customers are now more exposed to phishing and spam campaigns, and with even more personal information available, identity theft becomes easier for hackers to carry out.

This is a prime example of why you need to rotate passwords often, get identity monitoring, lock down your credit, and sign up for a service that notifies you if your passwords, email, or any of your personal information is found on the dark web.

Source: https://www.9news.com/article/news/nation-world/t-mobile-data-stolen-37-million-customers/507-db07bf8a-f2ad-4fbc-b0d2-d72583920271

August 2018 Source: https://grahamcluley.com/hackers-t-mobile-data/

November 2019 Source: https://techcrunch.com/2019/11/22/more-than-1-million-t-mobile-customers-exposed-by-breach/

March 2020 source: https://www.theregister.com/2020/03/05/tmobile_breach/

January 2021 source: https://www.theregister.com/2020/03/05/tmobile_breach/

August 2021 source: https://www.nytimes.com/2021/08/18/business/tmobile-data-breach.html

New RAT Can Take Over Your Device

The Android banking malware world has two very dangerous families, known as Hydra and Octo. These two families are dangerous because of their ability to perform a Device Take-Over (DTO). Once a device has been taken over, the hacker can view and interact with the screen. Hackers can exfiltrate data, manipulate apps, and do anything that someone with physical access to the phone could do.

There is one other family of Android banking malware with a comparable number of infections: ERMAC. ERMAC was being rented out by its creator DukeEugene, but the biggest difference was that it did not have the ability to do a device take-over. The ERMAC source code was sold, and several renamed variants popped up; infections under the names MetaDroid and OWL were found by ThreatFabric.

The story, however, has taken a turn. Recently DukeEugene posted a new advertisement for a brand-new banking malware known as Hook. Hook was touted as new malware written from scratch. I’d assume this was to get bad actors interested in a new piece of tech that doesn’t have samples everywhere, or to rebrand the product toward a new audience. The claim of being written from scratch, however, may be false, as the team at ThreatFabric found that the malware shares a lot of the same source code as the original ERMAC.

So why am I bringing this up if it’s the same ERMAC malware that isn’t as powerful as Hydra and Octo? Hook has some shiny new upgrades that make it concerning. It can now communicate in real time and bidirectionally. For context, the malware previously used a polling method, periodically sending messages to the server controlling it. That makes it hard to do anything quickly, since any change has to wait until the next poll. The new real-time channel, WebSocket communication, opens a remote connection and keeps it open for as long as the control server wants. Coupled with the addition below, this makes it a formidable piece of malware.

Hook can now use Virtual Network Computing (VNC) to view the device remotely and abuse accessibility services to interact with UI elements. These two abilities, viewing and controlling the device, upgrade the malware to the same threat level as Hydra and Octo, so Hook can now be considered a Device Take-Over capable malware. It can perform clicks, fill in text boxes, take screenshots, and more. It can also view and retrieve files on the victim’s device. If you hold crypto or use WhatsApp, you’ll want to be extra careful: Hook can extract wallet seed phrases, which would allow a hacker to create a copy of the wallet, and it can read and send messages in the popular messaging app WhatsApp. Hook is a new malware to be on the lookout for.

Source: https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html

Outro

Malware, password attacks, and leaked data are only a portion of the cyber threats in the digital world we live in. If you want to stay up to date and learn about the threats lurking in the cyber shadows, stay tuned. This has been Exploit Brokers; I’ll see you in the next one.

HN10 – License Plates Hacked, Canada Reclassifies Tether, JsonWebToken Vulnerability, & More. https://forgeboundresearch.com/podcasts/hn10/ Sat, 14 Jan 2023 16:18:38 +0000

Intro

Hey guys, and welcome to Exploit Brokers, where we break down articles, recap recent hacking events, and give insight into the technical aspects of those events. I will explain things and give my opinion on tech and hacking events, so let’s get started.

Hackable License Plates, or Hack Way or the Highway

What if your car’s license plate could track you? What if hackers were able to access that information and could monitor the position of your car whenever they wanted? This isn’t science fiction; this is what security researchers were able to do when they gained admin access to Reviver’s backend system. In an article by Vice titled “Researchers Could Track the GPS Location of All of California’s New Digital License Plates,” they dive into the issue found by the researchers. Reviver is the company that sells and maintains the REVIVER license plate, a digital license plate that the company bills as the modern license plate. The digital plate also displays a personalized message at the bottom. Once the security researchers gained admin access, they could change that message to whatever they wanted. In addition to modifying the personalized message, an attacker could track, update, and delete any plate they wanted. Currently California allows digital license plates, and Reviver is the sole provider of them.

Let’s break down the technical information available to try to understand what happened. At first glance it appears there are two main account types, a “CONSUMER” type and a “CORPORATE” type; at least, those are the ones that appear to be handed out normally. There was a third type of account identified as a “REVIVER” account. This acted as an admin account, or root in Linux terms. This means whoever had an account with the “REVIVER” type would be able to wield virtually unchecked power. In my opinion this sounds like something developers and testers would implement so they can get in and out of the system for testing, maintaining, and enhancing pieces of code and products. This is purely what I suspect happened; only REVIVER currently knows what the intention of the account type was.

The good news? Reviver has patched the issues that were reported by the security researchers. Good on them. It’s nice to see companies being receptive to bug reports and doing something about them. Far too often you hear about companies ignoring bug reports or outsiders finding flaws in their systems. REVIVER, I think you did well in fixing the issues promptly.

Source: https://www.vice.com/en/article/wxn9vx/researchers-track-reviver-digital-license-plate-gps-location

Canada’s Standard Means Tether Gets More Restrictions

It appears the crypto markets can’t catch a break. Decrypt.co is reporting more bad news for them: crypto.com will delist the Tether stablecoin in Canada due to pressure from Canadian regulators. Users will only have until January 31 to trade or withdraw their Tether. There was some confusion, since the notice by crypto.com did not specifically say that only Canadian users would be affected. Any Tether remaining after the January 31 deadline will automatically be converted to another stablecoin, USD Coin, which is issued by the fintech company Circle.

The controversial decision was essentially forced by the Ontario Securities Commission after the Canadian Standards Association (CSA) stated its view on stablecoins. The CSA essentially views stablecoins, or stablecoin-related agreements, as securities and/or derivatives. This change of view means that stablecoins are now seen as a regulated entity, like stocks, derivatives, futures, and things of that nature. For my American viewers, the Ontario Securities Commission is essentially the Canadian equivalent of the Securities and Exchange Commission (SEC).

Let’s stop for a second and give some background on the topic. A stablecoin is the intermediary between crypto and fiat currency. It is generally tied to another currency or commodity and makes it easier for transactions between coins to happen without the added step of exchanging to a fiat currency such as US dollars. Stablecoins are backed by real-world assets such as the US dollar. For further background: Tether is the third-largest digital asset by market capitalization and the largest crypto stablecoin at the time of this recording, and USD Coin, from the fintech company Circle, is the second-largest stablecoin. The move to convert any remaining Tether to USDC makes sense. USDC is issued by a registered money service business in the US and is therefore already regulated and scrutinized there. Tether has had issues in the past, including lawsuits over its statements that USDT was backed by cash and cash equivalents. I’ll be sure to do a video on this in the future.

Source: https://decrypt.co/118812/crypto-com-delist-tether-canada

Let’s JWT this down

The one thing most developers and system admins don’t want to hear is that there is a severe vulnerability in the systems they are developing or maintaining. A new high-severity flaw has been found in JsonWebToken (JWT). The flaw has the potential to allow an attacker to achieve Remote Code Execution (RCE). Known as CVE-2022-23529, it has been patched in version 9.0.0 of the JWT package. If your app is running 8.5.1 or below, it’s time to update to 9.0.0 to avoid being exploited in the wild.

To give some context, JWT is how some web applications authenticate users. The JWT library is developed and maintained by Auth0, which is owned by Okta, Inc. The severity is a concern because the JWT library we’re discussing has over 10 million weekly downloads on npm, the popular Node package manager, and is used by over 22,000 projects. That means thousands of applications are potentially running vulnerable code that could let an attacker execute malicious code on a victim server.

We’re seeing more and more software supply chain attacks lately. Essentially, why attack an application directly when you can find exploitable bugs in a package with widespread usage? That lets you target tons of applications all at once. The moment a serious vulnerability is found, the attacker only needs to play the numbers game to get a successful attack underway.

Developers should be mindful of security as often as possible. I know it’s alluring to think that software has to be shipped fast, but it’s important to have processes in place to catch as many of these vulnerabilities as early as possible. It’s impossible to avoid ever introducing bugs into applications, but the more that are caught, the harder it is for an attacker to find an easy attack vector.

Source: https://thehackernews.com/2023/01/critical-security-flaw-found-in.html

The Zero Day in Sugar

So, there is a major vulnerability in SugarCRM that allows attackers to take full control of the victim’s server. A recent zero-day, or previously unknown vulnerability, has been discovered being exploited in the wild against SugarCRM instances. The zero-day has reportedly affected 12 percent, or roughly 354, of the over 3,000 SugarCRM servers online. SugarCRM made a hotfix available in early January and has applied it to its cloud-based offerings. It encourages any admin running SugarCRM on their own servers to patch as soon as possible.

The vulnerability was posted in late December and included Google dorks, or search queries that use Google’s powerful web crawling to find specific things. A hacker can use a Google dork to find potentially vulnerable websites by searching for information not generally visible on the surface of the website.

To give more info on the zero-day found, it was identified as an authentication bypass bug. An authentication bypass bug allows an attacker to access the server without needing to be authenticated, or logged in. The attacker in this instance was able to manipulate a file on the server. That file manipulation allowed the attacker to obtain a cookie, which could then be chained with uploading a malicious image. The malicious image contained code that allowed the attacker to open a remote session on the server. Once they have a remote session on the server, they can do virtually anything they want. This essentially means the hacker has completely taken over the server and could place other backdoors and launch their own apps at the expense of the server owner.

Source: https://arstechnica.com/information-technology/2023/01/hundreds-of-sugarcrm-servers-infected-with-critical-in-the-wild-exploit/

Outro

Thank you for tuning in. This has been Exploit Brokers, I’ll see you in the next one!

Linux How To Guide for Files and Directories https://forgeboundresearch.com/system-admin/linux/linux-how-to-guide-for-files-and-directories/ Thu, 02 Jun 2022 05:45:25 +0000

This Linux How To will cover deleting a file, deleting a directory, making a file, and making a directory. Although this is not meant to be an exhaustive guide to file and directory management, it’s a quick intro for someone just starting their Linux journey.

Introduction

Managing files and directories is an essential part of maintaining and using any Unix/Linux system.

The Linux file system works similarly to Windows and macOS, if you are familiar with those operating systems. Linux is, however, much easier and faster to get around once you get comfortable with the Command Line Interface (CLI).

Directory Management

Linux How To: Make a Directory

There are two primary ways of making a directory: the visual way, using a Graphical User Interface (GUI), and the CLI. I will primarily go over the CLI.

Making a directory involves the mkdir command, which is short for Make Directory.

mkdir accepts several arguments, but only the name of the directory is mandatory.

The base command looks like the following:

exploit@exploitBrokers:~$ mkdir sampleDirectory

If you entered a command similar to the above, you would now have a directory named sampleDirectory. You can view it by entering the list contents command, ls.

You should see similar output when you enter the ls command:

exploit@exploitBrokers:~$ ls
sampleDirectory

If you enter the list command with the -l argument, which tells ls to use the long listing format, you will get output similar to the following:

exploit@exploitBrokers:~$ ls -l
drwxr-xr-x 2 exploitUser exploitGroup 4096 Jun 1 23:30 sampleDirectory

That line breaks down as follows:

d is the file type; it indicates a directory.

rwx: each group of three characters indicates whether the owner, group, and others have permissions and which ones. Here the owner may r (read), w (write), and x (execute, which for a directory means enter it) the directory.

r-x allows the group to read and execute but not write.

r-x allows all others to read and execute but not write.

exploitUser is the owner of the directory.

exploitGroup is the group that the directory belongs to.

The rest is the size, date created, and name of the directory or file.

Linux How To: Delete a Directory

Deleting a directory involves the normal delete/remove command rm plus an additional flag.

The flag is optional when removing files, but things differ slightly for directories. Attempting to delete a directory without the additional flag results in the following output:

exploit@exploitBrokers:~$ rm ./sampleDirectory/
rm: cannot remove './sampleDirectory/': Is a directory

This is easily fixed by appending the recursive flag -r. The following is an example of a complete command:

exploit@exploitBrokers:~$ rm -r ./sampleDirectory/

This deletes the directory along with all files and directories inside it.

File Management

Linux How To: Make a File

Now that you can make and delete directories, you will need to learn how to make and delete files. In Linux there are a multitude of file types, but the majority of files are recognized simply as regular files. JPEGs, PNGs, MOVs, PDFs, etc. are all considered regular files. We will discuss the non-regular file types in another article.

How you make a file depends on its contents and the application that will use it. Although a PDF and a JPEG are both regular files, their contents differ. Here we will make a simple text file containing a greeting.

exploit@exploitBrokers:~$ echo "hello" > someFile.txt

Here we are using the echo command to print our “hello” text and the > redirection operator to send that output into someFile.txt. Note that we don’t need the .txt extension, but it’s nice to have to keep things easy to recognize. You can easily have a JPEG with a .txt extension, because Linux tools generally determine the file type from the content rather than just the extension.

If we print out the content of the file using the cat command, we get the following:

exploit@exploitBrokers:~$ cat someFile.txt
hello

It’s that simple to create a file. You can also use the touch command to make an empty file that you can then open in a text editor to add content, so the possibilities for file creation are endless. Here is an example of the touch command before we move on:

exploit@exploitBrokers:~$ touch someFile.txt

Linux How To: Delete a File

Deleting a file is generally just as easy as making one, if not easier. It uses the same rm command as deleting a directory but does not require the recursive flag.

If we wanted to delete the file we created earlier, we would simply use the following command:

exploit@exploitBrokers:~$ rm someFile.txt

If an error occurs, either run the command as a more privileged user or use the force flag, -f. Note that additional flags like these are advisable only once you have more experience, or if you are willing to make mistakes and learn from them while learning Linux.

Linux How To: Do a File Rename

An easy way to rename a file in Linux is to use the mv command. The command syntax is as follows:

exploit@exploitBrokers:~$ mv oldFileName.txt newFileName.txt

The above command is the quickest way to rename a file on Linux.
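As an added example (not part of the original guide), the script below runs the guide’s commands end to end inside a throwaway temporary directory, checking after each step that the file system looks the way the text says it should, and adds a small helper that converts the nine-character permission string printed by ls -l into the octal form that chmod uses. The directory and file names follow the guide; the helper function and the checks are additions.

```shell
#!/bin/sh
# Added example, not part of the original guide. Walks through mkdir, ls -l,
# echo >, cat, touch, mv, rm and rm -r in a temporary directory and verifies
# each step. perm_to_octal is an added helper for the ls -l permission string.

# perm_to_octal rwxr-xr-x  ->  755
# Takes the nine permission characters ls -l shows after the leading file-type
# character (owner, group, others) and returns the octal mode used by chmod.
# Only r/w/x are handled; setuid, setgid and sticky bits are out of scope here.
perm_to_octal() {
  p="$1"; out=""
  for start in 1 4 7; do                      # owner, group, others
    bits=$(printf '%s' "$p" | cut -c"$start"-"$((start + 2))")
    n=0
    case "$bits" in r??) n=$((n + 4));; esac   # read
    case "$bits" in ?w?) n=$((n + 2));; esac   # write
    case "$bits" in ??x) n=$((n + 1));; esac   # execute (enter, for a directory)
    out="$out$n"
  done
  printf '%s\n' "$out"
}

# file_workflow: the guide's commands in order; returns 0 only if every step
# behaved as described. Runs in a fresh temporary directory, then cleans up.
file_workflow() {
  work=$(mktemp -d) || return 1
  if (
    cd "$work" || exit 1
    mkdir sampleDirectory || exit 1                    # make a directory
    [ -d sampleDirectory ] || exit 1
    # ls -l marks a directory with a leading 'd'. The timestamp it prints is
    # the last modification time, not the creation time.
    ls -ld sampleDirectory | grep -q '^d' || exit 1
    echo "hello" > sampleDirectory/someFile.txt        # > redirects output into a file
    [ "$(cat sampleDirectory/someFile.txt)" = "hello" ] || exit 1
    touch sampleDirectory/empty.txt                     # touch creates an empty file
    [ -f sampleDirectory/empty.txt ] || exit 1
    [ ! -s sampleDirectory/empty.txt ] || exit 1        # -s: size greater than zero
    mv sampleDirectory/someFile.txt sampleDirectory/newFileName.txt   # rename
    [ -f sampleDirectory/newFileName.txt ] || exit 1
    [ ! -e sampleDirectory/someFile.txt ] || exit 1
    rm sampleDirectory/empty.txt                        # delete a file: no -r needed
    [ ! -e sampleDirectory/empty.txt ] || exit 1
    # rm without -r refuses a directory (the guide's "Is a directory" error)
    if rm sampleDirectory 2>/dev/null; then exit 1; fi
    rm -r sampleDirectory || exit 1                     # -r removes it with its contents
    [ ! -e sampleDirectory ] || exit 1
  ); then
    status=0
  else
    status=1
  fi
  rm -rf "$work"
  return "$status"
}

# Usage: file_workflow && echo "all steps behaved as described"
#        perm_to_octal rwxr-xr-x
```

The directory created by mkdir in the guide shows up as drwxr-xr-x, which perm_to_octal turns into 755: the owner can read, write and enter it, while everyone else can only read and enter it. Running the whole workflow in a directory from mktemp -d means a mistake in any step cannot touch anything outside that scratch location.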

Linux How To: Conclusion

This was a short introduction to making and deleting files and directories. A helpful hint is to use the --help flag with commands, or to read the manual page with man followed by the command name, if available. These usually provide extra information for users to read and figure out what to do next.

Freakout Botnet Attacks DVRs, Ricochet Problems, MyKings Botnet, & Twitch Hacked. https://forgeboundresearch.com/podcasts/hn09/ Sun, 24 Oct 2021 01:03:52 +0000

Exploit Brokers Hacker News Episode 09

Intro

Hey guys, welcome to Exploit Brokers today. We’re going to be going over four different articles. Let’s talk about Twitch. Let’s talk about Ricochet, the FreakOut botnet and the MyKings botnet. Let’s jump into it.

Cool. So guys, welcome back. I know I’ve been offline for a little bit, but I am here to bring you back your hacker news goodness. So today we’re going to jump right into it.

Freakout Botnet Attacks DVRs

We’re going to talk about the FreakOut botnet. It turns out they are using their botnet to turn DVRs into Monero crypto miners. So Monero is one of the favorite cryptocurrencies in the criminal industry, because it’s very hard to track compared to, like, Bitcoin and all that.

So the transactions are much more privacy oriented, I guess, if you can say it that way. So let’s jump right into it. Let’s see. And I will list the articles in the show notes. This one is by threatpost.com, titled “FreakOut Botnet Turns DVRs Into Monero Cryptominers.” That’s what we’re talking about today.

I’ll start out by saying the article says the new Necro Python exploit targets Visual Tools DVRs used in surveillance systems. So we’re not talking about just, like, you know, your old DVR, if anyone still has a DVR for TV services. I imagine a lot of people still do, but no, this is specifically the Visual Tools DVRs for surveillance systems.

So if you think about surveillance systems, they’re going to be on all the time. They’re going to be pulling feed for everything. So, you know, hey, if they’re always on anyway, and most people aren’t going to be checking them normally, ’cause, you know, you don’t really check them unless you need them, then you could totally put something on there.

The Juniper Threat Labs researchers issued a new detail. There’s apparently something known as Necro Python, a Python IRC bot. For some people, IRC, they may be familiar with that. That’s Internet Relay Chat. It’s kind of like the predecessor to, like, messaging. You’d put up an IRC server.

People could join, you could talk, kind of like a message board, but more interactive. According to this, the malware in late September was targeting the Visual Tools DVR VX16 4.2.28.0 models with crypto mining attacks. What this usually seems to be is, like, hey, grabbing their botnets and they’re targeting this specific model.

Maybe there’s a firmware vulnerability. Maybe there’s something else. We’ll just kind of keep going and see if there’s anything we can find. Right. They’re using command injection. The script can run in both Windows and Linux environments, and the script has a polymorphic engine to morph itself.

Ooh. So, okay. This is actually really cool. Polymorphic engines, if you think about, like, something being able to evolve itself or change itself over time, you know, viruses or bacteria and stuff like that. The polymorphic engine is actually a very cool way that some viruses... I mean, I say cool, but it’s kind of devastating.

It’s a very cool way that some computer viruses keep morphing themselves, and antivirus sometimes uses signature-based defenses. Right. So what that means is they’re looking for a specific type of code or for the binaries to look a certain way. And then that will allow it to be like, hey, this looks an awful lot like this kind of virus or this specific virus.

So by morphing itself, you’re changing your signature every couple of executions or every execution, right? So the next time you infect somebody, you’re using the next variant of what it was. And typically, I was looking into polymorphic viruses to see how they kind of work, right, and they have their base encrypted.

That’ll get re-encrypted, and then you have the actual delivery system. There’s a way that you can keep that encrypted in the program. Then you can decrypt it, recompile it, but also re-encrypt it as well. You have the payloads being constantly changed and the signature will look different.

According to the article, FreakOut, which is the group who originated the botnet, have been doing this since at least January. They’ve been trying to launch distributed denial of service attacks and crypto mining attacks. So they’re trying to bring people down and trying to make money. Kind of makes sense, right?

They have several iterations of the Necrobot. According to what I’m seeing here, there have even been recent changes. Cool. They’re using what’s known as a domain generation algorithm for added persistence. Based off my research, the domain generation algorithm, how it works is it’ll guess certain kinds of domains. And then it’ll go reach out and, like, hey, are you my C2 server?

Are you my command and control server? If it doesn’t find it, well, then, hey, that’s fine. It just tries again and tries again. The first Necrobot used to scan ports 22, 80, 443, 8081, and 7001. Then, if it detected it, then according to the article, an XMRig, which is a high-performance Monero miner, linked to a specific wallet.

Then it would just try to mine and then throw whatever Monero to that wallet. So the vulnerabilities, for those of you that are kind of wondering: CVE-2021-15568, TerraMaster TOS before 4.1.29; CVE-2021-2900, the Genexis, sorry if I butchered that, Genexis Platinum 4410 2.1 P4410-V2-1.28.

There’s five of these; we already covered two. The third one is CVE-2020-25494, Xinuos, formerly SCO, OpenServer version 5 and version 6. Next is CVE-2020-28188, TerraMaster TOS every version up to and including 4.2.06, and the last one is CVE-2019-12725, Zeroshell 3.9.0.

So something I’d like to point out. We do have what looks to be, like, one extremely recent exploit, 2021. Like, you know, last year, exploits, 2020s and the 2019. This virus has exploits that are pretty recent. The chances that an organization is using something that hasn’t been patched, or that the software hasn’t had a patch for, like, the 2021 one, let’s say, then, you know, that’s, that’s pretty high.

As a software engineer, turnaround time is not like, hey, there’s an exploit. Cool. I could totally get that fixed by this afternoon. If you just find out about it and you’re in the process of a normal code delivery or code release, right, you may not have team members to go fix critical patches that night.

You may have to pull them off; that could throw your deadlines off. Very much a cat and mouse from a delivery standpoint, right? So of course you have to do bug fixes. But do you have time to do bug fixes and your main release as well? From this, I don’t know too much about TerraMaster or the CVEs in question, but from a software engineering perspective, you’ve got to be careful with that.

Ooh, so the head of Juniper Labs has told Threatpost, which is the article that I’m reading this off, most security teams need to be able to handle DGA domain attempts. What I’m assuming he means, right, from an IT perspective, if a computer, a box, right, is sending out 400 DNS requests looking for similar things, well, an average user shouldn’t be sending 400 DNS requests in an hour.

Right. They might go to, like, four or five, but if they’re doing their job, even if you’re Googling, right, you’re not going to hit 300 domains, 400 domains in two hours, three hours. That’s my guess. By having a router, switch, or firewall with a rule that kinda says, like, hey, if any machine is throwing, like, 300 or more than 200 or whatever threshold...

X amount of DNS requests in X time or Y time, then you need to throw an alert. You need to block that, ’cause, hey, that could be a malicious or compromised box. I could totally see where that’s kind of where they’re getting at. But you know, that’s just my opinion. So let’s roll into the next one.

Source: https://threatpost.com/freakout-botnet-dvrs-monero-cryptominers/175467/

Ricochet Anti-Cheat Kernel

So Ricochet, Call of Duty, for any of you gamers who are interested: Ricochet is an anti-cheat engine Call of Duty wants to use for Warzone and Vanguard. The reason I’m bringing this up is they have a kernel-level driver. It’s first going to come to Call of Duty. Kernel level, for those of you who may or may not be aware: you have the user level and you have the kernel level.

Kerner level is anything that runs windows privileges versus user space is, you know, users kind of straight forward. Right? The problem with Kernel drivers is they tend to have a lot of control over the system due to the nature that they are integrated tightly with the operating system. They’re trying to calm people down.

I kind of pre-read this article, right, they’re trying to calm people down by saying, Hey, it’s not always on and it only checks for software that interacts with Call of Duty, but that doesn’t mean it can’t change. That doesn’t mean that there couldn’t be false flags, right? So my biggest concern with any security tool, with any AI thing...

Is false positives. Right? False positives could give people a really bad day. Do we want to stop hackers? Yeah, we want to stop hackers. Do we want to stop people from ruining the game? Yeah, we want to stop people from ruining the game. What happens if the driver accidentally sees overclocking software as a flag?

So you’re going to have a lot of tech enthusiasts. A lot of people build gaming, rigs, gaming computers with the idea. Cool. I can play games, but I can also overclock this thing and get the most performance or just some people just like to do it for fun. Even I’ve played around with overclocking.

It’s just one of those things like, Hey, I have a really cool PC. Can I try this? My other concern as well. You have a kernel level driver that can interact with a system that’s been developed by this company. Well like any kernel level thing. What if there’s a vulnerability in that kernel?

How fast would they be able to patch it? How much will they care? Are they going to be invested to be able to like, Hey, a CVE came out on our kernel driver that is installing Monero miners or whatever should we patch it? Do we care?

That’s almost any company, but this is one more company. What I’m reading, the way I’m understanding is you will not be able to play the game unless the kernel driver is installed. For you to be able to play call of duty on your gaming PC, you would need to have this Kernel Installed.

That doesn’t make me feel great about it. Call of duty I’m seeing maybe a hundred million yeah, about a hundred million players, which means that if you target, let’s say, let’s say a quarter of them are gaming PC players, right

You have a quarter of the 100 million. So you have 25 million people who are now running this driver on their computers. If a CVE breaks out 25 million is, you know, pretty substantial base considering it’s one company. You should be worried about that for anything and everything.

Windows is not exactly the most secure system; there’s a lot of faults. They’re getting better, but they do have a lot of faults. Not related, but it appears that part of the driver is actually using or could possibly use machine learning algorithms. I don’t know this definitively, but they’re saying that they want to use machine learning to analyze server data to determine patterns.

Now this goes back to my false positive concern, right? So machine learning algorithms are. At current time, most of them are not 100, truly 100% accurate. If you think it’s a hundred percent, you’re maybe you’re over-fitting, which means you’re, you’re saying, Hey, this data looks this way. Cool. But then when you throw real data at it, it doesn’t fit the training data exactly.

So you’ll overfit and that’s just, that’s just one thing I’m concerned about. Say, say it’s half a percent, right? What’s half a percent of a hundred million players? It’s like 50,000 players that you may automatically flag. If you’re doing anything like an auto ban based on the flags, cool, you just falsely banned 50,000 players.

Not to mention that even with false positives, be like, well, Hey, what about the hackers that do get through? You are reducing the amount, but this is not a catch-all solution. This is not a cool, we can fix everything.

You have to do it in a nuanced way. You can’t just have the machine learning, AI be able to auto ban people without some sort of appeal process, without some sort of safety checks to prevent those who get falsely flagged to be able to come back because it’s going to suck. You pay $60, a hundred dollars, or, you know, $60 plus DLC.

I mean, Warzone is free, but if you’re buying the season pass or whatever, you’re still paying, it’s going to suck that you falsely get flagged and you lose access to the thing that you were paying money. And I don’t think anybody wants that.

I was pulling the information, I’m going to put it in the show notes, off CallOfDuty.com itself.

Source: https://www.callofduty.com/blog/2021/10/ricochet-anti-cheat-initiative-for-call-of-duty

MyKings Botnet

Let’s kind of segment into the next article.

The next article comes from bleepingcomputer.com titled “MyKings botnet, still active and making massive amounts of money”. Cool. Botnets making money seems to be like a recurring theme. The MyKings botnet, according to the article is still actively spreading and is making tons of crypto.

The first appearance was like five years ago. Being that it’s one of the most analyzed, I’m kind of pair, I’m paraphrasing slash reading the article, MyKings is particularly interesting to researchers thanks to its vast infrastructure and versatile features. What does it mean by versatile features? We’ll list a few, right.

I’ll kind of touch on what they mean. So the article states that it includes: bootkits, miners, droppers, clipboard stealers, and more. Bootkits are particularly problematic because they install themselves in the boot sector of the operating system. You don’t want a virus that manipulates your system on boot or just as it’s booting, because it becomes very hard to truly get rid of that.

If the bootkit installs itself, well, you may have to completely wipe the entire system and there goes all your data, right? Miners, going back to the Monero miner, or, if you know, a Bitcoin miner, that could be done. There’s, there’s dozens of variations. There’s probably a couple different miners per coin.

Right? Droppers, I’ve heard this term before. I have to come back to you on that clipboard stealers, you know, straight up just steals your clipboard. The reason that could be problematic is if you’re mining or if you’re doing something else cool, now they have your wallet and have other stuff.

Every time that it sees your wallet, they could inject their wallet. And there you go. Now they’re now they’re using the hacker’s wallet for reasons that they would use there’s deposits, trades, et cetera.

Let’s jump into the article. Bleeping Computer seems to be referencing the Avast threat labs. The earnings reflected in the wallet linked to MyKings are approximately 24.7 million. So they’ve been, they, they make quite a bit of money off this, right. They’re using substitution.

Oh, cool. Kind of what I was touching on. So they are using the clipboard manipulation thing to inject their, to inject their wallet. The latest, I’m going to read from the article: the latest version of the malware also features a new URL manipulation system in the clipboard stealer module, which the attackers created to hijack Steam item trade transactions. Cool, they’re even targeting Steam here. The module changes the trade offer URLs.

So the actors placed at the receiving end. So not only are they trying to probably look for digital wallets, now they’re even targeting games. So they’re targeting steam. Which is kind of interesting. I mean, in games, items sell for a lot I know there’s this one game don’t remember off the top of my head that uses real world money to kind of be like a one-to-one, but you’re not supposed to take the money out.

At least the developers, I think, don’t want you to. Hey, that’s one way that now criminals are trying to make more money. Now let’s go after games too. So there was also functionality added for the Yandex Disk storage cloud service, and it looks like they’re essentially using that for a social engineering style spread. They are putting a photos archive, you unzip it, it’s actually the malware, but you are a trusted person sending your other friend this link, they’re going to download it, run it because it came from you and it’s actually gonna infect them because your clipboard was manipulated behind the scenes.

Source: https://www.bleepingcomputer.com/news/security/mykings-botnet-still-active-and-making-massive-amounts-of-money/

Twitch Hacked

Now onto our last article.

Article by 9to5mac.com, “PSA: Twitch.tv was hacked, everything leaked, including creator payouts”. I’m pretty sure you’ve seen this on the news. It’s been everywhere. Right? So Twitch TV, the very popular streaming channel for, or streaming website for games. And I guess other stuff was hacked.

So if you have an account there they’re recommending you change your password, which I will recommend if your data’s ever in a breach. Yes. Change your password. Yeah, do it. Password managers are also pretty cool. Those can get hacked too, but Hey, at least you have like only one master password that you need to be changing often and you don’t got to remember the other ones.

Going through the article. There was an anonymous hacker who posted a huge download link. Apparently the entire website source code, various console, phone stuff. Ooh, an unreleased Steam competitor, talking about Steam earlier, right? Payouts and encrypted passwords all got leaked. So encrypted passwords, that could or could not be problematic depending on how good the encryption is. By the way, don’t trust it, change your password. Payouts, that’s just, ah, man. Now you’re going to know what every streamer makes. Apparently a 125 gigabyte torrent link was posted to 4Chan, I think last Wednesday. This was October 6th.

Ooh. So very early Wednesday, I think like maybe late September Wednesday. So I’m a little bit late to this article. One anonymous company told and I’m reading from the art from the article. “One anonymous company told VGC”, which I’m guessing is where 9to5Mac original quoted their stuff.

“That the leaked data is legitimate. Including the source code for the Amazon owned streaming platform. Internally, Twitch is aware of the breach, the source said, and it’s believed that the data was obtained as recently as Monday. We’ve requested comment from Twitch and will update this story when it replies”.

I guess there hasn’t been any update, going over, right, all of that. That’s, that’s rich. So as well as the data that got. Internal penetration testing tools got leaked too. Right? So the hackers got hacked. Twitch TV isn’t exactly hackers, but their hacking tools got hacked. Reminds me of, I think it was a government agency, got their stuff stolen by hackers too.

It kinda reminds me of that realm, right. When you look in, when you look into the abyss, the abyss will stare back kind of thing. ‘The entirety of Twitch’s source code with comment history “going back to its early beginnings”’. They got all the Twitch, pretty much all the repo, all the creator payouts from 2019, mobile, desktop and console client, proprietary SDK and internal AWS services used by Twitch. So they can completely make a Twitch clone tomorrow. Wow. ‘“Every other property that Twitch owns”, including IGDB and CurseForge’.

No idea what those are, but Hey, it’s Amazon owned, so it’s big. “An unreleased Steam competitor, codenamed Vapor from Amazon Game Studios”. So something I’ve, I’ve been seeing from the Amazon side. Right. As a developer, I like AWS. It’s kind of cool. I’m not super big on only one platform, but anyways, I’ve seen where Amazon is pushing, I think I forget the name of it, but they, they have, they’re starting to push into the game market and I think it’s because, Hey, Vapor or whatever this thing is, if it’s a Steam competitor, they want to get in on selling games. I know they’re trying to get in on the game engine side.

It kind of makes sense. Gaming is a very profitable or not profitable, but is a very big industry people game on their mobile people game on console people game on PC , it’s what people do. The last point of what was stolen includes a penetration tools, which I was talking about, it looks like it was red team tools for my listeners who are not aware, red team essentially means attacker, right?

You have red team attack, the blue team defends, and kind of variations of those. You have some people that try to do both. That will be another episode. Another thing to talk about. A Twitter user has actually been quick to post spreadsheets about who the highest-paid earners were. So I will link the article in the description or in the show notes, if you want to go check out what that Twitter is and see, you know, who were the higher paid ones? All I will say here is it’s like a couple of million dollars from August 2019 to October 2021. I mean that. That’s pretty big.

Most people don’t make a couple of million dollars unless you’re a CEO or something also, Hey, props to them.

‘The hacker said their motivation was to disrupt the space because “their community is a disgusting, toxic cesspool”‘, nine to five quoting somebody else. Not me.

It seems just like the hacker was disgruntled because of Twitch’s politics. Not going to get into that, but Hey, if you don’t like Twitch, don’t get on Twitch. If you like Twitch, well, then get on Twitch. It’s going to be completely up to you, I do agree with the notion rules should be applied evenly.

You can’t just pick and choose, you know, you’re profitable people can bend the rules, stuff like that. I don’t, I, it should be across the board. Right. It said Twitch is working hard to address this, but many people are unhappy about the results. According to the article, I mean kind of makes sense.

Your whole data was leaked or your tools are leaked or internal stuff was leaked. Now everyone knows how much they made. You know, people can see how much they made from this year to this year.

According to this, you know, but you, people are unhappy. And I know a lot of people have been unhappy with the Twitch platform as a generality, but you reap what you sow, I guess.

Source: https://9to5mac.com/2021/10/06/twitch-tv-was-hacked/

Outro

Guys, that’s the last article. So thank you for sticking with me again. This has been Exploitbrokers Hacker News with your host Lauro, and I will see you in the next one.

Golang Setup for VS Code on Windows
https://forgeboundresearch.com/programming/golang/golang-setup-visual-studio-code-for-windows/
Sun, 11 Jul 2021 03:45:55 +0000

Welcome to Go language setup for Visual Studio Code on Windows. We are going to set up our development environment so we can write and work on Go code on our computers easily. Let’s dive into it.

Installing Go

We must first download and install Go to set up our environment. Go to the following website to download the installer for Windows.

https://golang.org/dl/

Once you navigate to Go’s download page you should select the appropriate Windows installer for your machine. It looks something like this:

[Image: Featured Downloads for Go’s Windows installer]

Once you click it, it will download a file similar to the following:

go1.16.5.windows-amd64.msi

I’m downloading Go 1.16 for a 64-bit Windows machine. This will differ slightly depending on when you’re reading this and what your Windows version is.

Simply run it and click through the installer. Once it is installed you can verify the installation by running this command in a cmd prompt.

go version

The output will depend on the Go version you installed and your Windows version, but it will look similar to this:

go version go1.16.5 windows/amd64

Once you get this message then congratulations! You’ve successfully installed Go. You can begin coding Go with PowerShell and Notepad, or you can choose an IDE such as Visual Studio Code. Following this approach, we will install Visual Studio Code.

Installing Visual Studio Code and setting up for Go development

So now that we’ve installed Go we can start setting up the IDE for our development.

Visual Studio Code

You can download Visual Studio Code from the following link:

https://code.visualstudio.com/download

Again you should pick the Windows version that matches your environment, but in general the download page looks something similar to the following:

[Image: Visual Studio Code Download Section]

As a general rule of thumb:

  • User Installer: installs only for the current user
  • System Installer: installs for all users of the system
  • .zip: is the files without the installer

The downloaded file looks something like:

VSCodeSetup-x64-1.58.0.exe

I recommend the system installer, but that’s ultimately up to you and what you’re installing VS Code on. Once you download the file, run through the installation steps.

Once installed you can search for the app under the name Visual Studio Code. You can also open it from a cmd prompt using the following command:

code

Now that you have Visual Studio Code installed we can move on to setting it up for our Go development.

Go development setup in VS Code

We must first open the Extensions view, whose icon is shown below.

Then we can search for the Go extension by simply typing go in the search box.

We are looking for the “Go” extension authored by “Go Team at Google”.

Once you’ve located this extension simply press install and let VS Code install it. If VS Code prompts to install tools for Go then accept and let VS Code set up the tools necessary for you.

Wrap-up

We’ve set up a simple Go language environment for Visual Studio Code on Windows. You can also start looking at a simple introduction by following our building and running tutorial https://exploitbrokers/programming/golang/golang-how-to-build-and-run-golang-apps/

Happy Golang Coding!

Golang Tutorial – How to build and run golang apps
https://forgeboundresearch.com/programming/golang/golang-how-to-build-and-run-golang-apps/
Sun, 11 Jul 2021 03:41:32 +0000

This tutorial is a simple introduction to building and running your first Golang application. We will also cover some information about modules and a general overview of building, running, and executing Golang apps.

Specifically, we will cover: go run, go build, and go install. Let’s jump into it.

[Image: Golang – How to build and run golang apps]

In this tutorial we cover how to build Golang applications using the run and build commands. Specifically, we will cover go run and go build: their syntax, usage, and some example code you can run. This tutorial expects you to have a local Golang development environment set up. If you don’t have one or want to follow along exactly, you can check out our Golang development setup here https://exploitbrokers/programming/golang/golang-setup-visual-studio-code-for-windows/.

GO example file

Here is the example file we will use to show how to use the build and run commands. This is a simple application to print out a simple message.

package main

import "fmt"

func main() {
	fmt.Println("Hello, i'm learning golang from exploitbrokers.com")
}

You should copy and save this to any file name you want, but it must end in a .go extension. It should look something like:

helloExploitBrokers.go

GO build

We will first learn how to build Golang applications using the build command built into Go. The “build” command does pretty much what it sounds like: it builds an executable that can be run at a later point in time.

go build helloExploitBrokers.go

The go build command will create an executable, but it needs the file name to be specified.

If we want “go build” to work without explicitly naming the file, we will need to set up a go.mod, which we will go over later in the article.

So if we run the command above in a Windows environment we will get a file that looks like:

helloExploitBrokers.exe

We can then execute helloExploitBrokers.exe and get the following output. To execute it you can use a terminal, a command prompt, or, if you’re in Visual Studio Code, the integrated terminal. See the image below.

[Image: Right-clicking the file opens the menu with the “Open in Integrated Terminal” option]

Executing the program from an interactive terminal, command prompt, etc. is as simple as:

./helloExploitBrokers.exe

The execution above will print out our message:

Hello, i'm learning golang from exploitbrokers.com

Now we will learn how to make a go.mod file that allows Visual Studio Code to run the program instead of using the terminal. It’s important to note that any console app that needs console input from the user will still need to be run similar to our current application, as only interactive terminals allow user input when using Visual Studio Code.

GO Mod Init

Go’s “mod init” command allows us to set up a go.mod file which makes our current directory act as a module. A module is Go’s way of grouping packages. If you’ve ever used packages in other languages the concept is the same.

The syntax and sample usage is as follows:

go mod init helloExploitBrokers

Once the command is run you will notice a new file appear.

go.mod

The file go.mod will contain something similar to the following.

module helloExploitBrokers

go 1.16

This tells Go that this module is named helloExploitBrokers and targets Go version 1.16. The technicalities are beyond the scope of this tutorial and are best looked up at a later point. The big takeaway is that Visual Studio Code’s built-in run will now work.
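As an added example (not code from the tutorial or the Go toolchain), here is a small Go program that reads a go.mod like the one above and reports its module path and go version, rejecting a file with no module directive or a malformed version. The helper name ParseGoMod and the sample text are my own.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ModInfo holds the two directives the tutorial's go.mod contains.
type ModInfo struct {
	Module    string
	GoVersion string
}

// goVersionRe accepts versions such as "1.16" or "1.16.5".
var goVersionRe = regexp.MustCompile(`^\d+\.\d+(\.\d+)?$`)

// ParseGoMod (hypothetical helper) scans go.mod text line by line.
// Blank lines and "//" comments are skipped and block directives such as
// "require ( ... )" are ignored; only "module" and "go" are recorded.
func ParseGoMod(src string) (ModInfo, error) {
	var info ModInfo
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		if inBlock {
			if line == ")" {
				inBlock = false
			}
			continue
		}
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[len(fields)-1] == "(" {
			inBlock = true
			continue
		}
		switch fields[0] {
		case "module":
			if len(fields) != 2 {
				return info, fmt.Errorf("malformed module directive: %q", line)
			}
			info.Module = strings.Trim(fields[1], `"`)
		case "go":
			if len(fields) != 2 || !goVersionRe.MatchString(fields[1]) {
				return info, fmt.Errorf("malformed go directive: %q", line)
			}
			info.GoVersion = fields[1]
		}
	}
	if err := sc.Err(); err != nil {
		return info, err
	}
	if info.Module == "" {
		return info, errors.New("go.mod has no module directive")
	}
	return info, nil
}

func main() {
	// Constructed sample matching what "go mod init helloExploitBrokers" writes.
	const sample = "module helloExploitBrokers\n\ngo 1.16\n"
	info, err := ParseGoMod(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("module %s targets go %s\n", info.Module, info.GoVersion)
}
```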

Go Run

Go’s run command makes it easier to run our code from our IDE because it essentially builds a temporary executable and runs it for us. It saves time by running the code directly instead of building it and making us run it manually.

The run syntax will differ slightly depending on whether you have the go.mod file set up.

If you have the go.mod file set up then you can run the following command.

go run .

The . (dot) tells Go to run the package in the current directory, which holds the main function we set up in our earlier file.

If you don’t have the go.mod file set up then you can run the following command.

go run helloExploitBrokers.go

The main difference is whether you specify the file yourself or let Go find the main package in the current directory.
