DAK

@DAK@infosec.exchange
61 Followers
174 Following
1.4K Posts

Programmer, Gamer, Hacker.
When not breaking things I write emulators and raytracers.

https://DAK.LOL

I had a discussion yesterday with an acquaintance about some new infostealer leaks; I was talking about verifying whether the credentials are new or not; so I did some writing about why it's not unsafe to look up whether your password got leaked on the average service.

https://dak.lol/k-anonymous-password-lookups/

Does A Breached Password Lookup Reveal My Password?

I had a discussion yesterday with an acquaintance about some new infostealer leaks; I was talking about verifying whether the credentials are new or not (which was a silly thing to do, I should have known they weren’t in HIBP — for different reasons though) and I went to check if some of the passwords were contained in the HIBP corpus. The acquaintance asked something to the effect of, “why would you put the password into a web form, isn’t that leaking it further?”. This naturally reveals a common misconception regarding how breached password lookups typically work; both in HIBP itself, and competing commercial breached corpuses.

DAK.LOL

A new variant of Breachforums appears to be bootstrapping and already has > 300 users:

https://dak.lol/the-revival-of-breachforums/

#infosec #cybersecurity

The (alleged) revival of Breachforums

Breachforums, the infamous darkweb hacking and stolen data marketplace recently had another setback when its remaining primary administrators were arrested in France, shutting down yet another iteration of the marketplace. This closes another chapter in a site that has caused immeasurable damage to consumer and enterprise systems alike, facilitating the sale and trade of initial access, credentials, and leaked data.

DAK.LOL

https://dak.lol/what-really-is-the-16b-password-leak/

Posting this one late today in order to get in lockstep with the misinformation surrounding the previously posted "16B Passwords Leak" that surfaced on BleepingComputer.

Both the original post, and the correction are largely incorrect, based on it being infostealer data.

What Really Is That 16gb Password “Leak”?

Last week, a number of news outlets and organizations posted a story (which was then followed by ~ a retraction) of a darkweb password leak comprising 16B records. This immediately triggered a fervor around whether this was really a single leak, where it came from, who was exposed and how, and so on – as always occurs around these things.

DAK.LOL

A short writeup about a funny Signal interaction I had last week with a security vendor.

That time I nearly got Hegsethed:

https://dak.lol/that-time-I-nearly-got-Hegsethed/

That Time I Nearly Got Hegsethed

Not a deep one this week, just a funny story about something that happened to me on Tuesday, July 17. It’ll unfortunately be a short one; one that should probably be turned into a youtube short talking about it, but moving pictures scare me.

DAK.LOL

Following on the Microsoft and DoJ takedown of Lumma infrastructure, and this week’s news from Sophos discussing a single user hosting over 100 malware github repos, I wanted to spend some time looking into the specific vectors leveraged by some of these repositories. Recently, some of these attacks have included taking screenshots upon execution, which can give us a look into specifically what a user ran that triggered the RAT (Remote Access Trojan) and harvested data from their machine.

https://dak.lol/stealer-malware-attack.vectors/

Stealer malware attack vectors – Lumma Stealer

DAK.LOL

Since Lumma just got shut down c/o Microsoft, the DoJ, Interpol etc, I guess I should get off my butt and post this:

https://dak.lol/the-anatomy-of-a-stealer-package/

A discussion of what is _actually_ contained in drops of Stealer data; it's more than just credential pairs. Sometimes yucky more.

#infosec #lumma #stealers

The anatomy of a stealer package – Lumma Stealer

With the shutdown of Lumma Stealer’s infrastructure announced this week by Microsoft’s Digital Crimes Unit (DCU), the US DoJ, and others, it seemed timely to write about the reality of what is actually packaged up when a Lumma (or Redline) stealer runs on a machine and drops the package across the C2 (Command & Control) infrastructure.

DAK.LOL

Some thoughts on the practice of using "time to crack" charts for infosec marketing, as penance for me generating them for marketing campaigns in the past.

https://dak.lol/time-to-crack-algorithms/

#infosec #cybersecurity

The misleading messaging of time to crack tables

TL;DR: It’s the time of year where security vendors post blog posts with charts of how long it takes to bruteforce a given password. As usual this raised a lot of questions from less security-minded people I know regarding the realism of the numbers, and how realistic the exercise is now. As penance for having generated this data in times past for similar marketing pushes, I will discuss why this is actually a poor way to teach less-technical users about password complexity; and how users should be creating and using credentials.

DAK.LOL

Lockbit's passwords were not only not hashed, but contained a number of _very_ weak trivially guessable passwords, with the rest being of a lower than NIST 800-63B length and complexity. Generally a good example of how not to secure ransomware operator infra.

https://dak.lol/lockbit-plaintext/

On Lockbit’s plaintext passwords

Today it was discovered that an unknown actor had managed to exploit a vulnerability in Lockbit’s PHPMyAdmin instance (on their console onion site). Apparently they were running PHP 8.1.2 which is vulnerable to an RCE CVE-2024-4577. Which uhh… lol? It probably would have been prudent to do a post-paid penetration test on their own infrastructure at some point.

DAK.LOL
born to ride bikes, forced to pentest 🚲