Put your hands up, criminal scum.

You're under arrest for violations of the United States Computer Fraud & Abuse Act, Wire Fraud, and Aggravated Identity Theft

sMelLy whY doNt u jUsT mAke a TorRenT oF tHe MalWaRe SamPleZ

MOTHERFUCKER WE DID.

- Has it's own category on vx-underground
- Posted about for several weeks

We only did it as a giant .7z to be nice to nerds who DIDN'T want to torrent.

/me flips desk

It's Friday

- A Threat Actor operating under the moniker 'NullBulge' claims to have exfiltrated 1.1TiB of data from Disney's slack. Based on the information disclosed by the Threat Actor we suspect it is yet another victim of Infostealer malware.

- AT&T filed an SEC 8K. In April an unknown Threat Actor exfiltrated customer calls and text interactions from October 31st, 2022 - January 2nd, 2023. It does not contain the contents of the conversations, but it includes almost every single AT&T customers phone number.

- Rumors are surfacing of SquareSpace customers suffering from DNS hijacks. So far crypto-related domains are being targeted. Details are sparce – it's not certain if it's due to targeted customer compromise(s), or a SquareSpace compromise. We suspect it's targeted customers. If SquareSpace was compromised we believe more high-profile customers would be targeted.

Individuals are reporting that NullBulge, the individuals claiming responsibility for the Disney slack leak, website is suddenly offline – individuals are unable to pull the leak.

tl;dr Disney has an army of lawyers (and probably nerds)

The vx-underground Microblog is designed as a place to store vx-underground staff members thoughts, opinions, or notes.

Microblog update:
2024-07-12 - Chrome COM Interface abuse potential?

https://vx-underground.org/Microblog

If non-nerdy people saw the pure chaos that we see everyday their hair would fall out their head, their eyes would wither up into the skull, and their skin would turn into dust

When we began programming and delving into the hobby of malware development – YouTube and StackOverflow didn't exist.

Our only source of information was zines, IRC, MSDN documentation (sometimes distributed via ISO files in case your internet sucked), and VxHeaven.

Be thankful you nerds have so much information readily available. The 90's sucked, it was impossible to find good documentation, people on IRC were often wrong (also crazy), and the internet was sooooo slow

Updates to vx-underground:

Malware collections:
- InTheWild.0128
- Bazaar.2024.06
- Virussign.2024.07.03
- Virussign.2024.07.04
- Virussign.2024.07.05
- Virussign.2024.07.06
- Virussign.2024.07.07
- Virussign.2024.07.08
- Virussign.2024.07.09
- Virussign.2024.07.10
- Virussign.2024.07.11
- Virussign.2024.07.12

Administrative:
- Black Mass Volume III is being developed
- Large addition of malware papers in queue
- The new Eminem album is almost not bad

Xitter is currently experiencing technical difficulties following the attempted assassination of Donald J. Trump.

Today is the day of rest.

We hope all of you have had a good week.

We'll see all of you tomorrow morning.

We've seen a lot of people discussing the Disney compromise. Let's talk about it.

tl;dr prolly data stealer, not insider threat, leak is real but not going to destroy walt disney

First, the individual(s) who take credit for the compromise allege they had help from an insider. We don't believe this to be true. When the Threat Actor(s) asserted they received insider help, they also openly distributed this individuals PII – including medical information. This is not indicative of an Insider Threat. A Threat Actor(s) weaponizing an Insider Threat is going to bleed their insider dry (e.g. more data) and an Insider Threat is (probably) going to remain anonymous. Very rarely is an Insider Threat going to openly operate under their real identity (unless they're happy to get raided).

Secondly, and regarding the data, we have not reviewed the data. It's over 1TB of Slack conversations and we're not going to pull all of that. But, while there is indeed a leak, 1TB of Slack conversations isn't necessarily going to result in the downfall of the Disney corporation. Any involuntary disclosure of information is bad, but Slack conversations will primarily be project discussion, meeting scheduling, and generic day-to-day work-related conversations. Following the leak we have not seen any evidence of damaging information disclosure – no Star wars films, no video games, no unreleased content, etc.

Third and finally, if this was the result of an Insider Threat, more information would be disclosed. Not Slack conversations. You would expect Jira data, or source code, or hidden secrets, or something other than people chatting.

Our guess is that this Disney employee was hit by an Information Stealer. Their Slack session was stolen, or some stored credentials locally which do not require MFA was stolen. This is sufficient enough to scrape data. If this data was indeed a result an Insider Threat – they did a terrible job as an Insider Threat because nobody cares about work banter.

We're seeing people on Xitter discuss being approached by brands and companies – offering them thousands of dollars for a single tweet.

This is absolutely disgusting. Why aren't we being approached?

The only people offering us large sums of money are criminals 😂😂😂

"Can I advertise our drainer?"

"Can I advertise my new Breached-like forum?"

"Can I advertise my Infostealer?"

Bro, we're probably on every watchlist on the planet. The very nanosecond we took dirty money we'd hear helicopters and the "COPS" theme song.

dulge 🙏🙏🙏

There's a cool and badass cybersecurity conference taking place in Amsterdam, the Netherlands on September 5th. It is called OrangeCon

Tickets are cheaper for students.

We weren't paid to bring attention to this conference, but we wish we were.

https://orangecon.nl/

This was almost a paid advertisement

(we said no because we have no problem giving smaller conferences publicity)

(we aren't financially motivated)