Poking Windows with a stick: exploring a really silly and overly complicated malware concept.
> need to enumerate windows
> use EnumWindows
> look inside
> Win32u!NtUserBuildHwndList
> shrimple
> need to get window attributes
> use IsWindowVisible
> look inside
> hWnd->style & WS_VISIBLE
> shrimple
> need to get super accurate screen coords
> documentation says DwmGetWindowAttribute
> DwmGetWindowAttribute better than GetWindowRect
> ok
> use DwmGetWindowAttribute
> look inside
> dwmapi!DwmGetWindowAttribute
> minimum supported client Vista
> forwards to user32!GetWindowCompositionAttribute
> minimum supported client Windows 7
> ???
> GetWindowCompositionAttribute just fills struct
> look inside
> win32u!NtUserGetWindowCompositionAttribute
Documentation says to use DwmGetWindowAttribute in dwmapi.dll, but it really just uses GetWindowCompositionAttribute in user32.dll and forwards to win32u.dll for the syscall.
DwmGetWindowAttribute works on Vista... but its forward to GetWindowCompositionAttribute needs at minimum Windows 7...
lol ok whatever man
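As an added example (my code, not vx-underground's), the PowerShell P/Invoke script below walks visible top-level windows along the same path the greentext traces (EnumWindows, then IsWindowVisible) and prints the GetWindowRect rectangle beside the DwmGetWindowAttribute extended frame bounds, so the reason the docs prefer DWM (GetWindowRect counts the invisible resize borders on Windows 10 and later, the frame bounds do not) shows up as a non-zero delta. It assumes Windows 7 or later with desktop composition enabled, which is exactly the version gap the post points at.

```powershell
# Added example, not code from the post: enumerate visible top-level windows
# (EnumWindows -> IsWindowVisible, as the greentext traces) and print the
# GetWindowRect rectangle beside the DWM extended frame bounds.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct RECT { public int Left, Top, Right, Bottom; }
public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
[DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
[DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
[DllImport("user32.dll")] public static extern bool GetWindowRect(IntPtr hWnd, out RECT rc);
[DllImport("user32.dll", CharSet = CharSet.Unicode)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder sb, int max);
[DllImport("dwmapi.dll")]
public static extern int DwmGetWindowAttribute(IntPtr hWnd, int attr, out RECT rc, int size);
'@

$DWMWA_EXTENDED_FRAME_BOUNDS = 9      # value from dwmapi.h
$rectSize = [Runtime.InteropServices.Marshal]::SizeOf([type][Win32.Native+RECT])
$results  = New-Object System.Collections.Generic.List[object]

$callback = [Win32.Native+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    # Same WS_VISIBLE test the post finds inside IsWindowVisible.
    if (-not [Win32.Native]::IsWindowVisible($hWnd)) { return $true }
    $title = New-Object System.Text.StringBuilder 256
    [void][Win32.Native]::GetWindowText($hWnd, $title, $title.Capacity)
    if ($title.Length -eq 0) { return $true }          # skip untitled helper windows
    $plain = New-Object Win32.Native+RECT
    $dwm   = New-Object Win32.Native+RECT
    [void][Win32.Native]::GetWindowRect($hWnd, [ref]$plain)
    # dwmapi -> user32!GetWindowCompositionAttribute -> win32u syscall, per the post.
    $hr = [Win32.Native]::DwmGetWindowAttribute($hWnd, $DWMWA_EXTENDED_FRAME_BOUNDS, [ref]$dwm, $rectSize)
    if ($hr -ne 0) { return $true }                    # composition unavailable: no DWM answer
    $results.Add([pscustomobject]@{
        Title          = $title.ToString()
        GetWindowRect  = '{0},{1}-{2},{3}' -f $plain.Left, $plain.Top, $plain.Right, $plain.Bottom
        DwmFrameBounds = '{0},{1}-{2},{3}' -f $dwm.Left, $dwm.Top, $dwm.Right, $dwm.Bottom
        # Non-zero on Windows 10+: the invisible resize border GetWindowRect counts.
        LeftDelta      = $dwm.Left - $plain.Left
    })
    return $true                                       # keep enumerating
}
[void][Win32.Native]::EnumWindows($callback, [IntPtr]::Zero)
$results | Format-Table -AutoSize
```

A maximized or borderless window shows a zero delta; a normal framed window on Windows 10 typically shows a delta of a few pixels on the left, right and bottom edges.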
Lab52 released a paper on APT29 and suspected state-sponsored computer espionage by the Russian Federation targeting Spain
I was going to read the paper, but then I saw it's 142 pages
This is a book bro wtf
ShinyHunters compromised Canvas (to a currently unknown extent) which resulted in a "this system has been compromised" to over 9,000 universities.
As ridiculous as that sounds, I'm not memeing. It has been speculated it is actually over 9,000 universities.
ShinyHunters is having their ALPHV moment. They're now going to get attention at a serious scale outside of the information security circle.
vx-underground
I briefly spoke with "Shiny" online. He wouldn't give me any information on the compromise.
I tried advanced interrogation tactics (silly pictures of cats) and he still wouldn't tell me anything.
smh
ShinyHunters has successfully hit the big leagues.
ShinyHunters successfully disrupting exams, schooling, grading, government funded research projects, dissertation work, graduations, financial aid, financial loss, potentially immigration complications, and more, has elevated this from "a silly shenanigan" to "major national security incident" and being labeled as an attack on United States critical infrastructure.
If I had to guess, the FBI, NSA, CIA, DIA, CISA, ICE, and DOE are all involved due to the disruption of this.
This isn't the largest extortion campaign I've seen, but this is definitely in the top ten. This is what the kids call a "Certified Hood Classic".
On social media parents are outraged and are commenting they want the United States to respond MILITARILY.
They're unironically calling for Hegseth to authorize military action against ShinyHunters and DRONE STRIKE them.
Holy cow
Note: there is a 0% chance they're drone striked. I've only seen a nerd drone striked once. These are just angry normies who don't understand computers and are raging online.
I can assert with a high degree of confidence ShinyHunters did not exfiltrate highly sensitive information.
Based on information I've received the primary information stolen from the schools is student names and email addresses. Furthermore, this has been confirmed by various media outlets.
This in and of itself isn't bad.
The primary issue with this however is that it would expose children in K-12 online (first and last name). Adults having their full legal name and email address online is something you could (probably) find on LinkedIn or a university directory. Adults will be ignored if data is leaked. K-12 will be a nightmare. Hence, educational institutions must put together a strategy to handle a K-12 potential data leak.
Presumably parents will be outraged and this will inevitably result in a lawsuit against the schools or Canvas.
The much larger issue however is the catastrophic damage ShinyHunters has done to Canvas both operational and reputational.
Exfiltrating data from a compromised host is as simple as initializing a file transfer. The question then: why is Canvas still "in maintenance mode"? The only logical conclusion is ShinyHunters did SOMETHING to prevent Canvas from working as intended.
This places Canvas in a terrible, terrible, terrible position. Their service has resulted in minors having their names (potentially) leaked and educational institutions can't use the platform they pay for. Furthermore, this makes major educational institutions look like a bunch of morons.
Students are paying top dollar for an education and suddenly ... poof ... a good chunk of their work or study material has vaporized because it was stored in a 3rd party platform outside the control of the educational institution.
Basically, the data breach itself isn't bad except the K-12 part. The operational impact is devastating and the fallout will be a nightmare. Canvas employees are probably scrambling, their cybersecurity team is probably having panic attacks, and executive leadership is probably drunk right now screaming at the wall.
Students are reporting Canvas is back up. Your finals have been resumed. Yay!
Oh, only some are back up. Not all.
Nevermind. Please continue suffering and panicking
Students all across the world react to ShinyHunters
🚨BREAKING🚨
Newly declassified and unsealed UFO documents, released by the Trump administration, suggest that weird looking rock you showed your friends in middle school was likely an old dog turd
Follow vx-underground for more updates
Happy Mother's Day weekend to all of the Mommies. To celebrate the occasion, here is a picture of a cat wearing a hat. Cheers
Also, accidentally sent the GIF version on Telegram without the text. Oopsies doopsies.
I have updates to vx-underground, but in honor of Mother's Day weekend I promised Mrs. Smellington I'd watch the baby so she can do whatever girls do for fun (I actually have no idea what they do for fun)
Hello
I have collected more malware. It's like, ... 200,000 malware, I think. I don't know. I've stopped counting.
It is enough malware for your friends, family, extended family, neighbors, and co-workers.
Please download it. The malware is lonely.
https://vx-underground.org/Updates