Hack Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/hack/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 02 Apr 2024 01:19:01 +0000

HackTool:Win32/Crack
https://gridinsoft.com/blogs/hacktool-win32-crack/
Sat, 30 Mar 2024 10:43:57 +0000
HackTool:Win32/Crack is related to hacking tools for bypassing license verification. These are often activators of Windows, MS Office, and other proprietary software. Contrary to the widespread belief that such tools are safe, they can carry a threat.

The most popular sources of such hacking tools are torrent distributions and websites with cracked software. Let me explain what cracked software is, what risks its use entails, and whether using it pays off compared to licensed software.

What is HackTool:Win32/Crack

HackTool:Win32/Crack is a generic detection that Microsoft Defender assigns to a piece of code that bypasses a license check. It is worth clarifying that it rarely refers to a stand-alone program; more often it is a modified element of a benign app. Win32/Crack denotes a change in the program files, or a part of them, aimed at disabling the license verification mechanism.

(Screenshot: HackTool:Win32/Crack detection popup)

Win32/Crack is often distributed via torrents or websites dedicated to cracked software, i.e. software that has had its licensing system tweaked or disabled. It can be either a separate file or embedded into the executable of the target program. By its nature, HackTool:Win32/Crack does not pose a direct threat to the system, even though what it does is illegal. Defender flags such tools as a matter of course, as part of the fight against piracy.

Is Hacktool:Win32/Crack Dangerous?

Although Win32/Crack itself is not dangerous, many cracks come with other malware embedded in the same executable file. Particularly greedy authors of such software do this to monetize their effort. Such “bonuses” can include infostealers and more severe malware like ransomware. As a result, instead of saving money, the user pays a higher price, in the form of stolen confidential data or encrypted files.

How does Win32/Crack Work?

There are two different types of software cracking: making the program believe it has a proper activation, and disabling the check completely. Both have pros and cons, and both are illegal to perform and use. Let’s have a closer look at how this works.

The methods of software cracking below are listed exclusively for educational purposes. I discourage using unlicensed software, due to both legal dangers and malware hazards. These approaches are described to give a clear understanding of what exactly Microsoft Defender means by Win32/Crack.

Disabling the license check

One way to protect software from unauthorized use is to include a license check function in its startup procedures. Essentially, a program is a set of instructions, represented as a series of bytes, executed by the CPU. During reverse engineering, the checkLicense section is identified and decompiled. A programmer may then patch the binary by replacing specific bytes to bypass the license check.

(Screenshot: poking around code)

The patched bytes typically satisfy the license check by writing values into registers or memory addresses, or by returning a particular status code. After the patch, the license check function no longer blocks execution, and the program is considered “cracked.” However, with most apps now verifying keys on their servers, this method is becoming less common.

Embedding the key

This crack approach emulates an online key verification process and returns a positive result without a real internet connection. Often, one of the points in the instructions for using such an app is “deny the application access to the Internet”. This is because the license will be deactivated once the app connects to the server and discovers that it is fake. These days, most cracks do not depend on the connection and allow you to enter any text instead of the key.

In the real world, things are more complicated now, as the software will “phone home” to see whether the key is any good. This can be bypassed by sniffing or decrypting HTTPS traffic and finding the web request that asks whether the key is valid. From there, the request can be intercepted so that it never reaches its destination and is answered with a fake response instead.

The cracker can either craft this response or log and replay an already valid one. The program then believes it got the go-ahead from the server and continues operating as normal. Alternatively, the binary can be modified so that it always treats the server’s answer as positive. Another trick of the same grade is to run a fake HTTP server that always replies positively and to redirect the check to it.

Is it a False Positive?

In most cases, HackTool:Win32/Crack is not a false positive, with just a few exceptions. As I said at the beginning, it detects specific changes made to the program file. Microsoft Defender can mistakenly report HackTool:Win32/Crack if a program’s code contains changes that could be interpreted as signs of a crack. For instance, if a program uses strings, jumps or calls typical for Win32/Crack, the antivirus might incorrectly classify it as one. In such cases, I recommend checking the file with our free online checker.

Safety Recommendations

I’d emphasize once again – do not use pirated software at all for your safety. In addition to being illegal, pirated software is a breeding ground for malware. Once a user adds any malware or potentially unwanted software to the antivirus exceptions, it can take on a life of its own. Therefore, if you see HackTool:Win32/Crack detection, download GridinSoft Anti-Malware and perform a full scan of your device.


The post HackTool:Win32/Crack appeared first on Gridinsoft Blog.

Hewlett Packard Enterprise Hacked, Darknet Forum Sales Data
https://gridinsoft.com/blogs/hewlett-packard-enterprise-hacked/
Tue, 06 Feb 2024 12:29:31 +0000
On February 1, 2024, a post selling Hewlett Packard Enterprise data appeared on a Darknet hacker forum. A threat actor known as IntelBroker claims to have hacked into the company’s network and grabbed a large amount of data, including access tokens and passwords. The company acknowledges the breach claim, but cannot confirm that any cybersecurity incident happened recently.

Hewlett Packard Enterprise Hacked

A post published on the infamous BreachForums on February 1 offers for sale an extensive database leaked from the Hewlett Packard Enterprise (HPE) internal network. The seller, known as IntelBroker, claims to have hacked into the network and obtained the data. That means either the company has suffered a new security breach, or the hacker had been present in the network for quite some time.

(Screenshot: forum post that offers Hewlett Packard data for sale)

As usually happens with Darknet forum posts offering leaked information, several screenshots are attached as evidence. Among the leaked data types, the hacker claims CI/CD access, system logs, config files, access tokens, HPE StoreOnce files and access passwords. While representative of the types of data claimed, the screenshots do not include anything that would pin down the time frame, so there is no way to tell how old this breach is.

As I mentioned in the introduction, HPE knows about the data posted on the forum and is investigating the case. At the same time, representatives of the company have no evidence of a recent cyberattack or security breach.

“At this time we have not found evidence of an intrusion, nor any impact to HPE products or services. There has not been an extortion attempt.” (Adam R. Bauer, HPE’s Senior Director for Global Communication)

Data Leak, But No Ransomware

An attack that leaks extensive amounts of data with no ransomware may sound odd, considering that a ransomware deployment typically finalizes such attacks. Still, the approach is not new: adversaries may run leak-only attacks to speed up the overall process or avoid possible detection. In some cases, this serves as a way to get at least something out of the attack when security solutions manage to block the malware.

Still, there is a positive side to this story: no customer data appears to be involved. Both what is claimed and what appears in the screenshots is purely internal data. This is good not only for HPE customers; the company itself has far less of a headache notifying those whose data was leaked.

Any Relation to HPE Corporate Email Accounts Breach?

Despite the company’s representative saying that no cyberattacks were detected, there was one that could be the culprit. Back in mid-January 2024, HPE reported that its corporate email accounts had been hacked by APT29, a threat actor associated with Russia’s SVR. The breach itself took place in May 2023, and the adversary’s access to the environment was acknowledged on December 12, 2023.

(Screenshot: details of the previous HPE hack shared in the official SEC filing)

Why could this data come from that old breach? The official company note on the case lists a selection of data categories that matches what we see in the BreachForums post. More specifically, the company said the hackers accessed several mailboxes of employees in its cybersecurity, go-to-market, business segment and several other teams. Logs, configs and access tokens are a normal occurrence in such emails, though there could also have been access to customer data. It would not be much of a surprise if the ongoing investigation leads back to the APT29 hack.

The post Hewlett Packard Enterprise Hacked, Darknet Forum Sales Data appeared first on Gridinsoft Blog.

1Password Hacked Following the Okta Hack
https://gridinsoft.com/blogs/1password-hacked-after-okta-hack/
Wed, 25 Oct 2023 16:00:48 +0000
A recent security breach at the 2FA provider Okta appears to affect some of its clients. Among others, the password management service 1Password reported “suspicious activity” that is most likely related to the situation at Okta.

What happened to Okta?

At the end of October 2023, Okta posted a notification on social media about the security breach. The named reason is a lack of session token validation, which made it possible for hackers to access the computers of tech support employees. From there, cybercriminals were able to access files sent in by other customers; these files commonly contain cookies, session tokens and the like.

(Screenshot: official note from Okta regarding the hack)

This is not the first time Okta has gotten into trouble with hackers. In March 2022, hackers from the Lapsus$ cybercrime group managed to hack into the laptop of one of its tech support engineers. This affected a small portion of Okta customers, only ~2.5%, but still a large number, as the company is a major identity management provider. Such recurring hacks, especially within one specific division of the company, hit its image pretty hard, to say the least.

1Password Hacked Through the Okta Hack

Despite how bad the Okta hack sounds, it is not that bad for 1Password. At the moment, the company reports that it has ceased all operations related to the employee accounts that used Okta services. Further investigation showed there is nothing to worry about: no accounts were compromised whatsoever.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.” (1Password’s report on the situation)

Although things appear to be fine on the 1Password side, it may not be over yet. New details of the hack appear each day, even though all the key events happened almost a month ago, on September 29.

Should you be worried?

The best part of this whole situation is that the companies do not hesitate to notify exposed customers. Actually, no 1Password user data was touched, though it is different for Okta. Okta has been, and continues, sending emails to users whose credentials are potentially in danger, with recommendations on further actions. Hence, keep an eye on emails from Okta, and that is all you need to do to stay up to date with the situation.


The post 1Password Hacked Following the Okta Hack appeared first on Gridinsoft Blog.

7 Million Freecycle Users Exposed In a Massive Data Breach
https://gridinsoft.com/blogs/freecycle-hacked-7-million-users-exposed/
Tue, 05 Sep 2023 20:06:14 +0000
Freecycle has alerted its users that sensitive information of over 7 million of them may have been compromised in a recent data breach. The organization has urged users to change their login credentials immediately to prevent any further unauthorized access to their accounts.

Detection of data breach

Freecycle, a nonprofit organization that promotes sustainability through community involvement, recently discovered a severe data breach. The organization’s security team detected the breach on August 30th, 2023, several weeks after a cybercriminal had already put the stolen data up for sale on a hacking forum on May 30th. The warning emphasized the urgency of the situation, urging affected individuals to change their passwords immediately.

(Screenshot: stolen personal data for sale on a hacking forum)

After analyzing the screenshots posted by the attackers, experts concluded that the attackers had stolen the credentials of Freecycle founder and executive director Deron Beal. As a result, the attackers had gained access to sensitive information.

After detecting the data breach, the organization informed the police. The company also advised users to be cautious of phishing attacks and scams that may target them. The warning states that despite most email providers efficiently filtering spam, users may receive an increased amount of spam emails.

Consequences of data leakage

The compromise of Deron Beal’s credentials, the founder and executive director of Freecycle, is one of the most concerning aspects of this data breach. This security breach allowed the threat actor to gain full access to member information and forum posts, which could lead to further data manipulation or unauthorized actions.

The data that was stolen includes a variety of important user information, such as:

  • User IDs. Each user is assigned a numerical identifier.
  • Usernames. The unique names members identify themselves with on the platform.
  • Email Addresses. The contact information used for communication and notifications.
  • MD5-hashed Passwords. Passwords hashed with the MD5 algorithm, which is now considered weak and vulnerable to attacks.

Fortunately, no additional personal information was exposed beyond this dataset. However, the compromise of MD5-hashed passwords is concerning, since weak passwords can be recovered from their hashes.
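To show why the MD5 point above matters, here is an added example (written for this page, not Freecycle’s code or data). It builds a few constructed records in the shape the post describes (username, e-mail, unsalted MD5 hash), shows that one precomputed table of common-password hashes matches every user who chose such a password, and contrasts that with what a defender should store instead: a per-user random salt and a slow, iterated KDF (PBKDF2-HMAC-SHA256 from Python’s standard library). All names, records and the password list are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample records in the shape the post describes (user name,
# e-mail, unsalted MD5 password hash). These are NOT real Freecycle data.
LEAKED_RECORDS = [
    ("alice", "alice@example.invalid", hashlib.md5(b"password123").hexdigest()),
    ("bob", "bob@example.invalid", hashlib.md5(b"password123").hexdigest()),
    ("carol", "carol@example.invalid", hashlib.md5(b"Tr0ub4dor&3!xq").hexdigest()),
]

# A tiny constructed list of common passwords, standing in for the large
# wordlists that leaked hash sets are routinely compared against.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "password123", "letmein"]


def md5_lookup(records, wordlist):
    """Return {username: password} for every record whose unsalted MD5 hash
    equals the MD5 hash of some wordlist entry.

    Unsalted MD5 is deterministic and fast, so a single table of
    len(wordlist) hashes serves the whole dump, and two users who chose the
    same password have the same hash and fall together."""
    table = {hashlib.md5(p.encode()).hexdigest(): p for p in wordlist}
    return {user: table[h] for user, _, h in records if h in table}


# Defensive side: random per-user salt plus an iterated KDF.
# Iteration count follows the OWASP Password Storage Cheat Sheet guidance
# for PBKDF2-HMAC-SHA256 (600,000).
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$<iter>$<salt_hex>$<hash_hex>'.

    A fresh 16-byte salt is drawn per call, so equal passwords yield
    different stored values and no shared precomputed table applies."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the parameters stored in the record and
    compare in constant time. Unknown algorithms are rejected."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    print("Recovered from the MD5 dump:", md5_lookup(LEAKED_RECORDS, COMMON_PASSWORDS))
    stored = hash_password("password123")
    print("Salted PBKDF2 record:", stored)
    print("Correct password verifies:", verify_password("password123", stored))
    print("Same password twice gives the same record:",
          hash_password("password123") == hash_password("password123"))
```

Run as a script, the MD5 lookup recovers alice’s and bob’s shared password in one table hit each, while carol’s uncommon password is not in the table; the PBKDF2 records for the same password differ every time because of the salt, and verification still succeeds only for the right password. The practical takeaway for an operator holding an MD5 password table is to re-hash on next login with a salted KDF and force a reset for accounts that have not logged in.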

Freecycle response

Freecycle assured users that no personal data beyond the specified dataset was compromised. In addition, the breach has been contained, and the organization cooperates with privacy authorities.

“We apologize for the inconvenience and would ask that you watch this space for further pending background.” (Freecycle)
“As always, please remain vigilant of phishing emails, avoid clicking on links in emails, and don’t download attachments unless you are expecting them.” (Freecycle)

Minimization of Data Breaches

The following tips can help reduce the risk of a data breach in your organization:

  • Keeping your system updated is critical to ensure that vulnerabilities are patched and cybercriminals cannot exploit them.
  • It’s highly recommended to encrypt your data as it can prevent fraudsters from taking advantage of it.
  • Regularly back up your data, as it allows for quick and efficient recovery in case of any damage.
  • Zero-trust model prevents cybercriminals from infiltrating and moving laterally by not trusting any entity inside or outside the network perimeter.
  • To strengthen cybersecurity, all users must use multi-factor or biometric authentication.

Users who reuse passwords across multiple online services should change them immediately to prevent security breaches.

The post 7 Million Freecycle Users Exposed In a Massive Data Breach appeared first on Gridinsoft Blog.

Legion Stealer targeting PUBG players
https://gridinsoft.com/blogs/legion-stealer-targeting-pubg-players/
Wed, 12 Jul 2023 10:23:55 +0000
Scammers are using a misleading GitHub page to distribute Legion Stealer to PUBG players looking for cheats. Under the guise of cheats, users download malware.

Legion Stealer Attacks PUBG Players

Cyble Research and Intelligence Labs (CRIL) recently uncovered a fraudulent GitHub page posing as a PUBG bypass hack project. Instead of providing game hacks, it distributes a malicious file. Although GitHub is a legitimate code hosting platform, threat actors (TAs) also misuse it to distribute malware through repositories. They create repositories that appear to contain authentic or appropriate code but carry hidden malware. When users download the project and execute the solution (.sln) file, they unknowingly install an information stealer named “Legion Stealer” on their systems as the payload.

(Screenshot: malicious file hosted on GitHub)

Nobody likes a cheater

To understand the problem, you need to understand the cause. In this scenario the cause is quite simple: some players desire an unfair advantage over their opponents. Specifically, a PUBG bypass hack is a form of exploit or cheat used by players to gain such an advantage. These hacks bypass the game’s anti-cheat systems, enabling players to use aimbots, wallhacks, speed hacks and other unfair gameplay advantages. Using them allows a player to dominate others, seeing and outplaying anyone. However, using bypass hacks violates the game’s terms of service and can result in penalties, including temporary or permanent bans.

By the way, this tactic is not new. In the early days of online games, when anti-cheat systems were just beginning to appear, it was fashionable to punish cheaters with Winlockers. The cheater was sent a file masked as another cheat or hack, and once it was launched, the Winlocker blocked the computer. Nowadays the tactics are different: hackers prefer stealing personal information over demanding a one-time ransom.

Is It Safe Using Cheats After All?

As we said earlier, the user receives the Legion Stealer malware instead of game cheats. Once executed, Legion Stealer carries out several commands. These involve altering the settings of Windows Defender, collecting data from the registry, and obtaining details about the system. These actions aim to avoid detection, prevent unauthorized access, and take advantage of any weaknesses in the affected system. After performing its defense evasion techniques, the stealer gathers the following system information:

  • Computer name
  • OS name
  • RAM size
  • UUID
  • CPU/GPU details
  • Product key
  • Region
  • Country
  • Time zone
  • Cellular data connectivity
  • Proxy/VPN usage
  • Reverse DNS

It then checks for web browsers:

  • Brave
  • Chrome
  • Chromium
  • Comodo Dragon
  • Edge
  • Epic Privacy
  • Iridium
  • Opera/Opera GX
  • Slimjet
  • UR Browser
  • Vivaldi
  • Yandex

From these it takes sensitive information such as passwords and cookies. The stealer is also interested in cryptocurrency wallets. It scans the system for:

  • Armory
  • AtomicWallet
  • Bytecoin
  • Coinomi
  • Electrum
  • Ethereum
  • Exodus
  • Guarda
  • Jaxx
  • Zcash

When it finds them, it reads the files in their respective directories. Of course, such malware will not pass over other games on the infected machine. It also goes after Minecraft session files, extracting information from the following applications:

  • Badlion
  • CheatBreakers
  • Impact
  • Feather
  • Lunar
  • Meteor
  • Microsoft Store
  • Novoline
  • Palladium
  • PolyMC
  • Rise
  • TLauncher

In addition, the program also collects session files from messaging applications like Discord and Telegram, Roblox cookies, webcam images, and screenshots of the victim’s system.

Gamers often feel tempted to use cheats or hacks to gain an unfair game advantage. So, some malicious individuals exploit this desire by disguising their malware as game cheats or hacks. However, it takes one to know one.

The post Legion Stealer targeting PUBG players appeared first on Gridinsoft Blog.
