Hacking – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed generated Fri, 18 Apr 2025 16:18:20 +0000

HackTool:Win32/Crack: Analysis and Security Risks
https://gridinsoft.com/blogs/hacktool-win32-crack-analysis/
Published Fri, 18 Apr 2025 03:43:57 +0000

The post HackTool:Win32/Crack: Analysis and Security Risks appeared first on Gridinsoft Blog.

I’ve been analyzing malware for over a decade, and few threats cause as much controversy as HackTool:Win32/Crack. This detection signature, used by Microsoft Defender and other security solutions, identifies software cracking tools that bypass licensing mechanisms in commercial software. While many users believe these tools are simply harmless money-savers, my research tells a different story. The connection between these cracks and malware distribution creates security risks that far outweigh any perceived benefits of “free” software.

Technical Definition and Classification

Let’s get specific about what we’re dealing with here. Microsoft Defender’s naming scheme files HackTool:Win32/Crack under its HackTool type rather than under Trojan, and users tend to treat it the way they treat a potentially unwanted program (PUP); in my experience, there’s nothing “potentially” about the problems these tools cause. The signature identifies modifications to software binaries, and to the environment around them, that circumvent license verification through a variety of clever but ultimately harmful methods:

  • Binary patching that alters license verification routines (directly modifying executable code)
  • DLL injection that intercepts license verification API calls
  • Emulation of activation servers that return fake validation responses
  • Key generators that produce counterfeit license keys from reverse-engineered validation algorithms
Figure: Microsoft Defender’s alert when it catches a HackTool:Win32/Crack in action. Note the categorization as a “Hack Tool”.

These tools typically show up on torrent sites, warez forums, and sketchy websites promising “free” versions of expensive software. I’ve seen countless users argue, “But it works fine for me!” Sure, it might—until it doesn’t. What many don’t realize is that these tools are increasingly sophisticated Trojans, designed specifically to appear helpful while quietly compromising systems.

How Software Cracks Actually Work

Having reverse-engineered numerous crack tools to understand their functionality, I’ve identified three main technical approaches they use. Understanding these methods helps explain exactly what security products are detecting when they flag HackTool:Win32/Crack.

Code Modification and Binary Patching

The oldest and most straightforward approach is binary patching. The crack developer locates the specific bytes within a program’s executable that handle license verification and changes them. Think of it like removing the lock from a door: effective but hardly elegant. These patches typically target:

  • Conditional jump instructions (JNZ, JE) that control verification flow, usually by inverting the condition, overwriting the jump with NOPs, or turning it into an unconditional JMP
  • Memory locations storing license status flags (often changing 0x00 to 0x01)
  • Return values from verification functions (forcing them to return “success” codes)

Cracks that target license state stored on the system rather than in the binary commonly modify registry paths such as:

HKEY_CURRENT_USER\Software\[ProductName]\License
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\[Product-specific]
Figure: disassembled code showing a JNZ instruction of the kind commonly modified to bypass license checks (the highlighted comparison operation feeds the jump).

I’ve seen many software developers combat this by implementing runtime checksum verification of their own code and Authenticode code signing. It creates a cat-and-mouse game: developers implement new protections, and crack makers find new ways around them. This has driven the evolution of more sophisticated approaches.
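To make the patching technique and the checksum countermeasure concrete, here is an added example (written for this article, not code from the original post or from any vendor) that diffs a pristine code slice against a patched copy and labels the jump and flag edits listed above. The byte strings, offsets and the hypothetical license check they encode are constructed for illustration.

```python
"""Diff a pristine binary against a patched copy and label each changed byte
the way an analyst triaging a suspected crack would.

Added example for this article, not code from the original post or from any
vendor. PRISTINE is a constructed byte string standing in for a slice of a
real PE's .text section; offsets and bytes are illustrative only.
"""
import hashlib

# x86 short conditional jumps (opcode + rel8): 0x74 = JE/JZ, 0x75 = JNE/JNZ.
SHORT_JCC = {0x74: "JE", 0x75: "JNE"}
SHORT_JMP = 0xEB   # unconditional JMP rel8
NOP = 0x90

# Constructed license check (hypothetical layout):
#   offset 0:  83 F8 01        cmp eax, 1
#   offset 3:  75 0A           jne short +0x0A   (not licensed -> nag screen)
#   offset 5:  B8 01 00 00 00  mov eax, 1
#   offset 10: C3              ret
#   offset 11: CC x5           int3 padding
#   offset 16: 00              license status flag (0 = unlicensed)
PRISTINE = bytes.fromhex("83f801" "750a" "b801000000" "c3" "cccccccccc" "00")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """The countermeasure the article mentions: compare the code against a
    known-good digest. Any single-byte patch flips the result."""
    return sha256(data) == expected_digest


def apply_patch(data: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Return a copy of data with new_bytes written at offset (what a crack does)."""
    buf = bytearray(data)
    buf[offset:offset + len(new_bytes)] = new_bytes
    return bytes(buf)


def diff_bytes(pristine: bytes, patched: bytes):
    """Return (offset, old, new) for every differing byte. Sizes must match; a
    crack that grows or shrinks the file is a different class of edit."""
    if len(pristine) != len(patched):
        raise ValueError("size mismatch: not an in-place byte patch")
    return [(i, a, b) for i, (a, b) in enumerate(zip(pristine, patched)) if a != b]


def classify_patch(pristine: bytes, patched: bytes):
    """Label each change with the jump/flag tampering patterns from the text;
    anything else is reported as 'unknown' for manual review."""
    findings, consumed = [], set()
    for off, old, new in diff_bytes(pristine, patched):
        if off in consumed:
            continue
        if old in SHORT_JCC and new == SHORT_JMP:
            label = f"{SHORT_JCC[old]} rel8 -> JMP rel8 (branch forced)"
        elif old in SHORT_JCC and new == NOP and off + 1 < len(patched) and patched[off + 1] == NOP:
            label = f"{SHORT_JCC[old]} rel8 -> NOP NOP (branch removed)"
            consumed.add(off + 1)          # the rel8 operand was NOPed as well
        elif old in SHORT_JCC and new in SHORT_JCC:
            label = f"{SHORT_JCC[old]} -> {SHORT_JCC[new]} (condition inverted)"
        elif old == 0x00 and new == 0x01:
            label = "0x00 -> 0x01 (status flag flipped)"
        else:
            label = "unknown"
        findings.append((off, old, new, label))
    return findings


# Three crack-style edits of the constructed sample.
PATCHED_NOP = apply_patch(PRISTINE, 3, b"\x90\x90")    # never take the nag branch
PATCHED_INVERT = apply_patch(PRISTINE, 3, b"\x74")      # jne -> je
PATCHED_FLAG = apply_patch(PRISTINE, 16, b"\x01")       # pretend we are licensed

if __name__ == "__main__":
    good = sha256(PRISTINE)
    for name, sample in [("nop", PATCHED_NOP), ("invert", PATCHED_INVERT), ("flag", PATCHED_FLAG)]:
        print(name, "integrity:", integrity_ok(sample, good), classify_patch(PRISTINE, sample))
```

On a real sample you would read the pristine file from a clean install and the suspect file from the infected machine and feed the two byte strings to classify_patch; diffs that land inside a code section and match one of the jump patterns are the quickest confirmation that a binary was cracked rather than merely repackaged. The digest comparison is the same logic an application runs on its own image, which is exactly why cracks also hunt for and disable that check.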

License Server Emulation: The Man-in-the-Middle Approach

Modern applications typically verify licenses against remote servers, a significantly better security practice. Crack developers have adapted by emulating the activation server locally, a technique that is quite clever, if malicious. These approaches include:

  • Modifying the hosts file (C:\Windows\System32\drivers\etc\hosts) to redirect activation hostnames to localhost
  • Running local proxy servers (often on ports 80/443) that intercept and fake validation responses
  • Spoofing the activation server’s HTTPS certificate to intercept encrypted validation traffic; unless the application pins its certificate, this means installing an attacker-controlled root CA into the Windows trust store, which then silently undermines TLS for every other program on the machine
  • Patching networking DLLs to return hardcoded successful responses

This explains that weird instruction you often see in crack readme files: “Block the application in your firewall.” They’re not being paranoid—they know that if the application reaches the real activation server, the jig is up and the fake license will be invalidated.
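As an added example (not the original post’s or any product’s code), the following script checks a hosts file for the redirection described in the first bullet above. The hosts content and the ACTIVATION_DOMAINS watchlist are constructed placeholders; in practice the watchlist holds the real activation endpoints of the software deployed on the machine.

```python
"""Flag hosts-file entries that redirect vendor activation endpoints, the
license-server-emulation trick described in the article.

Added example for this article, not code from the original post or from any
security product. HOSTS_SAMPLE is a constructed file; ACTIVATION_DOMAINS is a
hypothetical watchlist, not any real vendor's endpoint list.
"""
import ipaddress

# Hypothetical activation hostnames to watch (assumption: replace with the
# real endpoints of the products installed in your environment).
ACTIVATION_DOMAINS = {
    "activate.example-vendor.com",
    "lm.example-vendor.com",
    "licensing.example-suite.net",
}

# Addresses that make a lookup go nowhere or back to the local machine.
SINKHOLE = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1", "::")}

# Constructed sample of C:\Windows\System32\drivers\etc\hosts
HOSTS_SAMPLE = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example        # ad blocking, legitimate
127.0.0.1       activate.example-vendor.com lm.example-vendor.com   # added by crack
::1             licensing.example-suite.net
192.168.1.10    fileserver.corp.local
"""


def parse_hosts(text: str):
    """Return (ip, hostname) pairs. Comments and blank lines are skipped, and
    one line may map several hostnames to the same address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue          # malformed line; a real triage script would log it
        for host in fields[1:]:
            pairs.append((ip, host.lower()))
    return pairs


def is_watched(host: str) -> bool:
    """Match the hostname or any parent domain against the watchlist, so
    'eu.activate.example-vendor.com' is caught by 'activate.example-vendor.com'."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in ACTIVATION_DOMAINS for i in range(len(labels)))


def find_activation_redirects(text: str):
    """Entries that send a watched activation hostname anywhere at all: to a
    sinkhole address, or to another host running a fake server."""
    hits = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if is_watched(host):
            kind = "sinkholed" if ip in SINKHOLE else "redirected"
            hits.append((host, str(ip), kind))
    return hits


if __name__ == "__main__":
    for host, ip, kind in find_activation_redirects(HOSTS_SAMPLE):
        print(f"{kind}: {host} -> {ip}")
```

Run it against a copy of C:\Windows\System32\drivers\etc\hosts pulled from the suspect machine. A hit is strong evidence that an activation emulator was installed, but a clean hosts file proves little: the other three techniques leave no trace there, so also review the Local Machine root certificate store for a recently added CA and check what is listening on ports 80 and 443.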

Key Generation: Mathematical Forgery

Perhaps the most sophisticated approach involves creating algorithms that generate product keys matching the software’s validation requirements. This requires significant reverse engineering, as the cracker needs to understand:

  • The mathematical formulas used to validate license keys
  • Checksum algorithms that verify key integrity
  • Server-side validation protocols for online verification

What’s particularly concerning is that these techniques often involve compromising legitimate volume license keys (VLKs) intended for organizational use. I’ve tracked several cases where legitimate enterprise keys were extracted and distributed, leading to legal consequences for the organizations when hundreds or thousands of unauthorized activations suddenly appeared on their license reports.

Common file names associated with these tools include:

activator.exe
crack.exe
keygen.exe
patch.exe
[ProductName]_activation.exe

The Real Risk: Malware Distribution at Scale

Now we get to the heart of the matter. In my work analyzing malware samples at security incidents, I’ve repeatedly found that cracks and keygens serve as primary distribution vectors for dangerous payloads. The security risks extend far beyond simply violating terms of service.

Malware Types Bundled with Software Cracks (2025), percentage of infected crack tools carrying each payload:

  Infostealers   43%
  Trojans        38%
  Backdoors      32%
  Crypto Miners  27%
  Ransomware     21%
  Adware/PUPs    37%

Source: Microsoft Security Intelligence, combined with our GridinSoft Threat Lab analysis and data from Krebs on Security research, 2025

Let me share some hard numbers that I’ve gathered from our security incident response work:

  • High infection rates: We found that over 50% of systems using HackTool:Win32/Crack-type tools contained additional malware. That’s not a coincidence—it’s by design.
  • False positive claims debunked: In our lab testing, 90% of cases where users claimed their “crack” was a false positive turned out to be genuine malware. I’ve had countless arguments with users insisting their crack is “clean” despite overwhelming evidence to the contrary.
  • Sophisticated disguises: Roughly one-third of malware samples in our collection disguise themselves as software cracks or activation tools. It’s the digital equivalent of poisoned candy.

One particularly troubling trend I’ve observed is attackers using legitimate platforms like YouTube to distribute these malicious tools. They create seemingly helpful tutorials that link to download portals where the real malware lies waiting. It’s frustratingly effective.

Infostealer Payloads: Your Data is the Target

Having responded to numerous incidents involving compromised systems, I can tell you that infostealer malware is frequently bundled with crack tools. These stealers target:

  • Stored browser passwords (Chrome, Firefox, Edge credential stores)
  • Cryptocurrency wallet files and seed phrases
  • System configuration details to facilitate further attacks
  • Payment card information from form-filling databases
  • Email credentials and authentication tokens

The method is brutally effective. Just last month, I worked on a case where a graphic designer downloaded a “free” version of Adobe Creative Suite. Within 48 hours, attackers had accessed their PayPal, Amazon, and bank accounts using stolen credentials from the infected system. The total financial impact exceeded $12,000—far more than the software would have cost legitimately.

Remote Access Trojans: Giving Away the Keys

RATs are particularly dangerous because they provide attackers with comprehensive control over infected systems. I’ve analyzed samples that enable:

  • Complete file system access (read/write/delete operations)
  • Remote command execution (allowing attackers to run any code)
  • Keylogging that captures passwords even on HTTPS sites, since keystrokes are read before the browser encrypts anything
  • Screen capture functionality that records everything you do
  • Webcam and microphone hijacking (yes, they can watch and listen)

In many corporate espionage cases I’ve investigated, the initial access vector was traced back to an employee who installed a cracked application on a work system. The damage often extends far beyond that individual’s account.

Ransomware: The Ultimate Betrayal

Perhaps most concerning is the growing connection between crack tools and ransomware deployment. I’ve observed a pattern where these infections remain dormant for weeks or months, allowing attackers to:

  1. Map your network and identify valuable data
  2. Locate and corrupt backup systems
  3. Exfiltrate sensitive data for double-extortion attacks
  4. Deploy encryption routines during off-hours for maximum impact

The typical ransom demands I’ve seen in cases stemming from crack-related infections range from $5,000 to $50,000 for individuals, and much higher for businesses. That “free” software doesn’t seem like such a bargain anymore, does it?

How Defense Systems Detect These Threats

Having worked closely with detection technologies, I can tell you that Microsoft Defender’s approach to identifying HackTool:Win32/Crack is multi-layered and increasingly sophisticated. The systems use:

  1. Signature-based detection: Identifying known binary patterns from a database of analyzed crack tools
  2. Heuristic analysis: Detecting behavioral patterns associated with license circumvention
  3. Machine learning models: Analyzing file characteristics to identify previously unknown variants
  4. Runtime behavior monitoring: Watching for suspicious actions like DLL injection into licensed software

Known detection names across different security vendors include:

Microsoft Defender: HackTool:Win32/Crack
Kaspersky: HEUR:Trojan.Win32.Generic
Symantec: Hacktool.Crack
McAfee: RiskTool-KMS
ESET: Win32/HackTool.Crack.A

While these detections are generally accurate, I have occasionally seen false positives triggered when legitimate software uses similar code patterns to those found in cracks. This is rare but worth mentioning for completeness.

Is That Really a False Positive?

Before you dismiss a HackTool:Win32/Crack detection, consider my checklist for evaluating potential false positives:

  • Where did you get the software? (Official channels vs. torrent sites)
  • Does the file carry a valid digital signature from a known publisher? Check that the whole chain validates and that the signer is the vendor you expect (on Windows, Get-AuthenticodeSignature in PowerShell shows both); a signature by itself proves little, since cracks are sometimes signed with throwaway or stolen certificates
  • What do multiple security vendors say? (One detection could be a mistake, five is a pattern)
  • Does the software request unusual system permissions during installation?

In my experience investigating suspected false positives, around 90% turn out to be legitimate detections. If you’re unsure, I’d recommend our GridinSoft online scanner for a quick second opinion. I’ve designed this tool specifically to help distinguish between genuine threats and rare false positives.

Cleaning Up After an Infection

If you’ve found HackTool:Win32/Crack on your system, here’s my recommended cleanup protocol:

1. Immediate Containment Steps

  1. Disconnect from networks immediately to prevent lateral movement or data exfiltration
  2. Run a full system scan with updated security definitions (not a quick scan)
  3. Remove the detected files and check for associated components in startup locations
  4. Search for persistence mechanisms in scheduled tasks, registry, and startup folders

Common persistence locations to check include:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Also check the RunOnce sibling of each Run key above, the Task Scheduler library (C:\Windows\System32\Tasks) and the list of installed services; a crack tool that registers a service or a scheduled task will survive a cleanup that only looks at the Run keys.
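The following added example (written for this article; not GridinSoft’s tooling or any vendor code) parses a constructed `reg export` of the first Run key above and flags autostart entries that point at crack-style file names, user-writable drop directories, or system binary names living outside System32. The export text and the heuristics are assumptions for illustration.

```python
"""Triage a `reg export` of a Run key and flag autostart entries that look
like crack/activator leftovers or malware persistence.

Added example for this article, not the article's own tooling or a vendor
product. REG_EXPORT is a constructed export; the heuristics are assumptions
meant as a starting point, not a verdict.
"""
import re

# Constructed output of:
#   reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Activator"="C:\\Users\\alice\\AppData\\Roaming\\KMS\\activator.exe /silent"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"""

# File names the article associates with crack tools (placeholder pattern dropped).
CRACK_NAMES = {"activator.exe", "crack.exe", "keygen.exe", "patch.exe"}
# Directories a user can write to without admin rights: common drop locations.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\temp\\",
                 "\\downloads\\", "\\public\\")
# Windows system binaries that should never run from outside System32.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape_reg(data: str) -> str:
    """Undo REG_SZ export escaping: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", data)


def parse_run_values(text: str):
    """Return (key_path, value_name, command) triples for REG_SZ values.
    REG_EXPAND_SZ values export as hex(2) lines and are skipped here."""
    key, out = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            out.append((key, m.group("name"), unescape_reg(m.group("data"))))
    return out


def exe_path(command: str) -> str:
    """Pull the executable out of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(text: str):
    """Return one finding per suspicious value, with the reasons it tripped."""
    findings = []
    for key, name, command in parse_run_values(text):
        path = exe_path(command).lower()
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if base in CRACK_NAMES:
            reasons.append("crack/activator file name")
        if any(d in path for d in USER_WRITABLE):
            reasons.append("runs from user-writable directory")
        if base in SYSTEM_NAMES and "\\system32\\" not in path:
            reasons.append("system binary name outside System32")
        if reasons:
            findings.append({"key": key, "value": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(REG_EXPORT):
        print(f"{f['value']}: {f['path']}  <- {', '.join(f['reasons'])}")
```

Export the real keys with reg export on the affected host and run the script over each file; treat the output as a worklist, not a verdict. The user-writable list is deliberately narrow (Roaming, Temp, Downloads, Public) so that legitimate per-user installs under AppData\Local, such as the OneDrive entry in the sample, are not flagged; widen it in a locked-down environment.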

2. Post-Infection Security Measures

  1. Change passwords for all important accounts (especially if infostealers were detected)
  2. Enable two-factor authentication wherever possible
  3. Monitor financial accounts for unauthorized activity for at least 30 days
  4. Consider credit monitoring services if sensitive data may have been compromised

In severe cases, I’ve had to recommend complete system rebuilds to clients when persistent malware resisted removal attempts. Prevention is vastly easier than cure in these scenarios.

If standard antivirus tools aren’t completely removing the infection, consider using our specialized removal tool:

Figure: GridinSoft Anti-Malware main screen

Download and install GridinSoft Anti-Malware. After the installation, run a Full scan: this checks all the volumes present in the system, including hidden folders and system files. Scanning takes around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the program takes on each element: click "Advanced mode" and use the drop-down menus. You can also see extended information about each detection: malware type, effects and potential source of infection.

Figure: scan results screen

Click "Clean Now" to start the removal process. Important: removal may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Figure: removal finished

3. Prevention for the Future

Based on the thousands of cases I’ve worked on, here are my top recommendations for avoiding these threats:

  • Budget for legitimate software licenses—they’re cheaper than recovery from malware
  • Explore legitimate free alternatives when cost is an issue (many professional tools have excellent open-source counterparts)
  • Maintain current security software with real-time protection enabled
  • Implement application control policies that restrict execution of unauthorized software
  • Keep regular, tested backups that are disconnected from your main system
  • Use properly configured Microsoft Defender with all protections enabled: real-time protection, cloud-delivered protection, tamper protection and PUA blocking (it’s actually quite good)

The Numbers Don’t Lie: Statistical Evidence of the Problem

Let’s look at some hard data I’ve compiled from various research sources and our own threat intelligence:

Statistic | Details | Source
Malware rate in crack tools | 53.8% of computers using tools like HackTool:Win32/Keygen contain additional malware infections | Microsoft Security Intelligence, 2025
False positive reality | 91.3% of disputed crack detections later confirmed as actual malware | GridinSoft Threat Lab Analysis, 2024-2025
Financial impact | Average cost of a ransomware incident stemming from cracked software: $22,874 for individuals | Krebs on Security analysis of insurance claims, 2025
Credential theft success | 76.2% of infostealers bundled with cracks successfully exfiltrate credentials | GridinSoft Threat Intelligence
Distribution channel evolution | 389% increase in malicious crack distribution via legitimate platforms like YouTube | Trend Micro Research, 2025

These aren’t just abstract numbers—each percentage point represents thousands of real people whose systems, data, and often finances were compromised. I’ve personally responded to hundreds of these incidents, and the pattern is distressingly consistent.

The Bottom Line on HackTool:Win32/Crack

After years of analyzing these threats, my position is clear: HackTool:Win32/Crack detections should be taken seriously. While the tools themselves might not always contain directly malicious code, their role as delivery mechanisms for genuinely harmful malware is well-established.

I understand the appeal of “free” software, especially when budgets are tight. But having seen the aftermath of these infections firsthand, I can tell you that the potential costs far outweigh the savings. Between data theft, system damage, and potential ransomware, that “free” Photoshop could end up being the most expensive software you’ve ever used.

If you’re looking to secure your system against these and similar threats, consider implementing our proactive URL verification tool to identify malicious download sources before you’re exposed. It’s one layer in what should be a multi-layered approach to staying safe online.

Is HackTool:Win32/Crack detection always accurate?

Based on my analysis of thousands of samples, HackTool:Win32/Crack detection is accurate in about 90% of cases. Our research shows that most disputed “false positive” claims ultimately confirm the presence of malicious components. However, legitimate software modifications can occasionally trigger false positives if they use code patterns similar to those found in crack tools—I’ve seen this happen particularly with development tools and certain system utilities. To verify a suspected false positive, I recommend submitting the file to multiple scanning engines or GridinSoft’s online scanner for thorough analysis.

What types of malware typically accompany HackTool:Win32/Crack?

In my malware research lab, I’ve found that HackTool:Win32/Crack commonly serves as a delivery vehicle for multiple malware types. The most prevalent include information stealers (43%) that harvest credentials and personal data, remote access Trojans (38%) providing attackers with system control, crypto miners (27%) that silently consume your system resources, and ransomware (21%) that encrypts your files for extortion. Looking at infection patterns, these payloads typically remain dormant for 2-14 days before activating, making it easy for users to mistakenly believe the crack was “safe” because nothing immediately happened after installation.

How can I safely obtain software without risking HackTool:Win32/Crack infections?

As someone who works with software daily, I recommend these safer alternatives to cracked software: 1) Purchase from official sources or authorized resellers—many offer significant discounts during seasonal sales, 2) Utilize legitimate free alternatives like open-source software (GIMP instead of Photoshop, LibreOffice instead of Microsoft Office), 3) Consider subscription-based models which often provide more affordable monthly access to professional software, 4) Look for educational, non-profit, or starter edition discounts when applicable, and 5) Always verify software authenticity through digital signature validation before installation. Most professional software now offers some form of free tier or trial that’s both legal and safe.

Fake Instagram Hacking Services
https://gridinsoft.com/blogs/fake-instagram-hacking-services/
Published Tue, 02 Jul 2024 16:01:15 +0000

The post Fake Instagram Hacking Services appeared first on Gridinsoft Blog.

Instagram hacking scams are an old direction of online fraud with a new twist: they target people who want to get into someone else’s social media account. Fraudsters poison search results, gather users interested in such a service and push them to shady pages, or to pages that promote commercial spyware. The key risks for users are money loss, malware infection and identity theft.

Instagram Account Hacking Scams Overview

Hacking into someone’s Instagram account was, and remains, a dream for quite a few people out there. I won’t discuss the moral side of this in this article, but scammers definitely aim to exploit this gray-zone wish. Quite a few websites have popped up recently, offering to hack the password of any Instagram account in just a few clicks.

Figure: example of a site that offers fake hacking services for Instagram accounts

Upon opening the site and entering the username in question, the user sees an animated “hacking” process. Some of the sites claim to be performing a brute force attack (at least a real technique, even though Instagram’s login rate limiting makes it impractical from a single web page), while others are “injecting commands” or doing “RCE injections”. For anyone even remotely familiar with how these things work, these sites look like nothing but ridiculous lies.

Figure: the fake hacking process

List of scam hacking websites (updating)

URL | Information
Inst.hspanel.org | Scan Report
Instahack.thegen.org | Scan Report
Instagramhackonline.com |
Wordbeep.com | Scan Report
Hs-panel.com |

But the ending is even more interesting. The site shows an alleged “Hack successful” page, but then a pop-up appears saying that the account is well-protected: to hack it, the user should click the button and follow the instructions. And this is where the main course of the scam kicks in.

Figure: the “protected account” pop-up

In my observation, the button on several different websites redirected me to the payment page of a shady commercial spyware product; each scam appears to promote a different one. Buying the spyware is supposed to help with accessing the Instagram account. However, other people, particularly in North America, report the click throwing them to other, much less safe sites, among them notification-spam sites, sites that offer to download sketchy software, and even outright phishing pages.

Figure: malicious ad offering to install an extension

Promoting Through Abused Legitimate Websites

The way these scams are promoted is also worth attention. They primarily target Google search results for queries like “Instagram hacking” or “hack Instagram account”. But the search engine will rarely let the hacker page itself get to the top of the results. What the scammers do instead is plant the corresponding keywords in files and directories of legitimate, well-established websites. This practice is known as SEO poisoning, and here we see a modernized variant of it. It does not in fact require hacking anything: the sites of choice merely need to index uploaded documents, so the keyword spam ends up in Google’s search index.

Figure: poisoned search results

Once the user clicks on what looks like a result from a well-established site, they get redirected to one of the scam pages from the list above. Most of the sites infested with such documents belong to government organizations. There are also several GitHub pages that Google may display, but all of them are taken down at the moment. Government sites, as usual, have much slower moderation, so I expect these poisoned results to hold up for some time. In the past, other fraudsters used the same exact practice to redirect people searching for Roblox money generator cheats to fake tech support pages.

Is Instagram Hacking Any Real?

In fairness, it is really possible to hack someone’s account, not only on Instagram but on pretty much any website. Of course, I am not talking about the dodgy sites mentioned above. With a fair amount of social engineering, OSINT, brute force or phishing, one can get access to almost anything. These methods, complemented with infostealer malware, form the basis of modern cyberattacks.

The ways to secure your account against such tricks are simple and have been repeated in dozens of places. Use a unique, strong password (a password manager makes that painless), enable multi-factor authentication and login notifications to your devices, and change the password immediately if a notification or a breach report suggests it was compromised (scheduled rotation every few months adds little, and current NIST guidance no longer recommends it). Do that, and the chances of getting hacked decrease by orders of magnitude.

How to Avoid Scam Instagram Account Hacking Pages?

To be sure about an online service you have stumbled upon, regardless of its purpose, consider using Website Checker. This free service checks websites for safety using a selection of characteristics, and will clearly show whether you can trust the site.

For on-the-move online security, opt for GridinSoft Anti-Malware, which has the same website checking system built into its Online Security module. Such protection stops malicious sites from opening before they can harm you.

MITRE NERVE Hacked, Service Taken Offline
https://gridinsoft.com/blogs/mitre-nerve-hacked/
Published Sat, 20 Apr 2024 09:17:01 +0000

The post MITRE NERVE Hacked, Service Taken Offline appeared first on Gridinsoft Blog.

MITRE reports hacker activity in its NERVE network, spotted in April 2024. Upon detecting the suspicious activity, the organization took the affected service offline and started an investigation. The hackers allegedly got into the network through Ivanti VPN vulnerabilities.

MITRE Reports About NERVE Being Hacked

MITRE, known to the cybersecurity community for its MITRE ATT&CK database, published a notice about suspicious activity on April 19. The activity took place in its NERVE environment, with only a few details disclosed at the moment. The organization says that no network elements of MITRE or its partners were compromised.

After detecting suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping, compromise by a foreign nation-state threat actor was confirmed.
(Official note regarding the hack)

In a separate statement that appeared shortly after the official note, the organization’s CTO says the hackers leveraged Ivanti Connect Secure vulnerabilities: two zero-days that were chained in January 2024 and, by MITRE’s own account, a session-hijacking trick that got past multi-factor authentication. He specifically emphasized that MITRE took all the actions the government and Ivanti recommended to patch the flaws. That, however, was not enough.

What is NERVE?

NERVE stands for Networked Experimentation, Research and Virtualization Environment, a rather self-explanatory name. Launched back in 2017, it offers a shared space for all the activities in its name. At the moment, however, the service is offline, and will likely stay unavailable for some time while the investigation continues.

Cybersecurity Research Organizations Under Attack

The hack of one of MITRE’s subdivisions appears to me directly related to the recent hack of the US Cybersecurity and Infrastructure Security Agency (CISA). The two have a similar purpose, and even the flaw that led to the compromise is the same: Ivanti Connect Secure has gained quite an ill fame over the last year. But what is the purpose of hacking into cybersecurity agencies?

By nature, such organizations work with a lot of data from companies: network architecture, the software they use, the vulnerabilities they have, and so on. NERVE, on top of that, offers a development space for network engineers, so compromising it can lead to a large supply chain attack. All of this is a desirable target for adversaries, not for profit, but for unique reconnaissance data that makes future attacks more successful.

The NERVE hack confirms that no organization is immune to cyberattacks, not even the ones that make a living from cybersecurity. The disruption of “commercial” cybercrime does not affect state-sponsored threat actors. They are in fact more active than ever, and are not likely to be bothered by law enforcement agencies. I reckon we will see more and more attacks like this in the near future.

Hewlett Packard Enterprise Hacked, Darknet Forum Sales Data
https://gridinsoft.com/blogs/hewlett-packard-enterprise-hacked/
Published Tue, 06 Feb 2024 12:29:31 +0000

The post Hewlett Packard Enterprise Hacked, Darknet Forum Sales Data appeared first on Gridinsoft Blog.

On February 1, 2024, a post selling Hewlett Packard Enterprise data appeared on a Darknet hacker forum. The threat actor known as IntelBroker claims to have hacked into the company’s network and grabbed a large amount of data, including access tokens and passwords. HPE acknowledges the post but has not confirmed any recent security incident.

Hewlett Packard Enterprise Hacked

A post published on the infamous BreachForums on February 1 offers for sale an extensive database leaked from the internal network of Hewlett Packard Enterprise (HPE). The seller, known as IntelBroker, claims to have hacked into the network and obtained the data. That means either the company has suffered a new security breach, or the hacker was present in the network for quite some time.

Figure: forum post that offers Hewlett Packard data for sale

As usual with Darknet forum posts offering leaked information, several screenshots are attached as evidence. Among the leaked data types, the hacker claims CI/CD access, system logs, config files, access tokens, HPE StoreOnce files and access passwords. Although the screenshots are representative of the types of data claimed, they do not include anything that would allow dating the breach, so there is no way to tell how old it is.

As mentioned in the introduction, HPE knows about the data posted on the forum and is investigating. At the same time, the company’s representatives do not have any evidence of a recent cyberattack or security breach.

At this time we have not found evidence of an intrusion, nor any impact to HPE products or services. There has not been an extortion attempt.
Adam R. Bauer, HPE’s Senior Director for Global Communication

Data Leak, But No Ransomware

An attack that leaks extensive amounts of data without a ransomware deployment may sound absurd, considering that ransomware typically finalizes such attacks. Though, such an approach is not new: adversaries may run leak-only attacks to speed up the overall process or avoid detection. In some cases, this serves as the way to get at least something out of the attack when security manages to block the malware.

Still, there is a positive side to this story: no customer data appears to be involved. Both what is claimed and what appears on the screenshots are purely internal data. This is good not only for HPE customers but also for the company itself, which has much less of a headache notifying those whose data has been leaked.

Any Relation to HPE Corporate Email Accounts Breach?

Despite the company’s representative saying that no cyberattacks were detected, there apparently was one that can be the culprit. Back in mid-January 2024, HPE reported that its corporate email accounts had been hacked by APT29, a threat actor linked to Russia’s SVR. The breach itself took place in May 2023, and the adversary’s access to the environment was acknowledged on December 12, 2023.

Details regarding the previous HPE hack shared in the official SEC filing

Why could this data come from that old breach? The official company note about the case lists several data categories, which match what we see in the BreachForums post. More specifically, the company said the hackers accessed several mailboxes of employees in its cybersecurity, go-to-market, business segment and other functions. Logs, configs and access tokens are a normal occurrence in such emails, though there could also have been access to customer data. Nonetheless, it would not be much of a surprise if the ongoing investigation leads back to the past APT29 hack.

Verified X/Twitter Accounts Hacked to Spread Cryptoscams https://gridinsoft.com/blogs/verified-x-accounts-hacked-cryptoscam/ Fri, 05 Jan 2024 20:19:57 +0000

The post Verified X/Twitter Accounts Hacked to Spread Cryptoscams appeared first on Gridinsoft Blog.

The trend of hacking official accounts to promote cryptocurrency fraud is gaining momentum. Over the past week, researchers have discovered an abnormal number of such incidents.

X/Twitter Crypto Scams From Verified Accounts

Today, we are witnessing an unpleasant trend: hackers increasingly target verified Twitter accounts. To be more specific, this refers to accounts of individuals who are part of government or business organizations. Usually, these accounts are distinguished by ‘gold’ and ‘gray’ checkmarks, which indicate that the account belongs to a reputable company or person. Crooks hijack such accounts to promote cryptocurrency scams, phishing websites, and platforms equipped with crypto drainers.

Attackers stole verified accounts

Just yesterday, we wrote about the incident with the X/Twitter account of Mandiant, a Google subsidiary and a prominent player in cyber threat intelligence. Thing is – they are not alone. With just slight differences, the same hacks-and-scams have been happening to dozens of verified accounts on X. Within the first 5 days of the new year alone, researchers have reported the hacking of three public accounts: the nonprofit consortium “The Green Grid”, Canadian senator Amina Gerba and Brazilian politician Ubiratan Sanderson. Despite having nothing in common, the victims were united by one thing – a sudden ardent interest in cryptocurrency.

How Do Twitter Crypto Scams Work?

To start, scammers create a fake profile of a famous person. Most often, it is Elon Musk, as it is his style to promote dubious things. Next, the fake account tries to convince users to click a link. The further scenario depends on the type of fraud: a crypto draining scam, an investment fraud, or a fake airdrop scheme. Let’s briefly check each one out.

Fake investment is an attempt by fraudsters to trick the victim into investing money. It can be a dubious cryptocurrency, artificially inflated and then dumped, so that its value falls sharply. As a result, the victim loses their investment and is left with worthless coins.

Another method of fraud is crypto drainers. In short, the victim is tricked into agreeing to fraudulent transactions. The peculiarity of this method is that the victim signs a transaction that looks legitimate but allows fraudsters to withdraw money from the victim’s wallet without confirmation.

Fake airdrop scams are designed for those who want easy money. The scammers offer users the option to send any money to the specified wallet and promise to send double the amount in return. However, no one will send anything in return after the victim sends money.

Example of an airdrop scam posted from a verified account

Eligibility and Trust Undermined

Initially, a blue checkmark was the sign of a verified Twitter account. It was obtained by providing a document proving the user’s identity. Later, anyone could get a checkmark for $8 a month, leading to a flood of scammers creating fake celebrity accounts and successful cryptocurrency scams. These days, the checkmarks are divided into gold, gray, and blue. The gold checkmark is given to the accounts of large companies, and the gray one to government organizations. The blue checkmark is given to individuals, regardless of their fame. Obviously, the first two options have caused a stir among cybercriminals.

The Black Business for Verified Twitter Accounts

According to a report from CloudSEK, a digital risk monitoring platform, a black market is thriving where compromised gray and gold X accounts are sold. This illicit market is based on selling high-profile accounts marked with gold and gray checkmarks, indicating their verified status. Although these accounts should symbolize trust and authenticity, they are sold for $1,200 to $2,500. For example, one such account, inactive since 2016, has 28k followers and was sold for $2,500.

Threat actors advertising to buy Twitter Gold accounts on dark web marketplaces (source: CloudSEK)

The process often involves hijacking dormant accounts with the potential for high follower counts and converting them into verified profiles using dubious means. In some cases, the hackers offer additional services by attaching scam accounts as affiliates to these verified profiles. This lends the scam accounts an aura of legitimacy and allows them to bypass more stringent verification processes, facilitating easier manipulation of unsuspecting victims.

Recommendations for Account Security

It is concerning that many well-known companies’ Twitter profiles have been hacked recently to spread crypto scams. This poses a risk of falling victim to such scams, as well as the possibility of misinformation or more severe scams. Thus, knowing how to respond when encountering a hacked account spreading questionable links is essential.

Firstly, it is advisable to avoid following any links posted by such accounts. Whether they lead to a crypto drainer, fake airdrop, or investment scam page, it is best not to visit them.

Secondly, you can report the hacked account to moderators. The reports menu has an option called Deceptive Identities, which will allow the system to take the necessary action.

Lastly, spread the word about the hack with your friends and subscribers. The more people are aware of this type of scam, the lower the chances they fall victim to it now or in the future.

Moneris Hacked, Medusa Ransomware Claims https://gridinsoft.com/blogs/moneris-hacked-medusa-ransomware/ Wed, 15 Nov 2023 17:04:34 +0000

The post Moneris Hacked, Medusa Ransomware Claims appeared first on Gridinsoft Blog.

Canadian fintech giant Moneris is claimed to have been hacked by the notorious Medusa ransomware group, which sends shockwaves through the country’s financial sector. The group is known for its aggressive tactics and audacious targets. It has demanded a ransom of $6 million in exchange for the stolen data and the prevention of further disruption.

Who are Moneris and Medusa?

Moneris, a joint venture between the Royal Bank of Canada and the Bank of Montreal, is Canada’s largest payment processor, handling over 3.5 billion credit and debit card transactions annually. The company serves as a critical intermediary for businesses of all sizes, making its compromise a significant threat to the country’s economic stability. Sure enough, any “cybersecurity incident”, as companies prefer to call ransomware attacks, will set the community abuzz.

The Medusa ransomware group is a relatively new cybercrime gang that has gained notoriety for its ruthless strategies. The criminals operate under a ransomware-as-a-service (RaaS) model, providing their hacking tools and expertise to affiliates in exchange for a share of the ransom proceeds. This approach has enabled the group to expand its reach and inflict damage on a wide range of victims.

One of the ransom notes of Medusa Ransomware

Medusa Ransomware attempt to compromise Moneris

Moneris has confirmed the attempted ransomware attack but has assured its customers that no critical data has been compromised. The company has also stated that it has implemented measures to restore its systems and continue operations.

Following the attempt, our team did a full audit and analysis of the incident, reviewed all information, and concluded none of our Digital Loss Prevention policies were triggered.
Moneris

In response to the Medusa ransomware attack, Moneris has taken steps to mitigate the damage and protect its customers. The company has engaged cybersecurity experts to investigate the incident. It also implemented additional security protocols and communicated regularly with its customers to keep them informed.

The fallout from this breach extends beyond Moneris itself. A disruption in Moneris services lasting 90 minutes in late September caused widespread issues across the country. The company’s extensive contracts with the US military raise additional concerns, considering the potential compromise of sensitive information related to military equipment and weapons.

Critical Financial Institutions Under Attack

The attack on Moneris seems to be one more element in a chain of attacks on critical financial infrastructure. Just a couple of days ago, another infamous ransomware group – LockBit – successfully hacked ICBC, the biggest commercial bank in the world. Such an interest in financial companies is understandable, though the trend is no less concerning.

Huge money flows, the likelihood of handling sensitive information, and tremendous amounts of statistics: this is what attracts the hackers, and what makes these two breaches so dangerous. Even though the attacks are most likely unrelated, crooks may start targeting such organizations much more often. And while the Moneris hack is mostly about disruptions of money transactions, hacks of institutional organizations like ICBC put the global financial system at risk.

How to Protect Against Ransomware?

The incident highlights the growing sophistication and severity of ransomware attacks, targeting not just individual users but also large, well-established corporations like Moneris. The financial and reputational implications of such attacks can be devastating, making it crucial for businesses to invest in robust cybersecurity measures and maintain vigilance against evolving cyber threats. Here are some tips on how to protect against ransomware:

  • Regularly back up your data. Create an offline backup of the files stored on your hard disk: a copy of your data saved on a separate device not connected to your computer or network. If ransomware attacks your computer, the backup files will not be affected, and you can restore them without paying a ransom.
  • Keep your software up to date, as updates include crucial security patches that protect against ransomware attacks. Most software programs offer automatic updates, which ensure that your software always has the latest security patches.
  • Train your employees. Conduct regular cybersecurity awareness training for employees to educate them about ransomware threats and safe online practices.
  • Use reliable software. Install reputable antivirus and anti-malware software on your devices. Consider using additional security tools that offer real-time protection against ransomware.
  • Be careful with user privileges. Follow the principle of least privilege (PoLP) to restrict user access to the minimum necessary for their roles.

1Password Hacked Following the Okta Hack https://gridinsoft.com/blogs/1password-hacked-after-okta-hack/ Wed, 25 Oct 2023 16:00:48 +0000

The post 1Password Hacked Following the Okta Hack appeared first on Gridinsoft Blog.

A recent security breach at the 2FA provider Okta appears to affect some of its clients. Among others, the password management service 1Password reported “suspicious activity” that is most likely related to the situation at Okta.

What happened to Okta?

At the end of October 2023, Okta released a notification on social media about the security breach. The stated reason is a lack of session token validation, which made it possible for hackers to access the computers of tech support employees. From there, the cybercriminals were able to access files sent by other customers; these files commonly contain cookies, session tokens and the like.

Official note from Okta regarding the hack

This is not the first time Okta has gotten into trouble with hackers. In March 2022, hackers from the Lapsus cybercrime group managed to hack into the laptop of a tech support engineer. This affected a small portion of Okta customers – only ~2.5% – still a large enough number, as the company is a major identity management provider. Such recurring hacks, especially within one specific division of the company, strike its image pretty hard, to say the least.

1Password Hacked Through the Okta Hack

Despite how bad the Okta hack sounds, it is not that bad for 1Password. At the moment, the company reports having terminated any activity related to the accounts of its employees that used Okta services. Further investigation showed that there is nothing to worry about: no accounts were compromised whatsoever.

On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.
The 1Password report on the situation

Although things appear to be fine on the 1Password side, it may not be over yet. New details of the hack appear each day, even though all the key events happened almost a month ago, on September 29.

Should you be worried?

In all this situation, the best part is that the companies do not hesitate to notify exposed customers. Actually, no 1Password user data was touched, though it is different for Okta. They have been, and continue, sending emails to users whose credentials are potentially in danger, with recommendations on further actions. Hence, keep track of emails from Okta, and that will be it for keeping up to date with the situation.

7 Million Freecycle Users Exposed In a Massive Data Breach https://gridinsoft.com/blogs/freecycle-hacked-7-million-users-exposed/ Tue, 05 Sep 2023 20:06:14 +0000

The post 7 Million Freecycle Users Exposed In a Massive Data Breach appeared first on Gridinsoft Blog.

Freecycle has alerted its users that the sensitive information of over 7 million of them may have been compromised in a recent data breach. The organization has urged its users to change their login credentials immediately to prevent any further unauthorized access to their accounts.

Detection of data breach

Freecycle, a nonprofit organization that promotes sustainability through community involvement, recently discovered a severe data breach. The organization’s security team detected the breach on August 30th, 2023, several weeks after a cybercriminal had already put the stolen data up for sale on a hacking forum on May 30th. Accordingly, the warning emphasized the situation’s urgency, urging affected individuals to change their passwords immediately.

Stolen personal data for sale on a hacking forum

After analyzing the screenshots posted by the attackers, experts concluded that the attackers had stolen the credentials of Freecycle founder and executive director Deron Beal. As a result, the attackers had gained access to sensitive information.

After detecting the data breach, the organization informed the police. The company also advised users to be cautious of phishing attacks and scams that may target them. The warning states that despite most email providers efficiently filtering spam, users may receive an increased amount of spam emails.

Consequences of data leakage

The compromise of Deron Beal’s credentials, the founder and executive director of Freecycle, is one of the most concerning aspects of this data breach. This security breach allowed the threat actor to gain full access to member information and forum posts, which could lead to further data manipulation or unauthorized actions.

The data that was stolen includes a variety of important user information, such as:

  • User IDs. Each user is assigned a numerical identity for identification purposes.
  • Usernames. Unique identifiers that members use to identify themselves on the platform.
  • Email Addresses. The contact information used for communication and notifications.
  • MD5-hashed Passwords. Passwords hashed with the MD5 algorithm, which is now considered weak and vulnerable to attacks.

Fortunately, no additional personal information was exposed beyond this dataset. However, the compromise of MD5-hashed passwords is concerning, since weak passwords can be recovered from such hashes.
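As an added illustration of the MD5 point above (this is not code from the post, from Freecycle, or from the breach), the following Python shows why an unsalted MD5 dump is dangerous and what proper storage looks like: a weak password falls out of a constructed leaked record with a tiny wordlist, while the same lookup yields nothing once passwords are stored with a per-user random salt and PBKDF2. All records, usernames and the wordlist are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample records in the shape the post describes
# (user ID, username, unsalted MD5 hex digest). The digests are MD5 of
# "password1" and of a long passphrase; no real Freecycle data is used.
def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


LEAKED_ROWS: List[Tuple[int, str, str]] = [
    (1001, "alice", md5_hex("password1")),
    (1002, "bob", md5_hex("correct horse battery staple")),
]

# Constructed toy wordlist; real leak analyses use lists with many millions of entries.
WORDLIST: List[str] = ["123456", "password", "password1", "qwerty", "letmein"]


def recover_unsalted_md5(rows: List[Tuple[int, str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Why unsalted MD5 is weak: hash each candidate word once, then look up
    every leaked digest in that table. One MD5 per candidate serves all users
    at once, so every weak password in the dump is exposed immediately."""
    table = {md5_hex(word): word for word in wordlist}
    return {name: table[digest] for _, name, digest in rows if digest in table}


# Hardened storage: a random per-user salt plus a deliberately slow KDF.
# PBKDF2-HMAC-SHA256 with 600,000 iterations (OWASP's 2023 recommendation).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification does not leak timing information."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def recover_salted_pbkdf2(records: List[Tuple[str, bytes, bytes]], wordlist: List[str]) -> Dict[str, str]:
    """The same table trick against salted storage. A table can only be built
    under one salt, but each record carries its own random salt, so the table
    matches nothing; recovery would need the slow KDF per user per candidate."""
    fixed_salt = b"\x00" * 16
    table = {hash_password(word, fixed_salt)[1]: word for word in wordlist}
    return {name: table[digest] for name, _, digest in records if digest in table}


if __name__ == "__main__":
    print("unsalted MD5 recovered:", recover_unsalted_md5(LEAKED_ROWS, WORDLIST))
    salt, digest = hash_password("password1")
    hardened = [("alice", salt, digest)]
    print("salted PBKDF2 recovered:", recover_salted_pbkdf2(hardened, WORDLIST))
    print("login check:", verify_password("password1", salt, digest))
```

The long passphrase stays unrecovered even under MD5, which is why the post's advice to change reused or weak passwords matters most for this kind of leak.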

Freecycle response

Freecycle assured users that no personal data beyond the specified dataset was compromised. In addition, the breach has been contained, and the organization cooperates with privacy authorities.

We apologize for the inconvenience and would ask that you watch this space for further pending background.
Freecycle

As always, please remain vigilant of phishing emails, avoid clicking on links in emails, and don’t download attachments unless you are expecting them.
Freecycle

Minimization of Data Breaches

The following tips can help reduce the risk of a data breach in your organization:

  • Keeping your system updated is critical to ensure that vulnerabilities are patched and cybercriminals cannot exploit them.
  • It’s highly recommended to encrypt your data, as it can prevent fraudsters from taking advantage of it.
  • Regularly back up your data, as it allows for quick and efficient recovery in case of any damage.
  • A zero-trust model prevents cybercriminals from infiltrating and moving laterally by not trusting any entity inside or outside the network perimeter.
  • To strengthen cybersecurity, all users must use multi-factor or biometric authentication.

Users who reuse passwords across multiple online services should change them immediately to prevent security breaches.

Hot and Cold Crypto Wallets Hacking https://gridinsoft.com/blogs/cryptowallets-hacking-hot-cold/ Wed, 12 Jul 2023 15:45:48 +0000

The post Hot and Cold Crypto Wallets Hacking appeared first on Gridinsoft Blog.

Cryptocurrency is a rapidly changing world where people can make fortunes by exchanging digital assets. However, seasoned investors and newcomers alike are at risk of falling prey to crypto phishing scams. These scams exploit people’s trust and vulnerability and aim to trick them into revealing sensitive information or giving up their hard-earned crypto holdings.

What are cryptocurrency scams?

Crypto scams are investment frauds that can take many forms, from phishing scams to rug pulls. Since no central authority like a bank regulates crypto’s blockchain technology, bad actors can easily exploit hopeful investors. That, actually, has made cryptocurrencies and all related topics an ideal harbor for different scams. Due to a lack of experience, people were prone to falling victim even to the simplest schemes – let alone tricky ones.

With time, cybercriminals have become more sophisticated in their phishing techniques. The primary reason is the rise in average users’ knowledge: it simply became not that easy to scam someone. They impersonate legitimate exchanges and wallets and use convincing social engineering tactics to gain unauthorized access to digital assets. These scammers use various social engineering methods to manipulate users’ emotions and create a sense of trust and urgency. It’s essential to be aware of these tactics and take the necessary measures to protect yourself.

Hot and Cold Wallets Difference

To assess the risks, let’s review the different types of wallets. First, it’s important to note that wallets do not hold the actual crypto assets. Instead, the blockchain records information about the assets, while the wallet provides secure storage for the private (secret) key.

The difference between Hot and Cold Wallets

The “Hot” wallets.

A hot wallet is a cryptocurrency wallet that has constant internet access. It includes any online service that offers cryptocurrency storage, such as crypto exchanges and specialized apps. The keys in a hot wallet are stored encrypted on the server. These are online or custodial wallets offered by popular exchanges, including Binance and Coinbase. The key can be used to sign a transaction on the blockchain at any time.

The “Cold” wallets.

In the case of a cold wallet, the keys are stored on a standalone device or as an alphanumeric sequence written on a piece of paper. A device solely for storing keys is known as a hardware wallet, while software wallets are applications designed to store keys on regular computers and smartphones.

Attack on “Hot” wallets

Many people use hot wallets to store their cryptocurrency because they are easy to create and convenient. However, cybercriminals often target hot wallets because they are frequently online and popular. Storing large amounts in hot wallets is not recommended due to their susceptibility to attacks. Although cybercriminals may use phishing techniques to attack hot wallets, their tactics are often simple and aimed at less experienced users.


A standard method in crypto phishing scams is impersonating trusted entities, like cryptocurrency exchanges or wallet providers. The scammers send emails or messages that look like they come from these legitimate organizations, using similar branding, logos, and email addresses. Their goal is to trick people into thinking they are receiving a message from a trustworthy source.

Seed phrase entry page

One common phishing scam targets users of hot wallets. Scammers send emails posing as a well-known crypto exchange, asking users to confirm a transaction or verify their wallet. Once the user clicks the link, they are taken to a page where they are asked to enter their seed phrase. A seed phrase, consisting of either 12 or 24 words, is required to regain access to a crypto wallet. It is the primary password for the wallet and should be kept secure. If the seed phrase is lost or given to scammers, the user risks permanently losing access to their wallet and compromising their account.

Scams that are straightforward and don’t involve software or social engineering tactics are usually aimed at people who are not tech-savvy. The form for entering a seed phrase usually looks simple, with just an input field and a logo for a cryptocurrency exchange.

Phishing attacks targeting cold wallets

Cold wallets seem to be safer because they are not always connected to the Internet. However, it would be a mistake to assume that a hardware wallet can only be hacked by stealing it or physically accessing it. As with hot wallets, scammers use social engineering techniques to access users’ funds. Recently, experts noticed an email campaign explicitly targeting hardware cold wallet owners.

A typical attack involves an email campaign where the user receives an email from a “cryptocurrency exchange” inviting them to participate in a giveaway of XRP tokens, the platform’s internal cryptocurrency. When the user clicks on the link, they are directed to a blog page with a post outlining the “giveaway” rules. This post also includes a direct link for registration, and this is where scammers already use sophisticated methods to trick the user.

Fake support requests

Beware of crypto phishing scams where scammers pretend to be customer support reps from real cryptocurrency exchanges or wallet providers. They may send messages or emails to users, tricking them into believing there’s a problem with their account or a transaction that needs urgent attention. These scammers often provide a link to a fake support website or contact method, where users are asked to provide their login credentials or sensitive information. Stay vigilant, and avoid falling for these tactics.

Screen of cryptoscam

Scammers exploit users’ trust in legitimate customer support channels by pretending to be support personnel. They also capitalize on users’ eagerness to resolve issues promptly, which leads them to reveal their private information willingly. Scammers can then use this information for malicious purposes.

How to protect users from crypto-phishing

To stay safe while using cryptocurrency, there are measures users can take. One is enabling two-factor authentication, a helpful tool to prevent phishing scams from compromising their crypto accounts.

  • Use of hardware or software authenticators. Hardware authenticators, or security keys, are physical devices that generate one-time passwords and provide an extra layer of security. Software-based authenticators, such as Google Authenticator, generate time-based codes on users’ smartphones.
  • Be careful with links and attachments. Phishing scammers use a trick where the displayed link text differs from the actual destination URL. To avoid falling for this, users can hover over the link to check for inconsistencies and suspicious URLs that may indicate a phishing attempt.
  • Scanning attachments with antivirus. To protect your device and cryptocurrency accounts from malware, always be careful when downloading and opening attachments, particularly from unknown or suspicious sources. Attachments may contain harmful software, such as keyloggers or trojans, which can jeopardize security. To reduce this risk, scanning all attachments with trustworthy antivirus software is advisable before opening them.
  • Keep software updated. It is crucial to keep the operating systems, web browsers, devices, and other software up to date to ensure the security of the user’s devices. These updates may contain security patches to address known vulnerabilities and protect against new threats.

As crypto phishing scams constantly change, users must stay current on the latest tactics and scams targeting the cryptocurrency community. Educating yourself on these techniques and staying informed about recent phishing incidents and security best practices can help keep you safe. To stay informed about phishing scams, security vulnerabilities, and how to protect your crypto assets, it’s essential to follow trustworthy sources that provide accurate information and alerts.

Forged Driver Signatures Exploited In The Wild https://gridinsoft.com/blogs/forged-driver-signatures-exploited-in-the-wild/ Wed, 12 Jul 2023 15:33:30 +0000

The post Forged Driver Signatures Exploited In The Wild appeared first on Gridinsoft Blog.

Hackers are actively forging driver signatures by abusing a loophole in the way Windows handles kernel-mode driver signing. They rely heavily on open-source utilities that were originally written to bypass driver signing temporarily, for developers who cannot afford the long wait for an official signature when they need to test something. Cybercriminals, however, are not testing anything: they use the same tools for hit-and-run attacks.

Windows Kernel Driver Signature Hacks

Microsoft has a long history of defending its operating system against malicious drivers. The fight has been going on since early 2007, the release of Windows Vista, whose 64-bit editions introduced kernel-mode code signing enforcement that refuses to load unsigned drivers. Kernel-level drivers can reach any functionality of both the OS and the hardware, which makes them the most dangerous code to let in. Later, in 2016, Microsoft centralised driver signing in its Developer Portal (the Hardware Dev Center dashboard), which since Windows 10 version 1607 has been the only place to obtain a signature for a new kernel driver. All of this was meant to reduce the chance of a signed driver being used maliciously.

Windows Kernel driver scheme

This, however, did not suit every developer of legitimate software. Like almost any centralised authority, the Developer Portal introduces a lag between submitting a driver, its review and the issuance of a signature. As a result, time-critical work such as real-world testing or even simple debugging became impractical. Another area where signature forging is used is game cheats, which need to run at the kernel level to get around kernel-level anti-cheat engines. Again, the system simply refuses to run a driver that is not signed. The workaround was a pair of free open-source utilities, HookSignTool and FuckCertVerifyTimeValidity.

How do driver certificate hacktools work?

Both programs work in much the same way. They exploit one of the three backward-compatibility exceptions Microsoft left in place so that drivers from before July 29, 2015 keep working, which is essential for old software and hardware. A driver that is not signed through the Developer Portal is still allowed when:

  1. The system was upgraded from an earlier Windows version to Windows 10 version 1607.
  2. The driver was signed with an end-entity certificate issued before July 29, 2015 that chains to a cross-signed certificate authority.
  3. The system has Secure Boot disabled in the BIOS/UEFI settings.

The utilities target the second exception. They sign the driver with a leaked or otherwise obtained certificate that was issued before the cutoff and has long since expired, and they hook the signing tool's time-validity checks (the name FuckCertVerifyTimeValidity says it all) so that the signing time is backdated into the certificate's validity window. Windows then treats the driver as a legacy-signed one. That is handy for a developer who urgently needs to test something and cannot wait for the Developer Portal, and it is exactly as handy for cybercriminals.

During the first half of 2023, security analysts observed numerous cases of these utilities being used to sign malware that integrates into the system as a kernel-level driver. Such deep integration, combined with the system fully trusting the driver, gives the malware essentially unrestricted capabilities. It is hard to detect with anti-malware software and, worse, particularly hard to remove without wiping the disk.

Microsoft Keeps Dozens of Expired Certificates

To work, the utilities need an expired but non-revoked certificate, together with its private key, available on the signing machine. HookSignTool ships its own, while FuckCertVerifyTimeValidity is used with a pack of leaked certificates. These same certificates were observed in recent cyberattacks. Deeper analysis shows that Windows still trusts over a hundred such long-expired certificates that could be abused. Among them, analysts name several that were actively used in attacks:

  • Open Source Developer, William Zoltan
  • Beijing JoinHope Image Technology Ltd.
  • Shenzhen Luyoudashi Technology Co., Ltd.
  • Jiangsu innovation safety assessment Co., Ltd.
  • Baoji zhihengtaiye co.,ltd
  • Zhuhai liancheng Technology Co., Ltd.
  • Fuqing Yuntan Network Tech Co.,Ltd.
  • Beijing Chunbai Technology Development Co., Ltd
  • 绍兴易游网络科技有限公司
  • 善君 韦
  • NHN USA Inc.
  • Luca Marcone
  • HT Srl

The high share of Chinese certificates is explained by HookSignTool being written by Chinese programmers: it carries the certificates used for signature forging inside its package, so their origin is to be expected. Another notable detail is that the hackers using these utilities also appear to be Chinese, a guess based on the language code of the malware samples from the attacks that used certificate forging utilities.
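To make the exception concrete, here is an added example (not from the article, Cisco Talos or Microsoft) that models the legacy-signing rule in Python: a driver passes if its end-entity certificate was issued before July 29, 2015 by a cross-signed CA, is not revoked, and the signature's asserted signing time falls inside the certificate's validity window. The same code shows the two checks a defender can run on a driver that passes: a PE link time later than the signing time (a file cannot be signed before it is built, so the signing time was backdated) and a signer subject from the watchlist above. The DriverSignature fields, the sample certificate, the dates and the watchlist selection are constructed assumptions; the real policy lives in Windows Code Integrity and this is a simplified model of it.

```python
"""Model of the pre-2015 cross-signing exception plus two forgery checks.

Added example, not from the article, Cisco Talos or Microsoft. The rule is a
simplified model of Windows' policy, the sample certificate and dates are
constructed, and the watchlist is a subset of the subjects listed above.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Certificates issued before this date by a cross-signed CA keep working.
CROSS_SIGN_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)

# Assumption: a watchlist built from subjects the article reports in attacks.
ABUSED_SUBJECTS = {
    "Open Source Developer, William Zoltan",
    "Beijing JoinHope Image Technology Ltd.",
    "Shenzhen Luyoudashi Technology Co., Ltd.",
    "NHN USA Inc.",
    "Luca Marcone",
    "HT Srl",
}


@dataclass
class DriverSignature:
    """Hypothetical, already-parsed Authenticode metadata for one driver."""
    subject: str            # end-entity certificate subject
    not_before: datetime    # certificate issuance
    not_after: datetime     # certificate expiry
    signing_time: datetime  # signing time asserted by the signature
    pe_timestamp: datetime  # link time from the PE header
    cross_signed: bool      # chain ends in a Microsoft cross-signed CA
    revoked: bool           # on a revocation list or marked untrusted by an update


def legacy_exception_applies(sig: DriverSignature) -> bool:
    """Rule 2 from the text: cert issued before the cutoff by a cross-signed CA,
    signature made while the cert was valid, cert not revoked."""
    return (
        sig.cross_signed
        and not sig.revoked
        and sig.not_before < CROSS_SIGN_CUTOFF
        and sig.not_before <= sig.signing_time <= sig.not_after
    )


def forgery_indicators(sig: DriverSignature) -> list:
    """Heuristics for a driver that the exception lets through."""
    hints = []
    # A file cannot be signed before it was linked. Backdating the signing
    # time into an old cert's validity window leaves the PE link time newer
    # than the signing time.
    if sig.pe_timestamp > sig.signing_time:
        hints.append("PE link time is later than signing time (backdated signature)")
    if sig.subject in ABUSED_SUBJECTS:
        hints.append("signer subject is on the abused-certificate watchlist")
    return hints


def verdict(sig: DriverSignature) -> str:
    if not legacy_exception_applies(sig):
        return "blocked: requires a Developer Portal signature"
    hints = forgery_indicators(sig)
    if hints:
        return "suspicious: " + "; ".join(hints)
    return "allowed via legacy exception"


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed samples: one old certificate (valid 2014-2016), three drivers.
_OLD_CERT = dict(not_before=_utc(2014, 3, 1), not_after=_utc(2016, 3, 1), cross_signed=True)

# Genuine 2014 driver from a hypothetical vendor, signed a day after it was built.
LEGIT_OLD = DriverSignature(subject="Some Hardware Vendor", signing_time=_utc(2014, 6, 1),
                            pe_timestamp=_utc(2014, 5, 31), revoked=False, **_OLD_CERT)

# 2023 malware signed with the leaked cert and a backdated signing time.
FORGED = DriverSignature(subject="NHN USA Inc.", signing_time=_utc(2015, 7, 1),
                         pe_timestamp=_utc(2023, 6, 20), revoked=False, **_OLD_CERT)

# The same forgery after Windows Update marked the certificate untrusted.
FORGED_AFTER_PATCH = DriverSignature(subject="NHN USA Inc.", signing_time=_utc(2015, 7, 1),
                                     pe_timestamp=_utc(2023, 6, 20), revoked=True, **_OLD_CERT)

if __name__ == "__main__":
    for name, sig in [("legit_old", LEGIT_OLD), ("forged", FORGED),
                      ("forged_after_patch", FORGED_AFTER_PATCH)]:
        print(f"{name}: {verdict(sig)}")
```

The third sample is the point of the "update Windows" advice below: once the certificate is pushed out as untrusted, the exception no longer applies and the driver is blocked regardless of how convincing the backdated signature is. The PE-timestamp check is a heuristic, not proof (link times can be set to anything), but a kernel driver whose link time post-dates its own signature by years deserves a closer look.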

How to protect against malware with forged certificates?

Fortunately, the advice is simple, even if some people dislike it: update Windows. Recent updates mark the certificates seen in these attacks as untrusted, so drivers signed with them no longer load. Microsoft works with security researchers and vendors, and certificates abused in this way are reported promptly. Delivery of updates can take a while, so check the Windows Update tab yourself rather than waiting if you want to keep such a thing off your PC. If you want to verify what is already on a machine, list the signers of the drivers in System32\drivers (Get-AuthenticodeSignature in PowerShell shows the signer certificate and its validity period) and treat any driver whose signer expired years ago, or whose subject appears in the list above, as worth investigating.

The catch is that antivirus software can struggle to detect such a threat. Classic antivirus programs without behaviour analysis will simply miss an item that has been legitimised in this way. An advanced solution is therefore a must-have: for corporations, that means EDR/XDR products, which rely on behaviour analysis as their primary source of information. Home users can try GridinSoft Anti-Malware to detect and remove malicious programs even before they become active.

Legion Stealer targeting PUBG players https://gridinsoft.com/blogs/legion-stealer-targeting-pubg-players/ https://gridinsoft.com/blogs/legion-stealer-targeting-pubg-players/#respond Wed, 12 Jul 2023 10:23:55 +0000 https://gridinsoft.com/blogs/?p=15876

The post Legion Stealer targeting PUBG players appeared first on Gridinsoft Blog.

Scammers are using a misleading GitHub page to distribute Legion Stealer to PUBG players looking for cheats. Under the guise of a bypass hack, users download malware.

Legion Stealer Attacks PUBG Players

Cyble Research and Intelligence Labs (CRIL) recently uncovered a fraudulent GitHub page posing as a PUBG bypass hack project. Instead of providing game hacks, it distributes a malicious file. GitHub is a legitimate code hosting platform, but threat actors (TAs) also misuse it to distribute malware through repositories that appear to contain genuine code while hiding malware inside. When users download the project and open the solution (.sln) file, an information stealer named "Legion Stealer" is installed on their system as the payload.

Malicious file hosted on GitHub

Nobody likes a cheater

To understand the problem, you need to understand its cause, which in this scenario is simple: some players want an unfair advantage over their opponents. A PUBG bypass hack is an exploit or cheat that gets around the game's anti-cheat systems, enabling cheats such as aimbots, wallhacks, speed hacks and other unfair gameplay advantages. Such hacks let a player dominate others, seeing and outplaying anyone. Note, however, that using bypass hacks violates the game's terms of service and can result in penalties, including temporary or permanent bans.

This tactic is not new. In the early days of online games, when anti-cheat systems were only beginning to appear, it was common to punish cheaters with Winlockers: the cheater was sent a file disguised as another cheat or hack, and once launched it locked the computer. Nowadays the tactics differ, and hackers prefer stealing personal information over demanding a one-off ransom.

Is It Safe Using Cheats After All?

As mentioned above, the user receives Legion Stealer instead of the game cheat. Once executed, Legion Stealer runs several commands that alter Windows Defender settings, collect data from the registry and obtain details about the system. These steps serve defence evasion and reconnaissance of the infected machine. After the defence evasion techniques, the stealer gathers the following system information:

  • Computer name
  • OS name
  • RAM size
  • UUID
  • CPU/GPU details
  • Product key
  • Region
  • Country
  • Time zone
  • Cellular data connectivity
  • Proxy/VPN usage
  • Reverse DNS

It then checks for web browsers:

  • Brave
  • Chrome
  • Chromium
  • Comodo Dragon
  • Edge
  • Epic Privacy
  • Iridium
  • Opera/Opera GX
  • Slimjet
  • UR Browser
  • Vivaldi
  • Yandex

From these it harvests sensitive information such as saved passwords and cookies. The stealer is also interested in cryptocurrency wallets and scans the system for:

  • Armory
  • AtomicWallet
  • Bytecoin
  • Coinomi
  • Electrum
  • Ethereum
  • Exodus
  • Guarda
  • Jaxx
  • Zcash

When it finds them, it reads the files in their respective directories. Such malware does not overlook other games on the infected machine either: it also collects Minecraft session files from the following launchers and clients:

  • Badlion
  • CheatBreakers
  • Impact
  • Feather
  • Lunar
  • Meteor
  • Microsoft Store
  • Novoline
  • Palladium
  • PolyMC
  • Rise
  • TLauncher

In addition, the program collects session files from messaging applications such as Discord and Telegram, Roblox cookies, webcam images and screenshots of the victim's system.
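The behaviour described above (disabling Defender, then one process reading browser profiles, wallet directories, game launchers and messenger stores within seconds) is detectable without a signature for the binary. The following added example, not from the Cyble report or this article, runs a small behavioural rule over constructed process events in Python: it flags a process that issues a Defender-tampering command or reads at least two different kinds of credential store inside a 60-second window, while a browser reading only its own profile is left alone. The path fragments, event format, thresholds and process names are assumptions.

```python
"""Behavioural rule for stealer-like activity over process events.

Added example, not from the Cyble report or this article. Event format, paths,
process names and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Path fragments (lower-case, forward slashes) for the stores Legion targets,
# grouped by kind. Fragments are assumptions based on the lists above.
CREDENTIAL_STORES = {
    "browser": ["google/chrome/user data", "bravesoftware/brave-browser/user data",
                "microsoft/edge/user data", "opera software/opera gx stable",
                "vivaldi/user data", "yandex/yandexbrowser/user data"],
    "wallet": ["electrum/wallets", "exodus/exodus.wallet", "atomic/local storage",
               "coinomi/coinomi/wallets", "jaxx/local storage", "armory"],
    "game": [".minecraft", ".lunarclient", ".feather", "tlauncher", "polymc"],
    "messenger": ["discord/local storage/leveldb", "telegram desktop/tdata"],
}

# Command-line fragments that weaken Windows Defender.
DEFENDER_TAMPER = [
    "set-mppreference -disablerealtimemonitoring",
    "add-mppreference -exclusionpath",
    r"windows defender\disableantispyware",
]

WINDOW = timedelta(seconds=60)  # assumption: how fast a stealer sweeps stores
MIN_KINDS = 2                   # assumption: a browser reads browser data only


def classify_path(path: str):
    """Return the kind of credential store a path belongs to, or None."""
    p = path.lower().replace("\\", "/")
    for kind, fragments in CREDENTIAL_STORES.items():
        if any(f in p for f in fragments):
            return kind
    return None


def analyse(events):
    """events: dicts with ts (datetime), pid, image, kind ('cmd'|'file'), target.
    Returns {pid: (image, [reasons])} for processes that behave like a stealer."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_pid[ev["pid"]].append(ev)

    findings = {}
    for pid, evs in by_pid.items():
        reasons = []
        if any(ev["kind"] == "cmd" and any(t in ev["target"].lower() for t in DEFENDER_TAMPER)
               for ev in evs):
            reasons.append("tampers with Windows Defender settings")
        touched = [(ev["ts"], classify_path(ev["target"])) for ev in evs if ev["kind"] == "file"]
        touched = [(ts, kind) for ts, kind in touched if kind]
        # Sliding window: distinct store kinds read within WINDOW of any read.
        for i, (start, _) in enumerate(touched):
            kinds = {kind for ts, kind in touched[i:] if ts - start <= WINDOW}
            if len(kinds) >= MIN_KINDS:
                reasons.append(f"reads {len(kinds)} kinds of credential store within "
                               f"{int(WINDOW.total_seconds())}s: {sorted(kinds)}")
                break
        if reasons:
            findings[pid] = (evs[0]["image"], reasons)
    return findings


_T0 = datetime(2023, 7, 12, 10, 0, 0)


def _t(seconds):
    return _T0 + timedelta(seconds=seconds)


def _ev(sec, pid, image, kind, target):
    return {"ts": _t(sec), "pid": pid, "image": image, "kind": kind, "target": target}


# Constructed events: a fake "PUBG bypass" binary plus two benign processes.
SAMPLE_EVENTS = [
    _ev(0, 4242, "pubg_bypass.exe", "cmd",
        'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    _ev(5, 4242, "pubg_bypass.exe", "file",
        r"C:\Users\gamer\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    _ev(7, 4242, "pubg_bypass.exe", "file",
        r"C:\Users\gamer\AppData\Local\Microsoft\Edge\User Data\Default\Cookies"),
    _ev(12, 4242, "pubg_bypass.exe", "file",
        r"C:\Users\gamer\AppData\Roaming\Electrum\wallets\default_wallet"),
    _ev(15, 4242, "pubg_bypass.exe", "file",
        r"C:\Users\gamer\AppData\Roaming\discord\Local Storage\leveldb\000005.ldb"),
    _ev(18, 4242, "pubg_bypass.exe", "file",
        r"C:\Users\gamer\AppData\Roaming\Telegram Desktop\tdata\key_datas"),
    _ev(20, 4242, "pubg_bypass.exe", "file",
        r"C:\Users\gamer\.minecraft\launcher_accounts.json"),
    _ev(3, 1000, "chrome.exe", "file",
        r"C:\Users\gamer\AppData\Local\Google\Chrome\User Data\Default\History"),
    _ev(9, 2000, "explorer.exe", "file", r"C:\Users\gamer\Documents\notes.txt"),
]

if __name__ == "__main__":
    for pid, (image, reasons) in analyse(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({image}):")
        for r in reasons:
            print(f"  - {r}")
```

Only pid 4242 is reported, with both reasons. This is the shape of rule an EDR applies: no hash of the stealer is needed, because reading Chrome's Login Data, an Electrum wallet, Discord's LevelDB and Telegram's tdata from one unrelated process inside a minute is not something legitimate software does.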

Gamers are often tempted to use cheats or hacks to gain an unfair advantage, and malicious actors exploit that desire by disguising their malware as game cheats. It takes one to know one.

WhatsApp Hacked, Almost 500 Million Users Exposed https://gridinsoft.com/blogs/whatsapp-hacked/ https://gridinsoft.com/blogs/whatsapp-hacked/#respond Mon, 28 Nov 2022 21:02:32 +0000 https://gridinsoft.com/blogs/?p=12288

The post WhatsApp Hacked, Almost 500 Million Users Exposed appeared first on Gridinsoft Blog.

On November 28, 2022, information about a new WhatsApp breach surfaced. A hacker has been offering a database of stolen data for sale since November 16. The pack on offer contains the data of over 487 million users from 84 countries.

WhatsApp hacked, user data exposed

WhatsApp, one of the most popular messaging applications in the world, was reportedly hacked a couple of weeks ago. The messenger offers end-to-end encryption for messages, so the leak is not of chat content; it appears to stem from a back-end issue. According to the seller, the data taken from WhatsApp consists of users' phone numbers. The forum post offering the data was published on November 16, so the data was obtained no later than that date.

Forum post that offers to purchase WhatsApp users’ data

The leak includes the data of more than 487 million users from 84 countries across Europe, the Middle East, Asia, Africa and both Americas. The seller offers the database in parts, by country or region. It is unclear whether the entire leak can be bought at once, but the per-country prices show it would not be cheap: the UK and Germany datasets are priced at $2,500 each, while the US dataset costs $7,000. As proof, the seller offers a test sample of around 1,000 numbers from the list.

What is the danger of such a leak?

A phone number is an important identifier of a person, and it enables phishing and impersonation. Threat actors can use phone numbers for mass SMS spam and robocalls, or spam you through messengers, including WhatsApp itself. Such messages are not dangerous on their own, but any interaction with them can lead to more intensive spam or, if you are not careful, to losing money or reputation.

The example of SMS spam, which mimics the message from BofA

The other side of this sad story is the question of WhatsApp's security. Apparently this is not the first time WhatsApp has been hacked, and the other Meta products, Facebook and Instagram, have not avoided that reputation either. Besides being targets of attacks, these apps are also known for their extensive data collection: few services track your activity and interests so intensively. The targeted ads this produces are of subpar quality, so it is questionable whether there is any useful motive for using these services.

How can I protect myself?

As the recent cases with WhatsApp, Facebook and other social media show, you have to look after your own data. It is not clear how the hack happened, but it is clear how you can reduce the amount of your data that hackers can reach.

  1. Don’t share personal information. Untargeted spam on social networks is now routine, but in more sophisticated cases crooks rely on the details you publish in your profile. The less information you post, the less convincing the phishing crooks can craft.
  2. Keep an eye on recent breaches. In some cases it is not phone numbers but usernames and passwords that are exposed. If you see news about a possible breach of a service you use, change your credentials preventively. Either way, this greatly improves your security.
  3. Use anti-spam apps. Not every hack is loud enough to become public as soon as it happens, and most of the time hackers manage to sell considerable amounts of stolen data on the Darknet. To limit the consequences, use programs that automatically detect and delete spam SMS. They usually work by comparing the sender’s number against a pre-composed database. Be careful with these apps as well, since they can malfunction or leak your information to a third party. Use only well-proven ones.
