
vx-underground

The largest collection of malware source, samples, and papers on the internet.
Password: infected
https://vx-underground.org/
TGlist rating: 0 0
Type: Public
Verification: Not verified
Trust: Unreliable
Location:
Language: Other
Channel created: Jul 30, 2020
Added to TGlist: Sep 22, 2023

Latest posts in the "vx-underground" group

wtf why this dissin us

Happy Easter

He has AMD Ryzen

We've seen a bunch of dorks on Twitter use this meme format to insert mathematics and physics stuff into the Chad thought bubble.

Hate to be the bearer of bad news, but if you've ever actually spent your day doing something "intellectual intensive", your brain requires brain rot. You physically cannot brain science non-stop every day. Do gym bros stay in the gym 24/7? Do athletes train 24/7? No. You need down time. The brain is (in some capacity) a muscle too which requires training.

The only people we've seen brain science hardcore non-stop are one of the following (sometimes multiple):

1. Autistic nerds (not memeing), some autistic people have God levels of focus
2. ADHD nerds, if you get them on that weird hyper-focus stuff they'll lock in for like, 4 days and not bathe or eat
3. Nerds on drugs, more common than you'd think, but the nerds abusing amphetamines (or nootropics in general) lock in pretty hard too, until they crash out and they're worthless slabs of meat for like, a week or more

Anyway, the entire point of this micro-rant is to tell some of you to not be brainwashed by pseudo-intellectual grifters on social media. The entire part of braining is to have fun, explore, and learn. It isn't a competition, it isn't a "lOoK hOw SmaRt i Am" competition, it isn't a race to who can do the newest and coolest research.

When you're bored of a video game do you force yourself to like it? Same as brain stuff — you might try to force yourself through the boring parts, but eventually you'll be like, "this shit is lame", and move on to something you like more.

Look at cat pictures, laugh at edgy memes, understand there is time for braining and there is time for brain rot.

Okay, talk to you later, love you, mwah kissies kissies
-smelly smellington

One of my fondest memories of Lockbit ransomware group was when Lockbit ransomed a small nonprofit healthcare clinic in South America.

They begged him to decrypt the machines so they can provide treatment to people in need. They primarily provided healthcare to people in remote areas who have little to no money, education, or work.

Lockbit said: "If you have money for computers, you have money to pay me"

Wow, truly a heartwarming moment. Very cool.

Please drink and drive responsibly

Removed weird balloon thing from car. Now can safely store beer in car

Hello,

We've removed the post on the Bubble zero day. The purpose of the post was to draw attention to the issue — which was indeed addressed.

As a recap, 2 researchers published a paper on Bubble-dot-io and how to exploit it. Bubble ignored them. We were requested to relay the issue loudly so it was addressed. It was addressed. Bubble asserts they do not consider this an exploit because this is the result of users failing to RTM and follow the Bubble security guidelines.

I will personally take the L that it was a stretch to classify this as zero day when this is the result of users not following the Bubble best practices guide. It does not impact Bubble in totality.

tl;dr 2 guys 1 bubble

They also called us an embarrassment and said our post is borderline malicious because it is misleading because we (or the researchers, whoever) did not read the security guidelines.

Bubble-dot-io employees have responded.

Bubble (or individuals representing the company) assert the code we shared yesterday is not a zero day exploit and we (or the researchers mentioned) failed to take appropriate measures to read the documentation provided by Bubble.

In summary, they state each user is responsible for the security of their data and users must follow the appropriate Bubble-dot-io security guidelines. The issues we relayed yesterday do not impact Bubble-dot-io in totality, rather these are customers who failed to follow the guidelines.

In 2024, 2 security researchers discovered a flaw in Bubble-dot-io, a self-described AI-based app development and publishing service.

Upon discovering the vulnerability, these 2 researchers notified Bubble. Unfortunately, for whatever reason, this fell on deaf ears.

These individuals subsequently did a talk on the vulnerability, published a proof-of-concept, and even wrote a paper on it. The code and paper show how easy it is to compromise websites and/or applications on Bubble. Despite all of this, Bubble still did nothing.

These 2 individuals then contacted me to request I relay the message loud and clear: you need to fix your software immediately.

In essence, this exploit allows the execution of arbitrary requests to the application's Elastic search which allows data dumping and/or exfiltration.

The application's encryption workflow is performed in the front-end, because Bubble-dot-io uses fixed IVs (shared between ALL clients), exploiting Bubble-dot-io is possible due to the creation of arbitrary payloads by abusing the recovery keys.

All tables can be dumped, including custom tables defined as "custom.(table_name)".

Furthermore, it's possible to attack other clients from Bubble-dot-io because the application does all hosting internally (shared).

- Cryptography keys do not rotate, hence an attacker can reuse the same keys in new Elastic searches
- Timestamps are not verified
- Attackers can enumerate customer subdomains by fuzzing *.bubbleapps-dot-io domain, making identification of targets easier
- If domain doesn't match target, response header will return correct target in 'X-BUBBLEAPP-NAME'

Please note the time date stamp in the attached images.

See subsequent post for link to paper and proof-of-concept.

Chat, it's Friday.

Please hold.

We've got a 0day exploit.

The 0day impacts an organization which provides managed services for Danone, SeaGate, Unity, Shopify, Paramount Pictures, HubSpot, Amazon, PWC, Yamaha, L'Oreal

The exploit was reported, but the vendor ignored it.

Chat, do we drop a 0day on a Friday?

Popular vx-underground posts

18.04.2025 00:37
We've got a 0day exploit.

The 0day impacts an organization which provides managed services for Danone, SeaGate, Unity, Shopify, Paramount Pictures, HubSpot, Amazon, PWC, Yamaha, L'Oreal

The exploit was reported, but the vendor ignored it.

Chat, do we drop a 0day on a Friday?
Hello,

"Sean" has informed us that, somewhere in the midst of our kitty cat collection, is a photo of a cute doggie making homophobic remarks.

This is terrible news. The entire collection is contaminated.
Chat, we've got a problem.

Over 5,000 people are trying to download our kitty cat collection file. It is 159GB.

What is 159GB x 5,000 downloads at the same time? Unironically, we are DDoSing ourselves with cat pictures.
22.03.2025 16:34
When I first made vx-underground in May, 2019, one of the first people to discover the site was a person named "Santa". They messaged me and said they liked my website.

Approx. once a year "Santa" says Hello to me.

No idea who they are
06.04.2025 22:10
About 2 weeks ago privacy nerds on Reddit began reporting they're unable to watch YouTube videos when using a VPN. YouTube displays a "VPN/Proxy Detected" warning.

Initially it was displayed on desktop computers, however it is now being displayed on mobile devices too.
22.03.2025 03:31
Hello, how are you?

I have to break some bad news (kind of).

Previously, b0t stepped down. Bradley has (sort of) stepped down — his Father is on his death bed and Bradley is acting as his primary caretaker. I'll also be gone soon. My son Smelly Smellington Jr will be born in May, 2025.

Our other staff members are part time, or only staff "as needed", so ... I don't know what the future holds for vx-underground.

This is not the end. This is turbulence. This project, website, things we do for fun, will always be around. But, I cannot ensure consistency like I have historically.

I see the comments criticizing us (or rather, me specifically), for the lack of focus on malware and instead primarily posting "memes". Sorry. I'm spread too thin. I also wish I had more focus on malware.

Anyway, I'm still working on restoring virus-dot-exchange. 24,000,000 malwares. More updates soon.

Cheers,
- smelly smellington
Deleted 06.04.2025 01:59
05.04.2025 15:47
On April 1st, 2025 (No April Fools), the Russian FSB (Federal Security Service of the Russian Federation, Федеральная служба безопасности Российской Федерации), conducted a raid in St. Petersburg, Russia, on an IT facility named "Aeza Group".

Aeza Group is (rumored) to provide network infrastructure for Russia's Doppelgänger propaganda network. The location raided was once the home for Yevgeny Prigozhin's Wagner Center (tl;dr no idea who is stating these rumors, it's just news articles and Telegram).

Law enforcement agents allege the CEO, Yuri Bozoyan, and two employees of the organization, Maxim Orel and Tatyana Zubova, were arrested for aiding, abetting, or facilitating criminal groups. More specifically, the FSB asserts Mr. Bozoyan and his co-conspirators trafficked narcotics at large scale.

Additionally, it was (rumored) Aeza Group provided infrastructure for "darknet" groups and malware groups. However, we have been unable to find substantial evidence to support these claims other than various news articles (tl;dr who the fuck is saying this?).

A photo of the arrest was shared online.
09.04.2025 17:06
wtf python imports are tariffed
16.04.2025 04:21
If we had $1,000,000/yr, Bradley and I would travel to Russia to physically meet Lockbit in person and challenge him to a Yu-Gi-Oh duel to end his operations
31.03.2025 21:41
A video was shared online today of a person named "Dave" being violently assaulted for their cryptocurrency. This is a continuing trend of violent crime associated with cryptocurrency.
03.04.2025 02:56
Ransomware groups will be raising extortion demands 10% due to Tariffs
29.03.2025 15:22
Today Microsoft announced Windows 11 will require a Microsoft account to create a local profile on the computer. They will be removing the bypass option available in the installation command prompt.

There will still be workarounds, but they're making it harder