That's what I said in another topic that was removed, but if built-in protection like XProtect and Windows Defender is so good at blocking malware, then how do these hacks happen? That's why I take many of the AV tests with a grain of salt. AVs often fail to block "zero day" malware. You always need to combine your AV with specialized protection tools like anti-exploit and anti-logger, not to forget about the good old firewall. https://techcrunch.com/2025/01/17/m...ool-passwords-from-engineers-hacked-computer/
And here is another one. Like I said, I'm guessing these PCs are probably only protected by built-in security like Windows Defender. In a recent test, Win Defender failed to detect 20 infostealers, both with real-time and on-demand scanning. https://www.securityweek.com/infost...-telefonica-internal-ticketing-system-breach/
If a competent hacker targets you, no amount of programs will stop them. I thought you took these with a grain of salt. I think we all know that these tests are for entertainment purposes only and that any premier AV is enough for most people.
I have to disagree, that's what I'm trying to explain. These particular attacks could have easily been stopped. The problem is, AVs are mostly focused on blocking malware pre-execution, but once malware like infostealers runs, you should still be able to block it from accessing important folders. No, I said I take certain tests with a grain of salt. Namely, the sponsored tests where most AVs get a 100% score because they use samples that have been "in the wild" for a couple of days. If you performed the same test with true "zero day" malware (yes, this malware exists), then we would probably see different results.
Not so sure about that. There are big businesses, gov't departments, banks etc. getting hacked all the time, and I'm sure they have far better protection than some average Joe throwing 2 or 3 programs on their computer.
Agreed, if someone targets you, they will get you. There are so many holes in any OS that someone skilled will find a way.
That's the thing, people aren't getting affected by zero day exploits, but they are getting infected with zero day malware; there is a difference. With that I mean, they simply download stuff from the web, either from cracked software sites, or they are being tricked by Google Search into downloading legitimate apps bundled with malware. Fact of the matter is, AVs often don't detect this stuff. Just a couple of months ago there was a news report that 40,000 people were infected with infostealers in the Netherlands. You are not going to tell me that none of them used any AV. In fact, I bet most of them used Win Defender, because how many people bother to install third-party AVs nowadays?
That's what I'm trying to explain: these weren't sophisticated hacks on PowerSchool and Telefonica. They probably used social engineering to trick employees (could have been you and me) into running zero day infostealers. Most likely these are not detected by AVs. However, behavior blocking tools should be able to detect this stuff, so it's not like it's unstoppable.
To clarify, you're talking about sophisticated attacks that are often triggered by hacking hardware appliances. These companies do indeed have better protection, but apparently those hacks are much harder to protect against. And BTW, I was wrong about infostealers being pretty basic. Nowadays they seem to be getting a bit more advanced because they are trying to bypass Chrome's new "cookie protection" feature. But again, this stuff is not unstoppable. This article explains the various techniques they are using. I believe that HitmanPro.Alert is able to block certain infostealers that have already bypassed AV. https://www.elastic.co/security-labs/katz-and-mouse-game
Never underestimate the universe's ability to create better idiots. If you can fool people, you always have a way in. Most employees at most places are not held to the rules that IT lays out; it is too inconvenient for them. As long as this laziness persists, this is not a solvable problem.
Yes, but the thing we're talking about is that AVs are apparently still not good enough. What we need are better behavior blockers. It's difficult to block people from downloading and running apps unless Windows switches to a whitelisting model. But in my view, it should be easy to block infostealers with behavior blocking and firewalls. Cloud-based AVs like Windows Defender are simply not good enough, even though they might detect 99% of all malware that has been in the wild for a couple of hours or days. https://www.wired.com/story/infostealer-malware-password-theft/
There is no way for AV to be 100% accurate. Security software has little to no way to know if an encrypting process is ransomware or legitimate. Info stealers only have to read files. How does one determine that a process reading files is doing something nefarious? Computers run the programs written by the person that coded it. It likely isn't smarter than that programmer is. Most firewalls don't block most outgoing traffic. It could prompt to ask you to approve traffic but that gets tiresome quickly and you could be as wrong as the AV/Firewall. Whitelisting is extremely inconvenient and still prone to human error so you won't see it as a solution that everyone would use. What you want to see won't happen until computers can think and they would have to be somewhat smart while doing so. Unfortunately the effectiveness of your security solution still ends with the end user and I don't see that changing anytime soon, if ever.
All correct, but that doesn't change the fact that it's possible to implement almost bulletproof protection against ransomware and infostealers. Tools like HMPA are in fact already able to detect many ransomware samples with CryptoGuard. I don't know the details, but it probably looks at rapid modification of files that is out of the ordinary, and can even roll back already encrypted files. And if you protect files on disk (and in memory) from being accessed by untrusted processes, then infostealers can't do a thing. And this can all be done without causing major annoyance to the user. That $1.5 billion hack on crypto companies like Safe Wallet and Bybit could have been prevented. I don't know the exact details, but hackers planted some infostealer on a macOS laptop, and it managed to steal cookies/credentials for the AWS cloud. So if the browser (like Safari or Chrome) or S3 client (like Cyberduck or Commander One) had been protected, it would have been stopped.
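As an added illustration of the two behavior-blocking ideas raised in this thread (rapid, out-of-the-ordinary file modification as a ransomware signal, and untrusted processes reading credential stores as an infostealer signal), here is a toy monitor in Python. It is example code written for this page, not HitmanPro.Alert's, CryptoGuard's or any vendor's actual logic; the paths, process names, thresholds and the replayed event stream are all constructed assumptions.

```python
"""Toy behaviour-based blocker (added example, not a real product's logic).

Two heuristics run over a stream of file events:
  1. ransomware-like: one process rewrites many distinct files with
     high-entropy (encrypted-looking) content inside a short window;
  2. credential-access: a process outside a small allowlist reads a
     browser cookie store or cloud credential file.
All paths, process names and thresholds below are constructed/hypothetical.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since monitoring started
    pid: int
    process: str       # image name of the acting process
    op: str            # "read" or "write"
    path: str
    data: bytes = b""  # bytes written (only meaningful for "write")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly distributed bytes, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed policy: locations holding browser cookies and cloud credentials,
# and the (hypothetical) processes that legitimately read them.
SENSITIVE_PREFIXES = (
    "C:/Users/alice/AppData/Local/Google/Chrome/User Data/",
    "C:/Users/alice/.aws/",
)
TRUSTED_READERS = {"chrome.exe", "aws.exe"}


class BehaviorMonitor:
    def __init__(self, window_s=5.0, burst_files=10, entropy_min=7.0):
        self.window_s = window_s            # sliding window for the write burst
        self.burst_files = burst_files      # distinct files rewritten before alerting
        self.entropy_min = entropy_min      # writes at/above this look encrypted
        self._writes = defaultdict(deque)   # pid -> (ts, path) of high-entropy writes
        self._flagged = set()               # pids already reported as ransomware-like
        self.alerts = []

    def observe(self, ev: FileEvent):
        """Feed one event; returns an alert tuple, or None if nothing fired."""
        alert = None
        if (ev.op == "read" and ev.path.startswith(SENSITIVE_PREFIXES)
                and ev.process not in TRUSTED_READERS):
            # Untrusted process touching a credential store: alert regardless of
            # whether any signature database knows the binary.
            alert = ("credential-access", ev.pid, ev.process, ev.path)
        elif (ev.op == "write" and ev.pid not in self._flagged
                and shannon_entropy(ev.data) >= self.entropy_min):
            q = self._writes[ev.pid]
            q.append((ev.ts, ev.path))
            while q and ev.ts - q[0][0] > self.window_s:   # drop events outside window
                q.popleft()
            if len({p for _, p in q}) >= self.burst_files:
                self._flagged.add(ev.pid)                    # report each pid once
                alert = ("ransomware-like", ev.pid, ev.process, len(q))
        if alert:
            self.alerts.append(alert)
        return alert


def run_demo():
    """Replay a constructed event stream and return the alerts raised."""
    mon = BehaviorMonitor()
    text = b"Quarterly notes: revenue up, costs flat. " * 8   # low entropy, benign
    blob = bytes(range(256)) * 2                              # entropy exactly 8.0
    chrome_cookies = SENSITIVE_PREFIXES[0] + "Default/Cookies"
    events = [
        FileEvent(0.0, 100, "winword.exe", "write", "C:/Users/alice/Documents/q1.docx", text),
        FileEvent(0.5, 200, "chrome.exe", "read", chrome_cookies),   # legitimate owner
        FileEvent(1.0, 300, "updater.exe", "read", chrome_cookies),  # not on allowlist
    ]
    # Twelve documents rewritten with encrypted-looking content within two seconds.
    events += [
        FileEvent(2.0 + i * 0.15, 400, "photo_viewer.exe", "write",
                  f"C:/Users/alice/Documents/file{i}.docx.locked", blob)
        for i in range(12)
    ]
    for ev in events:
        mon.observe(ev)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running it prints one credential-access alert for `updater.exe` and one ransomware-like alert for pid 400 the moment it reaches its tenth distinct high-entropy rewrite; the word processor's single plain-text save and Chrome reading its own cookie store stay silent. The point of the toy is that neither decision depends on recognising the binary, which is what the thread means by behavior blocking as opposed to signature scanning; a real product would add rollback of the rewritten files and far more careful allowlisting to keep false positives down.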