Category Archives: Breaking News

APT, Breaking News, Hacking, Intelligence, Malware

New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict

March 21, 2023 Pierluigi Paganini

Threat actors are targeting organizations located in Donetsk, Lugansk, and Crimea with a previously undetected framework dubbed CommonMagic.

In October 2022, Kaspersky researchers uncovered a malware campaign aimed at infecting government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions with a previously undetected framework dubbed CommonMagic.

Researchers believe that threat actors use spear phishing as an initial attack vector, the messages include an URL pointing to a ZIP archive hosted on a web server under the control of the attackers. The archive contained two files, a decoy document (i.e. PDF, XLSX and DOCX versions) and a malicious LNK file with a double extension (i.e., .pdf.lnk) used to start the infection and deploy the PowerMagic backdoor.

***Malicious ZIP archive*** (Source Kaspersky)

Kaspersky attributes the attack to a new APT group operating in the area of Russo-Ukrainian conflict and tracked as Bad magic.

The experts noticed that TTPs observed during this campaign have no direct link to any known campaigns.

PowerMagic is a PowerShell backdoor that executes arbitrary commands sent by C2, then it exfiltrates data to cloud services like Dropbox and Microsoft OneDrive.

“When started, the backdoor creates a mutex – WinEventCom. Then, it enters an infinite loop communicating with its C&C server, receiving commands and uploading results in response. It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.” reads the report published by Kaspersky.

The threat actor likely used the PowerMagic backdoor to deliver the modular CommonMagic framework.

Each module of the CommonMagic framework is used to perform a certain task, such as communicating with the C2 server, encrypting and decrypting C2 traffic, and executing plugins.

Kaspersky analyzed two plugins respectively used to capture screenshots every three seconds and collects the contents of the files with the following extensions from connected USB devices: .doc, .docx. .xls, .xlsx, .rtf, .odt, .ods, .zip, .rar, .txt, .pdf.

“So far, we have found no direct links between the samples and data used in this campaign and any previously known actors.” concludes the report. “However, the campaign is still active, and our investigation continues. So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CommonMagic)

Breaking News, Cyber Crime, Hacking, Malware

New ShellBot bot targets poorly managed Linux SSH Servers

March 21, 2023 Pierluigi Paganini

New ShellBot DDoS bot malware, aka PerlBot, is targeting poorly managed Linux SSH servers, ASEC researchers warn.

AhnLab Security Emergency response Center (ASEC) discovered a new variant of the ShellBot malware that was employed in a campaign that targets poorly managed Linux SSH servers.

The ShellBot, also known as PerlBot, is a Perl-based DDoS bot that uses IRC protocol for C2 communications.

The ShellBot performs SSH bruteforce attacks on servers that have port 22 open, it uses a dictionary containing a list of known SSH credentials.

“The ShellBot malware strains that are going to be covered in this post are believed to have been installed after threat actors used account credentials that have been obtained through the use of scanners and SSH BruteForce malware on target systems.” reads the ASEC’s report. “After scanning systems that have operational port 22s, threat actors search for systems where the SSH service is active and uses a list of commonly used SSH account credentials to initiate their dictionary attack.”

Below is a list of the account credentials used by ShellBot operators to compromise the target servers:

User	Password
deploy	password
hadoop	hadoop
oracle	oracle
root	11111
root	Passw0rd
ttx	ttx2011
ubnt	ubnt

The researchers categorized the ShellBot into three different groups since threat actors can create their own versions: LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK.

LiGhT’s Modded perlbot v2 and DDoS PBot v2.0 supports multiple DDoS attack commands using HTTP, TCP, and UDP protocols. The PowerBots (C) GohacK supports backdoor features, including reverse shell and file downloading capabilities.

The researchers recommend using strong passwords for admin accounts and changing them periodically to protect the Linux server from brute force attacks and dictionary attacks. They also recommend keeping the servers up to date and using security programs.

“If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor. Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ShellBot)

APT, Breaking News, Hacking, Intelligence, Reports, Security

2022 Zero-Day exploitation continues at a worrisome pace

March 21, 2023 Pierluigi Paganini

Experts warn that 55 zero-day vulnerabilities were exploited in attacks carried out by ransomware and cyberespionage groups in 2022.

Cybersecurity firm Mandiant reported that ransomware and cyberespionage groups exploited 55 zero-day flaws in attacks in the wild.

Most of the zero-day vulnerabilities were in software from Microsoft, Google, and Apple.

The figures show a decrease from 2021, but experts pointed out that they represent almost triple the number from 2020.

The majority of the zero-day vulnerabilities were exploited by China-linked threat actors as part of their cyberespionage campaigns.

The researchers reported that only four zero-day vulnerabilities were exploited by financially motivated threat actors, with 75% of these instances linked to ransomware attacks.

“Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6). ” reads the report published by Mandiant.

According to the report, 13 zero-days in 2022 were exploited by cyber espionage groups, a figure that is consistent with 2021. Seven zero-days (CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328) were exploited in attacks in the wild by China-linked cyberespionage groups, while two zero-day vulnerabilities were exploited by suspected North Korea-linked APT groups.

“We identified four zero-day vulnerabilities for which we could attribute exploitation by financially motivated threat actors, a quarter of the total 16 zero-days for which we could determine a motivation for exploitation. 75% of these instances appear to be linked to ransomware operations, consistent with 2021 and 2019 data in which ransomware groups exploited the highest volume of zero-day vulnerabilities compared to other financially motivated actors.” continues the report. “However, the overall count and proportion of the total of financially motivated zero-day exploitation declined in 2022 compared to recent years.”

Multiple China-linked APT groups exploited the vulnerability CVE-2022-30190, aka Follina, while the exploitation of FortiOS vulnerabilities CVE-2022-42475 and CVE-2022-41328 was observed in particularly notable campaigns in 2022.

Mandiant believe that there is a shared development and logistics infrastructure behind the attacks.

Mandiant also observed two instances of Russian state zero-day exploitation. A first campaign carried out by the Russia-linked APT28 group exploited the CVE-2022-30190 flaw (aka Follina) in early June 2022. A second activity is related to a months-long campaign exploiting Microsoft Exchange vulnerability CVE-2023-23397 conducted by a threat actor tracked as UNC4697 (likely linked to the APT28 group).

The experts explained that increased focus on disrupting Russian cyber operations since Russia’s invasion of Ukraine may have discouraged Russia-linked groups from widely using zero-day exploits for access they expected to lose quickly. This implies that the exploitation of the CVE-2022-30190 flaw was likely opportunistic.

“Almost all 2022 zero-day vulnerabilities (53) were exploited for the purpose of achieving either (primarily remote) code execution or gaining elevated privileges, both of which are consistent with most threat actor objectives. While information disclosure vulnerabilities can often gain attention due to customer and user data being at risk of disclosure and misuse, the extent of attacker actions from these vulnerabilities is often limited.” concludes the report. “Alternatively, elevated privileges and code execution can lead to lateral movement across networks, causing effects beyond the initial access vector.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

Breaking News, Cyber Crime, Data Breach

Ferrari confirms data breach after receiving a ransom demand from an unnamed extortion group

March 21, 2023 Pierluigi Paganini

Ferrari disclosed a data breach after receiving a ransom demand from an unnamed extortion group that gained access to some of its IT systems.

Ferrari disclosed a data breach after it received a ransom demand from an unnamed extortion group that breached its IT systems. The threat actor claims to have stolen certain client details. The company immediately launched an investigation into the incident with the support of a third-party cybersecurity firm and informed relevant authorities.

“Ferrari N.V. (NYSE/EXM: RACE) (“Ferrari”) announces that Ferrari S.p.A., its wholly-owned Italian subsidiary, was recently contacted by a threat actor with a ransom demand related to certain client contact details.” reads the noticed published by the luxury car maker. “Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cybersecurity firm. In addition, we informed the relevant authorities and are confident they will investigate to the full extent of the law.“

The threat actor had access to a limited number of systems in our IT environment. According to the company the exposed data include customers’ names, addresses, email addresses, and telephone numbers. Financial data, such as payment details and, bank account info was not accessed by the attackers.

“As a policy, Ferrari will not be held to ransom as paying such demands funds criminal activity and enables threat actors to perpetuate their attacks.” continues the statement. “Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident.”

In October 2022, the Italian luxury sports car manufacturer confirmed the availability of internal documents online, but said it has no evidence of cyber attack.

The RansomEXX ransomware group claimed to have stolen 6.99GB of data, including internal documents, datasheets, repair manuals, etc.

At the time of this writing, the statement published by the company suggests that the two events are not linked.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ferrari)

Breaking News, Cyber Crime, Digital ID, Hacking

Crooks stole more than $1.5M worth of Bitcoin from General Bytes ATMs

March 21, 2023 Pierluigi Paganini

Cryptocurrency ATM maker General Bytes suffered a security breach over the weekend, the hackers stole $1.5M worth of cryptocurrency.

Cryptocurrency ATM manufacturers General Bytes suffered a security incident that resulted in the theft of $1.5M worth of cryptocurrency. GENERAL BYTES is the world’s largest Bitcoin, Blockchain, and Cryptocurrency ATM manufacturer.

The company revealed that the threat actors exploited a zero-day vulnerability, tracked as BATM-4780, that resides in the master service interface that Bitcoin ATMs use to upload videos. Once exploited the flaw, the remote attackers uploaded a JavaScript script and executed it with ‘batm’ user privileges.

“The attacker identified a security vulnerability in the master service interface used by Bitcoin ATMs to upload videos to server.” reported the Security Incident notice published by the company.

“The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider). Using this security vulnerability, attacker uploaded his own application directly to application server used by admin interface. Application server was by default configured to start applications in its deployment folder.”

Once executed the uploaded script the attackers gained access to the database and were able to read and decrypt API keys used to access funds in hot wallets and exchanges.

The attackers were able to send funds from hot wallets and download user names and password hashes. The hackers were also able to turn off the two-factor authentication (2FA).

The threat actors also gained access to terminal event logs and scan for any instance where customers scanned private key at the ATM.

On March 17-18th, 2023, GENERAL BYTES experienced a security incident.

We released a statement urging customers to take immediate action to protect their personal information.

We urge all our customers to take immediate action to protect their funds and https://t.co/fajc61lcwR… https://t.co/g5FGqvqZQ7
— GENERAL BYTES (@generalbytes) March 18, 2023

The company provided information on how to secure GB ATM servers (CAS) and recommends all its customers to implement the recommended measures.

“Please keep your CAS behind a firewall and VPN. Terminals should also connect to CAS via VPN. With VPN/Firewall attackers from open internet cannot access your server and exploit it. If your server was breached please reinstall the whole server including operation system.” continues the notice. “Additionally consider your all user’s passwords, and API keys to exchanges and hot wallets to be compromised. Please invalidate them and generate new keys & password. The CAS security fix is provided in two server patch releases, 20221118.48 and 20230120.44.”

The notice provides a list of crypto addresses used in the attack along with three IP addresses used by attackers.

The analysis of the wallets included in the notice revealed that the attackers stole more than $1.5 million worth of Bitcoin (56 BTC) from roughly 15 operators. Attackers also stole funds in other cryptocurrencies.

In August, threat actors exploited a zero-day vulnerability in the General Bytes Bitcoin ATM servers to steal BTC from multiple customers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, General Bytes)

Breaking News, Hacking, Mobile

Acropalypse flaw in Google Pixel’s Markup tool allowed the recovery of edited images

March 20, 2023 Pierluigi Paganini

The Acropalypse flaw in the Markup tool of Google Pixel allowed the partial recovery of edited or redacted screenshots and images.

Security researchers Simon Aarons and David Buchanan have discovered a vulnerability, named ‘Acropalypse,’ in the Markup tool of Google Pixel. The Markup tool is a built-in Markup utility, released with Android 9 Pie that allows Google Pixel users to edit (crop, add text, draw, and highlight) screenshots.

The vulnerability allowed the partial recovery of the original, unedited image data of a cropped and/or redacted screenshot.

Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to @David3141593 for his help throughout! pic.twitter.com/BXNQomnHbr
— Simon Aarons (@ItsSimonTime) March 17, 2023

Aarons described how to exploit the vulnerability via Twitter. Let’s imagine a user uploading a screenshot from a bank app or website that includes an image of his payment card.

The user uses the Markup’s Pen tool to remove the payment card data number from the image before sharing it on a service, like Discord.

The vulnerability in the Markup tool could have allowed an attacker that downloaded the image to perform a “partial recovery of the original, unedited image data of cropped and/or redacted screenshot.”

Just realised the alt text got swallowed up when I updated the diagram in the draft tweet…

Image description: A three-panel diagram.

The first panel is titled "Discord message" and depicts a Discord message sent by SimonTime to Retr0id, with an attached cropped photo of a… https://t.co/oFvzAj82NY
— Simon Aarons (@ItsSimonTime) March 18, 2023

The exploitation of the bug can allow an attacker to remove the black lines used to hide the card number, as well as ~80% of the full screenshot, which might include other sensitive information.

“The third panel is titled “Recovered image” and depicts a fake bank website. The top 20% of the image is corrupted, but the remainder of the image – including a photo of the credit card with its number visible – is fully recovered.” Aarons explained.

The duo has also published a demo utility that allows the owners of the Pixel devices to test their own redacted images and see if they are recoverable. The experts also announced that they will publish a FAQ shortly.

“When an image is cropped using Markup, it saves the edited version in the same file location as the original. However, it does not erase the original file before writing the new one. If the new file is smaller, the trailing portion of the original file is left behind, after the new file is supposed to have ended.” states the 9to5google website.

According to a technical analysis published by David Buchanan, the root cause of the flaw was due to this horrible bit of API “design”: https://issuetracker.google.com/issues/180526528.

“Google was passing “w” to a call to parseMode(), when they should’ve been passing “wt” (the t stands for truncation). This is an easy mistake, since similar APIs (like POSIX fopen) will truncate by default when you simply pass “w”. Not only that, but previous Android releases had parseMode(“w”) truncate by default too! This change wasn’t even documented until some time after the aforementioned bug report was made.” wrote Buchanan. “The end result is that the image file is opened without the O_TRUNC flag, so that when the cropped image is written, the original image is not truncated. If the new image file is smaller, the end of the original is left behind.”

The vulnerability, tracked as CVE-2023-21036, was reported to Google in January 2023, and the IT giant addressed it on March 13, 2023.

Despite Google has addressed the issue, the images edited with the tool and shared in the past five years are vulnerable to the Acropalypse attack.

The experts verified that there are a lot of cropped screenshots on platforms like Discord.

Buchanan wrote a script to scrape his own message history to look for vulnerable images and discovered that there were lots of them.

“The worst instance was when I posted a cropped screenshot of an eBay order confirmation email, showing the product I’d just bought. Through the exploit, I was able to un-crop that screenshot, revealing my full postal address (which was also present in the email). That’s pretty bad!” Buchanan concluded.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google Pixel)

Breaking News, Hacking, Malware

Threat actors abuse Adobe Acrobat Sign to distribute RedLine info-stealer

March 20, 2023 Pierluigi Paganini

Threat actors are abusing the legitimate Adobe Acrobat Sign service to distribute the RedLine information stealer.

Avast researchers reported that threat actors are abusing the legitimate Adobe Acrobat Sign service to distribute the RedLine information stealer.

Adobe Acrobat Sign allows registered users to sign documents online and send a document signature request to anyone. This latter process consists of generating an email that is sent to the intended recipients. The message includes a link to the document that that will be hosted on Adobe itself.

The experts pointed out that the users can also add a text to the email, this option can be abused by the attackers.

Le e-mail generate dai servizi hanno come indirizzo del mittente ‘adobesign@adobesign.com’, che ovviamente è un indirizzo e-mail legittimo considerato affidabile da qualsiasi soluzione di difesa.

When the victim clicks on the “Review and sign” button, it takes them to a page hosted in “eu1.documents.adobe.com/public/”, which is another legitimate source that belongs to Adobe. As I mentioned earlier, people using this service can upload a broad variety of file types to Adobe Acrobat Sign, which will be displayed in the email with the option to sign them.

Avast researchers observed crooks including text with a link in a document that attempts to trick the victim into thinking that they’ll be through the content before signing it. Once clicked on the link, the victim is redirected to another site where they’re asked to enter a CAPTCHA that is hardcoded.

Upon providing the CAPTCHA, the victim will be asked to download a ZIP archive containing the Redline Trojan variant.

The experts also observed threat actors targeting the same recipient days later by adding another link to the email sent by Adobe. Upon clicking on that link, the recipient is redirected to a page that is hosted on dochub.com, which offers electronic document signing too.

The archive used in this second attack includes another Redline Trojan variant and some non-malicious executables belonging to the Grand Theft Auto V game.

The attackers also employed a simple trick in an attempt to avoid detection, they artificially increased the size of the Redline Trojan to more than 400MB.

“One of the characteristics of the two variants of Redline that these cybercriminals used in these attacks is that they’ve artificially increased the size of the Trojan to more than 400MB. This is not noticeable by the victim during the download, as the file is compressed and most of that artificial size has just been filled with zeros.” reads the anaysis published by Avast. “The reason for this is unknown; it’s possible that the cybercriminals are using it in the hope of bypassing some antivirus engines that could behave differently with big files.”

The experts concludes that the abuse of Adobe Acrobat Sign to distribute malware is a new technique used by attackers in targeted attacks.

“Our team has yet to detect other attacks using this technique; nevertheless, we fear that it may become a popular choice for cybercriminals in the near future.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Breaking News, Cyber Crime, Hacking, Malware

Emotet is back after a three-month hiatus

March 20, 2023 Pierluigi Paganini

The infamous Emotet malware is back after a short hiatus, threat actors are spreading it via Microsoft OneNote email attachments.

The Emotet malware returns after a three-month hiatus and threat actors are distributing it via Microsoft OneNote email attachments to avoid detection.

The Emotet banking trojan has been active at least since 2014, the botnet is operated by a threat actor tracked as TA542.

The infamous banking trojan was also used to deliver other malicious code, such as Trickbot and QBot trojans, or ransomware such as Conti, ProLock, Ryuk, and Egregor.

In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default.

In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser.

Over time, Emotet operators have enhanced their attack chain by employing multiple attack vectors to remain under the radar.

The operators remained inactive between July and November 2022. In November, Proofpoint researchers warned of the return of the Emotet malware after having observed a high-volume malspam campaign delivering payloads like IcedID and Bumblebee.

MalwareBytes researchers noticed that the new campaign was powered by the botnet Epoch 4.

“Last week, Emotet returned after a three month absence when the botnet Epoch 4 started sending out malicious emails with malicious Office macros. While the extracted attachments were inflated to several hundred megabytes, it was surprising to see that Emotet persisted in using the same attack format.” reads the post published by MalwareBytes. “One noticeable change was the use of Microsoft OneNote documents by several other criminal gangs. Now, it is Emotet’s turn to follow along.”

The OneNote file attachment poses as a fake notification stating that the document is protected. The recipient is instructed to double-click on the View button in the content of the mail causing the victims inadvertently double-click on an embedded script file instead.

Then the Windows scripting engine (wscript.exe) executes the following command:

%Temp%\OneNote\16.0\NT\0\click.wsf"

to execute a heavily obfuscated script that retrieves the Emotet binary payload from a remote server.

The malicious DLL is then executed via regsvr32.exe to install the notorious malware on the target system.

Cofense researchers also reported that Emotet malicious activity resumed on March 7, 2023, the messages detected by the company contain attached .zip files that are not password protected.

The attached .zip files deliver weaponized Office documents that download and execute the Emotet .dll.

“It is unclear how long this round of email activity will last. While an earlier round of activity in 2022 extended across multiple weeks, the last round occurred over less than two weeks in November 2022, with more than three months of inactivity on either side.” states Cofense.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

Breaking News, Cyber Crime, Hacking, Malware

Play ransomware gang hit Dutch shipping firm Royal Dirkzwager

March 20, 2023 Pierluigi Paganini

Dutch maritime logistics company Royal Dirkzwager suffered a ransomware attack, the company was hit by the Play ransomware gang.

The Play ransomware group hit the Dutch maritime logistics company Royal Dirkzwager.

Royal Dirkzwager is specialized in optimizing shipping processes and managing maritime and logistic information flows.

The ransomware group added the company to its Tor data leak site and announced the theft of stolen private and personal confidential data, employee IDs, passports, contracts and etc.

The gang initially leaked a 5 GB archive as proof of the hack and threatens to release the full dump if the company will not pay the ransom.

Company CEO Joan Blaas said that the ransomware attack did not impact the operations of the company. He confirmed that threat actors have stolen sensitive data from its infrastructure.

“It has had a huge impact on our employees. Over the last year, because of the company’s bankruptcy, we had to let go of people and not everyone could stay. We had to move offices and now this. It’s been a very difficult time,” Company CEO Joan Blaas told The Record.

The company notified the Dutch Data Protection Authority and confirmed it is in negotiations with the ransomware group.

The Play ransomware group has been active since July 2022, the list of victims includes the City of Oakland and the Cloud services provider Rackspace.

The shipping industry is a privileged target of cybercrime organizations. In January, about 1,000 vessels have been impacted by a ransomware attack against DNV, one of the major maritime software suppliers.

DNV GL provides solutions and services throughout the life cycle of any vessel, from design and engineering to risk assessment and ship management. The Norwegian company provides services for 13,175 vessels and mobile offshore units (MOUs) amounting to 265.4 million gross tonnes, which represents a global market share of 21%.

In February 2022, a cyber attack hit Oiltanking GmbH, a German petrol distributor that supplies Shell gas stations in the country, severely impacting its operations. According to the media, the attack also impacted the oil supplier Mabanaft GmbH. The two companies belong to the Marquard & Bahls group.

In November 2021, researchers from threat intelligence firm Intel 471 published an analysis of cybercrime underground trends online, warning that initial access brokers were offering credentials or other forms of access to shipping and logistics organizations.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Royal Dirkzwager)