
Purple Fox rootkit now bundled with Telegram installer

The Purple Fox rootkit is being spread as an installer for the popular Telegram instant messaging app for Windows, according to researchers.

It’s not clear how the installer in this case was distributed, although it seems that at least some copies were delivered via email. Common distribution methods for this type of installer are phishing campaigns, forum spam, YouTube posts and comments, and untrustworthy software download sites. We’ve also seen the same malicious downloader in combination with a WhatsApp for Windows installer.

But what makes the newly found Telegram installer special is the fact that the malicious part of the install is done separately in several small files. This makes the malware harder to detect and makes it easier for the malware authors to replace parts that have a high detection rate.

It starts with an installer called “Telegram Desktop.exe”, which is an AutoIt script that drops a legitimate Telegram installer and a malicious downloader called “TextInputh.exe”. The legitimate Telegram installer is never executed; instead the malicious downloader runs immediately and fetches the next stage of the attack.

It downloads and executes more files, which are deleted after they have done their work. Then User Account Control (UAC) is disabled, specific antivirus products are blocked from starting, and information about security tools on the affected system is gathered and sent to a hardcoded command and control (C2) address.

The malware checks specifically for the presence of 360 AV software and will shut it down and block initiation.

The final stage of the infection requires a reboot for the new registry settings to take effect, including the disabled UAC. The disabled UAC setting allows the malware to download and deploy the Purple Fox rootkit.

Purple Fox background

Purple Fox is the name given to a malware family that has been in constant development ever since it was discovered in 2018. Back then it was a relatively simple Trojan that relied on exploit kits and phishing emails to spread. By the end of 2020, however, Purple Fox was using brute force attacks over Server Message Block (SMB), a network protocol that allows Windows computers to share files.

Then, in March 2021, researchers discovered that the Purple Fox malware included a rootkit and was wormable. A rootkit allows the attackers to hide the malware on a machine and make it difficult to detect and remove. Wormable malware is capable of spreading from one vulnerable computer to another automatically.

The Purple Fox infrastructure consists mostly of exploited servers that are used to host payloads, act as C2 servers, or serve as worm nodes. This makes it harder to track down the threat actors, but it also makes the infrastructure vulnerable if key servers get cleaned up by their rightful owners.

In September 2021, researchers found a new backdoor written in .NET which is believed to be associated with PurpleFox. This backdoor leverages WebSocket to communicate with its C2 servers, resulting in a more robust and secure means of communication. WebSocket is a communication protocol that allows streams of data to be exchanged between a client and server over a single TCP connection.

Mitigation

The most important advice to avoid this kind of infection is to download software only from trusted sources. Sometimes easier said than done, but trust me, it pays off.

Malwarebytes protects against and detects the malicious downloader by using the Artificial Intelligence module of its real-time protection.

Image: Malwarebytes blocks Purple Fox

IOCs

A full list of IOCs can be found on the Minerva blog, but we have listed the most important ones below:

Folders:

C:\Users\Public\Videos\1640618495

C:\Users\{username}\AppData\Local\Temp\TextInputh

Files:

Telegram Desktop.exe

TextInputh.exe

1.rar

360.tct (which gets renamed to 360.dll)

rundll3222.exe

svchost.txt

Calldriver.exe

Driver.sys

bmd.txt

dll.dll

kill.bat

speedmem2.hg

Registry:

HKEY_LOCAL_MACHINE\SYSTEM\Select\MarkTime

IPs:

144.48.243.79

193.164.223.77

Hashes:

41769d751fa735f253e96a02d0cccadfec8c7298666a4caa5c9f90aaa826ecd1

bae1270981c0a2d595677a7a1fefe8087b07ffea061571d97b5cd4c0e3edb6e0
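The indicators above are only useful if something actually compares them against host telemetry. The following is an added example, not code from Malwarebytes or Minerva, that turns the post’s IOC list into a small matcher and runs it over a handful of constructed endpoint events (file writes, folder creation, registry writes, outbound connections and file hashes). The username in the per-user temp folder and the epoch-like folder name under Public\Videos are treated as variable parts, as the list implies; everything else is matched literally. The sample events are made up for the demonstration.

```python
"""Match constructed endpoint telemetry against the Purple Fox IOCs listed
in the post. Added example; the events below are constructed, not real."""
import re
from dataclasses import dataclass

# File names, IPs, hashes and registry key copied from the post's IOC list.
IOC_FILES = {
    "telegram desktop.exe", "textinputh.exe", "1.rar", "360.tct", "360.dll",
    "rundll3222.exe", "svchost.txt", "calldriver.exe", "driver.sys",
    "bmd.txt", "dll.dll", "kill.bat", "speedmem2.hg",
}
IOC_IPS = {"144.48.243.79", "193.164.223.77"}
IOC_HASHES = {
    "41769d751fa735f253e96a02d0cccadfec8c7298666a4caa5c9f90aaa826ecd1",
    "bae1270981c0a2d595677a7a1fefe8087b07ffea061571d97b5cd4c0e3edb6e0",
}
IOC_REGISTRY = {r"hkey_local_machine\system\select\marktime"}
# Folder IOCs: the epoch-style folder under Public\Videos (ten digits, as in the
# post) and the TextInputh temp folder, whose username component varies.
IOC_FOLDER_PATTERNS = [
    re.compile(r"^c:\\users\\public\\videos\\\d{10}$", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\textinputh$", re.I),
]


@dataclass
class Event:
    kind: str    # "file" | "folder" | "ip" | "hash" | "registry"
    value: str


def _folder_hit(path: str) -> bool:
    return any(p.match(path) for p in IOC_FOLDER_PATTERNS)


def match_event(ev: Event) -> list:
    """Return the IOC categories one event matches (empty list = no match)."""
    v = ev.value.strip().lower()          # matching is case-insensitive
    hits = []
    if ev.kind == "file":
        folder, _, name = v.rpartition("\\")
        if name in IOC_FILES:
            hits.append("file")
        if folder and _folder_hit(folder):   # file written into an IOC folder
            hits.append("folder")
    elif ev.kind == "folder" and _folder_hit(v):
        hits.append("folder")
    elif ev.kind == "ip" and v in IOC_IPS:
        hits.append("ip")
    elif ev.kind == "hash" and v in IOC_HASHES:
        hits.append("hash")
    elif ev.kind == "registry" and v in IOC_REGISTRY:
        hits.append("registry")
    return hits


def scan(events) -> list:
    """Return [(event, hits)] for every event that matched at least one IOC."""
    out = []
    for ev in events:
        hits = match_event(ev)
        if hits:
            out.append((ev, hits))
    return out


# Constructed sample telemetry: five events that should match, two that should not.
SAMPLE_EVENTS = [
    Event("file", r"C:\Users\alice\AppData\Local\Temp\TextInputh\1.rar"),
    Event("folder", r"C:\Users\Public\Videos\1640618495"),
    Event("registry", r"HKEY_LOCAL_MACHINE\SYSTEM\Select\MarkTime"),
    Event("ip", "193.164.223.77"),
    Event("hash", "41769D751FA735F253E96A02D0CCCADFEC8C7298666A4CAA5C9F90AAA826ECD1"),
    Event("file", r"C:\Windows\System32\notepad.exe"),
    Event("ip", "8.8.8.8"),
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{ev.kind:9} {ev.value} -> {', '.join(hits)}")
```

The file-name set deliberately includes both 360.tct and 360.dll, because the post notes the file is renamed after download; a matcher keyed only on the final name would miss the write of the original. Hash matching is on the SHA-256 values from the list, so it only catches the exact samples seen, which is why the behavioural indicators (the folders and the registry key) matter more for a campaign that swaps components freely.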

Stay safe, everyone!

The post Purple Fox rootkit now bundled with Telegram installer appeared first on Malwarebytes Labs.

Customer support scammers take aim at NFT enthusiasts

Adidas has been making waves in the NFT space with a collection of footwear/bored ape crossover sales.

Demand was bound to be high among people who collect these things. As a result, Adidas tried to limit the number of sales to two per person. This is along the same lines as trying to prevent bid sniping on eBay, or ticket scalpers purchasing huge numbers of tickets then selling them on at huge profit. See also: console purchase shenanigans.

When the idea of scarcity is built into what you’re selling, it makes sense that you’d want to give anyone interested a fair chance to buy the item(s) on sale.

Unfortunately, as with all the best laid plans, things went sideways very quickly once the sale opened. When you see what approximates to an apology thread, you know something’s gone wrong. The question is: what?

Let the bidding begin

When an NFT sale opens, people have to bid to obtain their desired NFT and pay a gas fee. This fee goes up or down depending on supply and demand at the moment you make your payment. The fee itself compensates for the processing required to make the transaction. There are also numerous ways to avoid higher fees.

So far, so good. Unfortunately, the replies to the announcement are filled with people complaining about minting gone awry, and gas fees lost.

Drafting up a contract

Smart contracts in the NFT space are how people know who owns what after an NFT has been created.

Someone looking to bypass the two item limit created a custom smart contract, which fired up an additional 165 subcontracts to make additional purchases. That’s 330 NFTs purchased at a cost of around $350,000 for gas fees and purchase price, which could easily have gone wrong. As annoying as this is for anyone who lost out on fees, the thing which really interested me in the replies of woe was this:

Customer support scammers move to new realms

Someone dived into the complaints claiming to be “Adidas Originals Support”, eager to help anyone fretting about lost money. Sadly, all is not as it seemed.

“Hello,

This is Adidas Original Support.

We are sorry for any inconveniences so far.

Kindly send a direct message; our best team will attend to you to ensure it is fixed ASAP.”

Well, it looks convincing. For one thing, it has a blue ape in a yellow hat for a profile pic. Nobody would pretend to be a fake ape in a yellow hat, would they?

You bet they would. This is the customer support scam we’ve seen many times down the years. It started out targeting FIFA gamers in need of assistance. People doing it realised they could make more money jumping into customer support chats between banks and their customers.

We’ve seen this scam deployed against users of Trust Wallet just this year.

In it for the long run

It stands to reason we’d see this approach work its way over to the NFT space eventually. There’s simply too much speculative money being thrown around to resist. If we had to guess, the scammer would eventually ask for wallet credentials. If you lose your wallet in this way, you’re almost certainly never getting it back again.

The account sending the message has since been suspended by Twitter. However, it’s incredibly easy to set up bogus profiles and we expect to see this one happening a lot more. If a supposedly official account ends up in your replies after something goes wrong, check it has a verified profile. If it doesn’t, there’s a very good chance something may be amiss. As I said earlier: if you lose your wallet in this way, it’s probably gone for good.

Keep your friends close, your monkey jpegs closer, and your cryptowallets closest of all.


What angered us most about cybersecurity in 2021: Lock and Code S03E01

We are just three days into 2022, which means what better time for a 2021 retrospective? But rather than looking at the biggest cyberattacks of last year—which we already did—or the most surprising—like we did a couple of years ago—we wanted to offer something different for readers and listeners.

On today’s episode of Lock and Code, with host David Ruiz, we spoke with Malwarebytes Labs’ editor-in-chief Anna Brading and Labs’ writer Mark Stockley about what upset them the most about cybersecurity in 2021. These two have seen it all in the past year, helping to assign, write, edit, and publish every single blog that went onto Malwarebytes. That means every ransomware attack, every inadequate backup, every VPN blunder, and every industry-shifting vulnerability has been reviewed, read, and understood by our guests. And for everything covered on Lock and Code in 2021? Well, host David Ruiz joins the conversation this time, equipped with the information he gleaned about cybersecurity basics, critical infrastructure, and much more.

Interestingly, when you get a trio of news writers into the same (Zoom) room to talk about a certain industry, they also, invariably, begin talking about how that industry was reported on. Like Mark Stockley said in today’s episode, his top complaint about cybersecurity in 2021 wasn’t even about the industry’s failings, but about the way that newspapers and outlets write about the industry.

I think that there’s a sort of dispassionate view of the world that comes through in a lot of cybersecurity news that’s kind of calling balls and strikes, as if computer security is a thing that happens to computers.

Mark Stockley

Tune in to hear all this and more on this week’s Lock and Code podcast—the first episode in our third season—by Malwarebytes Labs.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.


What is IP sniffing?

IP sniffers, also known as packet sniffers, network analyzers, or protocol analyzers, are tools which play an essential role in the monitoring of networks, and in troubleshooting network-related issues. In essence, IP sniffing is monitoring traffic over a TCP/IP network.

IP sniffers intercept the traffic flowing in a digital network and log the data, which is then presented in a human-readable form for analysis. Network administrators and hackers of all stripes can use them to understand the state of a network at any time, find network vulnerabilities, and measure network performance.

What is packet sniffing?

When a distinction is made between IP sniffing and packet sniffing, a packet sniffer is a tool that analyzes all the inbound and outbound packets of a network. In addition, it looks at the path taken by each packet and interprets the logs to give users more visibility into their network. Some of these tools can also be used to monitor routers, switches, server traffic, network hardware, and even networks as a whole.

What is a Wi-Fi sniffer?

A Wi-Fi sniffer is a specific type of network analyzer or packet sniffer that is designed to work with wireless networks. Wi-Fi sniffing can be accomplished with a dedicated piece of electronic equipment or a software application.

What is meant by “sniffing attack”?

A sniffing attack involves the illegal extraction of unencrypted data by capturing network traffic through packet sniffers. They are used by cybercriminals to steal customer data and compromise network security. Sniffing attacks, which pose a significant security risk, enable common network threat types such as man-in-the-middle attacks, insider threats, etc.

By placing a hardware or software packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic. There are two types of sniffing attacks:

  • Active sniffing

Sniffing on a switched network is called active sniffing. A switch is a point-to-point network device: it regulates the flow of data between its ports by tracking the MAC address seen on each port, which lets it forward data only to its intended target. To capture traffic between other hosts on a switched network, a sniffer therefore has to actively inject traffic into the LAN.

  • Passive sniffing

Any traffic that is passing through the non-switched or unbridged network segment can be seen by all machines on that segment. Passive sniffers operate at the data link layer of the network. Any data sent across the LAN is actually sent to each and every machine connected to the LAN. This is called “passive” since sniffers placed by the attackers wait for the data to be sent to them and don’t inject any additional network traffic.

IP sniffing vs IP spoofing

Spoofing and sniffing are two very different things. IP spoofing means creating IP packets with a false source IP address. To carry out IP spoofing, attackers need the following:

  • A trusted IP address that the receiving device would permit to enter the network. There are numerous ways to find device IPs. One way is Shodan, a searchable database of IP address-to-device mappings.
  • The ability to intercept the packet and swap out the real IP header for the fraudulent one. A network sniffing tool or an Address Resolution Protocol (ARP) scan can be used to intercept packets on a network and gather IP addresses to spoof.
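What a sniffer actually does with a captured frame, and how the spoofing described above is caught on the receiving side, is easier to see in code than in prose. The block below is an added example (not from the post or from any sniffer product): it builds a constructed Ethernet/IPv4/TCP frame, decodes it field by field the way a packet sniffer would, recomputes the IPv4 header checksum, flags payloads that travel in the clear on well-known plaintext ports, and applies a simplified ingress filter that rejects a packet arriving from the outside while claiming an internal source address. The MAC addresses, IP addresses and payload are all made up, and the TCP checksum is left at zero because only the IPv4 header checksum is exercised here.

```python
"""Decode a constructed IPv4/TCP frame as a sniffer does, verify the IPv4
header checksum, and apply a simple anti-spoofing ingress check.
Added example; all addresses and payloads are constructed."""
import ipaddress
import struct

CLEARTEXT_PORTS = {21, 23, 80, 110, 143}   # FTP, telnet, HTTP, POP3, IMAP


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, inverted.
    Over a header that already carries a correct checksum, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload, ttl=64) -> bytes:
    """Construct an Ethernet II / IPv4 / TCP frame as sample sniffer input.
    MACs are made up; TCP checksum is left 0 (not checked in this example)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + tcp
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), 0x0800)
    return eth + ip


def parse_frame(frame: bytes) -> dict:
    """Decode the headers a sniffer shows for one IPv4/TCP frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    pkt = {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": str(ipaddress.IPv4Address(src)),
        "dst_ip": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "proto": proto,
        # A hand-crafted or corrupted header fails the recomputed checksum.
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
    }
    if proto == 6:                           # TCP
        tcp = ip[ihl:total_len]
        sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", tcp[:14])
        pkt.update(sport=sport, dport=dport, flags=flags, payload=tcp[(off >> 4) * 4:])
    return pkt


def exposed_cleartext(pkt: dict) -> bool:
    """True when the payload would be readable by a passive sniffer on the path."""
    return pkt.get("dport") in CLEARTEXT_PORTS and bool(pkt.get("payload"))


def ingress_filter(pkt: dict, interface: str, internal_nets) -> tuple:
    """Simplified BCP 38-style check: a packet arriving on the external ('wan')
    interface must not claim a source address from an internal network."""
    if not pkt["checksum_ok"]:
        return (False, "bad IPv4 header checksum")
    src = ipaddress.IPv4Address(pkt["src_ip"])
    if interface == "wan" and any(src in ipaddress.IPv4Network(n) for n in internal_nets):
        return (False, "internal source address arriving from outside (likely spoofed)")
    return (True, "accept")


if __name__ == "__main__":
    frame = build_frame("192.168.1.10", "93.184.216.34", 40000, 80,
                        b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")
    pkt = parse_frame(frame)
    print(pkt["src_ip"], "->", pkt["dst_ip"], "port", pkt["dport"],
          "cleartext" if exposed_cleartext(pkt) else "opaque")
    print(ingress_filter(pkt, "wan", ["192.168.0.0/16"]))
```

The checksum only proves the header was not damaged in transit; it does nothing against a deliberately forged source address, because the forger computes a valid checksum too. That is why the ingress rule is keyed on where the packet arrived rather than on anything inside it, and why the post’s advice about sniffing is really advice about encryption: the parser above can read the HTTP request verbatim, but gets nothing useful from the TLS bytes on port 443.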

Is IP sniffing legal?

Port sniffing is a process of reading and interpreting data that is transferred on a specific network communication port. Security analysts typically rely on port sniffing programs to determine software vulnerabilities. These analysts must inspect software applications for proper encryption and unwanted data exposure.

Whether IP sniffing is legal or not depends on a few circumstances.

  • Location and applicable laws

There are almost as many different laws as there are legislators. In the US, several Federal laws prohibit or restrict network monitoring and the sharing of records of network activity. These laws were drawn up to protect online privacy.

  • Who is doing the monitoring

Ownership of the data is a key differentiator. Certain types of network monitoring and data access are prohibited. People who violate the prohibitions may be sued by the people whose privacy they invade.

  • What they do with the gathered data

Again, if sharing gathered information results in a breach of privacy, it could result in legal consequences.

As a rule of thumb, you are allowed to monitor traffic in a private network that falls under your responsibility for troubleshooting purposes, and as long as you don’t share the gathered data with anyone else.


The three most significant cyberattacks of 2021?

People that predict tomorrow’s weather by looking at today’s are often right. Cloudy today? It’ll probably be cloudy tomorrow. The same is often true for cybersecurity threats. Looking back at 2021 it looks a lot like 2020: A lot of ransomware attacks.

So, when I was asked to write about the three most significant cyber-attacks of 2021, it was no real surprise that my thoughts turned to ransomware attacks.

But what made these three stand out from the other attacks this year, and from many we’ve seen before, were not the direct consequences for the targeted systems, or even the people in the organizations that were attacked, but the consequences for people far beyond those organizations.

The three I’ve chosen are:

  • The Conti ransomware attack on Ireland’s Health Service Executive
  • The REvil ransomware attack on Kaseya VSA
  • The Darkside ransomware attack on the USA’s Colonial Pipeline

Let me explain why I chose these three from the multitude of ransomware attacks we went through in 2021.

The human cost of a ransomware attack

On May 14, Ireland’s Health Service Executive (HSE) was paralyzed by a cyberattack which turned out to be Conti Ransomware. The attack forced the organization to shut down more than 80,000 affected endpoints and plunged it back into the age of pen and paper.

Our colleague Mark Stockley interviewed a doctor working in one of the affected hospitals.

Because of the ransomware attack, the doctor had to put in hours of extra effort after his day’s work just to determine which of the next day’s appointments he would have to cancel for lack of information. And then he could expect to deal with those anguished, sometimes angry patients, when he told them their appointment cannot go ahead.

“Imagine the scenario,” he said. “Patients will wait literally two years to see us. After two years they get a call saying ‘I’m sorry I can’t see you and I have to reschedule you and I can’t say when, because of the ransomware’. They know it’s not my fault but they are upset and very annoyed.” The doctor’s understatement kicks in. “They teach us ways to speak to angry patients, but it’s not nice.”

Asked what he would say to the attackers if he could speak to them, he responded with:

“If your loved one was sick. Would you do this? If you had somebody you cared about, would you do this to them. That’s what I’d ask them.”

“I think they lost their humanity.”

Four months later, after drafting in the army to help restore its systems, and after cancelling tens of thousands of appointments, HSE was still not fully recovered.

The ultimate supply-chain attack

On July 2, a severe ransomware attack against the popular remote monitoring and management software tool Kaseya VSA forced Kaseya into offering this urgent advice to its customers: Shutdown VSA servers immediately.

Members of the REvil ransomware gang had managed to push out a malicious Kaseya VSA update that encrypted machines and networks running the highly privileged software. The impact of the attack was enormous. Kaseya VSA is one of the more popular remote monitoring and management tools used by Managed Service Providers (MSPs) to administer their customers’ systems. The MSPs that were hit by the attack saw not only their own systems encrypted, but also the systems of their customers.

An attack on one organization quickly became an attack on thousands.

The attack hit at a painful point in time for the Dutch Institute for Vulnerability Disclosure (DIVD), a volunteer-run organization that found a remote code execution flaw in Kaseya VSA on April 1, 2021. It was working with Kaseya to patch the VSA vulnerabilities for months prior to the attack. It took Kaseya quite a lot of effort and time, and more and more expertise to get the right patch out—to get it tested, to get it through quality assurance. And then, disaster struck just before the patches went out.

Only rarely do companies allow us a look inside their organization while they are recovering from a ransomware attack. Many find it more convenient to keep a low profile or to be secretive. We went over the work that had to be done by a Dutch MSP to repair the damage done by this attack. Doing this provided us with some valuable insights.

And our colleague David Ruiz talked to Victor Gevers, chair of the DIVD, on an episode of Malwarebytes’ Lock and Code podcast, about the ransomware attack that his organization was racing to prevent.

Gevers’ damning verdict on the current state of software: “The quality of products that are online and are exposed to the Internet are not up to par for the current situation that we are in and this is going to screw us over in the long term.”

Vital infrastructure is called vital for a reason

On May 10 the FBI confirmed that the Colonial Pipeline had been attacked by Darkside ransomware. The pipeline exists to supply gasoline and other products across the southern and eastern United States. It is the largest of its kind in the US, reportedly transporting almost half of the fuel consumed by the east coast. The US government declared an emergency and brought in emergency powers to ensure people would still be supplied with fuel.

The attack spurred new rules for critical infrastructure that represent a tidal shift in how the Transportation Security Administration (TSA) has protected pipeline security in the country for more than a decade. But it also made clear that the federal government is no longer satisfied with private industry’s lagging cybersecurity protections. President Joe Biden signed an Executive Order to place new restrictions on software companies that sell their products to the federal government.

A spokeswoman for the National Security Council explained at the time the importance of a requirement that contractors would only gain access to federal systems on a “need-to-know” basis. Further, contractors would also have to notify government customers of any breach, bringing new transparency to the government about ongoing and increasingly frequent cybercrimes.

One other remarkable aspect of this attack, which led to an 11-day shutdown and gas shortages in the eastern US, is that the US Department of Justice recovered much of the ransomware payment.

Ransom payments are the fuel that propels the digital extortion engine, and the recovery of the payment marked something of a turning point in the year. Ransomware attacks continued, but life became more uncomfortable for the gangs involved.

In August, we welcomed Lesley Carhart to the Lock and Code podcast to talk about critical infrastructure cybersecurity. Surprisingly, she managed to reassure us that while there are improvements to be made to critical infrastructure security, it’s not nearly as bad as some people think.

Have a safe 2022, everyone!


A week in security (Dec 20 – 26)

Logistics giant warns of scams following ransomware attack

German logistics giant Hellmann Worldwide Logistics has issued a warning that data was stolen from the company when it was hit with a ransomware attack on December 9, 2021. It is not entirely clear what type of data was extracted, but the company says it is warning partners and customers to double check their communications with it, as a precaution. Criminals could use the leaked data to make social engineering attacks more believable, so Hellmann is asking people that do business with it to look out for fraudulent mails and calls.

…the forensic investigation has meanwhile confirmed that data was extracted from our servers before our systems were taken offline on December 9. We are currently investigating what type of data was extracted and will proactively provide further information as soon as possible. We are in regular contact with relevant government authorities.

Please note that the number of so-called fraudulent calls and mails has generally increased. Whilst communication with Hellmann staff via email and telephone remains safe (inbound and outbound), please make sure that you are actually communicating with a Hellmann employee and beware of fraudulent mails/calls from suspicious sources, in particular regarding payment transfers, change bank account details or the like.

Hellmann is one of the largest international logistics providers. Founded in 1871, it handles 16 million shipments per year by air, sea, road, and rail, and is active in 173 countries.

Stolen data

On December 9 it became obvious that there were problems at Hellmann Worldwide Logistics.

By the time the firm’s IT team responded, the threat actors had already exfiltrated sensitive files from the compromised servers. Many ransomware operators use the threat of leaking stolen data for extra leverage during the ransom negotiation stage. While companies can use backups to recover from data encryption without paying the ransom, they can’t use them to contain leaks.

And indeed, when the negotiations between Hellmann and the threat actor fell apart, the RansomExx group published some 70 GB of stolen documents on its leak site. The data reportedly included business agreements, intra-company emails, and more.

Free to download

The stolen data can be downloaded by anyone, including other criminals, who may use it to add insider knowledge to business email compromise (BEC) attacks and phishing attempts, to give them more credibility.

RansomExx

While RansomExx is not one of the ransomware operators that you see in the news often, they do have a reputation for going after big targets. In the past the group has attacked Konica Minolta, Gigabyte, and the Lazio region in Italy (including its COVID-19 vaccination registration portal).

The RansomExx ransomware is a rebranded Defray777 ransomware, which has become a lot more active since June 2020. The ransomware itself is highly targeted. Each sample contains a hardcoded name of the victim organization.

The group uses different methods to gain entry into a target’s network. In earlier cases the threat actors established an initial foothold through common banking trojans such as IcedID or Trickbot. From there, they deployed the Vatet loader, the PyXie RAT, and Cobalt Strike, before executing the ransomware entirely in memory.

And, similar to other ransomware operations, RansomEXX has also been known to breach networks using vulnerabilities or stolen credentials.

In February, the group was found abusing vulnerabilities in the VMware ESXi product, allowing them to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives. Malwarebytes blocks RansomExx as Malware.Ransom.Agent.Generic.

Image: Malwarebytes blocks RansomExx

Stay safe, everyone!


FBI traces and grabs back $150 million theft that was turned into bitcoins

On December 1, 2021, the Tokyo police arrested an employee of Sony Life Insurance on suspicion of fraudulently obtaining 17 billion yen through an illegal money transfer from an overseas unit.

On the same day 3,879 bitcoins, worth about $150 million, were seized by law enforcement, and on December 20 the US government took action in federal court to return them to Sony.

The theft

The funds were embezzled by Sony employee Rei Ishii, who pretended to conduct a legitimate fund transfer in May 2021. He allegedly transferred the money from SA Reinsurance Ltd’s bank account to a different bank account overseas by falsifying transaction instructions, which caused the funds to be sent to an account that Ishii controlled at a bank in La Jolla, California. He then quickly converted the funds to bitcoins, as criminals do.

Although Sony had a double authentication process for international money transfers, requiring both Ishii and his supervisor to sign them off, Ishii is said to have instructed the company’s bank to change the contact email address for his boss, which enabled him to both initiate and sign off money transfers.

Sony Life Insurance discovered the unapproved money transfer in August, and US law enforcement were able to trace the bitcoin transfers to a specific Bitcoin address, and then to an offline cryptocurrency cold wallet.

The recovery

The FBI—in cooperation with Japan’s National Police Agency, the Tokyo Metropolitan Police Department, Tokyo District Public Prosecutors Office, the Japan Prosecutors unit on Emerging Crimes (JPEC), and with assistance from Sony and Citibank—then obtained the private key needed to control the Bitcoin address. This allowed them to recover all the bitcoins that could be traced back to the theft.

An FBI press release on the matter spells out how long the long arm of the law is when agencies in different countries cooperate:

Second, the FBI’s footprint internationally through our Legal Attaché offices and the pre-existing relationships we have established in foreign countries—in this instance with Japan—enabled law enforcement to coordinate and identify the subject. The FBI’s technical expertise was able to trace the money to the subject’s crypto wallet and seize those funds … Criminals should take note: You cannot rely on cryptocurrency to hide your ill-gotten gains from law enforcement.

The end?

The FBI intends to return the stolen funds to the victim, and Ishii has been charged in Japan. However, the FBI continues to investigate the crime. The Major Frauds and Public Corruption Section and Asset Recovery Section of the US Attorney’s Office for the Southern District of California is handling the proceedings, with significant assistance from the Department of Justice Criminal Division’s Money Laundering and Asset Recovery Section and Computer Crime and Intellectual Property Section.


Dridex affiliate dresses up as Scrooge

Threat actors are hoping to catch a few more victims before they leave work for the Christmas holidays. The recent malicious spam campaigns (malspam) we and others have observed appear to have been created by someone who wants to play Scrooge and add onto people’s already heightened state of anxiety.

The lures are particularly mean, playing on people’s fears about job security and Covid infections. Unsuspecting users who open the attachments get infected with Dridex, a multi-purpose loader that can drop additional payloads, including ransomware.

Dark lures

An email captured by TheAnalyst shows fake termination letters being sent out by a Dridex affiliate. What kind of employer would terminate someone on Christmas eve?


We’ve also seen similar morbid subjects using the latest Covid variant, Omicron, likely from the same threat actor.


The email claims that 80% of the company’s employees have tested positive for Omicron and that you were a close contact. Opening the so-called test results in the attached document delivers the malware.


Maldoc leads to Dridex

The Excel document is password protected to prevent sandboxes from analyzing it and flagging it as malicious. It also requires the user to click through a pop-up dialog before the macro runs.

It drops a .rtf file into %programdata% and executes it via mshta.exe.

This is used to download the actual payload, hosted on a Discord server.
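The chain just described (a password-protected Excel document, a macro that writes an .rtf into %programdata%, mshta.exe executing it, and a payload fetched from a Discord CDN) is exactly the sort of sequence that behavioural rules catch even when the document hash changes daily. The block below is an added example, not Malwarebytes detection logic, that encodes three such rules and runs them over constructed process-creation and network events in a Sysmon-like shape. The parent/child image paths, the command lines and the .rtf file name are all made up; the page does not name the dropped file.

```python
"""Behavioural rules for the Excel -> mshta.exe -> %programdata% -> Discord
chain, run over constructed events. Added example, not vendor detection logic."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Matches "%programdata%\..." and "C:\ProgramData\..." in a command line.
PROGRAMDATA = re.compile(r"(%programdata%|c:\\programdata)\\", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of the rules one event triggers (empty = clean)."""
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    cmdline = event.get("command_line", "")
    dest = event.get("dest_host", "").lower()
    hits = []
    # Rule 1: an Office application launching mshta.exe is rarely legitimate.
    if parent in OFFICE_APPS and image == "mshta.exe":
        hits.append("office_spawns_mshta")
    # Rule 2: mshta.exe executing content from the %programdata% drop location.
    if image == "mshta.exe" and PROGRAMDATA.search(cmdline):
        hits.append("mshta_runs_programdata_file")
    # Rule 3: mshta.exe reaching the Discord CDN, where the post saw the payload hosted.
    if image == "mshta.exe" and dest.endswith("discordapp.com"):
        hits.append("mshta_contacts_discord_cdn")
    return hits


def scan(events) -> list:
    """Return [(image, hits)] for every event that triggers at least one rule."""
    out = []
    for e in events:
        hits = evaluate(e)
        if hits:
            out.append((_basename(e.get("image", "")), hits))
    return out


# Constructed sample events (paths and file names are made up).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\ProgramData\report.rtf"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "dest_host": "cdn.discordapp.com"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Windows\System32\en-US\help.hta"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(hits))
```

The third and fourth sample events are there to show the rules staying quiet on benign activity: mshta.exe started from Explorer with a system .hta, and Excel spawning the print helper splwow64.exe. Rule 1 on its own fires on some legitimate add-ins, so in practice it is the combination of Rule 1 with Rule 2 or Rule 3 on the same host within a short window that deserves an alert.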


This binary belongs to the Dridex malware family.

Malwarebytes customers are protected against this attack thanks to our Anti-Exploit layer which automatically closes the malicious attachment before it can deliver its payload.


As always, we recommend that users stay particularly vigilant when opening emails, especially those that sound urgent and demand immediate attention. When in doubt, contact your IT or HR department for more information and to confirm whether the email is legitimate.

Indicators of compromise

Malicious documents

TermLetter.xls

Positive_Result_51589380.xls

Results12232021.xls

TestingResult.xls

84d8044a1941e335b9ff716487af5186aa9ec1e796becbde36f7f9b5429afa14

d654757dcf512d8e10a6b58f652bd76c0eba70c3aedb4e0eaef07789ce1ed426

893e5d5e200712098a9c15223a779fc3dc16cbb7789435ba1785cc4fdc43af93

7e68be84324219154e3586e0ae19e8edae5b17c96f08b64e39092a89d10a95b0

Dridex payloads

Network IOCs

cdn[.]discordapp[.]com/attachments/914830201811238985/923509961307357205/cPRBQdzjCbfmuhammadismyfriend.bin

The post Dridex affiliate dresses up as Scrooge appeared first on Malwarebytes Labs.

Police forces pipe 225 million pwned passwords into ‘Have I Been Pwned?’

On his blog, Troy Hunt has announced a major milestone in the ‘Have I Been Pwned?’ project, thanks to the contributions of two of the world’s foremost law enforcement agencies: the FBI and the NCA (the UK’s National Crime Agency, roughly the FBI’s equivalent).

This enormous injection of used passwords has puffed up the world’s largest publicly available password database by 38%, according to Hunt.

‘Have I Been Pwned?’

‘Have I Been Pwned?’ (HIBP) allows users to type in an email address, phone number or password and find out how many times it has been involved in a data breach. So, if HIBP says your email address was involved in the great big LinkedIn breach of 2012, the Canva breach of 2019, or any other notable episode of credential theft, you know to change your passwords on those systems, and not to use them anywhere else. If it says a password you use has been breached, you know never to use it again.

In recent years, HIBP has been integrated with a number of third-party systems like password managers and web browsers, so they can alert users immediately if they attempt to use a credential that might already be in the hands of cybercriminals.

The site has been around for almost a decade, and through the years it has proven itself to be an extremely useful tool for everyday Internet users, governments, and organizations alike. The project is run by Troy Hunt with support from the community. The model he uses makes sure that privacy is maintained and passwords can safely be checked without any risk of disclosure. And it’s extremely well used. To give you some perspective, in the last month, there were 1,260,000,000 occasions where a service somewhere checked a password against HIBP’s Pwned Password API.

Hunt says the system stores minimal information about each user, and it only stores SHA-1 hashes of passwords (because you can generate a hash from a password, but you can’t generate a password from a hash). If you enter a password to see if it’s been pwned, it’s immediately turned into a SHA-1 hash and checked against the database.
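The privacy-preserving model mentioned above is HIBP’s published range query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the Pwned Passwords API, receives every stored suffix that shares that prefix, and compares locally, so the full hash never leaves the machine. As an added example (not code from the post or from HIBP), the following implements that client-side logic against a constructed range response; the suffixes and counts in the sample body are made up, with only the first line corresponding to the real hash of “password”.

```python
"""Added example: client side of the HIBP Pwned Passwords range check.

Only the 5-character SHA-1 prefix is sent to the API; the response lists
'SUFFIX:COUNT' lines for that prefix and the match is made locally.
"""
import hashlib
from typing import Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (prefix[5], suffix[35])."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """Number of breach occurrences for the password, 0 if its suffix is absent."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


# Constructed range body for prefix 5BAA6 (the prefix of SHA-1("password")).
# The first suffix is the real remainder of that hash; the other suffixes
# and all counts are made up. Real responses hold hundreds of suffixes.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
0018A45C4D1DEF81644B54AB7F969B88D65:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    # A live check would GET https://api.pwnedpasswords.com/range/<prefix>
    # and pass the response text to pwned_count().
    print(prefix, pwned_count("password", SAMPLE_RANGE_BODY))
```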

Police pipeline

In May of 2021, Hunt announced that the FBI had reached out to him and discussed what it might look like if the FBI were to feed compromised passwords into HIBP and surface them via the Pwned Passwords feature.

Over the last few months the HIBP project has been revamped to allow data to be fed into the system as it is made available by law enforcement. This new pipeline enables the ingestion of passwords from law enforcement agencies like the FBI and the NCA.

The NCA contribution has been enormous. At some point the NCA indicated it had hundreds of millions of passwords it believed weren’t already in the Pwned Passwords store of 613 million password hashes. After cross-checking, 225,665,425 turned out to be brand new. Adding them has inflated the total Pwned Passwords count to 847,223,402.

Have you been pwned?

While it is useful to know whether your personal details or credentials have been leaked, it is much more important to act on the information. So, what do you do now, knowing that your account might have been compromised?

For starters, change your password. Your new password needs to be hard to guess, and the best way to ensure that is to let a password manager do it for you. If you’re doing it yourself, pick something that is hard to guess: Avoid individual words, and avoid passwords that look like words with a few numb3r5 sprinkled in them. Instead, go for lengthy pass phrases or long, meaningless combinations of letters, numbers, and other characters.

Lastly, use two-factor authentication (2FA) to add a layer of protection to your accounts. We strongly suggest using a hardware key like a YubiKey. The next best option is a one-time password (OTP) app like Google Authenticator. Take note that some big-name companies like Facebook have already started giving their users the option to use a hardware key. So if you want to do that, check if your online service provider offers it, too, and take advantage of it.

Stay safe!

The post Police forces pipe 225 million pwned passwords into ‘Have I Been Pwned?’ appeared first on Malwarebytes Labs.