Hacker News: Collection of 1.4 Billion Plain-Text Leaked Passwords Found Circulating Online

password-reuse-list

Hackers always first go for the weakest link to quickly gain access to your online accounts.

Online users habit of reusing the same password across multiple services gives hackers opportunity to use the credentials gathered from a data breach to break into their other online accounts.

Researchers from security firm 4iQ have now discovered a new collective database on the dark web (released on Torrent as well) that contains a whopping 1.4 billion usernames and passwords in clear text.

The aggregate database, found on 5 December in an underground community forum, has been said to be the largest ever aggregation of various leaks found in the dark web to date, 4iQ founder and chief technology officer Julio Casal noted in a blog post.

Though links to download the collection were already circulating online over dark-web sites from last few weeks, it took more exposure when someone posted it on Reddit a few days ago, from where we also downloaded a copy and can now verify its authenticity.

Researchers said the 41GB massive archive, as shown below, contains 1.4 billion usernames, email, and password combinations—properly fragmented and sorted into two and three level directories.

The archive had been last updated at the end of November and didn’t come from a new breach—but from a collection of 252 previous data breaches and credential lists.

data-breach-password-list

The collective database contains plain text credentials leaked from Bitcoin, Pastebin, LinkedInMySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public, Exploit.in.

“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of the have been verified to be true,” Casal said. “The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records.”

“This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.”

The database has been neatly organized and indexed alphabetically, too, so that would-be hackers with basic knowledge can quickly search for passwords.

For example, a simple search for “admin,” “administrator” and “root,” returned 226,631 passwords used by administrators in a few seconds.

Although some of the breach incidents are quite old with stolen credentials circulating online for some time, the success ratio is still high for criminals, due to users lousy habit of re-using their passwords across different platforms and choosing easy-to-use passwords.

The most common yet worst passwords found in the database are “123456”, “123456789”, “qwerty,” “password” and “111111.”

worst-password-list

It is still unclear who is responsible for uploading the database on the dark web, but whoever it is has included Bitcoin and Dogecoin wallets for any user who wants to donate.

To protect yourself, you are strongly advised to stop reusing passwords across multiple sites and always keep strong and complex passwords for your various online accounts.

If it’s difficult for you to remember and create complex passwords for different services, you can make use of the best password manager. We have listed some good password managers that could help you understand the importance of such tool and choose one according to your requirement.

Mohit Kumar - Hacking News
      
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

Hacker News: Newly Uncovered ‘MoneyTaker’ Hacker Group Stole Millions from U.S. & Russian Banks

hacking-bank-account

Security researchers have uncovered a previously undetected group of Russian-speaking hackers that has silently been targeting Banks, financial institutions, and legal firms, primarily in the United States, UK, and Russia.

Moscow-based security firm Group-IB published a 36-page report on Monday, providing details about the newly-disclosed hacking group, dubbed MoneyTaker, which has been operating since at least May 2016.

In the past 18 months, the hacking group is believed to have conducted more than 20 attacks against various financial organisations—stolen more than $11 Million and sensitive documents that could be used for next attacks.

According to the security firm, the group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and SWIFT international bank messaging service (United States).

Criminals stole documentation for OceanSystems’ FedLink card processing system, which is used by 200 banks in Latin America and the US.” Group-IB says in its report.

Group-IB also warned that the MoneyTaker attacks against financial organizations appear to be ongoing and banks in Latin America could be their next target.

MoneyTaker: 1.5 Years of Silent Operations

Since its first successful attack in May last year, MoneyTaker has targeted banks in California, Illinois, Utah, Oklahoma, Colorado, South Carolina, Missouri, North Carolina, Virginia and Florida, primarily targeting small community banks with limited cyber defenses.

Even after a large number of attacks against so many targets, MoneyTaker group managed to keep their activities concealed and unattributed by using various publicly available penetration testing and hacking tools, including Metasploit, NirCmd, psexec, Mimikatz, Powershell Empire, and code demonstrated as proof-of-concepts at a Russian hacking conference in 2016.

“To propagate across the network, hackers used a legitimate tool psexec, which is typical for network administrators.” Group-IB says in its report.

money-taker

Besides using open-source tools, the group has also been heavily utilizing Citadel and Kronos banking trojans to deliver a Point-of-Sale (POS) malware, dubbed ScanPOS.

“Upon execution, ScanPOS grabs information about the current running processes and collects the user name and privileges on the infected system. That said, it is primarily designed to dump process memory and search for payment card track data. The Trojan checks any collected data using Luhn’s algorithm for validation and then sends it outbound to the C&C server.”

The group uses ‘fileless’ malware only existing in RAM and is destroyed after reboot. To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts – they are both difficult to detect by antivirus and easy to modify. In some cases, they have made changes to source code ‘on the fly’ – during the attack,

 “To escalate privileges up to the local administrator (or SYSTEM local user), attackers use exploit modules from the standard Metasploit pack, or exploits designed to bypass the UAC technology. With local administrator privileges they can use the Mimikatz program, which is loaded into the memory using Meterpreter, to extract unencrypted Windows credentials.

Moreover, MoneyTaker also makes use of SSL certificates generated using names of well-known brands—including as Bank of America, Microsoft, Yahoo and Federal Reserve Bank—to hide its malicious traffic.

hacking-banks

The hacking group also configure their servers in a way that malicious payloads can only be delivered to a predetermined list of IP addresses belonging to the targeted company. Also, it relies on PowerShell and VBS scripts to ensure persistence in the targeted system.

The very first attack, which Group-IB attributes to MoneyTaker was conducted in May 2016, when the group managed to gain access to First Data’s STAR—the largest U.S. bank transfer messaging system connecting ATMs at over 5,000 organizations—and stole money.

In January 2017, the similar attack was repeated against another bank.

Here’s how the attack works:

“The scheme is extremely simple. After taking control over the bank’s network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked,” Group-IB explains.

“Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules.”

The money mules then removed overdraft limits, which made it possible for them to overdraw cash even with debit cards. Using these cards, they “withdrew cash from ATMs, one by one.”

According to the report, the average money stolen by MoneyTaker from United States banks alone was about $500,000, and more than $3 million was stolen from at least three Russian banks.

The report also detailed an attack against a Russian bank, wherein the MoneyTaker group used a modular malware program to target the AWS CBR (Automated Work Station Client of the Russian Central Bank)—a Russian interbank fund transfer system similar to SWIFT.

The modular tool had capabilities to search for payment orders and modify them, replace original payment details with fraudulent ones, and carefully erase malware traces after completing its tasks.

While it is still unclear how MoneyTaker managed to get its foothold in the corporate network, in one specific case, the entry point of compromise of the bank’s internal network was the home computer of the bank’s system administrator.

Group-IB believes that the hackers are now looking for ways to compromise the SWIFT interbank communication system, although it found no evidence of MoneyTaker behind any of the recent cyber attacks on SWIFT systems.

Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

Putin Makes Surprise Visit to Syria in the Company of Su-35 Jets to Announce the End of Op

Looks like the new Sheriff in town got the job done! So far the US plan to keep its troops operating in Syria on alleged counter-terror missions after the Russian military pullout, threatening real hopes at last for peace in the region, according to analysts.

Also US lied about the number of troops stationed, U.S. Has Four Times the Amount of Troops in Syria as Previously Acknowledged. The latest Pentagon announcement came a month after Army Maj. Gen. James B. Jarrard, told reporters at a news conference there were about 4,000 U.S. troops in Syria – a number which was immediately revised:

https://www.haaretz.com/us-news/1.828521

https://sputniknews.com/analysis/201712121059917104-us-russian-troops-withdrawal-syria/

Futurist Trendcast

Russian President Vladimir Putin paid surprise visit to Khmeimim Airbase in Syria’s Latakia province on Monday, December 11. As he prepared to land, he was met by an escort of Su-35 fighter jets.

During this unannounced visit Putin met with Syrian president Assad and made an important announcement regarding partial withdrawal of Russian troops from Syria following the defeat of ISIS. Putin added that if terrorists reappeared in Syria, Russian troops would be back.

Russia’s Enormous Victory & End of ISIS

Russian Syria op is one of the most successful military ops of all time. As a result of Russian BKC (Russian joint military-space forces) involvement along with Syrian ground troops, ISIS has been squeezed out of all cities in Syria, leaving only some straggling groups in the country, with which Syrian army is still dealing on the ground. Syrian government today controls most of the country’s territory. When Russia…

View original post 1,098 more words