Nearly 2 Million Android TVs Infected with Malware, Triggering Cybercrime Campaigns

Cybersecurity firm Xlab has recently reported that nearly 1.59 million Android-based smart TVs have been compromised by Vo1d malware, leading to the formation of a large botnet. This botnet poses a serious risk of triggering a wide-reaching cybercrime campaign in the near future.

Xlab’s security experts have stated that the malware’s spread is global, with infected devices observed in 226 countries. The botnet began with around 50,000 infected devices in November 2024 and has grown rapidly: by January 2025 more than 800,000 bots were estimated to be active at any one time, against a cumulative total of 1.59 million compromised TVs. A botnet of that size could be turned to a much larger attack at short notice.

The majority of the infected Android TVs are concentrated in countries such as Brazil, Indonesia, South Africa, Argentina, Thailand, and China, with little to no infection detected in Western regions—according to the latest figures.

DragonForce Ransomware Strikes Saudi Real Estate Firm, Leaks 6TB of Data

The notorious DragonForce ransomware has recently targeted a real estate and construction company based in Riyadh, Saudi Arabia, resulting in significant data theft and encryption. After the firm refused to pay the demanded ransom, cybercriminals released a portion of the stolen 6TB of data on a specialized leak site for financial gain.

US-based cybersecurity firm Resecurity was the first to confirm the attack, revealing that a ransomware-as-a-service group was behind the incident. The attack took place just days before the start of Ramadan, a sacred period for the global Muslim community, adding an extra layer of complexity to the cyberattack.

Over 3 Billion Passwords Stolen by Infostealer Malware

In another alarming development, threat intelligence firm KELA has reported that infostealer malware has harvested over 3.9 billion password credentials. Because these credentials are lifted from millions of infected devices as working username and password pairs, the chief risk is credential stuffing (replaying the pairs against other services) and targeted phishing, rather than classical brute-forcing.

Infostealer malware is commodity malware that, once on a device, quietly harvests whatever it can reach: browser-saved logins and session cookies, financial information, personal messages, photos, videos and more, and ships it all to the operator within minutes of infection. That bulk exfiltration is what makes infostealers so dangerous: a single infection yields every saved credential on the machine, and a stolen session cookie can let an attacker into an account without ever seeing the password or an MFA prompt.

To protect against such threats, experts recommend deploying endpoint detection and response tools and enforcing multi-factor authentication, which together significantly reduce the risk. Any credential that turns up in a stealer log should be treated as compromised: reset the password and revoke active sessions, since MFA does not help once a valid session token has been stolen.

The post Cyber Attack news headlines trending on Google appeared first on Cybersecurity Insiders.

Microsoft Teams delivers ransomware

Microsoft Teams is back in the headlines, but this time, it’s not for its productivity features. Security researchers at Sophos have uncovered alarming evidence that the platform is being abused to spread ransomware, specifically through vishing (voice phishing) and email bombing. Sophos’s Managed Detection and Response (MDR) team has identified two distinct ransomware distribution campaigns that use Microsoft Teams to get a foothold in corporate networks. Neither depends on a software vulnerability in Teams: both rely on the default Microsoft 365 configuration that lets users in outside tenants message and call employees, which is why the finding raises significant concerns for enterprise security.

The attacks are attributed to two different cybercriminal groups, which Sophos tracks as STAC5143 and STAC5777. The groups use different tooling to deploy malware, but the overall approach revolves around social engineering and abuse of the external-access features of Microsoft Teams rather than any flaw in the software itself.

One of the strategies involves bombarding a target’s mailbox with a massive flood of email, typically thousands of messages, within a short window, often under an hour. The flood is not itself the infection vector; its purpose is to overwhelm the victim and create a pretext. The second tactic follows directly and is the more insidious one: attackers posing as IT support personnel from Microsoft contact the overwhelmed user over a Teams call and talk them into handing over sensitive information or granting remote access to their machine, from which the corporate network is reached.

Both techniques aim to deliver file-encrypting ransomware designed to cripple an organization’s systems. Once inside, the intruders first profile the host (operating system details and the like) and harvest credentials, confidential files and saved logins. The malware uses Windows API functions to log keystrokes, capture sensitive data and transmit it to the attackers’ remote servers. Exfiltration comes first and encryption second: the stolen data gives the attackers leverage for extortion even if the victim can restore from backup.
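The email-bombing step above has a simple detection signature: one mailbox suddenly receiving far more inbound mail than usual, from many distinct senders, inside a short window. The following is an added example (not code from the page or from Sophos) that runs a sliding-window count over constructed message-trace lines; the line format, thresholds and addresses are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample message-trace lines (not real logs): "<ISO timestamp> <recipient> <sender>".
# Alice receives 120 newsletter confirmations from distinct senders in 40 minutes;
# Bob receives six ordinary messages spread over an hour.
def _build_sample():
    base = datetime(2025, 1, 14, 9, 0, 0)
    lines = []
    for i in range(120):
        ts = base + timedelta(seconds=20 * i)  # 120 messages over 40 minutes
        lines.append(f"{ts.isoformat()}Z alice@corp.example list{i}@newsletter{i % 37}.example")
    for i in range(6):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts.isoformat()}Z bob@corp.example colleague{i}@partner.example")
    lines.sort()
    return lines

SAMPLE_TRACE = _build_sample()

def parse_line(line):
    ts, rcpt, sender = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), rcpt, sender

def detect_email_bombs(lines, threshold=50, window=timedelta(hours=1)):
    """Sliding-window count of inbound messages per recipient.

    Returns {recipient: (peak_count, distinct_senders, window_start, window_end)}
    for every recipient that received at least `threshold` messages within `window`.
    """
    per_rcpt = defaultdict(list)
    for line in lines:
        ts, rcpt, sender = parse_line(line)
        per_rcpt[rcpt].append((ts, sender))

    findings = {}
    for rcpt, events in per_rcpt.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Advance the window start until every event in [start, end] fits in `window`.
            while ts - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                senders = {s for _, s in events[start:end + 1]}
                prev = findings.get(rcpt)
                if prev is None or count > prev[0]:
                    findings[rcpt] = (count, len(senders), events[start][0], ts)
    return findings

if __name__ == "__main__":
    for rcpt, (n, senders, t0, t1) in detect_email_bombs(SAMPLE_TRACE).items():
        print(f"{rcpt}: {n} messages from {senders} distinct senders between {t0} and {t1}")
```

The distinct-sender count matters: a genuine burst from one automated system (a build server, a monitoring tool) looks very different from a bomb assembled out of hundreds of unrelated newsletter sign-ups, and an alert here should also trigger a warning to the mailbox owner that an "IT support" call is likely to follow.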

This incident adds to the growing trend of phishing campaigns where cybercriminals impersonate trusted brands like Microsoft, Amazon, DHL, FedEx, and others. Over the past year, these threat actors have relied on well-crafted, convincing emails that use the names of reputable companies to lure victims. Although the email subject lines may vary, the malicious intent remains the same—infecting victims with malware, stealing sensitive data, and ultimately compromising corporate networks.

Passwords of major Cybersecurity Vendors leaked on darkweb

In a separate but equally concerning development, a new report has surfaced revealing that passwords belonging to employees of major cybersecurity vendors have been leaked on the dark web. Investigations by Cyble Security found that at least 14 cybersecurity companies were affected, with the credentials most likely lifted from infostealer malware logs on employee machines rather than from a breach of the vendors themselves.

These credentials are being sold for as little as $10-$21 on underground forums. If purchased, they grant attackers access to highly sensitive platforms, such as cloud-based management tools, R&D databases, Okta, GitHub, AWS, Zoom, and SolarWinds. The cybersecurity vendors affected include some of the most prominent names in the industry, such as CrowdStrike, Exabeam, Fortinet, LogRhythm, McAfee, Palo Alto Networks, Qualys, Rapid7, SentinelOne, RSA Security, Sophos, Tenable, TrendMicro, and Zscaler.

The implications of this leak are significant. With access to internal systems and cloud platforms, attackers could potentially bypass defenses, escalate privileges, and gain entry to critical data and intellectual property. The exposure of such credentials underscores the vulnerabilities within the cybersecurity sector itself, further fueling the urgency for tighter security measures and more advanced threat detection capabilities.

Conclusion

Both of these developments—the exploitation of Microsoft Teams to spread ransomware and the leak of credentials from major cybersecurity vendors—highlight the increasingly sophisticated nature of cyberattacks. Organizations must remain vigilant, ensuring they have the necessary security protocols in place to defend against phishing attempts, ransomware, and other forms of malicious activity. As the cybersecurity landscape continues to evolve, it’s essential for both companies and individuals to stay informed about emerging threats and adopt proactive measures to safeguard their systems.

Stay tuned for more updates on these ongoing incidents as further details emerge.

The post Microsoft Teams delivers ransomware and passwords of Cybersecurity vendors leaked appeared first on Cybersecurity Insiders.

It was created in 1973 by Peter Kirstein:

So from the beginning I put password protection on my gateway. This had been done in such a way that even if UK users telephoned directly into the communications computer provided by Darpa in UCL, they would require a password.

In fact this was the first password on Arpanet. It proved invaluable in satisfying authorities on both sides of the Atlantic for the 15 years I ran the service, during which no security breach occurred over my link. I also put in place a system of governance that any UK users had to be approved by a committee which I chaired but which also had UK government and British Post Office representation.

I wish he’d told us what that password was.

The United Kingdom’s Ministry of Defense (MoD) has recently made headlines after it was revealed that over 560 staff members’ passwords were exposed on the dark web, triggering widespread concern within Parliament.

The breach is believed to be the work of hackers, possibly linked to Russian military intelligence, who are known for targeting foreign government networks. Sources familiar with the situation suggest that the hack may have compromised sensitive information, including military and civilian data, as well as that of defense contractors. The leaked information reportedly includes login credentials and email addresses tied to the Defense Gateway portal, a platform used by the British military to exchange classified data.

An anonymous source on Telegram indicated that the attack likely occurred in September, but the details have only recently surfaced. This source also mentioned that the breach includes classified data such as human resources information, personnel salaries, and medical records for military personnel and their families stationed in regions like Iraq, Cyprus, Mainland Europe, and Qatar. Additionally, some research and development communications shared over the internal network are believed to have been exposed.

The leak of such sensitive credentials could open the door to threats like phishing, blackmail, and further cyberattacks by state-sponsored actors. These could involve infiltrating networks with surveillance tools or malware, disrupting operations and compromising security.

According to reports from Cybersecurity Insiders, while the hackers have obtained the passwords, there is no evidence yet that they have used them to access the network. Fortunately, incident response teams have acted quickly to mitigate the damage, resetting passwords and implementing necessary security measures to protect the network.

The MoD has acknowledged the breach and confirmed it is working alongside the National Cyber Security Centre (NCSC), the cyber division of Britain’s GCHQ, to investigate the incident thoroughly.

The post UK Ministry of Defense MoD passwords leaked on Dark Web appeared first on Cybersecurity Insiders.

Stuart Schechter makes some good points on the history of bad password policies:

Morris and Thompson’s work brought much-needed data to highlight a problem that lots of people suspected was bad, but that had not been studied scientifically. Their work was a big step forward, if not for two mistakes that would impede future progress in improving passwords for decades.

First, was Morris and Thompson’s confidence that their solution, a password policy, would fix the underlying problem of weak passwords. They incorrectly assumed that if they prevented the specific categories of weakness that they had noted, that the result would be something strong. After implementing a requirement that passwords have multiple character sets or more total characters, they wrote:

These improvements make it exceedingly difficult to find any individual password. The user is warned of the risks and if he cooperates, he is very safe indeed.

As should be obvious now, a user who chooses “p@ssword” to comply with policies such as those proposed by Morris and Thompson is not very safe indeed. Morris and Thompson assumed their intervention would be effective without testing its efficacy, considering its unintended consequences, or even defining a metric of success to test against. Not only did their hunch turn out to be wrong, but their second mistake prevented anyone from proving them wrong.

That second mistake was convincing sysadmins to hash passwords, so there was no way to evaluate how secure anyone’s password actually was. And it wasn’t until hackers started stealing and publishing large troves of actual passwords that we got the data: people are terrible at generating secure passwords, even with rules.

Microsoft is warning Azure cloud users that a Chinese controlled botnet is engaging in “highly evasive” password spraying. Not sure about the “highly evasive” part; the techniques seem basically what you get in a distributed password-guessing attack:

“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time,” Microsoft officials wrote. “This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.”

Some of the characteristics that make detection difficult are:

  • The use of compromised SOHO IP addresses
  • The use of a rotating set of IP addresses at any given time. The threat actors had thousands of available IP addresses at their disposal. The average uptime for a CovertNetwork-1658 node is approximately 90 days.
  • The low-volume password spray process; for example, monitoring for multiple failed sign-in attempts from one IP address or to one account will not detect this activity.
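The third bullet is the crux: a spray that sends one guess per source address and one guess per account never trips a per-IP or per-account failure threshold. The following is an added example, not code from the page or from Microsoft, that runs the two classic rules and a tenant-wide rule over constructed sign-in events; the event layout, addresses and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real telemetry): (timestamp, account, source_ip, success).
# The spray: 60 distinct addresses each make ONE failed attempt against ONE distinct
# account within 50 minutes. Background noise: one employee mistypes her own password
# twice from the office, then logs in.
def _build_sample():
    base = datetime(2024, 10, 30, 2, 0, 0)
    events = []
    for i in range(60):
        ip = f"203.0.113.{i + 1}" if i < 40 else f"198.51.100.{i - 39}"
        events.append((base + timedelta(seconds=50 * i), f"user{i:02d}@corp.example", ip, False))
    events.append((base + timedelta(minutes=5), "jane@corp.example", "192.0.2.10", False))
    events.append((base + timedelta(minutes=6), "jane@corp.example", "192.0.2.10", False))
    events.append((base + timedelta(minutes=7), "jane@corp.example", "192.0.2.10", True))
    events.sort()
    return events

SAMPLE_EVENTS = _build_sample()

def per_ip_alerts(events, threshold=5):
    """Classic rule: N failures from one IP. A rotating-IP spray never reaches N."""
    fails = defaultdict(int)
    for _, _, ip, ok in events:
        if not ok:
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def per_account_alerts(events, threshold=5):
    """Classic rule: N failures against one account. One guess per account never reaches N."""
    fails = defaultdict(int)
    for _, acct, _, ok in events:
        if not ok:
            fails[acct] += 1
    return sorted(a for a, n in fails.items() if n >= threshold)

def spray_alerts(events, window=timedelta(hours=1), min_accounts=20, min_ips=20):
    """Tenant-wide rule: many distinct accounts failing from many distinct IPs inside
    one window, with close to one failure per (ip, account) pair. Returns the window
    with the most distinct accounts, or None."""
    fails = sorted((ts, acct, ip) for ts, acct, ip, ok in events if not ok)
    best, start = None, 0
    for end, (ts, _, _) in enumerate(fails):
        while ts - fails[start][0] > window:
            start += 1
        chunk = fails[start:end + 1]
        accounts = {a for _, a, _ in chunk}
        ips = {i for _, _, i in chunk}
        if len(accounts) >= min_accounts and len(ips) >= min_ips:
            pairs = {(a, i) for _, a, i in chunk}
            finding = {"window_start": fails[start][0], "window_end": ts,
                       "failures": len(chunk), "accounts": len(accounts), "ips": len(ips),
                       "failures_per_pair": round(len(chunk) / len(pairs), 2)}
            if best is None or finding["accounts"] > best["accounts"]:
                best = finding
    return best

if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(SAMPLE_EVENTS))          # []
    print("per-account alerts:", per_account_alerts(SAMPLE_EVENTS))  # []
    print("spray finding:", spray_alerts(SAMPLE_EVENTS))
```

The tenant-wide rule is deliberately blind to who the sources are; once it fires, the usual enrichment (are the source addresses residential or SOHO ranges, do they share a user agent, is the timing machine-regular) is what turns a statistical anomaly into an incident.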

NIST’s second draft of SP 800-63-4, its digital identity guidelines, finally contains some really good rules about passwords:

The following requirements apply to passwords:

  1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
  2. Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
  3. Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
  4. Verifiers and CSPs SHOULD accept Unicode [ISO/IEC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
  5. Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
  6. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
  7. Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
  8. Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
  9. Verifiers SHALL verify the entire submitted password (i.e., not truncate it).

Hooray.

News article. Slashdot thread.
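Schechter’s "p@ssword" point above and the NIST rules just quoted are two sides of the same coin: a composition rule is satisfied by a trivially guessable string, while a length floor plus a blocklist check is not. The following is an added example (not code from the page, from NIST or from Schechter) that implements a Morris-and-Thompson-style composition rule next to a validator following the draft’s rules; the blocklist, the leet-substitution table and the 128-character ceiling are assumptions for illustration, and a real deployment would check against a large breach corpus.

```python
import unicodedata

# Constructed blocklist for illustration; a real verifier compares against a large
# list of commonly used and breached passwords, as SP 800-63B-4 requires.
BLOCKLIST = {"password", "p@ssword", "letmein", "qwerty123", "welcome1"}

# Common substitutions, folded before the blocklist lookup so "P@$$w0rd" is caught.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})

def legacy_policy_ok(pw):
    """Morris-and-Thompson-style rule: at least 8 characters and at least two
    character classes. 'p@ssword' satisfies it."""
    classes = sum([any(c.islower() for c in pw),
                   any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(not c.isalnum() for c in pw)])
    return len(pw) >= 8 and classes >= 2

def nist_check(pw, min_len=15, max_len=128, blocklist=BLOCKLIST):
    """Apply the draft SP 800-63-4 rules. Returns (accepted, reason)."""
    # Rule 4: length is counted in Unicode code points. Normalize first (the
    # guidelines recommend NFKC or NFKD) so the same visible string always
    # yields the same code-point count and the same hash.
    pw = unicodedata.normalize("NFKC", pw)
    n = len(pw)  # a Python str length is a code-point count
    if n < min_len:  # Rule 1: SHALL >= 8, SHOULD >= 15
        return False, f"too short: {n} < {min_len} code points"
    if n > max_len:  # Rule 2: allow at least 64; this verifier allows 128
        return False, f"too long: {n} > {max_len} code points"
    # Rules 3 and 4: printing ASCII, the space and any Unicode are all fine;
    # only control characters (general category C*) are refused.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control characters not allowed"
    # Rule 5: no composition rules. The blocklist does the real work instead.
    folded = pw.lower()
    if {folded, folded.translate(LEET)} & blocklist:
        return False, "appears in blocklist of commonly used or compromised passwords"
    # Rule 9: the entire string, untruncated, is what gets verified and hashed.
    return True, "ok"

if __name__ == "__main__":
    for candidate in ["p@ssword", "P@$$w0rd", "correct horse battery staple", "pässwörd säkerhet!"]:
        print(f"{candidate!r}: legacy={legacy_policy_ok(candidate)} nist={nist_check(candidate, min_len=8)}")
```

Note that with the SHOULD value of 15 characters "p@ssword" fails on length before the blocklist is consulted; the `min_len=8` calls in the demo use the SHALL floor so that the blocklist path is exercised.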

This isn’t good:

On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and it’s not clear when it was taken down.

The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.

[…]

These keys were created by AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. As the strings suggest, the keys were never intended to be used in production systems. Instead, AMI provided them to customers or prospective customers for testing. For reasons that aren’t clear, the test keys made their way into devices from a nearly inexhaustive roster of makers. In addition to the five makers mentioned earlier, they include Aopen, Foremelife, Fujitsu, HP, Lenovo, and Supermicro.
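A practitioner reading the above will want to know whether a given machine is affected. On Linux the Platform Key is exposed through efivarfs as an EFI_SIGNATURE_LIST containing the PK certificate, and Binarly’s disclosure identifies the leaked AMI test keys by the "DO NOT TRUST" wording in their subject (the "strings" the article alludes to). The following is an added example, not code from the page or from Binarly: it parses the EFI_SIGNATURE_LIST layout from the UEFI specification and scans the embedded certificate bytes for that marker. The marker strings, the efivars path and the sample blobs are assumptions; the sample "certificates" are constructed stand-ins, not real DER, and a byte search is a heuristic that a full check would replace with proper X.509 subject parsing.

```python
import os
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_VAR_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Assumed marker strings from the subject of the leaked AMI test keys.
UNTRUSTED_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")

def parse_signature_lists(data):
    """Walk a chain of EFI_SIGNATURE_LIST structures:
    GUID SignatureType | u32 SignatureListSize | u32 SignatureHeaderSize |
    u32 SignatureSize | header | EFI_SIGNATURE_DATA[] (GUID owner + data).
    Returns a list of (signature_type, owner, signature_bytes)."""
    out, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            out.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return out

def untrusted_pk_entries(data):
    """Return the X.509 entries whose bytes carry a known test-key marker."""
    return [(owner, sig) for t, owner, sig in parse_signature_lists(data)
            if t == EFI_CERT_X509_GUID and any(m in sig for m in UNTRUSTED_MARKERS)]

def read_pk_variable(path=PK_VAR_PATH):
    """efivarfs prefixes the variable data with 4 bytes of attribute flags."""
    with open(path, "rb") as f:
        return f.read()[4:]

def build_esl(sig_type, owner, cert_bytes):
    """Construct one EFI_SIGNATURE_LIST holding a single entry (no header)."""
    sig_size = 16 + len(cert_bytes)
    return (sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + cert_bytes)

# Constructed samples: NOT real certificates, just blobs whose bytes contain (or
# do not contain) the subject string of the leaked test key.
SAMPLE_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
FAKE_TEST_CERT = b"\x30\x82\x00\x00" + b"CN=DO NOT TRUST - AMI Test PK" + b"\x00" * 8
FAKE_GOOD_CERT = b"\x30\x82\x00\x00" + b"CN=Example Corp Platform Key" + b"\x00" * 8
SAMPLE_PK_BAD = build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, FAKE_TEST_CERT)
SAMPLE_PK_GOOD = build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, FAKE_GOOD_CERT)

if __name__ == "__main__":
    data = read_pk_variable() if os.path.exists(PK_VAR_PATH) else SAMPLE_PK_BAD
    hits = untrusted_pk_entries(data)
    print("PK matches a known AMI test key!" if hits else "PK does not carry the test-key marker")
```

A matching PK means the firmware’s root of trust is the published key: anyone with the leaked private half can sign their own KEK and db updates and hence their own boot components, so the answer is a firmware update from the vendor that rotates the PK, not a Secure Boot setting change.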

Researchers from a security firm (name withheld) have uncovered a significant data breach involving Twitter user data, revealing a leaked dataset of approximately 9.86GB. This trove includes over 200 million user records linked to account profiles, names, email addresses, and in some cases, contact numbers. The leaked information has surfaced on a data leak forum, posing a serious risk of social engineering attacks such as phishing and identity theft.

The authenticity of the data, purportedly leaked by an entity named ‘Michupa’, has not yet been confirmed to belong to Twitter, which has commercialized its social networking services extensively over the past two years.

In a separate incident, a hacker known as “Obamacare” has publicly disclosed a dataset of plaintext passwords, with details of the leak circulating on platforms including Facebook. This file allegedly comprises around 1.5 billion passwords, on top of the staggering 8 billion passwords leaked in various incidents since 2009.

Such leaks significantly heighten the risk of credential-stuffing and password-guessing attacks aimed at compromising individual and corporate accounts, because the leaked values become the wordlist.

As more online services accept single sign-on such as Google’s, a single compromised password can unlock many accounts at once, so users must layer their defences rather than rely on the password alone. Use a different password for every service (a password manager makes that practical), change a password promptly when it turns up in a breach rather than on a fixed monthly schedule, which mostly produces predictable variations of the old one, and enable two-factor authentication (2FA) so that a leaked password is not enough on its own.

Additionally, users are advised to exercise caution by avoiding clicking on suspicious URLs sent via email or messages. Conducting regular cybersecurity audits is crucial to proactively identify and mitigate any potential vulnerabilities that could be exploited by malicious actors.

The post Twitter Data breach and 10 billion password leak details appeared first on Cybersecurity Insiders.

Interesting story of breaking the security of the RoboForm password manager in order to recover a cryptocurrency wallet password.

Grand and Bruno spent months reverse engineering the version of the RoboForm program that they thought Michael had used in 2013 and found that the pseudo-random number generator used to generate passwords in that version—and subsequent versions until 2015—did indeed have a significant flaw that made the random number generator not so random. The RoboForm program unwisely tied the random passwords it generated to the date and time on the user’s computer—it determined the computer’s date and time, and then generated passwords that were predictable. If you knew the date and time and other parameters, you could compute any password that would have been generated on a certain date and time in the past.

If Michael knew the day or general time frame in 2013 when he generated it, as well as the parameters he used to generate the password (for example, the number of characters in the password, including lower- and upper-case letters, figures, and special characters), this would narrow the possible password guesses to a manageable number. Then they could hijack the RoboForm function responsible for checking the date and time on a computer and get it to travel back in time, believing the current date was a day in the 2013 time frame when Michael generated his password. RoboForm would then spit out the same passwords it generated on the days in 2013.
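The recovery described above reduces to brute-forcing a seed: if the generator is seeded from the clock, every candidate timestamp in the window yields exactly one password for a given set of parameters, so the attacker regenerates and compares. The following is an added example, not code from the page, from Wired or from RoboForm, and the toy generator is an assumption that stands in for RoboForm’s unpublished algorithm: it seeds Python’s `random.Random` with a Unix timestamp and draws characters from the chosen classes. The timestamps and parameters are made up for illustration.

```python
import random
import string

def _alphabet(lower=True, upper=True, digits=True, special=True):
    """Character classes the user selected when generating the password."""
    parts = [string.ascii_lowercase if lower else "",
             string.ascii_uppercase if upper else "",
             string.digits if digits else "",
             string.punctuation if special else ""]
    alphabet = "".join(parts)
    if not alphabet:
        raise ValueError("at least one character class is required")
    return alphabet

def toy_generate_password(unix_time, length=20, **classes):
    """Toy time-seeded generator (assumed, not RoboForm's real code): the whole
    output is a deterministic function of the clock value and the parameters."""
    rng = random.Random(unix_time)          # the clock IS the seed
    alphabet = _alphabet(**classes)
    return "".join(rng.choice(alphabet) for _ in range(length))

def recover_generation_time(target, start, end, **classes):
    """Brute-force the seed over [start, end] (one candidate per second) and
    return the timestamp that reproduces `target`, or None. Candidates are
    rejected at the first mismatching character, so most cost one draw."""
    alphabet = _alphabet(**classes)
    for t in range(start, end + 1):
        rng = random.Random(t)
        for ch in target:
            if rng.choice(alphabet) != ch:
                break
        else:
            return t
    return None

def candidate_count(start, end):
    """Size of the search space: one seed per second in the window."""
    return end - start + 1

if __name__ == "__main__":
    # Constructed scenario: the wallet password was generated at some second on a
    # known day in 2013; the user remembers the day but not the time.
    when = 1366558200                       # a timestamp in April 2013 (constructed)
    password = toy_generate_password(when)
    day_start = when - when % 86400
    print("candidates to try:", candidate_count(day_start, day_start + 86399))
    print("recovered seed:", recover_generation_time(password, day_start, day_start + 86399))
```

A day is 86,400 seeds and a month under 2.7 million, which is exactly the "manageable number" the article refers to; by contrast, a generator seeded from an operating-system CSPRNG gives the attacker nothing to enumerate. The same early-exit trick applies to any deterministic generator whose seed space is small.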