This Week In Security - 02/10/2020
A new study of stolen passwords from the Dark Web has been published.
ID Agent, a Kaseya company, has rummaged through billions of compromised email addresses and passwords found on the Dark Web since the new year. Looking for interesting trends in password behaviour, it discovered that the most popular password is a name, and the name is George.
“Passwords are often deeply personal expressions of oneself, with the goal of making them easier to remember. However, remembering which extension is becoming increasingly difficult in our hyper-digital daily lives. In fact, it is estimated that the average US adult has between 90 and 135 different applications that require a set of credentials (usernames and/or email addresses and password combination) needed for access.”
The most popular passwords included the name “George”, the word “sunshine”, and animals, like “monkey”. The average password was 7.7 characters long, and abcd1234 was the most common keystroke-pattern password.
Hackers are using new techniques to target Ashley Madison users.
Extortion campaigns are very much on the rise. Hackers have crafted a campaign using the data pulled from the infamous Ashley Madison hack of 2015. The so-called “Impact Team”, a hacking group, stole as many as 32 million records from users of the world’s best-known extramarital site. This included names, passwords, addresses, phone numbers, credit card payments, as well as what members were seeking from the affair site.
The emails threaten to share the recipient’s Ashley Madison account with the victim’s friends via email and social media.
The aim of the hackers is to receive a Bitcoin ransom of over one thousand dollars, a demand which isn’t made in the email body itself but is found within a password-protected PDF attachment. The PDF file also includes a QR code at the top, a phishing technique that is an increasingly common tool used to avoid detection by sandboxing technologies and URL scanning.
Several hundred examples of this extortion scam targeted people in the United States, Australia, and India, with more of these extortion scams expected to pop up within the following weeks.
As with most scam and phishing emails, the hackers set a deadline, this time six days, for the Bitcoin payment to be made so that the recipient’s Ashley Madison account data isn’t shared with the public.
TrickBot remains one of the most advanced trojans, using innovative channels to deliver malware.
The TrickBot Trojan has switched to a new Windows 10 UAC bypass to run itself with higher privileges without showing a User Account Control prompt. Windows uses a security feature called User Account Control (UAC), which displays a prompt any time a program attempts to run with administrative rights. The prompt asks the user whether to allow the program to make changes; if the program looks suspicious in any way, the user can prevent it from running.
In order to avoid being detected, cybercriminals will sometimes use a UAC bypass so that the malware in question runs with administrative privilege without ever displaying a UAC prompt or alerting the user at all.
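A defender-side check for the UAC discussion above, added here and not part of the original article: the Windows elevation prompt is governed by a handful of registry values, and many bypasses rely on the default “notify only for non-Windows binaries” level rather than “Always notify”. The key path and value names are the real Windows policy settings; the baseline that treats anything other than “Always notify” as weak is an assumption.

```powershell
# Added example (not from the article): audit the local UAC policy values that
# decide whether an elevation prompt is shown. Run in PowerShell on Windows 10.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key

# Assumed hardened baseline: the "Always notify" slider position.
$expected = @{
    EnableLUA                  = 1   # UAC enabled at all
    ConsentPromptBehaviorAdmin = 2   # 2 = prompt for consent on secure desktop; 5 = Windows default
    PromptOnSecureDesktop      = 1   # prompt shown on the secure desktop, isolated from other processes
}

$findings = foreach ($name in $expected.Keys) {
    $actual = $uac.$name                     # $null if the value is absent
    [pscustomobject]@{
        Setting  = $name
        Actual   = $actual
        Expected = $expected[$name]
        Status   = if ($actual -eq $expected[$name]) { 'OK' } else { 'WEAK' }
    }
}

$findings | Format-Table -AutoSize

if ($findings.Status -contains 'WEAK') {
    Write-Warning 'UAC is below "Always notify"; elevation may occur without a prompt.'
}
```

Values missing from the key fall back to the Windows defaults, so an absent ConsentPromptBehaviorAdmin is reported as WEAK rather than OK.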
“On almost a daily basis, malicious actors reinvent TrickBot and work to find new pathways to deliver the trojan onto user machines,” he said. “This is what makes TrickBot among the most advanced malware delivery vehicles; the constant evolution of methodologies used for delivery.”
TrickBot has new features that go after remote desktop IDs and an update to its password grabber to steal data from OpenSSH and OpenVPN apps.
The new spear-phishing campaign targets US government workers masquerading as a well-known government survey service.
Iranian government-backed cybercriminals are targeting US federal employees in order to compromise US government systems with malware. These hacking attempts have been linked to a cyber-espionage group named APT34, a cybercriminal group that has been active for the past six years and is known to work in the interests of the Iranian government.
The spear-phishing emails mimic Westat surveys. Westat is a well-known US government contractor which manages and administers surveys to more than 80 federal agencies and has done so for more than 16 years.
“Westat understands that in their effort to identify threats and malware, Intezer has identified a malicious file that uses the Westat name and logo,” according to a Westat statement, published Thursday. “This file was not created by, hosted by or sent from Westat, and is likely the result of a bad actor stealing the Westat brand name and logo. Our cybersecurity team is working with Intezer and others to fully understand the nature of this report. We will continue to monitor the situation and respond accordingly.”
Intezer researchers Paul Litvak and Michael Kajilolti said, “The technical analysis of the new malware variants reveals this Iranian government-backed group has invested substantial efforts into upgrading its toolset in an attempt to evade future detection.”