Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2 Million Stolen Passwords Recovered

The stash includes purloined Facebook, Google, Twitter, and Yahoo access credentials. Researchers promise to help people who were affected.

Security researchers have recovered a hacker stash of approximately 2 million access credentials for multiple social media networks, webmail accounts, and other online services.

That disclosure came this week from Trustwave's SpiderLabs, which said it found the information after gaining access to the control panel of a single -- albeit rather large -- instance of a Pony botnet, built using version 1.9 of the botnet software. "With the source code of Pony leaked and in the wild, we continue to see new instances and forks of Pony 1.9," wrote SpiderLab researchers Daniel Chechik and Anat (Fox) Davidi in a blog post.

After gaining access to the Pony botnet's control panel, the researchers found that the botnet's controller -- a.k.a. herder -- had amassed approximately 3,000 remote desktop access credentials, 320,000 email account access credentials, and 41,000 FTP account credentials.

But the stolen credential mother lode was the botnet herder's collection of almost 1.6 million stolen website login credentials, which comprised 326,129 Facebook passwords (or 59% of all recovered stolen passwords), followed by 70,532 passwords for Google (13%), 59,549 for Yahoo (11%), 21,708 for Twitter (4%), and 8,490 LinkedIn (2%).

Also on the list were two Russian-language social networking sites, 9,321 passwords for odnoklassniki.ru (2%) and 6,867 for vk.com (1%), which suggested that many infected PCs were used by Russian language speakers. The bot herder is likely also a Russian speaker, since the Pony control panel's language preference was set to Russian.

[TechAmerica says current laws don't protect us from unreasonable search and seizure. See why it says Electronic Privacy Laws Need An Overhaul.]

The SpiderLabs researchers found that 7,978 of the recovered passwords -- or 1.4% of the haul -- were for payroll service ADP, thus demonstrating attackers' ongoing interest in such services. "Facebook accounts are a nice catch for cyber criminals, but payroll services accounts could actually have direct financial repercussions," they said.

Based on control panel information, researchers determined that the active zombie PCs -- or botnet nodes -- were predominantly located in the Netherlands (97% of machines). But compromised machines appeared to be located in more than 100 countries, including about 860 machines in the United States (0.08%) and 285 in Iran (0.03%). Still, the geolocation of the infected PCs would suggest that the botnet was engaged in a targeted attack against people in the Netherlands.

"Taking a closer look at the IP log files, however, revealed that most of the entries from [the Netherlands] IP range are in fact a single IP address that seems to have functioned as a gateway or reverse proxy between the infected machines and the command-and-control server, which resides in the Netherlands as well," the researchers said.

Using a gateway or reverse-proxy server, however, turns out to be a way for attackers to make their malicious infrastructure more resilient to would-be takedown attempts. "This technique of using a reverse proxy is commonly used by attackers in order to prevent the command-and-control server from being discovered and shut down -- outgoing traffic from an infected machine only shows a connection to the proxy server, which is easily replaceable in case it is taken down," according to the researchers.

(Source: Image courtesy of Flickr user david.nikonvscanon)
(Source: Image courtesy of Flickr user david.nikonvscanon)

SpiderLab's detailing of the recovered Pony botnet password horde has led to calls for the information to be made available. "How about providing a portal to search against the database to see if I -- or people in my company -- are impacted?" read one online comment. "Sharing it with services like shouldIchangemypassword.com? Emailing the victims?"

In response to those requests, the researchers promised they would "responsibly share some of this information with the community," once they figured out how. SpiderLab researcher Chechik tweeted: "We are [intending] to create a page, so users can check whether their account was compromised."

Knowing your enemy is the first step in guarding against him or her. In this Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, we examine the world of cybercriminals -- including their motives, resources and processes -- and recommend what enterprises should do to keep their data and computing systems safe in the face of an ever-growing and ever-more-sophisticated threat. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
LetsTalkPaymnts
50%
50%
LetsTalkPaymnts,
User Rank: Apprentice
12/7/2013 | 3:11:48 AM
Fraud is growing
Even in other sectors like Payments fraud is creating issues http://letstalkpayments.com/fraudsters-make-hay-sun-shines-payment-system-attacks/
Kristin Burnham
50%
50%
Kristin Burnham,
User Rank: Apprentice
12/6/2013 | 9:44:30 AM
Re: Passwords are meaningless without privacy!
Facebook reportedly alerted those users whose account information was stolen (and it probably wouldn't have been that difficult for a hacker gain access anyway: I read that most of the passwords were along the lines of "password" or "123456").
Mathew
50%
50%
Mathew,
User Rank: Apprentice
12/6/2013 | 8:23:14 AM
Re: website logins
Definitely, and to be fair, the company suggested it was working on a range of responses. I'd expect that if it hasn't done so already, it will feed the details to larger online service providers. But for stolen email and FTP credentials, that might not be feasible, if their numbers are too great?
WKash
50%
50%
WKash,
User Rank: Apprentice
12/5/2013 | 11:05:31 PM
Passwords
Another reason why it's time we move beyond passwords to protect our privacy.

 
chrisp114
50%
50%
chrisp114,
User Rank: Apprentice
12/5/2013 | 10:35:46 PM
Passwords are meaningless without privacy!
So what if your facebook account is hacked. Don't you know that facebook is already scanning your information and making it available to other businesses and government? Everyone should consider using privacy-based services such as Ravetree, DuckDuckGo, and HushMail.
mak63
50%
50%
mak63,
User Rank: Apprentice
12/5/2013 | 7:22:36 PM
website logins
We are [intending] to create a page, so users can check whether their account was compromised

Instead of creating a page with almost 1.6 million stolen website logins, isn't it easier to contact the companies involved (Google, FB, Yahoo, etc) so these companies can contact each affected person?

Lorna Garey
50%
50%
Lorna Garey,
User Rank: Ninja
12/5/2013 | 5:48:16 PM
Recovered the right term?
These passwords were detected - "recovery" implies getting the horse back in the barn.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17123
PUBLISHED: 2019-12-13
The eGain Web Email API 11+ allows spoofed messages because the fromName and message fields (to /system/ws/v11/ss/email) are mishandled, as demonstrated by fromName header injection with a %0a or %0d character. (Also, the message parameter can have initial HTML comment characters.)
CVE-2019-19774
PUBLISHED: 2019-12-13
An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential...
CVE-2019-19790
PUBLISHED: 2019-12-13
Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image with extension .BMP, .EXIF, .GIF, .ICON, .JPEG, .PNG, .TIFF, or .WMF on the server through a specially crafted request. NOTE: RadChart was discontinued in 2014 in favor of RadHtmlChart. All...
CVE-2019-19793
PUBLISHED: 2019-12-13
In Cyxtera AppGate SDP Client 4.1.x through 4.3.x before 4.3.2 on Windows, a local or remote user from the same domain can gain privileges.
CVE-2019-19722
PUBLISHED: 2019-12-13
In Dovecot before 2.3.9.2, an attacker can crash a push-notification driver with a crafted email when push notifications are used, because of a NULL Pointer Dereference. The email must use a group address as either the sender or the recipient.