Researchers share a list of passwords that Purple Fox attackers commonly brute force when targeting the SMB protocol.
Weak passwords used over the Windows Server Message Block (SMB) protocol are often part of attacks that result in the spread of Purple Fox malware, Specops researchers report.
Purple Fox, first detected in 2018, is a malware campaign that targets Windows machines. Until recently, its operators used phishing emails and various privilege escalation exploits to target Internet Explorer and Windows devices. However, in late 2020 and early 2021, a new infection vector began to infect Internet-facing Windows devices through SMB password brute force.
While Purple Fox's functionality didn't change post-exploitation, its distribution method caught the eye of Guardicore researchers. The team observing Purple Fox describes a "hodge-podge" of vulnerable and compromised machines hosting the initial payload, infected devices serving as nodes of worm campaigns, and server infrastructure believed to be related to other malware campaigns.
There are multiple ways Purple Fox can start spreading. In some attacks, the worm payload is executed after a target is compromised through an exposed service, such as an SMB; these services are targeted with weak passwords and hashes. In other attacks, the worm is sent through a phishing email that exploits a browser vulnerability.
Researchers with Specops created a global honeypot system to collect information on what these SMB attacks look like and the kind of passwords attackers are using. The team analyzed more than 250,000 attacks on the SMB protocol over a period of 30 days. In that time, "password" was seen used in attacks more than 640 times, they report.
"Password" was only the third most-common password used in these attacks. Most popular was "123," followed by "Aa123456." They also frequently tried "1qaz2wsx," "abc123," "password1," "welcome," "888888," and "112233."
Read the full list here.
About the Author(s)
You May Also Like
Unleash the Power of Gen AI for Application Development, Securely
March 19, 2024The Anatomy of a Ransomware Attack, Revealed
March 20, 2024How To Optimize and Accelerate Cybersecurity Initiatives for Your Business
March 26, 2024Building a Modern Endpoint Strategy for 2024 and Beyond
March 27, 2024Building a Modern Endpoint Strategy for 2024 and Beyond
March 27, 2024