Unidentified malware stole personal information from 3 million PCs

Hackers steal 26 MILLION logins for Amazon, Apple, Facebook and other tech giants after targeting PCs and making off with payment information from three million devices in latest major security breach

  • Researchers discovered an unidentified malware that created a 1.2TB database of personal records stolen from 3.25 million PCs
  • Cybersecurity provider NordLocker discovered the malware database, which includes 26 million login credentials
  • The information was collected by the malware between 2018 and 2020
  • The news comes amid a spike in cybersecurity and ransomware attacks, such as the infamous hacks affecting JBS and Colonial Pipeline

Hackers have stolen 26 million user logins for tech giants including Amazon, Apple, Facebook as well as vital payment information in the latest online security breach.

The malware hack, exposed by cybersecurity provider NordLocker, also saw payment details nabbed from 3.25 million computers that run Windows software. It was uncovered after researchers discovered a 1.2 terabyte database filled with stolen personal information. 

The other firms whose accounts were targeted include eBay, Instagram, Netflix, Paypal, Roblox, Steam, Twitch and Twitter. Victims’ computers were infected by opening emails or downloading bootleg software, which enabled the malware to take screenshots of their browsing activity – including private login details.

According to a report released by NordLocker on Wednesday, an unidentified, Trojan-type malware stole the files, including 26 million login credentials, between 2018 and 2020. It saw victims’ webcams taken over by the malware, which then took screenshots as people used their computers to reveal personal information. 

It remains unclear if any of that data was then used to scam or defraud its rightful owners. People who fear they may have been targeted can visit the website haveibeenpwned and insert their details to find out. 

The news comes amid a spike in cybersecurity and ransomware attacks affecting major American companies – one that crippled a key pipeline along the East Coast, affecting gasoline supplies and leading to shortages at filling stations. Another shut down beef plants of the world’s largest meat producer. 

As for NordLocker and the huge cache of stolen data it found, the company said: ‘We want to make it clear: we did not purchase this database nor would we condone other parties doing it. A hacker group revealed the database location accidentally.’

An unidentified, Trojan-type malware stole 1.2 terabytes of personal information from 3.25 million Windows-based computers, between 2018 and 2020

The mystery malware that stole information from over three million PCs has not been identified and its reasons for existing are unknown.

NordLocker found that the malware was transmitted through email and illegal software, including bootlegged versions of Adobe Photoshop 2018 and a number of computer games.

The stolen data includes 26 million sets of login credentials for common online services, including Amazon, Apple,

The database also contains 2 billion session cookies, or online footprints that hackers use to view their targets’ behaviors and habits on their computer.

Lastly, it contains 6.6 million desktop files, including 1 million images and 650,000 Word and .pdf files. 

NordLocker explained that, after infecting its host computers, the malware took screenshots using their webcams and assigned unique IDs to each set of stolen data to sort it according to where it came from.

Security experts said people could check the ‘have i been pwned?’ website, whose name is a play on ‘owned’, to see whether their data might have been compromised. The site compiles data breach information.
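The article twice points readers at Have I Been Pwned. The following is an added example, not code from the article or from the Have I Been Pwned service, showing how its Pwned Passwords range check can be run without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and matches the returned list of suffixes locally (the k-anonymity model the real service uses; the `api.pwnedpasswords.com/range/` endpoint is real, but the response body below is a constructed sample and its counts are made up).

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for the prefix "5BAA6": one line per
# suffix, "<35-hex-chars>:<count>". The first suffix is the tail of
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts and
# the other suffixes are made up for this example.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
2A0B53F2C3C9D0E1F4A5B6C7D8E9F0A1B2C:12
"""


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped, not fatal."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            continue
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count_from_body(password: str, body: str) -> int:
    """Match the local suffix against a range response; 0 means not in the list."""
    _, suffix = split_sha1(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (not used by the offline demo): only the 5-char prefix leaves the machine."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str) -> int:
    """Online version of the check, combining fetch_range and the local match."""
    prefix, _ = split_sha1(password)
    return breach_count_from_body(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demo against the constructed sample response.
    for pw in ("password", "correct horse battery staple"):
        n = breach_count_from_body(pw, SAMPLE_RANGE_BODY)
        print(f"{pw!r}: seen {n} times in the sample range response")
```

A non-zero count means the password appears in known breach corpora and should be retired regardless of which account it was used for; the design point is that the service never learns the full hash, let alone the password.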

On Wednesday, the same day NordLocker released its study, it was revealed that beef supplier JBS paid an $11 million ransom in Bitcoin to hackers who compromised its systems, forcing them to shut down multiple meat processing plants.

Meanwhile, U.S. officials said this week the Department of Justice would now investigate cyberattacks on the same level as terrorism. 

JBS, which supplies 20 per cent of all beef and pork in the US, received a demand from ‘a criminal organization likely based in Russia’ following the attack that has affected its operations in Australia and North America, White House spokeswoman Karine Jean-Pierre said. 

Andre Nogueira, the CEO for the Brazilian company’s United States division, told The Wall Street Journal in an interview that the payment was made after most JBS plants were already up and running again as ‘insurance to protect our customers.’

Regarding the hack, JBS wrote: ‘The FBI stated this is one of the most specialized and sophisticated cybercriminal groups in the world.’

The meat supplier claimed that it was able ‘to quickly resolve the issues’ because of the company’s cybersecurity protocols, redundant systems and encrypted backup servers. JBS spends more than $200 million annually on information technology and employs more than 850 IT professionals globally, according to the release.

America’s largest beef supplier JBS recently paid an $11 million ransom in Bitcoin to the hackers who shut down its plants in the United States

Last month, the major gasoline transporter Colonial Pipeline also suffered a ransomware attack and paid about $4.4 million in bitcoin to the hacking group DarkSide. The Justice Department on Monday recovered some $2.3 million in cryptocurrency ransom paid by Colonial Pipeline, Reuters reported.

Colonial Pipeline was the target of a huge cyber attack early last month, which halted 2.5 million barrels per day of fuel shipments along the line running from Texas to New Jersey.

Officials labeled it the most disruptive cyberattack on US energy infrastructure in history.

DarkSide hackers were able to breach Colonial Pipeline’s computer system last month using a single compromised password, according to testimony from the company’s top executive and revelations from a cybersecurity expert.

Colonial Pipeline CEO Joseph Blount appeared before the Senate Homeland Security Committee on Tuesday to discuss the May 7 ransomware attack that caused widespread fuel shortages and panic buying.

He admitted the attack occurred using a legacy Virtual Private Network (VPN) system that did not have multifactor authentication in place, meaning it hinged on a single password.

Most major companies require two-factor across all internal applications. The use of a single factor login system, security experts say, is generally viewed as a sign of poor cybersecurity ‘hygiene.’
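To make concrete why a single-factor login ‘hinges on a single password’, here is an added example (not code from the article, Colonial Pipeline or any named vendor) of what the second factor adds: a minimal RFC 4226/6238 HOTP/TOTP implementation and a login check that requires both a password and a time-based code. The shared secret is the ASCII string from the RFC test vectors so the codes can be checked against published values; the demo user and its password are constructed.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict

TIME_STEP = 30          # seconds per TOTP window (RFC 6238 default)
DIGITS = 6
PBKDF2_ROUNDS = 100_000

# Shared secret from the RFC 4226 / RFC 6238 test vectors ("12345678901234567890"),
# used only so the generated codes can be compared with the published vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    counter = now // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str, totp_secret: bytes) -> Dict[str, bytes]:
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def authenticate(user: Dict[str, bytes], password: str, code: str, now: int,
                 require_mfa: bool = True) -> bool:
    """Both factors must verify; with require_mfa=False the check collapses to the password alone."""
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    if not require_mfa:
        return pw_ok
    return pw_ok and verify_totp(user["totp_secret"], code, now)


# Constructed demo user; the password stands in for a credential an attacker already holds.
DEMO_USER = make_user("Spring2021!", RFC_TEST_SECRET)


def demo(now: int = 59) -> Dict[str, bool]:
    """Outcomes of the same stolen password against a legacy and an MFA-enforced login."""
    good = totp(RFC_TEST_SECRET, now)
    return {
        "password_only_legacy": authenticate(DEMO_USER, "Spring2021!", "", now, require_mfa=False),
        "password_without_code": authenticate(DEMO_USER, "Spring2021!", "", now),
        "password_with_wrong_code": authenticate(DEMO_USER, "Spring2021!", "000000", now),
        "password_with_code": authenticate(DEMO_USER, "Spring2021!", good, now),
        "wrong_password_with_code": authenticate(DEMO_USER, "wrong", good, now),
    }


if __name__ == "__main__":
    for name, ok in demo(int(time.time())).items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The `password_only_legacy` row is the situation the testimony describes: once the password is known, nothing else is asked. With MFA enforced, the same password is rejected unless the caller also holds the current code derived from a secret that never travelled with the password.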

Colonial Pipeline was the target of a huge cyber attack early last month because its Virtual Private Network (VPN) system hinged on a single password used by all of its staff. 

But Colonial Pipeline wasn’t the only target. The DarkSide hackers that closed the Colonial Pipeline have bagged more than $90 million in Bitcoin ransom payments from 47 victims and have infected at least 99 companies in the last year.

Blockchain analytics firm Elliptic said DarkSide’s Bitcoin wallet received millions of dollars worth of ransom payments in the nine months between October last year and last week when the wallet shut down.

Roughly half of all organizations targeted by the cybercriminal gang paid ransom money with the average payment being around $1.9 million, Elliptic said.

Dark web intelligence firm DarkTracer has identified 99 organizations that were infected with Darkside including fashion label Guess and car firm Toshiba. It is not clear which companies paid the hackers ransom money. 

Malware is harmful software that can arrive either attached to an email or bundled with illegally distributed programs. Malware is an umbrella term that includes commonly known computer viruses, ransomware used to extort its victims and backdoor malware that gives hackers access to a host computer at any time.

Justice Department plans to investigate cyberattacks on same level as terrorism

The U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism in the wake of the Colonial Pipeline hack and mounting damage caused by cyber criminals, a senior department official told Reuters.

Internal guidance sent on Thursday to U.S. attorney’s offices across the country said information about ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.

The letter was sent to Deputy Attorney General Lisa Monaco and was titled ‘Guidance Regarding Investigations and Cases Related to Ransomware and Digital Extortion,’ according to Cyber Scoop News which obtained a copy of the letter.

‘Recent ransomware attacks – including the attack last month on Colonial Pipeline – underscore the growing threat that ransomware and digital extortion pose to the Nation, and the destructive and devastating consequences ransomware attacks can have on critical infrastructure,’ Monaco wrote in the letter.

‘A central goal of the recently launched Ransomware and Digital Extortion Task Force is to ensure that we bring to bear the full authorities and resources of the Department in confronting the many dimensions and root causes of this threat.’

The guidance added: ‘To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking.’

John Carlin, acting deputy attorney general at the Justice Department, told Reuters that the guidelines are ‘a specialized process to ensure we track all ransomware cases regardless of where it may be referred in this country, so you can make the connections between actors and work your way up to disrupt the whole chain.’

Last month, a cyber criminal group that U.S. authorities said operates from Russia penetrated a pipeline operator on the U.S. East Coast, locking its systems and demanding a ransom. The hack caused a shutdown lasting several days and led to a spike in gas prices, panic buying and localized fuel shortages in the southeast.

Colonial Pipeline decided to pay the hackers who invaded their systems nearly $5 million to regain access, the company said.

The Justice Department’s decision to push ransomware into this special process illustrates how the issue is being prioritized, U.S. officials said.

‘We’ve used this model around terrorism before but never with ransomware,’ said Carlin. The process has typically been reserved for a short list of topics, including national security cases, legal experts said.

In practice, it means that investigators in U.S. attorney’s offices handling ransomware attacks will be expected to share both updated case details and active technical information with leaders in Washington.

Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, tweeted about the news on Thursday.

‘This is a positive indication that we’re getting serious about stopping ransomware. Much more needs to be done, but directional shifts are a good thing,’ he tweeted.

Krebs explained how the ransomware situation in the United States has worsened, calling the attacks ‘a profitable business model with low barriers to entry’ and noting that there have been ‘no meaningful consequences against the criminals or their hosts to date.’

He also asserted that the security posture of businesses makes it ‘too easy for the bad guys’ while speculating that the Russian government allows ransomware groups to flourish because it ‘builds a cyber workforce they can call on later’ and ‘creates well-paying jobs’ keeping the country’s residents ‘off the streets.’

Krebs noted that ransomware attacks also ‘undermine confidence in western citizenry’ in their government’s ability to defend them.

The former federal official said he reviewed a letter from the Deputy National Security Advisor, in which Krebs said a number of things stood out – including that the government is considering ‘all companies are in play’ and could be ransomware targets.

Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, tweeted that the news shows officials are taking the threats seriously

He tweeted that he ‘can’t recall a letter like this’ from a senior National Security official in the White House.

Krebs said that the government is considering ‘all companies are in play’ as ransomware is opportunistic and that it is a risk for business disruption, not just theft.

The cybersecurity expert called on government officials to ‘use various tools of national power to lay down consequences on criminals and the countries that enable them’ and to make it harder to use cryptocurrency for payments.

The White House warned corporate executives and business leaders on Thursday to step up security measures to protect against ransomware attacks after intrusions disrupted operations at a major meatpacking company.

Anne Neuberger, cybersecurity adviser at the National Security Council, said in a letter that there has been a significant hike in the frequency and size of ransomware attacks.

‘The threats are serious and they are increasing. We urge you to take these critical steps to protect your organizations and the American public,’ she added.

The recent cyberattacks have forced companies to see ransomware as a threat to core business operations and not just data theft, as ransomware attacks have shifted from stealing to disrupting operations, she said.

Strengthening the country’s resilience to cyberattacks was one of President Joe Biden’s top priorities, the White House has said.

‘But we can’t do it alone,’ White House press secretary Jen Psaki said on Thursday. ‘Business leaders have a responsibility to strengthen their cyber defenses to protect the American public and our economy.’

No company, large or small, is safe from ransomware attacks, Neuberger told the business community.

The letter came after a major meatpacker resumed U.S. operations on Wednesday following a ransomware attack that disrupted meat production in North America and Australia.

A Russia-linked hacking group that goes by the name of REvil and Sodinokibi was behind the cyberattack against JBS SA, a source familiar with the matter told Reuters.

The cyberattack followed one last month by a group with ties to Russia on Colonial Pipeline, the largest fuel pipeline in the United States, which crippled fuel delivery for several days in the U.S. Southeast.

Biden believes Russian President Vladimir Putin has a role to play in preventing these attacks and planned to bring up the issue during their summit this month, Psaki said.

Neuberger’s letter outlined immediate steps companies can take to protect themselves from ransomware attacks, which can have ripple effects far beyond the company and its customers.

Those include best practices such as multifactor authentication, endpoint detection and response, encryption and a skilled security team. Companies should back up data and regularly test systems, as well as update and patch systems promptly.

Neuberger advised that companies test incident response plans and use a third party to test the security team’s work.

She said it was critical that corporate business functions and production operations be run on separate networks.