Russian Criminals Amass Massive Stolen Password Cache


A Russian cybercriminal gang has accumulated a massive password cache and is using it to support its spam distribution operation, according to Hold Security, a Milwaukee-based security firm that uncovered a similar database at the core of the Adobe Systems breach last year.

The enormous stockpile of data consisted of 4.5 billion records pilfered through long-running automated attack campaigns against hundreds of thousands of websites, driven by botnets built to find vulnerable websites and FTP servers, said Alex Holden, founder and chief information security officer of Hold Security, in an announcement Tuesday on the company's website. The firm's analysis of the cache uncovered 1.2 billion unique credentials belonging to more than 500 million email addresses.

"The sheer number of credentials can potentially open a door to many systems and accounts," Holden said in the announcement.


News of the stolen credential cache, first reported by The New York Times on Tuesday afternoon, is being widely discussed among attendees at the 2014 Black Hat USA conference in Las Vegas this week. The conference has several sessions exploring authentication weaknesses and potential alternatives to the common username-and-password login, including a Bluetooth-enabled smart bracelet for credential management.

Penetration testers and malware experts at the event are privately questioning the timing of the announcement and hesitate to call the find a serious concern, since the attackers appear to be using common methods, and servers holding stolen data, including usernames and passwords, are uncovered frequently. Stolen credentials figure in more than 90 percent of data breaches and have risen significantly in value on the black market. They were used by attackers buying fraudulent tickets in the StubHub breach last month, and stolen employee credentials led to the eBay breach in May that affected 145 million users.

Security researchers identify and monitor attack groups over extended periods of time to identify ongoing attack campaigns, document their methods and analyze the source of stolen information to warn victim organizations of a potential compromise, said Brett Stone-Gross, a security researcher at Dell SecureWorks' Counter Threat Unit. Stone-Gross, who worked with law enforcement in building a case to bring down the dangerous Gameover Zeus botnet, said valuable information is gleaned by monitoring the activity of cybercriminal groups, rather than shutting them down.

"An attack group doesn't have to be well-known or huge in scale to be a dangerous threat," he said. "When law enforcement steps in, there's been enough financial damage to build a case to take out a group and enough knowledge about the infrastructure to seriously damage the operation." 

Hold Security calls the group CyberVor ("vor" is Russian for thief), and while the stolen information is so far only supporting the group's spam operation, security and risk management experts told CRN that the credentials could provide the means to gain a foothold in corporate networks and conduct more serious attacks.

A credentialed attack gives criminals easy access to a corporate laptop to set up a staging ground and then pivot to more sensitive systems, said Rick Darkin, co-founder and CEO of Coalfire Systems. Darkin said the stolen password cache highlights how the early stages of all attacks are conducted. If the cache contained administrative passwords, criminals would have an even easier way to gain access to a variety of sensitive systems, he said.

"Web vulnerabilities have been exposing more and more passwords and personal information that is consistently being used in both widescale, relatively unsophisticated, attacks and advanced, targeted campaigns," Darkin said. "This hasn't been glamorous to report on during breaches because it is the early phase of the kill chain."

The automated campaign exploited SQL injection flaws in websites, a common coding error that lets an attacker pass SQL through unsanitized input and read the database behind the site, including stored account credentials. The list of affected websites ranges from those maintained by large businesses to small and personal blogs, highlighting the long-standing problem of maintaining websites and patching common vulnerabilities.
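To make the vector concrete, the following is an added example written for this article, not code from Hold Security, CRN or any site in the CyberVor data set. It runs a SQL-injectable account lookup against an in-memory SQLite table and shows how one crafted input dumps every stored credential, then runs the same input through the parameterized version of the query. The table name, columns, sample users, placeholder hashes and the payload are all constructed for the demonstration.

```python
"""Added example: a SQL-injectable account lookup beside its parameterized
fix, run against an in-memory SQLite database. Illustrative code written for
this article; the 'users' table, its rows and the payload are constructed."""
import sqlite3

# Constructed sample data resembling the kind of table such a campaign would
# pull credentials from. The hashes are placeholders, not real bcrypt output.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "$2b$12$placeholderhashA"),
    ("bob", "bob@example.com", "$2b$12$placeholderhashB"),
    ("carol", "carol@example.com", "$2b$12$placeholderhashC"),
]


def make_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_profile_lookup(conn, username):
    """Builds the query by string concatenation: the classic injectable
    pattern. It is meant to return only the requested user's email."""
    query = (
        "SELECT username, email FROM users WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def safe_profile_lookup(conn, username):
    """Same lookup with a bound parameter: the input is treated as data and
    is never parsed as SQL, so the injection below returns nothing."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Attacker-controlled value (constructed for the demo): closes the string
# literal, appends a UNION that selects every stored credential, and uses
# '--' to comment out the trailing quote the application adds.
DUMP_PAYLOAD = "x' UNION SELECT username, password_hash FROM users --"


def demo():
    """Run the payload through both lookups and return (leaked, safe)."""
    conn = make_db()
    leaked = vulnerable_profile_lookup(conn, DUMP_PAYLOAD)
    safe = safe_profile_lookup(conn, DUMP_PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked_rows, safe_rows = demo()
    print("vulnerable query returned:", leaked_rows)
    print("parameterized query returned:", safe_rows)
```

The vulnerable function returns every username and password hash in the table from a single request; the parameterized one returns an empty result because no account is literally named after the payload. Against a real site the attacker's bot would iterate this over the discovered injection point and page through the result set, which is how a campaign like the one described above accumulates credentials at scale.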

PUBLISHED AUG. 6, 2014