
Redline Malware Stealing Web Browser Stored Credentials


The RedLine malware steals information from popular internet browsers such as Chrome, Edge, and Opera, highlighting why saving passwords in browsers is a terrible idea. 

This malware is a commodity information-stealer that can be obtained on cyber-crime websites for around $200 and deployed with very little understanding or effort. 

A new analysis by AhnLab ASEC cautions that the convenience of the auto-login function in web browsers has become a significant security problem, affecting both enterprises and individuals. 

In one case described by the analysts, a remote employee lost their VPN account credentials to RedLine Stealer operators, who used the information three months later to break into the company's network. 

Although an anti-malware program was installed on the affected computer, it was unable to detect or remove RedLine Stealer. The malware targets the 'Login Data' file, which every Chromium-based browser profile contains and which is an SQLite database holding saved usernames and passwords. 

Although Chromium-based browsers encrypt this password store, information-stealing malware can decrypt it programmatically as long as it runs as the same Windows user. Because RedLine executes in the context of the infected user, it can recover the passwords from that user's browser profile. 

"Google Chrome encrypts the password with the help of CryptProtectData function, built into Windows. Now while this can be a very secure function using a triple-DES algorithm and creating user-specific keys to encrypt the data, it can still be decrypted as long as you are logged into the same account as the user who encrypted it," explains the author of the 'chrome_password_grabber' project. 

"The CryptProtectData function has a twin, who does the opposite to it; CryptUnprotectData, which... well you guessed it, decrypts the data. And obviously, this is going to be very useful in trying to decrypt the stored passwords." 
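The practical consequence for defenders is that the decryption itself looks like legitimate user activity, so detection has to focus on who is reading the credential store rather than on the DPAPI call. The following is an added example (not code from the original post, from AhnLab, or from the chrome_password_grabber project) that scans constructed Sysmon-style file-access events and flags any process other than a known browser touching a 'Login Data' file. The event field names and the browser allowlist are assumptions made for the example.

```python
"""Flag non-browser processes reading Chromium 'Login Data' credential stores.

Added example, not from the original post. Events are constructed to resemble
endpoint file-access telemetry; the field names (UtcTime, Image, User,
TargetFilename) are an assumption, not a specific product's schema.
"""
import re
from typing import Dict, List

# Every Chromium-based browser keeps the store at
# <browser dir>\User Data\<Profile>\Login Data (the file the post names).
# Newer builds also use 'Login Data For Account'; SQLite may add '-journal'.
LOGIN_DATA_RE = re.compile(
    r"\\User Data\\[^\\]+\\Login Data(?: For Account)?(?:-journal)?$",
    re.IGNORECASE,
)

# Processes that legitimately open their own credential store (assumed
# allowlist for the example; extend it to the browsers deployed in your fleet).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe", "vivaldi.exe"}


def is_login_data_path(path: str) -> bool:
    """True if the path points at a Chromium Login Data file (or its journal)."""
    return bool(LOGIN_DATA_RE.search(path))


def image_name(image_path: str) -> str:
    """Return the lower-cased executable name from a full image path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_access(events: List[Dict]) -> List[Dict]:
    """Return the events where a non-browser process read a Login Data file."""
    hits = []
    for ev in events:
        target = ev.get("TargetFilename", "")
        if not is_login_data_path(target):
            continue
        if image_name(ev.get("Image", "")) in BROWSER_IMAGES:
            continue  # the browser reading its own store is expected
        hits.append(
            {
                "time": ev.get("UtcTime"),
                "image": ev.get("Image"),
                "user": ev.get("User"),
                "file": target,
            }
        )
    return hits


# Constructed sample events (not real telemetry). Two are benign browser
# reads, one is an unrelated document, two are what a stealer running as the
# logged-in user would look like.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-01-10 09:01:02", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"UtcTime": "2022-01-10 09:03:17", "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"UtcTime": "2022-01-10 09:04:40", "User": "CORP\\alice",
     "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Profile 1\\Login Data"},
    {"UtcTime": "2022-01-10 09:05:05", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"},
    {"UtcTime": "2022-01-10 09:06:59", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Profile 1\\Login Data-journal"},
]


if __name__ == "__main__":
    for hit in find_suspicious_access(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['user']} {hit['image']} -> {hit['file']}")
```

Note that stealers commonly copy the database to a temporary path before opening it, so the file-create event for the copy, not just the read, is worth alerting on, and the rule only covers the profile paths it knows about. The control that removes the exposure entirely is the one the post argues for: keep credentials out of the browser store and put MFA on remote-access accounts such as the VPN in the AhnLab case.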

Even if users decline to save their credentials in the browser, the password management system will nonetheless add an entry indicating that the specific site is "blacklisted." 

While the attackers may not have obtained the credentials for such a "blacklisted" site, the entry still tells them that an account exists there, allowing them to attempt credential stuffing or social engineering/phishing attacks. 
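To see what that "blacklisted" record looks like from the defender's side, here is an added self-audit script (not from the original post or from any browser vendor). It opens a Login Data database read-only, lists the sites that have a saved credential and the sites that only carry a never-save marker, and never touches or decrypts the password_value column. The schema it creates is a constructed minimal subset of Chromium's real 'logins' table (signon_realm and blacklisted_by_user are genuine column names), so the example runs offline on a temporary file.

```python
"""Audit a Chromium 'Login Data' store: saved credentials vs. declined sites.

Added example, not from the original post. The constructed table mirrors the
columns the audit needs from Chromium's real 'logins' table; other columns
are omitted. Password values are never read.
"""
import os
import sqlite3
import tempfile
from typing import Dict, List


def audit_login_data(db_path: str) -> Dict[str, List[str]]:
    """Return {'saved': [realms with a stored credential],
               'declined': [realms the user told the browser never to save]}."""
    # Open read-only so an audit can never modify the live profile.
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = conn.execute(
            "SELECT signon_realm, blacklisted_by_user FROM logins ORDER BY rowid"
        ).fetchall()
    finally:
        conn.close()
    report: Dict[str, List[str]] = {"saved": [], "declined": []}
    for realm, blacklisted in rows:
        # A row with blacklisted_by_user = 1 holds no credential, but it still
        # records that the user has an account at that site.
        report["declined" if blacklisted else "saved"].append(realm)
    return report


def make_sample_store(path: str) -> str:
    """Create a constructed Login Data file with two saved and one declined site."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE logins ("
        "origin_url TEXT, signon_realm TEXT, username_value TEXT, "
        "password_value BLOB, blacklisted_by_user INTEGER)"
    )
    # password_value is an opaque placeholder; real stores hold DPAPI ciphertext.
    conn.executemany(
        "INSERT INTO logins VALUES (?, ?, ?, ?, ?)",
        [
            ("https://mail.example.test/login", "https://mail.example.test/", "alice", b"opaque", 0),
            ("https://vpn.example.test/", "https://vpn.example.test/", "alice", b"opaque", 0),
            ("https://bank.example.test/", "https://bank.example.test/", "", b"", 1),
        ],
    )
    conn.commit()
    conn.close()
    return path


def demo() -> Dict[str, List[str]]:
    """Build the sample store in a temp directory, audit it, and clean up."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "Login Data")
    try:
        make_sample_store(path)
        return audit_login_data(path)
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    result = demo()
    print("Sites with a saved credential:", result["saved"])
    print("Sites recorded as declined:   ", result["declined"])
```

Run against a real profile (copy the file first; the browser holds a lock on the live one), the "declined" list is exactly the information the post says a stealer still obtains even when the user refused to save the password. Clearing those entries and disabling the built-in manager through browser policy, for example Chrome's PasswordManagerEnabled policy, removes both halves of the exposure.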

Threat actors either utilize the obtained credentials in subsequent assaults or attempt to monetize them by selling them on darknet marketplaces. 

The emergence of the '2easy' dark web marketplace, where 50% of all traded data was harvested by this malware, illustrates how popular RedLine has become among cyber-criminals.

Russian Intelligence Attempts to Crack Tor Anonymous Web Browser

A Russian intelligence contractor that was itself breached by cybercriminals has been found to have been attempting to crack 'Tor', the anonymous web browser used by people who wish to evade government surveillance and reach the dark web. It is unclear how effective the attempt was, however, because the method relied largely on luck to match Tor users to their activity.

According to the BBC's findings, the contractor, which is well known in Russia, is also working on various other secret projects.

SyTech, a contractor for Russia's Federal Security Service (FSB), suffered a massive data breach in which hackers gained illicit access to around 7.5 terabytes of data, including details of its projects.

The hackers, a group named 0v1ru$, gained illegal access to the company on 13 July and replaced its homepage with a smug smiley face.

To crack Tor, SyTech used a project called Nautilus-S, which required it to become an active participant in the Tor network itself.

Whenever a user connects to Tor, that use of the browser is visible to the internet service provider, which can later hand the data to the FSB or another state authority on request.

Commenting on the viability of SyTech's attempt to crack Tor, a spokesperson for the Tor project said, "Although malicious exit nodes would see a fraction of the traffic exiting the network, by design, this would not be enough to deanonymize Tor users."

"Large-scale effective traffic correlation would take a much larger view of the network, and we don't see that happening here," he added.