Attackers Test Weak Passwords in Purple Fox Malware Attacks


Researchers share a database of passwords that Purple Fox attackers commonly brute-force when targeting the SMB protocol.

Weak passwords used over the Windows Server Message Block (SMB) protocol are often part of attacks that result in the spread of Purple Fox malware, Specops researchers report.

Purple Fox, first detected in 2018, is a malware campaign that targets Windows machines. Until recently, its operators used phishing emails and various privilege escalation exploits to target Internet Explorer and Windows devices. However, in late 2020 and early 2021, a new infection vector began to infect Internet-facing Windows devices through SMB password brute force.

While Purple Fox's post-exploitation functionality didn't change, its distribution method caught the eye of Guardicore researchers. The team observing Purple Fox describes a "hodge-podge" of vulnerable and compromised machines hosting the initial payload, infected devices serving as nodes of worm campaigns, and server infrastructure believed to be related to other malware campaigns.

There are multiple ways Purple Fox can start spreading. In some attacks, the worm payload is executed after a target is compromised through an exposed service, such as SMB; these services are targeted with weak passwords and hashes. In other attacks, the worm is sent through a phishing email that exploits a browser vulnerability.

Researchers with Specops also say they created a global honeypot system to collect information on what these SMB attacks look like and the kind of passwords attackers are using. The team analyzed more than 250,000 attacks on the SMB protocol over a period of 30 days. In that time, "password" was seen used in attacks more than 640 times, they report.

"Password" was only the third most-common password used in these attacks. Most popular was "123," followed by "Aa123456." They also often tried "1qaz2wsx," "abc123," "password1," "welcome," "888888," and "112233."
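The two defender-side questions raised above, which passwords an SMB brute-force campaign tries and which sources are hammering the service, can both be answered from an authentication log. The following is an added example, not code from Specops, Guardicore or the Purple Fox research; it assumes a hypothetical honeypot log format (`<timestamp> src=<ip> user=<name> pass=<attempt> result=<FAIL|OK>`) and uses constructed sample lines whose password guesses mirror the ones the article lists. It tallies attempted passwords the way the 30-day honeypot analysis did and flags any source that exceeds a failure threshold inside a sliding time window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical SMB honeypot log format (not a real product's format).
# Timestamps are UTC; source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2021-04-01T10:00:01Z src=203.0.113.5 user=administrator pass=123 result=FAIL
2021-04-01T10:00:02Z src=203.0.113.5 user=administrator pass=Aa123456 result=FAIL
2021-04-01T10:00:03Z src=203.0.113.5 user=administrator pass=password result=FAIL
2021-04-01T10:00:04Z src=203.0.113.5 user=administrator pass=1qaz2wsx result=FAIL
2021-04-01T10:00:05Z src=203.0.113.5 user=administrator pass=abc123 result=FAIL
2021-04-01T10:00:06Z src=203.0.113.5 user=admin pass=password1 result=FAIL
2021-04-01T10:00:07Z src=203.0.113.5 user=admin pass=welcome result=FAIL
2021-04-01T10:05:00Z src=198.51.100.7 user=backup pass=123 result=FAIL
2021-04-01T10:20:00Z src=198.51.100.7 user=backup pass=888888 result=FAIL
2021-04-01T11:00:00Z src=192.0.2.9 user=jdoe pass=112233 result=FAIL
2021-04-01T11:00:30Z src=192.0.2.9 user=jdoe pass=123 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<res>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that don't match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def top_passwords(events, n=3):
    """Most frequently attempted passwords among failed logons, as (password, count) pairs."""
    return Counter(e["pw"] for e in events if e["res"] == "FAIL").most_common(n)


def brute_force_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source: peak_failures} for sources with >= threshold failures in any window.

    A sliding window over each source's sorted failure timestamps keeps this O(n) per source
    and avoids the fixed-bucket problem where a burst straddling two buckets goes unnoticed.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["res"] == "FAIL":
            by_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("Top attempted passwords:", top_passwords(evts))
    print("Brute-force sources:", brute_force_sources(evts))
```

On the constructed data only `203.0.113.5` is flagged (seven failures in six seconds); the two slower sources stay under the threshold, which is the trade-off to tune: a low-and-slow campaign spreading guesses over hours needs a longer window or a per-account view rather than a per-source one. The password tally is the part that matters for policy, since every guess in the sample would be caught by a deny list seeded with the entries the article names.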

Read the full list here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.
