117 Million LinkedIn Passwords For Sale

This week, we hear about the LinkedIn data breach and the Furtim malware, as well as this week's Top 20 malicious IP addresses.

Breach

117 Million LinkedIn Passwords for Sale

LinkedIn’s 2012 data breach—in which a Russian hacker posted the account login details of over 6 million users online—appears to have been much more widespread than originally reported. Four years later, a hacker nicknamed “Peace” is selling a database of 117 million emails and decrypted passwords on Dark Web marketplace “TheRealDeal” for 5 Bitcoins (approx. $2,200). Troy Hunt, an independent researcher who operates the “Have I Been Pwned” site, confirmed that the leaked credentials were legitimate after reaching out to some of the victims.

A LinkedIn spokesperson stated that the company is investigating the matter. In 2015, LinkedIn settled a class-action lawsuit over the 2012 breach, paying $50 to each of the US victims for a total of $1.25 million; it could therefore be required to pay millions of dollars more to the newly exposed victims.

References: Hacker Puts Up 167 Million LinkedIn Passwords for Sale | Millions of Hacked LinkedIn IDs Advertised "For Sale" | Another Day, Another Hack: 117 Million LinkedIn Emails and Passwords

Mitigation Strategies:

Malware

Paranoid Malware Furtim Carefully Selects Its Targets

A new malware, dubbed “the paranoid malware,” was recently discovered by @hFireFox after it evaded 56 anti-virus programs. The developers of Furtim—the name is Latin for “stealthy”—make evading security detection their top priority. Before installing, Furtim checks the targeted machine for security products and for virtualized or sandboxed environments, and aborts installation if any are found. The list of security items it checks for tops 400, and the malware also blocks 250 security-related websites.

Once Furtim determines that it can proceed with installation, the malware continues to earn its “paranoid” nickname. Yotam Gottesman, senior security researcher at enSilo, explained that Furtim collects unique information from each targeted machine and sends it to a specific server, where it is stored; this ensures that the payload is delivered to a given machine only once. According to Gottesman, this is perhaps a tactic to keep security researchers from collecting samples or analyzing the malware.

References: Analyzing Furtim: Malware That Avoids Mass-Infection

Mitigation Strategies:

Top 20 IP Addresses

188.118.2.26 81.183.56.217
118.170.130.207 46.109.168.179
87.222.67.194 183.60.48.25
114.44.192.128 93.174.93.94
221.229.162.7 106.184.2.29
91.239.142.15 58.218.199.96
222.186.34.175 222.186.34.224
203.156.205.106 91.236.75.4
112.90.235.28 185.92.72.90
89.248.172.140 58.218.211.17

*IP addresses provided by Recorded Future.
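As an added example (not code from the newsletter or from Recorded Future), the script below shows one way a defender can put a weekly list like this to use: it embeds the Top 20 addresses above as a blocklist, parses iptables/netfilter-style firewall syslog lines, and flags any inbound connection from, or outbound connection to, a listed address. The log lines are constructed for the example, the log format is an assumption (a field layout of `SRC=`/`DST=`/`DPT=` as netfilter logs it), and a malformed address is skipped rather than silently ignored.

```python
import ipaddress
import re
from collections import Counter

# Top 20 IP addresses from this week's list (provided by Recorded Future).
TOP20_IPS = frozenset({
    "188.118.2.26", "81.183.56.217", "118.170.130.207", "46.109.168.179",
    "87.222.67.194", "183.60.48.25", "114.44.192.128", "93.174.93.94",
    "221.229.162.7", "106.184.2.29", "91.239.142.15", "58.218.199.96",
    "222.186.34.175", "222.186.34.224", "203.156.205.106", "91.236.75.4",
    "112.90.235.28", "185.92.72.90", "89.248.172.140", "58.218.211.17",
})

# Key=value fields as iptables/netfilter writes them into syslog (assumed format).
FIELD_RE = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

# Constructed sample firewall log lines (hypothetical traffic, not from a real system).
SAMPLE_LOGS = [
    "May 20 10:15:01 fw kernel: IN=eth0 OUT= SRC=188.118.2.26 DST=10.0.0.5 PROTO=TCP DPT=22",
    "May 20 10:15:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=443",
    "May 20 10:16:10 fw kernel: IN= OUT=eth0 SRC=10.0.0.7 DST=58.218.199.96 PROTO=TCP DPT=80",
    "May 20 10:16:12 fw kernel: IN=eth0 OUT= SRC=188.118.2.26 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "May 20 10:17:00 fw kernel: IN=eth0 OUT= SRC=not.an.ip DST=10.0.0.5 PROTO=TCP DPT=22",
]


def load_blocklist(addresses):
    """Normalise and validate every entry so a typo in the list cannot silently miss."""
    return frozenset(str(ipaddress.ip_address(a)) for a in addresses)


def parse_fields(line):
    """Return the SRC/DST/DPT fields of one log line, or None if an address is malformed."""
    fields = dict(FIELD_RE.findall(line))
    for key in ("SRC", "DST"):
        try:
            fields[key] = str(ipaddress.ip_address(fields.get(key, "")))
        except ValueError:
            return None  # missing or malformed address: skip the line rather than guess
    return fields


def find_hits(lines, blocklist):
    """Flag lines whose source (inbound) or destination (outbound) is on the blocklist."""
    hits = []
    for line in lines:
        fields = parse_fields(line)
        if fields is None:
            continue
        for key, direction in (("SRC", "inbound"), ("DST", "outbound")):
            if fields[key] in blocklist:
                hits.append({"ip": fields[key], "direction": direction,
                             "dpt": fields.get("DPT"), "line": line})
    return hits


def summarize(hits):
    """Count hits per (address, direction) so repeat offenders stand out."""
    return Counter((h["ip"], h["direction"]) for h in hits)


if __name__ == "__main__":
    blocklist = load_blocklist(TOP20_IPS)
    hits = find_hits(SAMPLE_LOGS, blocklist)
    for (ip, direction), count in summarize(hits).most_common():
        print(f"{ip:16} {direction:9} {count} hit(s)")
```

Running the script against the constructed lines reports two inbound hits from 188.118.2.26 (ports 22 and 3389) and one outbound hit to 58.218.199.96; the outbound match is the one worth treating with more urgency, since an internal host reaching out to a listed address suggests a compromise rather than background scanning.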