Unnamed Malware Stole 26 Million Passwords from Windows Systems: Have You Been Compromised, Too!

essidsolutions

Hackers using an unknown trojanized malware targeted 3.25 million Windows computers and stole 1.2 TB of data, including credentials, documents, images, and cookies. The infiltration remained undetected until now.

Billions of cookies, tens of millions of credentials, and millions of files are what an unknown malware managed to scrape off of millions of systems in a few years. The malware, a trojan to be exact, was discovered only recently by researchers at NordLocker, a Panama-based vendor of cloud-based file encryption software.

NordLocker researchers in collaboration with unnamed third-party data breach experts were able to find the data when the hackers accidentally revealed the location of the database. So if they hadn’t bungled the whereabouts of the database, there’s a high chance this breach, which possibly impacts tens of millions of people throughout the world, would’ve remained in the dark.

If you’re concerned (as you should be) that you are one of the victims of this breach, which has exposed credentials, user files, and online activity, head over to Have I Been Pwned (HIBP) to check whether your email address or password(s) for any online account are compromised. NordLocker has already provided HIBP with over 1.1 million email addresses collected by the nameless malware. HIBP offers separate searches for email addresses and for passwords.
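The HIBP password search mentioned above does not need your password: the Pwned Passwords service uses a k-anonymity range API, so a client sends only the first five hex characters of the SHA-1 hash of the password and compares the returned suffixes locally. The following is an added example (not code from the article or from NordLocker or HIBP) showing that exchange in Python; the `SAMPLE_RANGE_BODY` and its counts are constructed for offline use, and `fetch_range` is the only part that talks to the real API.

```python
"""
Check a password against HIBP Pwned Passwords with the k-anonymity range API.
Only a 5-character hash prefix leaves the machine; the suffix comparison is
done locally against the list the service returns.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6. Real responses use
# the same "SUFFIX:COUNT" shape; the counts here are made up. Lines with a
# count of 0 mimic the padding the service adds when Add-Padding is requested.
SAMPLE_RANGE_BODY = "\r\n".join([
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",   # SHA-1("password") suffix
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",
    "20A3D1D3A8F7E92F2F0C9E25B5E6E0BC2E1:7",
])


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the hash HIBP indexes)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> tuple[str, str]:
    """Split a SHA-1 hex digest into the 5-char prefix sent and the suffix kept."""
    digest_hex = digest_hex.upper()
    return digest_hex[:5], digest_hex[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Return the breach count for `suffix` in a range response, 0 if absent."""
    suffix = suffix.upper()
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the real range for a prefix. Add-Padding hides the true list size."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in HIBP; `fetch` is injectable for tests."""
    prefix, suffix = split_hash(sha1_hex(password))
    return count_in_range(fetch(prefix), suffix)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample body.
    offline = lambda prefix: SAMPLE_RANGE_BODY
    print("password ->", pwned_count("password", fetch=offline))
    print("unlisted  ->", pwned_count("correct horse battery staple", fetch=offline))
```

Passing `fetch=fetch_range` (the default) performs the live query; the point for a practitioner is that the full hash never leaves the client, so this check can be wired into a password-change flow without disclosing the password to a third party.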

What Was Stolen by the Nameless Trojan?

The most worrying fact about the breach is that 1.1 million unique emails on HIBP are just the tip of the iceberg. Besides these emails, NordLocker also found the following in the database:

  • 26 million login credentials
  • Over 2 billion cookies from web browsers
  • 6.6 million files (text, images, doc, pdf) 

This data was stolen from approximately 3.25 million computers running on Windows 10 infected with the unknown malware.

The trove of data, amounting to a total of 1.2 terabytes, includes over 1 million images (696,000 .png and 224,000 .jpg files), a lot of which are screenshots of the infected computer, and illicitly captured images from the webcam of the computer. The database also contains over 650,000 Word and .pdf files, as well as 3 million Notepad (text) files having passwords of victims. Overall, files with more than 1,000 different formats were stolen.


Total Impact

Oftentimes, the technicalities of a data breach obscure its actual impact. So if some number of files are compromised in a data breach, it is essential to determine the contents of those files, assess their relevance, estimate the impact, and initiate mitigation measures.

Cookies

Of the 2 billion cookies, 400 million were valid at the time NordLocker discovered the database, meaning they hadn’t expired. Cookies for YouTube (17,134,343), Facebook (8,082,876), LinkedIn (5,200,639), Twitter (5,166,885), and AliExpress (4,816,698) were among the most frequently stolen by the hackers.

Cookies are small, hashed text files used for storing login information and credit card information. They are also used by advertisers to display relevant ads according to user preferences.

Cookies are hashed to protect the information they hold, which is accessible only to the web browser through a decryption algorithm. However, if installed in the hacker’s browser, they can reveal those encrypted passwords. It is unclear whether the hackers have extracted any sensitive information from these stolen cookies.
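The distinction NordLocker drew above, between cookies that had already expired and the 400 million that were still valid, is the first question an incident responder asks about a dumped cookie jar: which of these could still be replayed, and for which sites. The following added example (not from the article or NordLocker) parses a cookie jar in the Netscape cookies.txt format used by browsers and tools such as curl, classifies each cookie as valid, expired, or session-only at a chosen point in time, and counts the live ones per site so the affected sessions can be invalidated. The sample jar, its domains, and its timestamps are constructed.

```python
"""
Triage of an exfiltrated browser cookie jar (Netscape cookies.txt format):
which cookies were still valid at a given moment, grouped by site.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample jar, not real data. Netscape format is seven tab-separated
# fields: domain, include-subdomains flag, path, secure, expiry (unix time,
# 0 = session cookie), name, value. The "#HttpOnly_" prefix is the convention
# curl uses to mark HttpOnly cookies inside an otherwise comment-like line.
SAMPLE_JAR = "\n".join([
    "# Netscape HTTP Cookie File (constructed sample, not real data)",
    "\t".join([".youtube.com", "TRUE", "/", "TRUE", "1700000000", "SID", "sample-sid"]),
    "#HttpOnly_" + "\t".join([".youtube.com", "TRUE", "/", "TRUE", "1700000000", "HSID", "sample-hsid"]),
    "\t".join([".facebook.com", "TRUE", "/", "TRUE", "1500000000", "c_user", "sample-user"]),
    "\t".join([".linkedin.com", "TRUE", "/", "TRUE", "0", "JSESSIONID", "sample-session"]),
])


@dataclass(frozen=True)
class Cookie:
    domain: str
    path: str
    secure: bool
    http_only: bool
    expires: int  # unix time; 0 means a session cookie with no stored expiry
    name: str
    value: str


def parse_cookie_jar(text: str) -> list[Cookie]:
    """Parse cookies.txt lines into Cookie records, skipping comments and malformed rows."""
    cookies = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        http_only = False
        if line.startswith("#HttpOnly_"):
            http_only = True
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#"):
            continue  # ordinary comment line
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: do not let one bad row abort the triage
        domain, _subdomains, path, secure, expires, name, value = fields
        cookies.append(Cookie(
            domain=domain.lstrip("."),  # ".youtube.com" and "youtube.com" are the same site here
            path=path,
            secure=secure.upper() == "TRUE",
            http_only=http_only,
            expires=int(expires),
            name=name,
            value=value,
        ))
    return cookies


def classify(cookies: list[Cookie], now: int) -> tuple[list[Cookie], list[Cookie], list[Cookie]]:
    """Split cookies into (still valid, expired, session-only) as of unix time `now`."""
    valid, expired, session = [], [], []
    for c in cookies:
        if c.expires == 0:
            session.append(c)  # validity depends on server-side session state, not the jar
        elif c.expires > now:
            valid.append(c)
        else:
            expired.append(c)
    return valid, expired, session


def valid_counts_by_domain(cookies: list[Cookie], now: int) -> dict[str, int]:
    """Per-site count of cookies that could still be replayed at `now`."""
    valid, _, _ = classify(cookies, now)
    return dict(Counter(c.domain for c in valid))


if __name__ == "__main__":
    jar = parse_cookie_jar(SAMPLE_JAR)
    discovered_at = 1600000000  # constructed "time of discovery"
    valid, expired, session = classify(jar, discovered_at)
    print(f"{len(valid)} valid, {len(expired)} expired, {len(session)} session-only")
    print("still-valid cookies per site:", valid_counts_by_domain(jar, discovered_at))
```

Session cookies (expiry 0) are reported separately on purpose: the jar cannot tell you whether the server still honours them, so the safe response is to revoke those sessions rather than assume they died with the browser. The same per-site count, run against a real jar, gives the list of services where users should be logged out everywhere and asked to re-authenticate.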

Credentials

What’s definite, however, is that 26 million user credentials for multiple websites were compromised. This includes:

  • Social media sites (Facebook – 1,471,416, Twitter – 261,773, Instagram – 153,754, LinkedIn – 113,013, etc)
  • eCommerce sites (Amazon – 209,534, eBay – 132,935, AliExpress – 87,624, etc)
  • Consumer electronics vendors (Apple – 127,793, Sony – 67,976, Samsung – 41,854, etc)
  • Content streaming services (Netflix – 170,067, Twitch – 106,690, Spotify – 61,349, etc)
  • Email services (Google – 1,540,650, Outlook – 403,580, Yahoo – 224,961, etc)
  • Online gaming platforms (Roblox – 197,166, Steam – 189,740, Epic Games – 91,271, Minecraft – 70,789, etc)
  • Recruitment sites (Indeed – 19,190, Upwork – 13,781, JobStreet – 13,005, etc)
  • File storage and sharing platforms (Mega – 123,416, Dropbox – 87,282, 4shared – 59,804, etc)
  • Productivity tools (Udemy – 12,388, Grammarly – 12,113, Canva – 9,271, etc)
  • Financial services (PayPal – 145,436, Qiwi – 21,146, Blockchain – 19,736)

In total, credentials for one million websites were stolen.

Software Data

The hackers primarily targeted browsers, since they are used by everyone and are rich in sensitive information, but they also stole data from messaging, email, gaming, and file-sharing applications. The top five apps targeted were all browsers: Google Chrome, Mozilla Firefox, Opera, Internet Explorer/Microsoft Edge, and Chromium. Other apps targeted include Outlook, Thunderbird, FileZilla, Amigo, and Vivaldi.

For the full list, see NordLocker’s disclosure.

The Nameless Malware

The obscure trojanized malware remained undetected for nearly three years, between 2018 and 2020. This is typically the case when definitions for a new malicious program have not been added to the threat libraries of Windows Defender, the anti-malware component shipped with multiple versions of Microsoft’s Windows operating systems, or of any third-party antivirus software.

The malware’s obscurity allowed it to spread stealthily via email, a pirated copy of Adobe Photoshop 2018, a Windows cracking tool, and several cracked games, which is how it reached over three million victims.

This particular malware is probably an infostealer, a class of trojans designed specifically to gather information from a target system. According to cybersecurity company CyberArk, infostealers aren’t very sophisticated and are generally available for sale on online hacking forums for anywhere between a few dollars and a couple of hundred.

“Anyone can get their hands on custom malware. It’s cheap, customizable, and can be found all over the web,” explained NordLocker researchers.

They add, “Dark web ads for these viruses uncover even more truth about this market. For instance, anyone can get their own custom malware and even lessons on how to use the stolen data for as little as $100. And custom does mean custom – advertisers promise that they can build a virus to attack virtually any app the buyer needs.”

Some of the well-known infostealer trojans are Emotet, LokiBot, Trickbot, and the more recent Raccoon.


NordLocker’s Suggestions to Alleviate the Threat from Malware

  • Download software from trusted sources. Naturally, refrain from using pirated software
  • Block third-party cookies, and periodically delete regular ones
  • Maintain proper cyber hygiene
  • Use data encryption
  • Leverage multi-factor authentication
  • Use password managers
  • Use antivirus software and perform regular updates

All said and done, it is impossible to catch unknown malware if the antivirus doesn’t know about it. Essentially, no antivirus software can be 100% foolproof. So reliance on antivirus software should not be absolute; it should instead be one part of an overall security strategy built on the suggestions above.

Closing Thoughts

Data breaches aren’t a recent phenomenon, but they have certainly picked up steam in recent months. Most breaches, such as the exposure of 533 million Facebook users, 2.28 million users of MeetMindful, 200K users of T-Mobile, and others, involved the exploitation of vulnerabilities in the computer systems, servers, and networks of corporate targets.

This one, however, targeted anyone who did not have safeguards in place. And even if they did, it wouldn’t have mattered, since the malware’s definition was unknown. Trojanized malware will continue to shatter the vulnerable security shields on users’ devices, especially those of newcomers to the internet, unless they refrain from using illegal online software or taking virtual baits.
