Attackers' Server Leaked Millions of Stolen Authentication Cookies and Passwords

Attackers’ Server Leaked Millions of Stolen Authentication Cookies and Passwords

After infecting victims with malware and stealing their passwords and personal data, the malware operators failed to secure their servers. As a result, the servers have been exposing sensitive information of hundreds of thousands of victims for over a month, including passwords and millions of authentication cookies.

Security researchers have been trying to convince a cloud provider to take down the hackers’ leaking server, though the company wasn’t listening.

It was Bob Diachenko, Cyber Threat Intelligence Director at security firm Security Discovery, who discovered the leaky Elasitcsearch server that exposed data typically collected by a type of malware known as an infostealer. This malware infects victims’ devices, collects user information, and later uploads it to attackers’ command and control (C&C) servers to be aggregated in a data lake for further analysis.

The server detected by Diachenko is believed to be the attackers’ data lake.

According to Vitali Kremez of Advanced Intelligence and James Maude of the security firm BeyondTrust, judging by the format of the “bot_ID” field assigned to each infected host, the users had been infected with the RaccoonStealer malware.

And according to researchers, the Elasticsearch server does not only store personal victim data like emails, usernames, and device details but also cleartext passwords and authentication cookies.

While The Record found “credentials and cookies for email accounts, social media profiles, work applications, and even government portals.”

The security company claims to have seen authentication cookies “collected in the millions,” and passwords “which were only hundreds of thousands.” While Diachenko said most of the data belonged to users in the United Arab Emirates and other Middle East countries.

The big number of authentication cookies is explained by the fact that they allow easier access to an account compared to credentials since they grant access to accounts without the need for authentification.

Despite this, researchers like Diachenko have been fighting for weeks with little success to get the server taken down.

Only today, in a surprise twist to the story, the server mysteriously disappeared.

It is unclear if it was the cloud provider or the malware gang who removed the server.

Diachenko says he plans to provide a portion of exposed data to Have I Been Pwn’ed data breach notification service.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.