jspenguin2017 / Snippets

Random code snippets
27 stars 3 forks source link

List of compromised websites and scope of damage, by Nano Adblocker and Defender #5

Closed wadawada closed 4 years ago

wadawada commented 4 years ago

Checklist for everyone affected

  • Login sessions between 10/15 and 10/16 are most likely to be affected
  • Check your Instagram for random likes, even if you didn't visit it for a long time, you might be still affected
  • Check other websites you visited in the past 10 days for a suspicious activity
  • Check your accounts for suspicious login attempts
  • If suspicious activity found, report below

Countermeasures

  • Your passwords are probably fine so far. This is actually confirmed by the reports of failed logins by some, as some websites are smart enough not to allow suspicious usage of stolen cookies, which is good. However, it can be compromised if you visited a website with poor security practices (which store passwords in cookies, for example).
  • DO NOT simply delete cookies from your browser. Cookies on the server-side need to be refreshed, which cannot be done by deleting cookies on the client-side
  • You need to logout ALL sessions of websites that you visited in the past 10 days. Find the option in settings to "Terminate all sessions", which will invalidate all previously issued cookies at all locations. If there is no option to terminate all sessions, you can contact support for assistance in terminating all of your sessions due to possible cookie theft.
  • Login again to refresh session cookies
  • As a last resort, changing password should (although it might not) invalidate all previous cookies. (https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-712724272)

Please READ the following web page for help and a detailed explanation of what happened https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-713028839 https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-712599645 https://chris.partridge.tech/2020/extensions-the-next-generation-of-malware/help-for-users/

other info: https://github.com/jspenguin2017/Snippets/issues/2#issuecomment-712448295 info in session cookies

If you want to rant, you can go to https://github.com/jspenguin2017/Snippets/issues/4 For other issues, you can also go to https://github.com/jspenguin2017/Snippets/issues/3 or https://github.com/jspenguin2017/Snippets/issues/2 You may have one or more or none accounts affected

If one or more of your accounts of some websites/apps has suspicious activities recently, you can use the following format to help report/confirm being compromised,

1 website: www.something.com
2 saved passwords on chrome? YES if password was saved/ NO if password was typed
3 suspicious activity on login session page (if provided): YES (eg failed logins) /NO 
4 unauthorized activity on website/app: describe what happened

Websites already confirmed to be compromised

Instagram You can check suspicious activities by On Instagram Mobile, Settings > Security > Login Activity On Instagram Website, Settings > Login Activity On Instagram Mobile, Settings > Account > Posts You've Liked to see if you have unauthorized likes Question: need a way to remove unauthorized likes A solution: https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-713626427

Websites that may be compromised, needs confirmation if it is related to this incident

Github: check the security log to see if there are failed attempts to login recently https://github.com/jspenguin2017/Snippets/issues/2#issuecomment-712522905 (2 confirmed suspicious activity with failed login) https://github.com/settings/security-log

Microsoft/Outlook account (2 confirmed suspicious activity with failed login) https://support.microsoft.com/en-us/account-billing/check-the-recent-sign-in-activity-for-your-microsoft-account-5b3cfb8e-70b3-2bd6-9a56-a50177863357

Twitch (Question: maybe no way to check login sessions?) https://help.twitch.tv/s/article/account-hacked?language=en_US

ninja542 commented 4 years ago

Some people are saying Twitch might be compromised, however seems like Twitch doesn't have a login activity feed.

Edit: Microsoft activity check website is not down

Aractus commented 4 years ago

I've got a good cryptographically secure password generator on my blog by the way if anyone needs a quick password generator. They are generated in-browser and not transmitted to the server (obviously) and anyone is welcome to audit the code. The code is much better than the one at passwordsgenerator.net which is not cryptographically secure ~(at least it wasn't at the time I made mine)~. I just had a quick look at the code in passwordsgenerator.net, it's still rubbish. It still doesn't pick characters with equal probability, their code for generating a character is: Math.random()*a.length

To show the difference, here is how I did it (r=255-256%charset.length):

 while(y){
    if(rndopt==1){window.crypto.getRandomValues(x);j=x[0];}
    else if(rndopt==2){window.msCrypto.getRandomValues(x);j=x[0];}
    else j=Math.floor(Math.random()*256);
    if(j<=r)y=false;
 }

No bias.

ninja542 commented 4 years ago

I am personally using Lastpass because it has autofill and sync-ed passwords, is that not good?

I also changed some passwords, still need to change my Facebook and Google password

bakeray commented 4 years ago

Can confirm the instagram behavior above for me as well. Will update the thread with any other fishiness I see.

wadawada commented 4 years ago

Some people are saying Twitch might be compromised, however seems like Twitch doesn't have a login activity feed.

Edit: Microsoft activity check website is not down

so no failed login attempt on Microsoft? what about github?

Aractus commented 4 years ago

I am personally using Lastpass because it has autofill and sync-ed passwords, is that not good?

I also changed some passwords, still need to change my Facebook and Google password

Any decent password manager should come with a secure random generator. :) I'd expect Lastpass's to be fine, but with that said it is closed-source.

There is no way they compromised your Google or Facebook passwords, not from cookies anyway, as long as those passwords are not the same as used for something else.

ninja542 commented 4 years ago

Some people are saying Twitch might be compromised, however seems like Twitch doesn't have a login activity feed. Edit: Microsoft activity check website is not down

so no failed login attempt on Microsoft? what about github?

Sorry for not being clear, I was trying to check login activity for Microsoft on my phone browser, and it wasn't working, so I thought the Microsoft website was down, but then I realized it might be my phone.

I logged out of Github, and my activity is not suspicious

wadawada commented 4 years ago

Sorry for not being clear, I was trying to check login activity for Microsoft on my phone browser, and it wasn't working, so I thought the Microsoft website was down, but then I realized it might be my phone.

I logged out of Github, and my activity is not suspicious

I see. I believe Microsoft account is up, but I don't have one so I can't confirm https://downforeveryoneorjustme.com/login.live.com

I checked my github and see suspicious activity

jspenguin2017 commented 4 years ago

I'm not sure if it's a wise idea for me to post on GitHub right now, but I have some important updates:

o2cr commented 4 years ago

I don't see any suspicious activity on my other accounts, aside from Instagram, where there's about 40-50 ish images. As stated from many places already, log out from accounts and change passwords.

tweedge commented 4 years ago

Hi @jspenguin2017 - I have information on the evolution of this malware and have been tracking it for a couple weeks. Can we sync up about what other extensions you know of either here or via email? One you should be aware of them using prior is "User-Agent Switcher" which was acquired by eSolutions Nordic in a similar way before being infected with malware.

Edit: not able to check this as I'm kinda shoulders deep so if anyone has information or wants to connect about this please email tweedge-public@partridge.tech, certification that's me is on Keybase: https://keybase.io/tweedge

H0ss1 commented 4 years ago

I've checked my MS account AND today i have almost 6 imap session Sync tries from many world Places..

scottyhwilson commented 4 years ago

Confirming microsoft account as well. I had 9 IMAP session attempts between 10/9 - 10/12, from places like India, Mexico, Thailand, Vietnam, etc. My twitch and Instagram accounts appear unaffected, however.

wadawada commented 4 years ago

I'm not sure if it's a wise idea for me to post on GitHub right now, but I have some important updates:

  • I'm in contact with Dan Goodin, I'll help him in any way I can
  • Google responded to my ticket, saying that the extension was already removed from WebStore
  • The new developer(s) claimed that they acquired a total of 5 extensions, with one being "small", I think we found 3 so far

You are very welcomed on here to update the follow-up and what is comprised (and provide ways to remove/undo the aftermath of the comprised)

ghost commented 4 years ago

I've only received a Verification Code for my IG account yesterday (which is weird since I don't use social media on the computer). However, no weird likes happened or any suspicious activity on other accounts. I've changed all my recently used passwords. Although I found some old ones saved in my google chrome (really wasn't aware of that until now) should I change them too?

yenhanshih commented 4 years ago

I read some of the comments on the other thread, people really shouldn't be taking this lightly. This wasn't a company data breach where the attackers got access to the information you provided to the company. This is the attacker in your system, on your browser listening to your web traffic.

Granted, we see some code that was exposed and think that it is only listening on session tokens, until someone analyzes and dumps the entire source code, it is better to be safe than sorry and change all your passwords.

ghost commented 4 years ago

I read some of the comments on the other thread, people really shouldn't be taking this lightly. This wasn't a company data breach where the attackers got access to the information you provided to the company. This is the attacker in your system, on your browser listening to your web traffic.

Granted, we see some code that was exposed and think that it is only listening on session tokens, until someone analyzes and dumps the entire source code, it is better to be safe than sorry and change all your passwords.

I completely agree with that, I'll change everything that I can remember and wait for updates regarding what has been found about the code or the perpetrators. It's going to be one hell of a good night but in the end better safe than sorry.

tweedge commented 4 years ago

Granted, we see some code that was exposed and think that it is only listening on session tokens, until someone analyzes and dumps the entire source code, it is better to be safe than sorry and change all your passwords.

I did this for a previous extension released by what appears to be the same developer - you should be most worried about your session tokens. Also, most of the control is handled by commands from the server, so there's no way for us to determine via source code analysis what sites may be impacted. The author could have at any time sent your browser to any site (Facebook, PayPal, Robinhood, whatever) and stolen that session token. Deauth all sessions and change password for anything you're concerned about NOW though, great time to move to a password manager and uninstall extra extensions.

That's not to incite panic though. From my experience, they're most interested in selling social media and social media adjacent stuff - likes, follows, etc. Easier than money laundering. But, best to be safe.

TL;DR working on it. Dumps are here: https://github.com/partridge-tech/chris-blog/tree/uas/_content/2020/extensions-the-next-generation-of-malware/no-publish

yenhanshih commented 4 years ago

Dumps are here: https://github.com/partridge-tech/chris-blog/tree/uas/_content/2020/extensions-the-next-generation-of-malware/no-publish

This is great! Appreciate you for sharing this. At least now the code is in public scrutiny. I'm going to diff this.

pascil commented 4 years ago

So is it confirmed from this comment that changing passwords and deleting cookies is enough or are there site that don't refresh cookies after password change?

Aractus commented 4 years ago

Deauth all sessions and change password for anything you're concerned about NOW though, great time to move to a password manager and uninstall extra extensions.

That's not to incite panic though. From my experience, they're most interested in selling social media and social media adjacent stuff - likes, follows, etc. Easier than money laundering. But, best to be safe.

Yep I can't agree more, especially re- password manager. Also a good time to move to Firefox ;) less users makes it a smaller target for hackers.

jamesy0ung commented 4 years ago

Nothing for me on Microsoft and GitHub I removed it on Saturday 17th of October 2020 11AM AEDT

davidohne commented 4 years ago

I went through EVERY instagram post they liked and posted a comment that the post was promoted by stolen and bought likes and accounts. Took me n hour. I think it was worth it...

@jspenguin2017 congratulations for your good sale! You were talking about donating (absolutely all) the money they payed to steal our data. So where does it go? Would be nice to get more transparency on how you made the decision and what they payed..

Oscar5055 commented 4 years ago

I've checked my MS account AND today i have almost 6 imap session Sync tries from many world Places..

Same + someone from turkey failed to login into my account. Got few random likes on my instagram account. I havent found any more activity

PF4Public commented 4 years ago

@wadawada please write in the top of your post something like this:

Checklist for everyone affected

supra107 commented 4 years ago

I have checked my Google, Microsoft, Facebook and Github account, and none of them have suspicious activity. I cannot find a "liked posts" section on Instagram on desktop, but then again I barely ever used it. I can't verify any specific websites due to my browser configuration where I don't keep my history for more than a day. I also had only two passwords saved in the browser, one for a driver license tests that has no value and for browser synchronization, the second I have now changed, as well as a few other critical passwords. What else should I verify to make sure nothing has been breached?

pascil commented 4 years ago

I have checked my Google, Microsoft, Facebook and Github account, and none of them have suspicious activity. I cannot find a "liked posts" section on Instagram on desktop, but then again I barely ever used it. I can't verify any specific websites due to my browser configuration where I don't keep my history for more than a day. I also had only two passwords saved in the browser, one for a driver license tests that has no value and for browser synchronization, the second I have now changed, as well as a few other critical passwords. What else should I verify to make sure nothing has been breached?

Social media, bank, email and anything other with (critical) personal information.

davidohne commented 4 years ago

I think everything where you can browse and get into the account without entering a password could be affected. If your bank allows that you should (change the bank...) and log out there and change passwords.. Paypal could be a problem as well. I would use the time to activate 2FA with paypal.

arg274 commented 4 years ago

Just to be safe, password managers like Bitwarden/Lastpass should be unaffected, right? After all, stolen session cookies should not probably usable on sites that have strict expirations. I'm still trying to speedrun through changing the passwords on the sites I frequent, but the thought of a breach through a centralised hive of passwords is quite harrowing.

supra107 commented 4 years ago

I've been entering all my passwords from KeePass by either using the Auto-Type function or just copy-pasting them, so I think the only way those passwords would be breached is if the Nano Stealer would snatch the strings from the input fields right before they get sent to the server.

CDAGaming commented 4 years ago

Just found out about this half an hour ago.

Most of the services I use do employ 2fa (I normally enable it whenever possible, due to past breaches with an older password), though at least for me neither my Instagram or the sites I've used in the last few days (Mostly GitHub, GitLab, YouTube/Google, Blizzard/BattleNet, Reddit, CurseForge, and Amazon) have seemingly not been touched, though I am taking diligence to watch out for anything suspicious. Will let you all know if something happens...

ameyvaidya commented 4 years ago

Confirming microsoft account as well. I had 9 IMAP session attempts between 10/9 - 10/12, from places like India, Mexico, Thailand, Vietnam, etc. My twitch and Instagram accounts appear unaffected, however.

How do I find this information? I want to check if my Outlook has been compromised? I checked recent activity but it doesn't show information more than a day??

wickles commented 4 years ago

I cannot find a "liked posts" section on Instagram on desktop

I could not find it on desktop either. On mobile it's in Settings > Account > Posts I've Liked, or something like that.

Confirming microsoft account as well. I had 9 IMAP session attempts between 10/9 - 10/12,

May be coincidental since I believe the infection occurred on Oct 15?

How do I find this information? I want to check if my Outlook has been compromised? I checked recent activity but it doesn't show information more than a day??

Go down to the very bottom and click "View more account activity", it will load more results. You can repeat this process to show more, just keep checking the very bottom of the page.

supra107 commented 4 years ago

I could not find it on desktop either. On mobile it's in Settings > Account > Posts I've Liked, or something like that.

Yeah it is available only on mobile, but thankfully it's all empty for me. I've changed the password and logged in and out just to be sure.

DADESUPER commented 4 years ago

I'm not sure if it's a wise idea for me to post on GitHub right now, but I have some important updates:

  • I'm in contact with Dan Goodin, I'll help him in any way I can
  • Google responded to my ticket, saying that the extension was already removed from WebStore
  • The new developer(s) claimed that they acquired a total of 5 extensions, with one being "small", I think we found 3 so far

"I'm not sure it's the right idea for me to talk here so instead i'll talk to a middleman that could, whether intentionally or accidentally, misrepresent the known facts leading to further confusion in the community"

If you really want to talk to a middleman report the info you have on these "developers" to your country's police branch that investigates internet crimes.

I mean the fact that you won't even name who these developers are doesn't make sense to me. If you knew nothing about them you made the most foolish deal in history. If you know the names but won't reveal in my eyes that makes you complicit.

What do you think is gonna happen if you tell us their name and contact info? A group of black hat hackers isn't gonna sue you, that would just lead to them getting countersued and brought to justice.

Not giving us a direct way to complain to them makes you the target as the "next best thing". The best solution isn't another middleman. It's direct access to them

pascil commented 4 years ago

Bad news... All cookies copied..

So location, IP address, login information, E-Mail addresses, every site I was? How long until anyone of us gets harassed?

wickles commented 4 years ago

Bad news... All cookies copied..

So location, IP address, login information, E-Mail addresses, every site I was? How long until anyone of us gets harassed?

I hesitate to trust that user. Anyway dumping a bunch of code and a scary comment without any explanation is not very helpful.

supra107 commented 4 years ago

So location, IP address, login information, E-Mail addresses, every site I was? How long until anyone of us gets harassed?

I wouldn't go so far as to say that location, full login information and e-mail addresses were leaked through the cookies, barely any website will keep that info there. But we can be sure that login sessions were in fact leaked, as those are pretty much always saved in cookies. Logging out on your browser should render those useless for the attackers.

tweedge commented 4 years ago

@lilcsz @pascil @wickles I don't actually believe all cookies were copied. All cookies could be copied, but that doesn't mean they were. Previous versions of the malware used by this author set specific domains to steal headers for via the getNewListData function (equivalent) on the websocket. That could copy the cookies for arbitrary sites that way by sending an event, but they weren't observed to do so - previously, they only sent that event type for www.instagram.com. That's not to say that they didn't send more events this time - they absolutely could have - but they had to send a specific event before stealing a given session cookie.

nanoDevAB.on("getNewListData", function (a) {
    getNewListData = a;
})

Here's the part of my writeup relevant to that: https://github.com/partridge-tech/chris-blog/blob/uas/_content/2020/extensions-the-next-generation-of-malware/user-agent-switcher.md#functionality

jinxx0 commented 4 years ago

@tweedge Thanks for information. Also browser traffic logged?

Optoz commented 4 years ago

If I am using lastpass to autofill my passwords, is my lastpass account comprimised?, I have already changed the master password and changed the password for instagram, but what other precautions should be taken into account?

tweedge commented 4 years ago

@tweedge Thanks for information. Also browser traffic logged?

Still looking into that for this extension but previously the authors focused more on the "forced browsing" aspect - it sends destinations that it wants the user's browser to go to, then forwards the response body for that specific request up to the malware author. Like a forced MITM. I haven't observed them stealing other traffic, but I haven't had time to look at this extension to know for sure they didn't add that capability.

jinxx0 commented 4 years ago

connection.zip Can you look this file? I don't know so much about JS

jinxx0 commented 4 years ago

@tweedge

tweedge commented 4 years ago

I will look this evening (if I had to guess, Socket.IO client). Right now I'm preparing a statement for impacted users explaining what happened and how to protect themselves, then I gotta dip to work.

jinxx0 commented 4 years ago

I will look this evening (if I had to guess, Socket.IO client). Right now I'm preparing a statement for impacted users explaining what happened and how to protect themselves, then I gotta dip to work.

Thank you

Optoz commented 4 years ago

I will look this evening (if I had to guess, Socket.IO client). Right now I'm preparing a statement for impacted users explaining what happened and how to protect themselves, then I gotta dip to work.

Thanks!

ameyvaidya commented 4 years ago

Scary part is that this seems like planned activity, they seems to be prepared with what to do with data. How on earth just after these guys were ready with new updates to be deployed/pushed all users. Damn it!

supra107 commented 4 years ago

Scary part is that this seems like planned activity, they seems to be prepared with what to do with data. How on earth just after these guys were ready with new updates to be deployed/pushed all users. Damn it!

The fact that @jspenguin2017 is being really vague about everything and avoiding to contact or even expose the two "Turkish devs" makes it even shadier. But let's not get our torches and pitchforks out yet, that comes later. Right now we gotta analyze the scope of damages done by this fiasco.

pascil commented 4 years ago

Scary part is that this seems like planned activity, they seems to be prepared with what to do with data. How on earth just after these guys were ready with new updates to be deployed/pushed all users. Damn it!

They probably have practice. If I read correct they are probably also involved into the User-Agent-Switcher malware. Hopefully I had the one by Google installed. I didn't get a malware warning for that so I am fine I guess.

And yes I am scared af. That never happened to me before and I used computers since the day I can think.