ninja542
commented
3 years ago Some people are saying Twitch might be compromised, however seems like Twitch doesn't have a login activity feed.
Edit: Microsoft activity check website is not down
Closed wadawada closed 3 years ago
ninja542
commented
3 years ago Some people are saying Twitch might be compromised, however seems like Twitch doesn't have a login activity feed.
Edit: Microsoft activity check website is not down
Aractus
commented
3 years ago I've got a good cryptographically secure password generator on my blog by the way if anyone needs a quick password generator. They are generated in-browser and not transmitted to the server (obviously) and anyone is welcome to audit the code. The code is much better than the one at passwordsgenerator.net which is not cryptographically secure ~(at least it wasn't at the time I made mine)~. I just had a quick look at the code in passwordsgenerator.net, it's still rubbish. It still doesn't pick characters with equal probability, their code for generating a character is: Math.random()*a.length
To show the difference, here is how I did it (r=255-256%charset.length):
while(y){
if(rndopt==1){window.crypto.getRandomValues(x);j=x[0];}
else if(rndopt==2){window.msCrypto.getRandomValues(x);j=x[0];}
else j=Math.floor(Math.random()*256);
if(j<=r)y=false;
}No bias.
ninja542
commented
3 years ago I am personally using Lastpass because it has autofill and sync-ed passwords, is that not good?
I also changed some passwords, still need to change my Facebook and Google password
bakeray
commented
3 years ago Can confirm the instagram behavior above for me as well. Will update the thread with any other fishiness I see.
wadawada
commented
3 years ago Some people are saying Twitch might be compromised, however seems like Twitch doesn't have a login activity feed.
Edit: Microsoft activity check website is not down
so no failed login attempt on Microsoft? what about github?
Aractus
commented
3 years ago I am personally using Lastpass because it has autofill and sync-ed passwords, is that not good?
I also changed some passwords, still need to change my Facebook and Google password
Any decent password manager should come with a secure random generator. :) I'd expect Lastpass's to be fine, but with that said it is closed-source.
There is no way they compromised your Google or Facebook passwords, not from cookies anyway, as long as those passwords are not the same as used for something else.
ninja542
commented
3 years ago Some people are saying Twitch might be compromised, however seems like Twitch doesn't have a login activity feed. Edit: Microsoft activity check website is not down
so no failed login attempt on Microsoft? what about github?
Sorry for not being clear, I was trying to check login activity for Microsoft on my phone browser, and it wasn't working, so I thought the Microsoft website was down, but then I realized it might be my phone.
I logged out of Github, and my activity is not suspicious
wadawada
commented
3 years ago Sorry for not being clear, I was trying to check login activity for Microsoft on my phone browser, and it wasn't working, so I thought the Microsoft website was down, but then I realized it might be my phone.
I logged out of Github, and my activity is not suspicious
I see. I believe Microsoft account is up, but I don't have one so I can't confirm https://downforeveryoneorjustme.com/login.live.com
I checked my github and see suspicious activity
jspenguin2017
commented
3 years ago I'm not sure if it's a wise idea for me to post on GitHub right now, but I have some important updates:
o2cr
commented
3 years ago I don't see any suspicious activity on my other accounts, aside from Instagram, where there's about 40-50 ish images. As stated from many places already, log out from accounts and change passwords.
tweedge
commented
3 years ago Hi @jspenguin2017 - I have information on the evolution of this malware and have been tracking it for a couple weeks. Can we sync up about what other extensions you know of either here or via email? One you should be aware of them using prior is "User-Agent Switcher" which was acquired by eSolutions Nordic in a similar way before being infected with malware.
Edit: not able to check this as I'm kinda shoulders deep so if anyone has information or wants to connect about this please email tweedge-public@partridge.tech, certification that's me is on Keybase: https://keybase.io/tweedge
H0ss1
commented
3 years ago I've checked my MS account AND today i have almost 6 imap session Sync tries from many world Places..
scottyhwilson
commented
3 years ago Confirming microsoft account as well. I had 9 IMAP session attempts between 10/9 - 10/12, from places like India, Mexico, Thailand, Vietnam, etc. My twitch and Instagram accounts appear unaffected, however.
wadawada
commented
3 years ago I'm not sure if it's a wise idea for me to post on GitHub right now, but I have some important updates:
- I'm in contact with Dan Goodin, I'll help him in any way I can
- Google responded to my ticket, saying that the extension was already removed from WebStore
- The new developer(s) claimed that they acquired a total of 5 extensions, with one being "small", I think we found 3 so far
You are very welcomed on here to update the follow-up and what is comprised (and provide ways to remove/undo the aftermath of the comprised)
ghost
commented
3 years ago I've only received a Verification Code for my IG account yesterday (which is weird since I don't use social media on the computer). However, no weird likes happened or any suspicious activity on other accounts. I've changed all my recently used passwords. Although I found some old ones saved in my google chrome (really wasn't aware of that until now) should I change them too?
yenhanshih
commented
3 years ago I read some of the comments on the other thread, people really shouldn't be taking this lightly. This wasn't a company data breach where the attackers got access to the information you provided to the company. This is the attacker in your system, on your browser listening to your web traffic.
Granted, we see some code that was exposed and think that it is only listening on session tokens, until someone analyzes and dumps the entire source code, it is better to be safe than sorry and change all your passwords.
ghost
commented
3 years ago I read some of the comments on the other thread, people really shouldn't be taking this lightly. This wasn't a company data breach where the attackers got access to the information you provided to the company. This is the attacker in your system, on your browser listening to your web traffic.
Granted, we see some code that was exposed and think that it is only listening on session tokens, until someone analyzes and dumps the entire source code, it is better to be safe than sorry and change all your passwords.
I completely agree with that, I'll change everything that I can remember and wait for updates regarding what has been found about the code or the perpetrators. It's going to be one hell of a good night but in the end better safe than sorry.
tweedge
commented
3 years ago Granted, we see some code that was exposed and think that it is only listening on session tokens, until someone analyzes and dumps the entire source code, it is better to be safe than sorry and change all your passwords.
I did this for a previous extension released by what appears to be the same developer - you should be most worried about your session tokens. Also, most of the control is handled by commands from the server, so there's no way for us to determine via source code analysis what sites may be impacted. The author could have at any time sent your browser to any site (Facebook, PayPal, Robinhood, whatever) and stolen that session token. Deauth all sessions and change password for anything you're concerned about NOW though, great time to move to a password manager and uninstall extra extensions.
That's not to incite panic though. From my experience, they're most interested in selling social media and social media adjacent stuff - likes, follows, etc. Easier than money laundering. But, best to be safe.
TL;DR working on it. Dumps are here: https://github.com/partridge-tech/chris-blog/tree/uas/_content/2020/extensions-the-next-generation-of-malware/no-publish
yenhanshih
commented
3 years ago Dumps are here: https://github.com/partridge-tech/chris-blog/tree/uas/_content/2020/extensions-the-next-generation-of-malware/no-publish
This is great! Appreciate you for sharing this. At least now the code is in public scrutiny. I'm going to diff this.
pascil
commented
3 years ago So is it confirmed from this comment that changing passwords and deleting cookies is enough or are there site that don't refresh cookies after password change?
Aractus
commented
3 years ago Deauth all sessions and change password for anything you're concerned about NOW though, great time to move to a password manager and uninstall extra extensions.
That's not to incite panic though. From my experience, they're most interested in selling social media and social media adjacent stuff - likes, follows, etc. Easier than money laundering. But, best to be safe.
Yep I can't agree more, especially re- password manager. Also a good time to move to Firefox ;) less users makes it a smaller target for hackers.
jamesy0ung
commented
3 years ago Nothing for me on Microsoft and GitHub I removed it on Saturday 17th of October 2020 11AM AEDT
davidohne
commented
3 years ago I went through EVERY instagram post they liked and posted a comment that the post was promoted by stolen and bought likes and accounts. Took me n hour. I think it was worth it...
@jspenguin2017 congratulations for your good sale! You were talking about donating (absolutely all) the money they payed to steal our data. So where does it go? Would be nice to get more transparency on how you made the decision and what they payed..
Oscar5055
commented
3 years ago I've checked my MS account AND today i have almost 6 imap session Sync tries from many world Places..
Same + someone from turkey failed to login into my account. Got few random likes on my instagram account. I havent found any more activity
PF4Public
commented
3 years ago @wadawada please write in the top of your post something like this:
supra107
commented
3 years ago I have checked my Google, Microsoft, Facebook and Github account, and none of them have suspicious activity. I cannot find a "liked posts" section on Instagram on desktop, but then again I barely ever used it. I can't verify any specific websites due to my browser configuration where I don't keep my history for more than a day. I also had only two passwords saved in the browser, one for a driver license tests that has no value and for browser synchronization, the second I have now changed, as well as a few other critical passwords. What else should I verify to make sure nothing has been breached?
pascil
commented
3 years ago I have checked my Google, Microsoft, Facebook and Github account, and none of them have suspicious activity. I cannot find a "liked posts" section on Instagram on desktop, but then again I barely ever used it. I can't verify any specific websites due to my browser configuration where I don't keep my history for more than a day. I also had only two passwords saved in the browser, one for a driver license tests that has no value and for browser synchronization, the second I have now changed, as well as a few other critical passwords. What else should I verify to make sure nothing has been breached?
Social media, bank, email and anything other with (critical) personal information.
davidohne
commented
3 years ago I think everything where you can browse and get into the account without entering a password could be affected. If your bank allows that you should (change the bank...) and log out there and change passwords.. Paypal could be a problem as well. I would use the time to activate 2FA with paypal.
arg274
commented
3 years ago Just to be safe, password managers like Bitwarden/Lastpass should be unaffected, right? After all, stolen session cookies should not probably usable on sites that have strict expirations. I'm still trying to speedrun through changing the passwords on the sites I frequent, but the thought of a breach through a centralised hive of passwords is quite harrowing.
supra107
commented
3 years ago I've been entering all my passwords from KeePass by either using the Auto-Type function or just copy-pasting them, so I think the only way those passwords would be breached is if the Nano Stealer would snatch the strings from the input fields right before they get sent to the server.
CDAGaming
commented
3 years ago Just found out about this half an hour ago.
Most of the services I use do employ 2fa (I normally enable it whenever possible, due to past breaches with an older password), though at least for me neither my Instagram or the sites I've used in the last few days (Mostly GitHub, GitLab, YouTube/Google, Blizzard/BattleNet, Reddit, CurseForge, and Amazon) have seemingly not been touched, though I am taking diligence to watch out for anything suspicious. Will let you all know if something happens...
ameyvaidya
commented
3 years ago Confirming microsoft account as well. I had 9 IMAP session attempts between 10/9 - 10/12, from places like India, Mexico, Thailand, Vietnam, etc. My twitch and Instagram accounts appear unaffected, however.
How do I find this information? I want to check if my Outlook has been compromised? I checked recent activity but it doesn't show information more than a day??
wickles
commented
3 years ago I cannot find a "liked posts" section on Instagram on desktop
I could not find it on desktop either. On mobile it's in Settings > Account > Posts I've Liked, or something like that.
Confirming microsoft account as well. I had 9 IMAP session attempts between 10/9 - 10/12,
May be coincidental since I believe the infection occurred on Oct 15?
How do I find this information? I want to check if my Outlook has been compromised? I checked recent activity but it doesn't show information more than a day??
Go down to the very bottom and click "View more account activity", it will load more results. You can repeat this process to show more, just keep checking the very bottom of the page.
supra107
commented
3 years ago I could not find it on desktop either. On mobile it's in Settings > Account > Posts I've Liked, or something like that.
Yeah it is available only on mobile, but thankfully it's all empty for me. I've changed the password and logged in and out just to be sure.
DADESUPER
commented
3 years ago I'm not sure if it's a wise idea for me to post on GitHub right now, but I have some important updates:
- I'm in contact with Dan Goodin, I'll help him in any way I can
- Google responded to my ticket, saying that the extension was already removed from WebStore
- The new developer(s) claimed that they acquired a total of 5 extensions, with one being "small", I think we found 3 so far
"I'm not sure it's the right idea for me to talk here so instead i'll talk to a middleman that could, whether intentionally or accidentally, misrepresent the known facts leading to further confusion in the community"
If you really want to talk to a middleman report the info you have on these "developers" to your country's police branch that investigates internet crimes.
I mean the fact that you won't even name who these developers are doesn't make sense to me. If you knew nothing about them you made the most foolish deal in history. If you know the names but won't reveal in my eyes that makes you complicit.
What do you think is gonna happen if you tell us their name and contact info? A group of black hat hackers isn't gonna sue you, that would just lead to them getting countersued and brought to justice.
Not giving us a direct way to complain to them makes you the target as the "next best thing". The best solution isn't another middleman. It's direct access to them
pascil
commented
3 years ago Bad news... All cookies copied..
So location, IP address, login information, E-Mail addresses, every site I was? How long until anyone of us gets harassed?
wickles
commented
3 years ago Bad news... All cookies copied..
So location, IP address, login information, E-Mail addresses, every site I was? How long until anyone of us gets harassed?
I hesitate to trust that user. Anyway dumping a bunch of code and a scary comment without any explanation is not very helpful.
supra107
commented
3 years ago So location, IP address, login information, E-Mail addresses, every site I was? How long until anyone of us gets harassed?
I wouldn't go so far as to say that location, full login information and e-mail addresses were leaked through the cookies, barely any website will keep that info there. But we can be sure that login sessions were in fact leaked, as those are pretty much always saved in cookies. Logging out on your browser should render those useless for the attackers.
tweedge
commented
3 years ago @lilcsz @pascil @wickles I don't actually believe all cookies were copied. All cookies could be copied, but that doesn't mean they were. Previous versions of the malware used by this author set specific domains to steal headers for via the getNewListData function (equivalent) on the websocket. That could copy the cookies for arbitrary sites that way by sending an event, but they weren't observed to do so - previously, they only sent that event type for www.instagram.com. That's not to say that they didn't send more events this time - they absolutely could have - but they had to send a specific event before stealing a given session cookie.
nanoDevAB.on("getNewListData", function (a) {
getNewListData = a;
})Here's the part of my writeup relevant to that: https://github.com/partridge-tech/chris-blog/blob/uas/_content/2020/extensions-the-next-generation-of-malware/user-agent-switcher.md#functionality
jinxx0
commented
3 years ago @tweedge Thanks for information. Also browser traffic logged?
Optoz
commented
3 years ago If I am using lastpass to autofill my passwords, is my lastpass account comprimised?, I have already changed the master password and changed the password for instagram, but what other precautions should be taken into account?
tweedge
commented
3 years ago @tweedge Thanks for information. Also browser traffic logged?
Still looking into that for this extension but previously the authors focused more on the "forced browsing" aspect - it sends destinations that it wants the user's browser to go to, then forwards the response body for that specific request up to the malware author. Like a forced MITM. I haven't observed them stealing other traffic, but I haven't had time to look at this extension to know for sure they didn't add that capability.
jinxx0
commented
3 years ago connection.zip Can you look this file? I don't know so much about JS
jinxx0
commented
3 years ago @tweedge
tweedge
commented
3 years ago I will look this evening (if I had to guess, Socket.IO client). Right now I'm preparing a statement for impacted users explaining what happened and how to protect themselves, then I gotta dip to work.
jinxx0
commented
3 years ago I will look this evening (if I had to guess, Socket.IO client). Right now I'm preparing a statement for impacted users explaining what happened and how to protect themselves, then I gotta dip to work.
Thank you
Optoz
commented
3 years ago I will look this evening (if I had to guess, Socket.IO client). Right now I'm preparing a statement for impacted users explaining what happened and how to protect themselves, then I gotta dip to work.
Thanks!
ameyvaidya
commented
3 years ago Scary part is that this seems like planned activity, they seems to be prepared with what to do with data. How on earth just after these guys were ready with new updates to be deployed/pushed all users. Damn it!
supra107
commented
3 years ago Scary part is that this seems like planned activity, they seems to be prepared with what to do with data. How on earth just after these guys were ready with new updates to be deployed/pushed all users. Damn it!
The fact that @jspenguin2017 is being really vague about everything and avoiding to contact or even expose the two "Turkish devs" makes it even shadier. But let's not get our torches and pitchforks out yet, that comes later. Right now we gotta analyze the scope of damages done by this fiasco.
pascil
commented
3 years ago Scary part is that this seems like planned activity, they seems to be prepared with what to do with data. How on earth just after these guys were ready with new updates to be deployed/pushed all users. Damn it!
They probably have practice. If I read correct they are probably also involved into the User-Agent-Switcher malware. Hopefully I had the one by Google installed. I didn't get a malware warning for that so I am fine I guess.
And yes I am scared af. That never happened to me before and I used computers since the day I can think.
Please READ the following web page for help and a detailed explanation of what happened https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-713028839 https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-712599645 https://chris.partridge.tech/2020/extensions-the-next-generation-of-malware/help-for-users/
other info: https://github.com/jspenguin2017/Snippets/issues/2#issuecomment-712448295 info in session cookies
If you want to rant, you can go to https://github.com/jspenguin2017/Snippets/issues/4 For other issues, you can also go to https://github.com/jspenguin2017/Snippets/issues/3 or https://github.com/jspenguin2017/Snippets/issues/2 You may have one or more or none accounts affected
If one or more of your accounts of some websites/apps has suspicious activities recently, you can use the following format to help report/confirm being compromised,
Websites already confirmed to be compromised
Instagram You can check suspicious activities by On Instagram Mobile, Settings > Security > Login Activity On Instagram Website, Settings > Login Activity On Instagram Mobile, Settings > Account > Posts You've Liked to see if you have unauthorized likes Question: need a way to remove unauthorized likes A solution: https://github.com/jspenguin2017/Snippets/issues/5#issuecomment-713626427
Websites that may be compromised, needs confirmation if it is related to this incident
Github: check the security log to see if there are failed attempts to login recently https://github.com/jspenguin2017/Snippets/issues/2#issuecomment-712522905 (2 confirmed suspicious activity with failed login) https://github.com/settings/security-log
Microsoft/Outlook account (2 confirmed suspicious activity with failed login) https://support.microsoft.com/en-us/account-billing/check-the-recent-sign-in-activity-for-your-microsoft-account-5b3cfb8e-70b3-2bd6-9a56-a50177863357
Twitch (Question: maybe no way to check login sessions?) https://help.twitch.tv/s/article/account-hacked?language=en_US