Meet PassGAN, the supposedly “terrifying” AI password cracker that’s mostly hype


By now, you’ve probably heard about a new AI-based password cracker that can compromise your password in seconds by using artificial intelligence instead of more traditional methods. Some outlets have called it “terrifying,” “worrying,” “alarming,” and “savvy.” Other publications have fallen over themselves to report that the tool can crack any password with up to seven characters—even if it has symbols and numbers—in under six minutes.

As with so many things involving AI, the claims are served with a generous portion of smoke and mirrors. PassGAN, as the tool is dubbed, performs no better than more conventional cracking methods. In short, anything PassGAN can do, these more tried and true tools do as well or better. And like so many of the non-AI password checkers Ars has criticized in the past—e.g., here, here, and here—the researchers behind PassGAN draw password advice from their experiment that undermines real security.

Teaching a machine to crack

PassGAN is a shortened combination of the words “Password” and “generative adversarial networks.” PassGAN is an approach that debuted in 2017. It uses machine learning algorithms running on a neural network in place of conventional methods devised by humans. These GANs generate password guesses after autonomously learning the distribution of passwords by processing the spoils of previous real-world breaches. These guesses are used in offline attacks made possible when a database of password hashes leaks as a result of a security breach.

An overview of a generative adversarial network.

Conventional password guessing uses lists of words numbering in the billions taken from previous breaches. Popular password-cracking applications like Hashcat and John the Ripper then apply “mangling rules” to these lists to enable variations on the fly.

When a word such as “password” appears in a word list, for instance, the mangling rules transform it into variations like “Password” or “P@ssw0rd” even though those variations never appear directly in the word list. Examples of real-world passwords cracked using mangling include: “Coneyisland9/,” “momof3g8kids,” “Oscar+emmy2,” “k1araj0hns0n,” “Sh1a-labe0uf,” “Apr!l221973,” “Qbesancon321,” “DG091101%,” “@Yourmom69,” “ilovetofunot,” “windermere2313,” “tmdmmj17,” and “BandGeek2014.” While these passwords may appear to be sufficiently long and complex, mangling rules make them extremely easy to guess.

These rules and lists run on clusters of hardware that specializes in parallel computing, meaning they can perform repetitive tasks like cranking out large numbers of password guesses much faster than CPUs can. When poorly suited (that is, fast and unsalted) hashing algorithms are used, these cracking rigs can transform a plaintext word such as “password” into a hash like “5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8” (its SHA-1 digest) billions of times each second.

Another technique that makes word lists much more powerful is known as a combinator attack. As its name suggests, this attack combines two or more words in the list. In a 2013 exercise, password-cracking expert Jens Steube was able to recover the password “momof3g8kids” because he already had “momof3g” and “8kids” in his lists.

Password cracking also relies on a technique called brute force, which, despite its misuse as a generic term for cracking, is distinctly different from cracks that use words from a list. Rather, brute force cracking tries every possible combination for a password of a given length. For a password up to six characters, it starts by guessing “a” and runs through every possible string until it reaches “//////.”

The number of possible combinations for passwords of six or fewer characters is small enough to exhaust in seconds for the kinds of weaker hashing algorithms that Home Security Heroes seems to envision in its PassGAN writeup.
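The three techniques just described (mangling rules, the combinator attack, and brute force over a fixed character set) can be demonstrated with a short script. The following is an added example, not code from the article or from Hashcat or John the Ripper; the word list, the handful of rules, the suffixes, and the 10-billion-guesses-per-second rate are all constructed for illustration. It is written from the defender's side: `guessable()` is the kind of check a registration form can run to reject a password that looks complex but is one rule away from a list entry, `keyspace()` shows why a six-character password is exhausted quickly against a fast hash, and `fast_hash()` reproduces the SHA-1 digest quoted above.

```python
import hashlib
import string

# Constructed sample word list; real cracking runs draw on breach-derived
# lists with billions of entries, as the article describes.
WORDLIST = ["password", "momof3g", "8kids", "coneyisland", "bandgeek"]

# A handful of mangling rules in the style of Hashcat/John rule files:
# leetspeak substitutions and common suffixes applied on the fly (constructed).
LEET = str.maketrans({"a": "@", "o": "0", "i": "1", "e": "3"})
SUFFIXES = ("", "1", "123", "!", "2014", "9/")
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95 chars


def mangle(word):
    """All variants the rules above derive from one base word."""
    bases = {word, word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    return {b + s for b in bases for s in SUFFIXES}


def combinator(words):
    """Combinator attack: join every ordered pair of distinct list words."""
    return {a + b for a in words for b in words if a != b}


def guessable(candidate, words=WORDLIST):
    """Defender-side audit: report how `candidate` is reachable from the list, or None.

    A registration form can reject any password that comes back non-None,
    however long or symbol-laden it looks.
    """
    for w in words:
        if candidate in mangle(w):
            return f"mangle({w!r})"
    for pair in sorted(combinator(words)):
        if candidate in mangle(pair):
            return f"combinator({pair!r})"
    return None


def keyspace(max_len, alphabet=PRINTABLE):
    """Number of strings of length 1..max_len that a brute-force run must try."""
    n = len(alphabet)
    return sum(n ** k for k in range(1, max_len + 1))


def seconds_to_exhaust(max_len, guesses_per_second):
    """Worst-case time to exhaust the keyspace at a given hashing rate."""
    return keyspace(max_len) / guesses_per_second


def fast_hash(word):
    """SHA-1: one of the fast, unsalted hashes a rig can compute billions of times a second."""
    return hashlib.sha1(word.encode()).hexdigest()


if __name__ == "__main__":
    for pw in ("Coneyisland9/", "momof3g8kids", "P@ssw0rd"):
        print(f"{pw:15} -> {guessable(pw)}")
    rate = 10**10  # constructed figure: 10 billion SHA-1 guesses per second
    print(f"<=6 printable chars: {keyspace(6):,} candidates, "
          f"{seconds_to_exhaust(6, rate):.0f} s to exhaust at {rate:,}/s")
    print("sha1('password') =", fast_hash("password"))
```

The audit is only as good as its word list and rule set; a production check would use a large breach-derived list and the real rule files rather than the five words above. The keyspace figure is what makes the "under six minutes" headline unremarkable: roughly 7.4e11 candidates for six printable characters is minutes of work against SHA-1, and no neural network is needed to get there.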

Users fume after My Cloud network breach locks them out of their data

Users of the Western Digital My Cloud service are fuming after a network breach has locked them out of their data for more than 24 hours and has put company-handled information into the hands of currently unknown hackers.

The inability to access data stored in My Cloud was reported on social media by multiple users, including this one, who indicated the outage started sometime on Saturday. Since then, the number of users (and their anxiety levels) have only ratcheted up.

Sounds like ransomware

By early morning California time on Monday, Western Digital issued a release saying that a week ago Sunday the company learned that an “unauthorized third party gained access to a number of the Company’s systems.” The release added: “Based on the investigation to date, the Company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data.”

The status page for My Cloud was updated on Sunday to show that services including My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS5, SanDisk ibi, and SanDisk Ixpand Wireless Charger are completely down. The page provided no estimate on when service may be restored. The outage means that users cannot access any data they stored in My Cloud. The outage also extends to the ability to use proxy, web, authentication, email, and push notifications.

There are currently no details available about the unauthorized access of Western Digital’s network and the theft of its data. Brett Callow, a ransomware expert at security firm Emsisoft, said: “It’s impossible to say for sure, but it sounds like Western Digital may have a #ransomware incident.” That raises the possibility that data stored in My Cloud or code needed for customers to access it has fallen into the hands of criminal hackers.

Locked out

Many users took to social media to report that the outage locked them out of data they needed to perform work tasks. “The login service for WD My Cloud Home is unavailable,” one user wrote on Sunday. “Thank you @westerndigital for not letting me access my data that I have in the living room.” On Monday morning, another user wrote: “@westerndigital When are you gonna fix the 503 error? I need to access the information 🥲 Since Saturday i cannot enter in the cloud.”

While Western Digital provides customers with a storage device that stores data locally, the accompanying My Cloud service allows them to back it up to an off-premises server and to access the contents remotely over the Internet. According to posts like this one on Western Digital’s customer support pages, users by default must authenticate through the cloud service even to enable local network access to My Cloud data. With that service delivering a 503 error, many users are effectively locked out.

Western Digital representatives didn’t respond to an email asking what the current status of the outage is and what, if any, steps users can take to regain access to their data while it continues.

Western Digital is warning that the incident “has caused and may continue to cause disruption to parts of the Company’s business operations.” The company also said it is “implementing proactive measures” and is working to restore affected infrastructure and services. The company added that it retained an unnamed security firm to investigate and is also coordinating with law enforcement.

Android app from China executed 0-day exploit on millions of devices


Android apps digitally signed by China’s third-biggest e-commerce company exploited a zero-day vulnerability that allowed them to surreptitiously take control of millions of end-user devices to steal personal data and install malicious apps, researchers from security firm Lookout have confirmed.

The malicious versions of the Pinduoduo app were available in third-party markets, which users in China and elsewhere rely on because the official Google Play market is off-limits or not easy to access. No malicious versions were found in Play or Apple’s App Store. Last Monday, TechCrunch reported that Pinduoduo was pulled from Play after Google discovered a malicious version of the app available elsewhere. TechCrunch reported the malicious apps available in third-party markets exploited several zero-days, vulnerabilities that are known or exploited before a vendor has a patch available.

Sophisticated attack

A preliminary analysis by Lookout found that at least two off-Play versions of Pinduoduo for Android exploited CVE-2023-20963, the tracking number for an Android vulnerability Google patched in updates that became available to end users two weeks ago. This privilege-escalation flaw, which was exploited prior to Google’s disclosure, allowed the app to perform operations with elevated privileges. The app used these privileges to download code from a developer-designated site and run it within a privileged environment.

The malicious apps represent “a very sophisticated attack for an app-based malware,” Christoph Hebeisen, one of three Lookout researchers who analyzed the file, wrote in an email. “In recent years, exploits have not usually been seen in the context of mass-distributed apps. Given the extremely intrusive nature of such sophisticated app-based malware, this is an important threat mobile users need to protect against.”

Hebeisen was assisted by Lookout researchers Eugene Kolodenker and Paul Shunk. The researcher added that Lookout’s analysis was expedited and that a more thorough review will likely find more exploits in the app.

Pinduoduo is an e-commerce app for connecting buyers and sellers. It recently was reported to have 751.3 million average monthly active users. While still smaller than Chinese rivals such as Alibaba, PDD Holdings, Pinduoduo’s publicly traded parent company, has become the fastest-growing e-commerce firm in that country.

After Google removed Pinduoduo from Play, PDD Holdings representatives denied the claims any of its app versions were malicious.

“We strongly reject the speculation and accusation that the Pinduoduo app is malicious from an anonymous researcher,” they wrote in an email. “Google Play informed us on March 21 morning that Pinduoduo APP, among several other apps, was temporarily suspended as the current version is not compliant with Google’s Policy, but has not shared more details. We are communicating with Google for more information.”

The company representatives didn’t respond to emails that asked follow-up questions and disclosed the results of Lookout’s forensic analysis.

Suspicions about the Pinduoduo app first surfaced last month in a post (English translation here) from a research service calling itself Dark Navy.

The English translation said that “well-known Internet manufacturers will continue to dig out new Android OEM-related vulnerabilities and implement vulnerability attacks on mainstream mobile phone systems in the current market in their publicly released apps.” The post didn’t name the company or the app, but it did say the app used a “bundle feng shui-Android parcel serialization and deserialization [exploit] that seems unknown in recent years.” The post included several code snippets found in the allegedly malicious app. One of those strings is “LuciferStrategy.”

Hackers drain bitcoin ATMs of $1.5 million by exploiting 0-day bug

A BATM sold by General Bytes.

Hackers drained millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that can’t be reversed, the kiosk manufacturer has revealed.

The heist targeted ATMs sold by General Bytes, a company with multiple locations throughout the world. These BATMs, short for bitcoin ATMs, can be set up in convenience stores and other businesses to allow people to exchange bitcoin for other currencies and vice versa. Customers connect the BATMs to a crypto application server (CAS) that they can manage or, until now, that General Bytes could manage for them. For reasons that aren’t entirely clear, the BATMs offer an option that allows customers to upload videos from the terminal to the CAS using a mechanism known as the master server interface.

Going, going, gone

Over the weekend, General Bytes revealed that more than $1.5 million worth of bitcoin had been drained from CASes operated by the company and by customers. To pull off the heist, an unknown threat actor exploited a previously unknown vulnerability that allowed it to use this interface to upload and execute a malicious Java application. The actor then drained various hot wallets of about 56 BTC, worth roughly $1.5 million. General Bytes patched the vulnerability 15 hours after learning of it, but due to the way cryptocurrencies work, the losses were unrecoverable.

General Bytes officials wrote:

The night of 17-18 March was the most challenging time for us and some of our clients. The entire team has been working around the clock to collect all data regarding the security breach and is continuously working to resolve all cases to help clients back online and continue to operate their ATMs as soon as possible. We apologize for what happened and will review all our security procedures and are currently doing everything we can to keep our affected customers afloat.

The post said the flow of the attack was:

1. The attacker identified a security vulnerability in the master service interface the BATMs use to upload videos to the CAS.

2. The attacker scanned the IP address space managed by cloud host DigitalOcean to identify running CAS services on port 7741, including the General Bytes Cloud service and other BATM operators running their servers on DigitalOcean.

3. Exploiting the vulnerability, the attacker uploaded the Java application directly to the application server used by the admin interface. The application server was, by default, configured to start applications in its deployment folder.

Once the malicious application executed on a server, the threat actor was able to (1) access the database, (2) read and decrypt encoded API keys needed to access funds in hot wallets and exchanges, (3) transfer funds from hot wallets to a wallet controlled by the threat actor, (4) download user names and password hashes and turn off 2FA, and (5) access terminal event logs and scan for instances where customers scanned private keys at the ATM. The sensitive data in step 5 had been logged by older versions of ATM software.
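Step 3 of the chain above turns on a single default: the application server started whatever landed in its deployment folder. The primary fix is to turn that auto-deployment off; a compensating detective control is to keep an approved baseline of the folder and alert on any deployable archive that appears or changes. The following is an added example of that check, not General Bytes code; the `.war`/`.jar`/`.ear` extensions, the file names and the placeholder bytes are constructed, and the temporary directory stands in for a real server's deployment path.

```python
import hashlib
import os
import tempfile

# Extensions that application servers commonly auto-deploy from their
# deployment folder (constructed list for the example).
DEPLOYABLE = (".war", ".jar", ".ear")


def snapshot(deploy_dir):
    """Map each file under deploy_dir (relative path) to its SHA-256 digest."""
    digests = {}
    for root, _dirs, files in os.walk(deploy_dir):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, deploy_dir)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def unexpected_deployments(baseline, current):
    """Deployable artifacts that appeared or changed since the approved baseline."""
    return sorted(
        path
        for path, digest in current.items()
        if path.endswith(DEPLOYABLE) and baseline.get(path) != digest
    )


def demo():
    """Constructed walkthrough: one approved app in the baseline, then a new archive appears."""
    with tempfile.TemporaryDirectory() as deploy_dir:
        with open(os.path.join(deploy_dir, "cas.war"), "wb") as fh:
            fh.write(b"approved application (constructed placeholder bytes)")
        baseline = snapshot(deploy_dir)  # taken after the approved deployment
        with open(os.path.join(deploy_dir, "upload.war"), "wb") as fh:
            fh.write(b"unreviewed archive (constructed placeholder bytes)")
        return unexpected_deployments(baseline, snapshot(deploy_dir))


if __name__ == "__main__":
    print("unexpected deployable artifacts:", demo())
```

In practice the baseline is regenerated as part of each approved release and the comparison runs on a schedule or from a file-system watcher; an alert here would have fired at the moment the attacker's Java application was written, before it did anything with the database or the hot wallets.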

BATM customers on their own now

Going forward, this weekend’s post said, General Bytes will no longer manage CASes on behalf of customers. That means terminal holders will have to manage the servers themselves. The company is also in the process of collecting data from customers to validate all losses related to the hack, performing an internal investigation, and cooperating with authorities in an attempt to identify the threat actor.

General Bytes said the company has received “multiple security audits since 2021,” and that none of them detected the vulnerability exploited. The company is now in the process of seeking further help in securing its BATMs.

The incident underscores the risk of storing cryptocurrencies in Internet-accessible wallets, commonly called hot wallets. Over the years, hot wallets have been illegally drained of untold amounts of digital coin by attackers who exploit various vulnerabilities in cryptocurrency infrastructures or by tricking wallet holders into providing the encryption keys required to make withdrawals.

Security practitioners have long advised people to store funds in cold wallets, meaning they’re not directly accessible to the Internet. Unfortunately, BATMs and other types of cryptocurrency ATMs generally can’t follow this best practice because the terminals must be connected to hot wallets so that they can make transactions in real time. That means BATMs are likely to remain a prime target for hackers.

~11,000 sites have been infected with malware that’s good at avoiding detection

Nearly 11,000 websites in recent months have been infected with a backdoor that redirects visitors to sites that rack up fraudulent views of ads provided by Google Adsense, researchers said.

All 10,890 infected sites, found by security firm Sucuri, run the WordPress content management system and have an obfuscated PHP script that has been injected into legitimate files powering the websites. Such files include “index.php,” “wp-signup.php,” “wp-activate.php,” “wp-cron.php,” and many more. Some infected sites also inject obfuscated code into wp-blog-header.php and other files. The additional injected code works as a backdoor that’s designed to ensure the malware will survive disinfection attempts by loading itself in files that run whenever the targeted server is restarted.

“These backdoors download additional shells and a Leaf PHP mailer script from a remote domain filestack[.]live and place them in files with random names in wp-includes, wp-admin and wp-content directories,” Sucuri researcher Ben Martin wrote. “Since the additional malware injection is lodged within the wp-blog-header.php file it will execute whenever the website is loaded and reinfect the website. This ensures that the environment remains infected until all traces of the malware are dealt with.”
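The injection pattern described above (an `eval`'d base64 blob placed into core WordPress files such as wp-blog-header.php, whose decoded payload reaches out to a remote domain) can be triaged with a small scanner. The following is an added example, not Sucuri's tooling or code from the article: the clean sample mirrors what a stock wp-blog-header.php contains, the infected sample prepends an inert constructed stand-in for the injected loader (it only assigns a string), and the indicator list is drawn from the behaviour and domain the article names.

```python
import base64
import re

# Indicators drawn from the campaign described above: PHP calls the injected
# script relies on to hide and persist, and the domain Sucuri named.
SUSPICIOUS_CALLS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(", "file_put_contents(")
KNOWN_DOMAINS = ("filestack.live",)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")

# Constructed samples. CLEAN_HEADER mirrors a stock wp-blog-header.php;
# INFECTED_HEADER has an inert stand-in for the loader prepended, base64-encoded
# the way the real injection is.
CLEAN_HEADER = """<?php
if ( ! isset( $wp_did_header ) ) {
    $wp_did_header = true;
    require_once __DIR__ . '/wp-load.php';
    wp();
    require_once ABSPATH . WPINC . '/template-loader.php';
}
"""
_STAND_IN = b"<?php $remote = 'https://filestack.live/'; /* constructed inert placeholder */"
INFECTED_HEADER = (
    "<?php @eval(base64_decode('" + base64.b64encode(_STAND_IN).decode() + "')); ?>\n"
    + CLEAN_HEADER
)


def decode_blobs(source):
    """Decode every long base64 run in the file so its contents can be inspected."""
    decoded = []
    for match in BASE64_BLOB.finditer(source):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # not valid base64 after all (e.g. bad padding)
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def scan_php(path, source):
    """Return triage findings for one PHP file; an empty list means nothing was flagged."""
    findings = []
    for call in SUSPICIOUS_CALLS:
        if call in source:
            findings.append(f"{path}: calls {call}")
    for blob in decode_blobs(source):
        if "<?php" in blob or "eval(" in blob:
            findings.append(f"{path}: base64 blob decodes to PHP code")
        for domain in KNOWN_DOMAINS:
            if domain in blob:
                findings.append(f"{path}: decoded blob references {domain}")
    return findings


def scan_samples():
    """Run the scanner over both constructed samples."""
    return {
        "clean": scan_php("wp-blog-header.php", CLEAN_HEADER),
        "infected": scan_php("wp-blog-header.php", INFECTED_HEADER),
    }


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(f"{label}: {len(findings)} finding(s)")
        for line in findings:
            print("  " + line)
```

Indicator matching of this kind is for triage only; some legitimate plugins call `base64_decode`. The authoritative check for core files is a comparison against the checksums of the pristine WordPress release, and the article's point about wp-blog-header.php is why a cleanup that removes the redirect script but leaves that file untouched gets reinfected on the next page load.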

Sneaky and determined

The malware takes pains to hide its presence from operators. When a visitor is logged in as an administrator or has visited an infected site within the past two or six hours, the redirections are suspended. As noted earlier, the malicious code is also obfuscated, using Base64 encoding.

Once the code is converted to plaintext, it appears this way:

The same code when decoded.

Similarly, the code that backdoors the site by ensuring it is reinfected looks like this when obfuscated:

Backdoor PHP code when encoded with base64.

When decoded, it looks like this:

The PHP backdoor when decoded.

The mass website infection has been ongoing since at least September. In a post published in November that first alerted people to the campaign, Martin warned:

“At this point, we haven’t noticed malicious behavior on these landing pages. However, at any given time site operators may arbitrarily add malware or start redirecting traffic to other third-party websites.”

For now, the entire objective of the campaign appears to be generating organic-looking traffic to websites that contain Google Adsense ads. Adsense accounts engaging in the scam include:

en[.]rawafedpor[.]com ca-pub-8594790428066018
plus[.]cr-halal[.]com ca-pub-3135644639015474
eq[.]yomeat[.]com ca-pub-4083281510971702
news[.]istisharaat[.]com ca-pub-6439952037681188
en[.]firstgooal[.]com ca-pub-5119020707824427
ust[.]aly2um[.]com ca-pub-8128055623790566
btc[.]latest-articles[.]com ca-pub-4205231472305856
ask[.]elbwaba[.]com ca-pub-1124263613222640

To make the visits evade detection from network security tools and to appear to be organic—meaning coming from real people voluntarily viewing the pages—the redirections occur through Google and Bing searches:

Page source showing the redirection is occurring through Google search.

The final destinations are mostly Q&A sites that discuss Bitcoin or other cryptocurrencies. Once a redirected browser visits one of the sites, the crooks have succeeded. Martin explained:

Essentially, website owners place Google-sanctioned advertisements on their websites and get paid for the number of views and clicks that they get. It doesn’t matter where those views or clicks come from, just so long as it gives the impression to those that are paying to have their ads seen that they are, in fact, being seen.

Of course, the low-quality nature of the websites associated with this infection would generate basically zero organic traffic, so the only way that they are able to pump traffic is through malicious means.

In other words: Unwanted redirects via fake short URL to fake Q&A sites result in inflated ad views/clicks and therefore inflated revenue for whoever is behind this campaign. It is one very large and ongoing campaign of organized advertising revenue fraud.

According to Google AdSense documentation, this behavior is not acceptable and publishers must not place Google-served ads on pages that violate the Spam policies for Google web search.

Google representatives didn’t respond to an email asking if the company has plans to remove the Adsense accounts Martin identified or find other means to crack down on the scam.

It’s not clear how sites are becoming infected in the first place. In general, the most common method for infecting WordPress sites is exploiting vulnerable plugins running on a site. Martin said Sucuri hasn’t identified any buggy plugins running on the infected sites but also noted that exploit kits exist that streamline the ability to find various vulnerabilities that may exist on a site.

The Sucuri posts provide steps website admins can follow to detect and remove infections. End users who find themselves redirected to one of these scam sites should close the tab and not click on any of the content.