THE TIBERIUM BLOG - recent events, threats, and all things cyber

Had a CIT0 Day?

This is a story that doesn’t appear to be going anywhere soon, is very intriguing and most importantly seems to be the work of cat stroking, possibly Eastern European or Russian master criminals (mwahahaha), so we thought we would try our best to explain it. Here goes…

First a bit of the history. Way back in the midsts of time, November the 4th 2020, Catalin Cimpanu announced that ’23,600 hacked databases have leaked from a defunct “data breach” index site in an article on ZDNet. The leak was an archaic of the cit0day.in site which was allegedly shut down by The Feds in September.

cit0day.in was essentially the same as LeakedSource and WeLeakInfo which were taken down earlier, collecting breach details from leaked databases, aggregating them and selling them as a service to parties third for further exploitation. Something we always advise is that it would be very foolish to underestimate the organisation, professionalism and determination of the cybercriminal community when you have a look ‘under the hood’ it really is something else.

It subsequently transpired that the takedown of cit0day.in was itself a fraud and the FBI/DoJ seizure notice it pointed to was added by the crooks themselves for reasons only known to them. Certainly, nobody was charged or arrested, which usually accompanies takedowns.

Eagle-eyed and cynical, well probably everyone reading this will no doubt be thinking: ‘aha, there may be a link between these breach sites, perhaps they are run by the same person, and something is going on in the background that we do not know about’. We think you may be right. The data may be on its last legs and what we are seeing is showing the authorities the two fingers.

This thinking is supported by non-other than Troy (may his name be praised) Hunt, who as we all know runs HaveIBeenPwned (HIBP), who in a blog on 19 November after the dataset was released on multiple platforms including MEGA (it has subsequently been re-released and is not going away, hence this piece), pondered what to do with the data: ‘The hard bit for me is figuring out whether it’s pwn-worthy enough to justify loading it into Have I Been Pwned (HIBP) or if it’s just more noise that ultimately doesn’t help people make informed decisions about their security posture’. It really comes to something when Thirteen Beeelion records (for that is how many there are) aren’t juicy enough to make it to the Sacred HIBP.

So Troy went to town on the data concluding that a lot of the data were not in his archive or others (41 Meelion new passwords), concluding that providers of password breach services should load them into their services. His, very interesting, walkthrough and analysis is here.

There are several ways that you can check if your User’s passwords are included in the breach. You could always download the dataset yourself, that may be risky in terms of your GDPR requirements of yo9ur customers and staff, or you could use a service such as HIBP to check.

We would advise that checks of these datasets for breached credentials of your users (and family and friends) are part of your security procedures. The checking sites have API access, so it is not that tricky to script it up.

As it happens, we at Tiberium have, err seen the data; and can discuss this as well as show how to check your users, customers, and potential customers, should you wish.

If you think you are having a Cit0 Day, spare a thought for the folks at Sophos who have disclosed that a system for holding the data of callers to its Tech Support desk have been breached. Being very much underplayed by Sophos, this has caused red faces all around, and no doubt heads have rolled or are about to. Proving that things could be worse; It could be raining

Share on: