
Automatic Hacking Machine Uses Millions Of Stolen Passwords To Attack
Don't say you weren't warned. The threat from infostealer malware has been made pretty clear as billions of passwords are reported compromised, 85 million of the newest being used in ongoing attacks, and even two-factor authentication in isolation might not be enough to save you as hackers use session cookies to bypass 2FA code protections. That threat has just been amplified by a report revealing how an automatic hacking machine called Atlantis AIO is using millions of stolen passwords to gain access to email, VPN, streaming services and even food delivery accounts.
Credential stuffing is not new; let's make that clear right from the start. However, it is a very dangerous attack methodology and is becoming increasingly so. Attackers are always looking to develop new tools that can help them carry out their attacks, as I reported March 15 after leaked Black Basta ransomware group internal chat logs revealed how it was using an automated brute-force attack framework. As both brute-force and credential stuffing terms suggest, these attacks essentially hammer an account with as many usernames and password combinations as possible in the hope that one will be correct and gain entry. OK, so that's the simplified explanation, but by using lists of stolen or compromised credentials readily available from dark web marketplaces and in various criminal forums, it's possible for hackers to access other accounts that share the same passwords.
A March 25 threat intelligence report from Abnormal Security has sounded the alarm about an automatic hacking machine, known as Atlantis AIO, that can take these millions of stolen passwords and use them in just such credential stuffing attacks.
'Atlantis AIO has emerged as a powerful weapon in the cybercriminal arsenal,' Abnormal Security analysts said, 'enabling attackers to test millions of stolen credentials in rapid succession.' Where Atlantis excels, however, is in providing pre-configured modules to automate the targeting of specific services, from email providers such as Hotmail, Yahoo, AOL, GMX, and Web.de, to streaming services, VPNs, financial institutions, and even food delivery services. In fact, the report revealed the Atlantis AIO hacking machine can be aimed at more than 140 different platforms.
'By offering pre-configured modules for targeting a range of platforms and cloud-based services,' the threat intel report warned, 'it allows cybercriminals to launch credential stuffing attacks at scale with minimal effort.' The secret to the success of this automatic hacking machine is its modular approach. This can be demonstrated across three areas.
The use of a password manager to ensure unique and strong passwords for every account, along with two-factor authentication for all your accounts, can help mitigate this kind of attack. Not sharing passwords between accounts is the most pertinent advice; follow it.
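For defenders, credential stuffing as described above looks different in login logs from a brute-force attack: many distinct usernames fail once or twice each from one source, rather than one account being hammered. The following is an added example, not code from the article or the Abnormal Security report; the log format, thresholds, per-source-IP grouping and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, username, result. All values are made up.
SAMPLE_LOG = """\
2025-03-25T10:00:01 203.0.113.7 alice FAIL
2025-03-25T10:00:02 203.0.113.7 bob FAIL
2025-03-25T10:00:03 203.0.113.7 carol OK
2025-03-25T10:00:04 203.0.113.7 dave FAIL
2025-03-25T10:00:05 203.0.113.7 erin FAIL
2025-03-25T10:00:06 203.0.113.7 frank FAIL
2025-03-25T10:05:00 198.51.100.9 admin FAIL
2025-03-25T10:05:01 198.51.100.9 admin FAIL
2025-03-25T10:05:02 198.51.100.9 admin FAIL
2025-03-25T10:05:03 198.51.100.9 admin FAIL
2025-03-25T10:05:04 198.51.100.9 admin FAIL
2025-03-25T10:05:05 198.51.100.9 admin FAIL
2025-03-25T11:00:00 192.0.2.44 grace FAIL
2025-03-25T11:00:20 192.0.2.44 grace OK
"""

WINDOW = timedelta(seconds=60)  # assumed burst window
MIN_FAILURES = 5                # assumed threshold; tune to your own traffic
MIN_USERS = 5                   # distinct failed usernames that indicate stuffing


def parse(log_text):
    """Return sorted (timestamp, ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3]))
    return sorted(events)


def classify_sources(events):
    """Per source IP, find the window with the most failures and classify it."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start, best, best_fails = 0, None, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most WINDOW.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            fails = sum(1 for e in window if e[3] == "FAIL")
            if fails >= MIN_FAILURES and fails > best_fails:
                best, best_fails = window, fails
        if best is None:
            continue  # e.g. a user who mistyped a password once
        failed_users = {e[2] for e in best if e[3] == "FAIL"}
        kind = "credential_stuffing" if len(failed_users) >= MIN_USERS else "brute_force"
        findings[ip] = {
            "kind": kind,
            "failures": best_fails,
            "distinct_users": len(failed_users),
            # A success inside the burst suggests a reused password that worked.
            "accounts_to_reset": sorted({e[2] for e in best if e[3] == "OK"}),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

The `accounts_to_reset` list is the actionable part: a login that succeeds in the middle of a stuffing burst is the account whose password should be reset and whose sessions should be revoked.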
