Weak Windows passwords blamed for recent rise in Purple Fox attacks

Purple Fox is malware that was first discovered in 2018 but has seen a recent rise in proliferation as hackers take advantage of a new attack method: weak passwords used over the SMB protocol.

SMB (Server Message Block) is a protocol (mainly) used by Windows computers to communicate with other network devices like printers and file servers. Active Directory users on Windows computers utilize the SMB protocol with their Active Directory password.

Purple Fox first appeared in 2018 using phishing and exploit attack methods – both methods that required some sort of user interaction to initiate. The new SMB attack method is of concern to security professionals because it means that Purple Fox no longer requires user interaction to propagate.  

Source: https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/

The Specops research team has been collecting data on what the SMB attacks look like using a global honeypot system, including what passwords these attackers are using.

Top 20 Passwords in SMB Attacks

  1. 123
  2. Aa123456
  3. password
  4. 1qaz2wsx
  5. 12345678
  6. a123456
  7. password1
  8. abc123
  9. 111111111
  10. welcome
  11. 1234567890
  12. 111111
  13. 654321
  14. 123456789a
  15. princess
  16. 1q2w3e4r
  17. 888888
  18. dragon
  19. 112233
  20. iloveyou

The Specops team analyzed over 250,000 attacks on the SMB protocol over a period of 30 days. “Password” was found used in attacks over 640 times in that period.

“The data tells us that these passwords are weak and again the password is the weakest link in IT security,” said Thorbjörn Sjövold, Head of Research at Specops Software. “Your organization’s weak passwords are a payday waiting to happen for SMB password brute force attackers.”

IT departments can protect against this new attack method by securing their Active Directory passwords with a solution like Specops Password Policy. Specops Password Policy makes it easy for IT admins to enforce stronger passwords that match any complexity requirements, reward users for longer passwords with length-based password aging and prevent the use of known breached passwords with Breached Password Protection.

Find out how many of your organization’s passwords are weak and/or leaked with a free read-only scan by Specops Password Auditor.

(Last updated on September 15, 2023)

Back to Blog