[BreachExchange] Dark Web Roundup: November 2020

[Destry Winant]

https://www.riskbasedsecurity.com/2020/12/07/dark-web-roundup-november-2020/

Malicious threat actors never stop, but neither do we. Risk Based
Security’s Cyber Risk Analytics research team is dedicated to
gathering the latest in data breach intelligence. Here is our round up
of November 2020.

Month of November, 2020

Leaked Databases

HOMECHEF

A database belonging to Home Chef consisting of 8,717,762 customers’
personal and financial details, as well as encrypted passwords, was
leaked on a prominent dark web hacking forum on November 10th, 2020.
The data was offered for sale in July as part of a long list of stolen
databases compromised by the threat actor ShinyHunters.

The decision by ShinyHunters to share the data inherently increases
its availability to other threat actors looking to abuse or profit off
the stolen data. While a majority of the customer accounts are linked
to personal email addresses, with 4.2 million and 1.6 million Gmail
and Yahoo accounts affected respectively, RBS researchers have also
found 148,800 edu related domains, 6,410 government and 6,120 military
affiliated email addresses.

This underscores the widespread threat a data breach can have, even
from a seemingly innocuous source.

CIT0DAY

A collection of over 20,000 hacked databases was shared in October and
continued to be highly circulated in November on several prominent
Russian and English speaking dark web hacking forums. The data
collection stems from a defunct leaked database service that provided
customers with compromised information.

While not as sizable as the well-known Collections 1 – 5, this
collection still holds value by organizing a large number of leaked
credentials in an easy to use resource for hackers. Cit0Day was
designed by a Russian speaking threat actor, who RBS researchers
observed was banned from a prominent Russians speaking forum not long
before the data collection was leaked by a different individual.

SECTOR SPOTLIGHT

The healthcare industry and related services continue to be prime
targets for hackers, and not only for ransomware operations. The
nature of the data that health organizations amass can be highly
valuable for threat actors seeking to sell data. For example, a
database belonging to a large healthcare related app appeared for sale
on November 16th, 2020.

This allegedly includes 247,000 user accounts including email
addresses and encrypted passwords as well as 245,000 healthcare
professional records with names, addresses, birth dates, and more. RBS
researchers have obtained a sample of the database and have reason to
believe the data is valid.

Ransomware Updates

MAZE CONCLUDES

The threat actors behind Maze ransomware, arguably the most notorious
ransomware of recent times, have announced they are ceasing
operations. A “press release” was posted on November 1st, 2020 to the
Maze website which was used to share compromised databases, provide
updates, or pressure organizations into making payments.

It is unclear why the threat actors decided to end their campaign,
however they vowed to return and their website continues to be
operational, signaling a potential comeback.

“We will be back to you when the world will be transformed. We will
return to show you again the errors and mistakes and to get you out of
the Maze.”

Maze Ransomware Website

RANZY RETURNS

Ranzy ransomware, formerly known as ThunderX ransomware, returned last
month with a new website dedicated to sharing compromised data. Since
resurfacing, only one organization’s data has been leaked, with two
other organizations marked as having private data coming soon.

However, despite the limited data published so far they should be
considered an active threat given the addition of a data leak site to
their operation. Also of note, it appears Ranzy ransomware operators
are targeting organizations outside of the U.S.

PAY2KEY

A new ransomware labeled “Pay2Key” has recently emerged in what
appears to be a never before seen variant. A new website dedicated to
sharing compromised information was launched by the ransomware threat
actors and populated with databases beginning November 8th, 2020.
Three organizations are currently listed on the website with their
respective data, all of which are based in Israel.

Threat Actor Updates

A RECURRING THREAT

ShinyHunters, the infamous threat actor behind several of 2019’s
biggest hacks, has resurfaced on a prominent dark web hacking forum.
The threat actor has been sharing valuable databases, including Minted
with 4.4 million records, Animal Jam with 45 million accounts, and the
offer to sell additional databases to serious buyers.

Given ShinyHunters willingness to share sizable databases at no cost,
it does raise the question – what other significant databases does
ShinyHunters possess given their willingness to freely share valuable
data in the past?

This latest installment of leaks can be considered ShinyHunters “Wave
3” of data breaches, after this summer’s wave 2 shocked many
cybersecurity researchers with its breadth and value. ShinyHunters has
not been actively sharing or selling data breaches since the summer.