[BreachExchange] Dark Web Roundup: June 2021

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jul 8 13:21:37 EDT 2021


https://www.riskbasedsecurity.com/2021/07/08/dark-web-roundup-june-2021/?utm_content=172376593&utm_medium=social&utm_source=twitter&hss_channel=tw-273118634

Malicious threat actors never stop, but neither do we. Risk Based
Security’s Cyber Risk Analytics research team is dedicated to gathering the
latest in data breach intelligence. Here is our round-up of June 2021.

Leaked Databases

EPA.GOV

In early June 2021, a file allegedly originating from the Environmental
Protection Agency (EPA) circulated on a dark web hacking forum. The
document contained 3.7 million records including contact types, names,
titles, business email addresses, business addresses, and business
telephone and fax numbers. The threat actor that originally shared the
database commented that it was a contact file owned by EPA.gov, and that
they have an additional 6 million records without email addresses that they
are privately holding.

Research into the data shows the information collected is derived from
organizations with environmentally impactful operations, or individuals
that would fit the EPA’s interest. However, much of the data appears to be
public information. The file was last updated in 2016, and could
potentially stem from the EPA’s key contact form. It is unclear how the
leaked document was obtained or if it is indicative of further malicious
activity. It is also unclear if the contact sheet was directly owned by the
EPA.

DODO PIZZA

On June 6th 2021, a database related to Dodo Pizza was shared on a popular
Russian-speaking hacking forum. The largest pizza chain in Russia, Dodo
Pizza is also one of Europe’s fast-growing franchises and is quickly
expanding globally. Large corporations are often targeted by hackers, and
this incident appears to be a deliberate attack. A Russian threat actor
recorded themselves collecting information on various franchises and
organizing the database into 584 records with pizzeria addresses, phone
numbers, names of managers, and links to the cameras in the restaurant
kitchens. The addition of video camera links in the database is an unusual
data point. While unlikely to be directly abused or exploited by hackers,
it is certainly an invasion of privacy. The links are operational and do
appear to show the kitchens of various Dodo locations. Home video
monitoring technology has occasionally been usurped by hackers, and now
they can watch your pizza be prepared as well.

DAILYQUIZ

Gaming-related data breaches have been some of the largest leaks of
personal data in recent history. Many gaming platforms or organizations
quickly attain a large following and collect data useful to malicious
hackers, and they don’t always have the best security protocols. While the
incident occurred in January 2021, the breached database from DailyQuiz.me
started circulating privately in the spring and then in a more public
manner in June 2021. Formerly known as ThisCrush, the DailyQuiz leak
contained 8,032,404 user records with IP addresses, usernames, email
addresses and plaintext passwords.

Passwords should never be stored in plaintext; they should be stored as
hashes produced by a dedicated password hashing algorithm. Once plaintext
passwords are compromised they can easily be abused. It is highly
recommended that DailyQuiz users change their passwords and secure any
other accounts that use the same password, as hackers often check whether
passwords are reused on more important sites such as banks or insurance
websites. As the leaked database circulated more heavily in June, it has
become easier to access, which means that attacks against users are
expected to increase.

ROCKYOU2021.TXT

A massive word list dubbed “the largest password compilation of all time”
was shared in dark web circles in June 2021. The file contains 8.4 billion
records, though it is compiled entirely of single words. While it has
garnered a good amount of media attention and concern, the text file is
simply a compilation from a few different sources including default
credentials, common passwords, and words used on Wikipedia. Hackers can use
word lists in dictionary attacks, or in attempts to recover passwords from
their hashed forms.

The name of the file is derived from RockYou.txt, which has long been a
popular password list among hackers. In 2009 a company named RockYou was
breached, and the plaintext passwords were turned into a list of real
passwords that has grown over the years. Common versions contain much more,
but a smaller version with 14 million entries comes pre-loaded on certain
Linux distributions that are popular with hackers.

While this new file does contain some passwords, it is largely a list of
words useful for dictionary attacks or password cracking. Its apparent
size may seem frightening, but the efficiency of password cracking is
ultimately determined by the threat actor’s configuration, the hashing
algorithm, and the complexity of the password.
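The two defender-side points above, plaintext storage (the DailyQuiz leak) and the use of a compiled wordlist (RockYou2021), can be shown together in one added example that is not part of the original roundup: a registration routine that rejects candidate passwords found in a wordlist and stores only a salted hash with a deliberately expensive work factor. The wordlist sample and all function names are constructed for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a few lines of a compiled wordlist such as
# RockYou2021.txt (hypothetical sample, not the real file).
WORDLIST_SAMPLE = """password
123456
qwerty
Wikipedia
admin
"""

# PBKDF2 work factor: a high iteration count is what makes each guess in a
# dictionary attack expensive; as the text notes, cracking cost is set by the
# hashing algorithm and its configuration, not by the size of the wordlist.
PBKDF2_ITERATIONS = 600_000

def load_wordlist(text: str) -> set:
    """Fold a wordlist to lowercase so screening is case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def is_blocked(password: str, wordlist: set) -> bool:
    """True when the candidate password appears in the compiled wordlist."""
    return password.lower() in wordlist

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest; a fresh random salt for each record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def register(password: str, wordlist: set) -> Optional[Tuple[bytes, bytes]]:
    """Reject wordlist entries; otherwise return the (salt, digest) to store.

    Only these two values are persisted, never the plaintext password, so a
    leaked table cannot be read off directly the way the DailyQuiz data was.
    """
    if is_blocked(password, wordlist):
        return None
    return hash_password(password)
```

Because every record gets its own salt, two users (or one user on two sites) choosing the same password produce different stored digests, so reuse cannot be spotted by comparing leaked tables and each entry must be attacked separately.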

US CUSTOMERS DATA COLLECTION

A massive file containing the personal data of many Americans circulated on
a Russian-speaking dark web hacking forum in late May and June 2021. The
file contains 153,986,518 records and is titled “USA Customers April 2021”.
It contains names, dates of birth, ages, addresses, phone numbers, and email
addresses in a neatly organized database. While the true source remains
unknown, and may potentially be a simple collection of publicly available
information, the database can still be abused by malicious threat actors.

For example, the leaked database could be used in combination with breached
databases and password files such as RockYou.txt to gain access into more
valuable accounts. These types of collections are also popular with threat
actors that conduct spam and phishing campaigns.

Ransomware Updates

DARKSIDE

The Colonial Pipeline ransomware hack that shocked the United States and
shut down a key component of infrastructure has had a unique twist of
events. The Justice Department recovered $2.3 million in bitcoin from the
hackers, which is believed to have been in transit to affiliates of the
ransomware operators. While this is only a portion of the $4.4 million
bitcoin ransom, it is a truly unique victory for law enforcement in a world
where ransomware payments are rarely seen again. Darkside, the
Russian-speaking ransomware group responsible for the attack, announced they
are ceasing operations after their servers and assets were seized. However,
this may be a cover-up by the spooked criminals after witnessing the
aftermath of their devastating hack.

AVADDON

The Avaddon ransomware team suddenly ceased operations in June 2021
following a prolific streak of hacks. In a unique end to a rising threat,
decryption keys for 2,934 victims were anonymously sent to a journalist,
potentially directly from the threat actors. The number of decryption keys
was much higher than the number of reported victims, likely signaling how
many organizations do not publicly disclose their breaches. Ransomware
campaigns begin and end quite often, though there is no clear reason that
Avaddon ended operations after a seemingly successful year.

Threat Actor Updates

NOTORIOUS BULGARIAN HACKER

As discussed in the previous edition of the dark web roundup, the
increasingly infamous hacker “Emil Kyulev” has found a new target. On June
13th, 2021 the hacker shared a database from Daxy.com, a large corporate
intelligence provider. The incident occurred on May 10th, 2021, and included 137,053
records of usernames, names, email addresses and passwords. The leak
occurred following a failed ransom of about 20,000 BGN or $12,000 USD. The
threat actor also claims that the organization has violated GDPR
regulations by trying to keep the breach a secret. The threat actor has
consistently posted breached databases from organizations following failed
ransoms. It is unclear how many breached companies decided to pay the
ransom and keep quiet.

POLITICS AND HACKING

A threat actor appears to be purposely leaking information from large
Mexican companies in attempts to generate publicity. The first shared leak
stemmed from PEMEX, one of Mexico’s largest petroleum companies, and
included an explicit message against the Mexican government. The threat
actor continued to share leaks on a dark web hacking forum from other large
Mexican companies such as Grupo Nacional Provincial and Vitro, and has
recently begun sharing data from other Latin American countries such as
Colombia and Costa Rica. The data appears to be recycled from previous
incidents and contains no new information. This certainly demonstrates how
threat actors can use data breaches to further their politics or leverage
politics to gain media attention.