[BreachExchange] Dark Web Roundup: May 2021

[Sophia Kingsbury]

https://www.riskbasedsecurity.com/2021/06/14/dark-web-roundup-may-2021/

Malicious threat actors never stop, but neither do we. Risk Based
Security’s Cyber Risk Analytics research team is dedicated to gathering the
latest in data breach intelligence. Here is our round-up of May 2021.

Leaked Databases

PARKMOBILE

In early May a stolen database from ParkMobile started making rounds in
hacker circles. The popular parking application’s data was posted on a
notorious dark web hacking forum after threat actors attempted to sell the
compromised information.

The leaked database contained 21,000,000 customer names, email addresses,
phone numbers, license plate numbers, and bcrypt hashed passwords. The
incident allegedly occurred in March 2021 with ParkMobile announcing the
breach on March 26th, claiming it was “linked to a vulnerability in a
third-party software that we use.” Coming off the heels of the Accellion
and SolarWinds breaches, this serves as yet another example of the
importance of implementing robust supplier risk management processes when
using third-party applications.

WED ME GOOD

On May 4th, 2021 a compromised database from a popular Indian wedding
platform was posted to a dark web hacking forum. It was shared and
seemingly compromised by ShinyHunters, a prolific hacker that Risk Based
Security has covered extensively. The 44.6 GB database was a trove of
leaked data and was shared in an entirely unrestricted manner. It contained
1,341,011 unique email addresses with hashed passwords and salts. In
addition, it also contained a varying amount of users’ names, genders,
phone numbers, usernames, city locations, Facebook IDs, vacation
descriptions, and booking leads.

MONEYCONTROL

In the beginning of May, another database stolen from an Indian company was
shared repeatedly on the dark web. The database belonged to the finance
related website MoneyControl.com and contained detailed user information.
This included 773,811 user records containing:


   - Pin codes
   - Phone numbers
   - Dates of birth
   - Addresses
   - Genders
   - Email addresses
   - Plaintext passwords


The mix of user credentials, personally identifiable information, and pin
codes leaves exposed users at a very high risk. Threat actors may attempt
financial fraud, spear phishing, spam, or extortion campaigns with the
detailed data. Making matters worse is that recommended best practices for
storing passwords were not implemented. Passwords were stored in plaintext
and not in an encrypted method.

DUCKS UNLIMITED

An unusual database was shared May 13th, 2021 on a hacker forum that
originated from Ducks.org. While most hackers target lucrative businesses
or critical services, this not-for-profit organization focuses solely on
the conservation of ducks. The threat actor shared the database in an
attempt to undercut another database reseller attempting to profit off of
the database on the dark web, and claimed they privately held the data for
a few months. The data was supposedly exposed through an open, unsecured
data backup accessible from the internet.

The database contained information on 2,000,000 members, as well as 474,000
website users with names, addresses, phone numbers, dates of birth, partial
credit card information, email addresses and 267,000 passwords. The
passwords were stored as MD5 hashes, an encryption method that is regarded
as outdated and easy to “crack” by hackers.

JD.COM

On May 25th, 2021 a large 14.1 GB database containing 141,639,666 names,
phone numbers, email addresses, usernames, and hashed passwords was shared
online. The data originated from JD.com, China’s second largest website for
shopping. This massive database was supposedly part of a social engineering
database mega pack popular in Chinese hacking communities. The entire
collection totaled over 1.32 billion records and contained data from
Shunfeng Express, Weibo.com, Dungeon Fighter Online, and other Chinese
organizations.

While the data may have been popular with Chinese hackers, it appears users
of JD.com extend beyond China’s shores. Risk Based Security found dozens of
email addresses in the JD.com database belonging to companies such as
Microsoft, Adobe, AIG, Target, Accenture, and more.

Ransomware Updates

RANSOMWARE WEBSITE AGGREGATOR

Dark web ransomware websites are often used by ransomware groups to name
victim organizations, bring public pressure, and share pilfered data. In an
attempt to keep up with and track these websites, site aggregators
frequently appear online as a tool to assist threat actors. As ransomware
operators end campaigns, change their names, or are shut down by
authorities, new iterations of victim-naming websites appear. This
aggregator below, which started to circulate in May, makes it easier for
other hackers to know which ransomware websites are operational and where
to find them.

Threat Actor Updates

SHINYHUNTERS

The notorious threat actor who specializes in stealing valuable databases
recently displayed a shift in strategies over profiting off of their
operations. While they have historically attempted to sell compromised data
the threat actor recently showed signs of an evolving extortion campaign.
However, rumors have now circulated that they have grown frustrated with
the lack of results over the campaign which has focused exclusively on
Indian companies.

ShinyHunters first began by posting samples of data and ominous warnings on
dark web hacking forums to victim organizations in March and early April,
such as Medlife.com and Upstox, which seemed to work as the data was
subsequently removed. But two more Indian companies, WedMeGood and
BigBasket, were later shared freely with no explanation in late April and
May, potentially signaling an end to an unsuccessful extortion campaign.

NOTORIOUS BULGARIAN HACKER

A threat actor exclusively targeting Bulgarian companies has continued to
share compromised data on the dark web. Taking on the name “Emil Kyulev”, a
Bulgarian banker who passed away in 2005, the hacker claimed responsibility
and shared stolen data from VIPoferta.bg on May 4th, 2021. The compromised
database contained 349,142 user records with IP addresses, names, phone
numbers, usernames, email addresses and hashed passwords. This was shared
after a demanded ransom of 30,000 BGN ($18,000) was not met. “Emil Kyulev”
also has taken credit for breaching other Bulgarian companies in the past
such as Generali, iCard, and GeneralBroker.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210615/5d8a2ea9/attachment.html>