[BreachExchange] Dark Web Roundup: March 2021

[Destry Winant]

https://www.riskbasedsecurity.com/2021/04/29/dark-web-roundup-march-2021/

Malicious threat actors never stop, but neither do we. Risk Based
Security’s Cyber Risk Analytics research team is dedicated to gathering the
latest in data breach intelligence. Here is our round up of what we saw in
March 2021.

Leaked Databases

*LIKER.COM <http://LIKER.COM>*On March 10, 2021 a breached database from
the social media website Liker.com was shared on a popular dark web forum.
It contained 465,141 user records with a trove of data, including all this
and more:

- Dates of birth
- Names
- Phone numbers
- Usernames
- Email addresses
- Hashed passwords
- Private messages
- Security questions and answers
- Social media profiles

This event followed a similar incident that occurred on March 4th, 2021
where 116,222 user account details were scraped from the same website and
shared on the same hacking forum. The threat actors had targeted the
website after noticing a number of vulnerabilities on the Liker.com
platform and quickly compromised the administrator’s profile by using
passwords leaked in other, unrelated breaches.

While Liker attempted to patch security holes the threat actors succeeded
in defacing the website and user profiles. Attackers also made an effort to
exfiltrate the user database, and after nearly a week of trying were
ultimately successful. In an email sent to users, Liker attributed the
attack to political opponents. Their website has been down for maintenance
since the pilfered database was shared. Their email also stated that they
have hired a security firm in response, and expect to return in 4 – 8 weeks.


*GUNS.COM <http://GUNS.COM>*On March 9, 2021 a hacker leaked multiple
databases stolen from Guns.com, a Minnesota based firearm seller. This is
certainly a worst-case scenario for the business as the databases are
extremely detailed. Leaked files contained their source code, data backups,
administrative usernames and cleartext passwords, VPN and production
servers’ usernames and cleartext passwords, IP addresses, and access
instructions.

Moreover, user and customer records were also leaked with names, addresses,
phone numbers, bank account details, 382,547 email addresses and 148,000
bcrypt hashed passwords. The threat actor stated that the breach occurred
at the end of 2020 and subsequently sold in private channels, but had not
been shared in a broader manner until now.


*GAINFUL.COM <http://GAINFUL.COM>*The New York based supplement company was
subject to a data leak following an incident with an open and exposed
Amazon S3 bucket. On March 28, 2021 a threat actor shared the compromised
database after claiming that they alerted the company back on October 22,
2020. The company allegedly fixed the exposed server without alerting
customers, which triggered the threat actor to leak the database in
retaliation. It contained 300,000 individual orders with order numbers,
dates paid, type of credit card with last 4 digits, and 102,417 unique
email addresses.

Ransomware Updates
PYSA
The Pysa ransomware website, used by the ransomware gang to share data and
name victim organizations, went down in March and appears to be offline.
However, the FBI issued a warning that the ransomware group was ramping up
its targeting of educational institutions in the US. It is unknown whether
they plan to return to using their website in order to ramp up pressure on
the victim organizations.


*BABUK*The operators of Babuk ransomware created a new dark web website to
share victim data and updates. It currently features 17 organizations and
their data, including the recent Phone House breach which affected 13
million customers. Their website claims that they only target large
corporations and do not target non-profits, hospitals, small businesses,
and certain schools. That said, there is no clear trend of victim
organizations, by geographic location or sector.


*ASTRO LOCKER TEAM*A seemingly new group of ransomware operators launched a
dark web website intended to share victim data under the name Astro Locker
Team. Also known as the AstroLocker Team, there has been evidence that they
are closely linked to the Mount Locker ransomware group. For example, some
of the victim data shared on the Astro Locker Team’s website was identical
to that on the Mount Locker website. Ransomware groups are known to
continuously end operations, start new campaigns, or even rebrand if it
results in bigger payouts.


*CLOP*Quickly ascending to the most infamous and prolific ransomware group,
Clop continues to add high profile victims. They have recently added data
from Shell on their dark web website, and multiple noteworthy universities
such as Stanford, University of Miami, University of Colorado, and Southern
Illinois University.

Threat Actor Updates

*SHINYHUNTERS*ShinyHunters has grown to become one of the most notorious
threat actors of recent years, and is responsible for dozens of
high-profile hacks. They have traditionally profited from pilfered
databases through private sales, even occasionally sharing certain
databases publicly to undercut other data sellers on the dark web. However,
the threat actor has recently made a notable shift towards extortion
schemes.

On March 22, 2021 ShinyHunters leaked part of a compromised dataset with a
message to the affected organization, stating that the rest would be shared
unless they reached out and presumably made a payment. This happened again
a few weeks later, largely confirming the threat actor’s shift towards
extorting companies for their own databases. Moreover, it also seems that
ShinyHunters has only been targeting companies located in India.

Cyber Risk Analytics:
The standard and most comprehensive resource for data breach intelligence
and risk ratings.
Learn More <https://www.cyberriskanalytics.com/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210503/0cab9356/attachment.html>