[BreachExchange] Dark Web Roundup: July 2021

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Aug 5 11:26:29 EDT 2021


https://www.riskbasedsecurity.com/2021/08/05/dark-web-roundup-july-2021/

Malicious threat actors never stop, but neither do we. Risk Based
Security’s Cyber Risk Analytics research team is dedicated to gathering the
latest in data breach intelligence. Here is our round-up of July 2021.

Leaked Databases

SHORT ÉDITION
A breached database from short-edition.com circulated on dark web hacking
forums in late June and early July. The Paris-based literary website was
breached on June 26th, 2021 according to the threat actor who claimed
responsibility for the hack. With 513,327 users impacted, the database
contains 72 data fields of personal information including phone numbers,
names, dates of birth, addresses, email addresses, hashed passwords and
more.

The threat actor who claimed responsibility and shared the compromised data
operates on multiple dark web forums under the name Pompompurin. Risk Based
Security first introduced this actor in the January edition of the Dark Web
Roundup.

GETTR.COM
The wealth of user information makes social media platforms a consistent
favorite for threat actors to breach or scrape. If a victim organization
cannot be breached directly, attackers can abuse its API to collect public
and non-public information into a neatly harvested database.

This is precisely what occurred at Gettr.com, a politically right-wing
platform, on July 1st, its first day of launch. Threat actors abused the API
to collect usernames, pictures, descriptions, locations and user websites
for roughly 24,000 users. A few days later, on July 6th, additional threat
actors circumvented changes made to the API, adding email addresses and
birth years to the previously scraped data fields for another 89,000 user
records.

A non-American threat actor operating under the name Badhou3a shared
responsibility for the scrape and was previously also responsible for the
breach on politically left-wing Liker.com. This contradicts the popular
theory that these incidents are solely politically motivated.

XENARMOR
On July 12th, 2021 a known threat actor shared on the dark web a compromised
database from XenArmor.com, an organization that describes itself as a
“leading provider of windows security & password software globally”. While
no user credentials were leaked, the database contained 2,759 user records
of:

   - Names
   - Email addresses
   - License keys
   - Order details
   - Product data

It is quite uncommon for license keys to be leaked, and in combination with
email addresses and product information this may expose users to spear
phishing campaigns or account takeover attempts.

CLUBHOUSE
Rapidly growing in popularity, Clubhouse is an exclusive audio chat room
application with growing international recognition. On July 13th, a
database was shared on a dark web hacking forum that allegedly stemmed from
Clubhouse. The data contains phone numbers for 2.2 million Japanese
Clubhouse users and 81.3 million contacts for those users.

A larger database was later posted for sale by the same threat actor that
allegedly contains 3.8 billion phone numbers of users and users’ contacts.
It is difficult to verify the validity of the data as it contains only
phone numbers and no other details. Clubhouse has not provided a statement
regarding the incident at this time.

SMS-ACTIVATE
Online services providing temporary email addresses or phone numbers are
popular among threat actors seeking to remain anonymous, and among users
who may lack the necessary access. On July 16th, a database containing
transaction logs from the popular SMS-Activate.ru was shared on a
Russian-speaking dark web hacking forum. The logs contained 89 million
lines, or 7,803,499 unique entries that contained email addresses, IP
addresses, names, and transaction information. SMS-Activate shared a
message confirming the hack and recommended all users change their
passwords to avoid theft of funds. Evidently, even services used by hackers
are not immune to hackers.

PARROT SOFTWARE
Parrot Software is a popular and rapidly growing point-of-sale software for
restaurants in Mexico. In late July a massive database attributed to Parrot
Software was shared on the dark web, carrying a large volume of varied
information. The 90 GB file contained roughly 250 SQL tables, some of which
individually held more than 20 GB of data. The database also contains
cleartext full and partial credit card numbers, addresses, names, email
addresses, logistics, and transaction data such as what items were purchased
and at what price.

While it is unlikely that the source of the data is Parrot Software itself,
it does appear that the data comes from an organization that may use their
software and had the relevant data exfiltrated. The original organization
and source of the data are currently unknown, but this certainly serves as
a caution against hosting large amounts of customer and business data in a
single location.

Ransomware Updates

XING TEAM AND DOPPELPAYMER
The Xing Team ransomware group has shown signs of slowing down its
operations. After commencing operations in late April, Xing shared 12
instances of victim data in May and three in June on its dark web site,
which exists to post victim information and compromised data. After
vigorously beginning their campaign and grabbing attention, they shared
only one victim in July.

DoppelPaymer, one of the most notorious and prolific ransomware teams, has
also not published victim data to its website since May and has not
provided an update since June. It is unclear whether either campaign has
halted or is quietly continuing operations. Given the recent attention and
arrests targeting ransomware operations, it may mean that they are much
more careful about publicizing their campaigns.

THE ONION ROUTER
The most popular “dark web” network is The Onion Router, commonly known as
TOR. According to the TOR developer website, on October 15, 2021 they “will
release new Tor client stable versions for all supported series that will
disable v2”. Many ransomware websites used to share data and name victims
are currently hosted on TOR v2, meaning that once the migration to TOR v3
is complete those sites will cease to be operational. Some compromised data
may be inaccessible after the migration unless re-uploaded, which can
certainly benefit the affected organizations.
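As an added example (not from Risk Based Security or the Tor Project), the following Python classifies the onion hostnames on an analyst's watchlist as v2 or v3 and, for v3, verifies the checksum embedded in the address as specified in Tor's rend-spec-v3, so a threat-intelligence team can tell which tracked leak sites will go dark after the v2 cutoff. The sample key and watchlist URLs are constructed.

```python
import base64
import hashlib
import re
from urllib.parse import urlparse

# Constructed 32-byte stand-in for an ed25519 public key (not a real service key).
SAMPLE_PUBKEY = bytes(range(32))
ONION_VERSION = b"\x03"

def _checksum(pubkey: bytes) -> bytes:
    # rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_VERSION).digest()[:2]

def build_v3_address(pubkey: bytes) -> str:
    """Assemble a v3 address: base32(PUBKEY || CHECKSUM || VERSION) + '.onion'."""
    raw = pubkey + _checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode().lower() + ".onion"

def classify_onion(hostname: str) -> str:
    """Return 'v2', 'v3' or 'invalid'. v2 labels are 16 base32 chars with no
    integrity field; v3 labels are 56 chars whose checksum/version are verified."""
    host = hostname.strip().lower()
    if not host.endswith(".onion"):
        return "invalid"
    label = host[: -len(".onion")].rsplit(".", 1)[-1]  # ignore subdomain labels
    if re.fullmatch(r"[a-z2-7]{16}", label):
        return "v2"
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return "invalid"
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION or checksum != _checksum(pubkey):
        return "invalid"
    return "v3"

def triage_leak_sites(urls):
    """Map each tracked URL to its onion version, so analysts know which
    leak-site mirrors stop resolving once v2 support is removed."""
    return {url: classify_onion(urlparse(url).hostname or "") for url in urls}

# Constructed watchlist: one v2-style host, one v3 host, one clearnet host.
WATCHLIST = [
    "http://" + "a" * 16 + ".onion/leaks",
    "http://" + build_v3_address(SAMPLE_PUBKEY) + "/",
    "https://example.com/",
]

if __name__ == "__main__":
    for url, version in triage_leak_sites(WATCHLIST).items():
        print(f"{version:8} {url}")
```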

AVOS, HARON, AND BLACKMATTER
As some infamous ransomware teams cease to exist, many are seemingly aiming
to fill the space. Undeterred by recent arrests and headlines, three new
ransomware groups have recently entered the scene. Avos is a new ransomware
that originated in June, and in mid-July made a post on a popular
Russian-speaking hacking forum seeking affiliates and partners.

Haron ransomware also entered the ransomware world in July with a dark web
site that appeared extremely similar to the currently defunct Avaddon
ransomware. BlackMatter similarly commenced in July by seeking affiliates,
and publicly professed to be a project that “has incorporated in itself the
best features of DarkSide, REvil, and LockBit”.

Threat Actor Updates

REVIL/SODINOKIBI RANSOMWARE OPERATORS
While most hackers strive for anonymity, some revel in media coverage. A
storied reputation can help intimidate victims into payment, or simply fuel
an ego looking for credit. Regardless of the motivation, a surprisingly
detailed interview was shared on a popular Russian-speaking hacking forum
showcasing the hackers behind the REvil/Sodinokibi ransomware operations.
The interview discusses a wide variety of topics, including thoughts on
different cryptocurrencies, technical operation details, the future of
ransomware, and confirmation of ransomware targets.

The threat actor confirmed responsibility for the September 2020
BancoEstado hack, in which all bank branches were closed. They also took
credit for the Grubman and Travelex hacks, where they allegedly gained
access to the entire network in three minutes due to a single vulnerability
related to Pulsar and Citrix. The threat actor also claimed they had made
enough money from their exploits and wished to personally stop conducting
ransomware operations. However, there is supposedly always a supply of
hackers or affiliates seeking to make a profit.

Interestingly, the threat actor also claimed that about a third of all
compromised large companies pay a ransom in secret to ensure there is no
media coverage. This claim may have some credence, as the number of
publicly reported breaches fell drastically in 2020 despite ransomware
attacks increasing by 100% compared to 2019. To learn more about the latest
data breach trends, check out our 2021 Mid Year Data Breach QuickView
Report.