[BreachExchange] Dark Web Roundup: February 2021

Destry Winant destry at riskbasedsecurity.com
Thu Mar 18 10:50:20 EDT 2021


https://www.riskbasedsecurity.com/2021/03/18/dark-web-roundup-february-2021/

Month of February, 2021

Malicious threat actors never stop, but neither do we. Risk Based
Security’s Cyber Risk Analytics research team is dedicated to gathering the
latest in data breach intelligence. Here is our round up of February 2021.

Leaked Databases

FACEBOOK

A database allegedly stemming from Facebook was shared on a dark web
hacking forum in early February. The 47 gigabyte database contained 370
million records from 108 different countries and included personal details
such as usernames, phone numbers, full names, dates of birth, and email
addresses.

It is likely that the database is a scrape with well-indexed public
information and not a true breach of Facebook itself. However, it is
unclear how the database was obtained. The threat actor states the database
is from 2018, though no previous incident matches the given information.
The database has been categorized by country and circulated in segments
across the dark web, finding its way onto other popular dark web hacking
forums.

BRIDGEMAN IMAGES

The British image library service was targeted by hackers and had multiple
SQL databases shared on a dark web hacking forum. According to the threat
actor, the databases were compromised on December 17th, 2020, and then
leaked on February 24th, 2021. It includes more than 46,000 user records
and company data, consisting of names, phone numbers, orders, invoices,
email addresses, and plaintext passwords. Organizations should never store
user passwords in plaintext, nor merely encrypt them: they should store only
a salted, deliberately slow password hash (bcrypt, scrypt, Argon2 or
PBKDF2), so that a leaked table cannot be reused directly and each entry
must be cracked individually. Plaintext credentials from a leak like this
are abused within hours for account takeover and credential stuffing.
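As an added illustration of the point above (this is example code written for this roundup, not code from Risk Based Security or from Bridgeman Images), the following Python module stores passwords as salted PBKDF2-HMAC-SHA256 records using only the standard library and verifies them in constant time. The record format, the iteration count and the helper names are this example's own choices, not any standard; the iteration count should be tuned to the production hardware.

```python
"""Salted, slow password hashing with the Python standard library.

Added example, not taken from the original post. The record layout
``pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>`` is an assumption
of this example, chosen so that the parameters needed to verify (and
later to upgrade) a hash travel with the hash itself.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "pbkdf2_sha256"
# Assumed default work factor; tune so one hash costs roughly 100 ms
# on the servers that will run it. Higher is slower for attackers too.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16   # 128-bit random salt per user
DKLEN = 32        # 256-bit derived key


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record for storage instead of the password.

    A fresh random salt per user means two users with the same password
    get different records, so one precomputed table cannot crack them all.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, dklen=DKLEN)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def _parse(record: str):
    """Split a stored record; return None for anything malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return None
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        derived = base64.b64decode(parts[3], validate=True)
    except (ValueError, TypeError):
        return None
    if iterations <= 0 or not salt or not derived:
        return None
    return iterations, salt, derived


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters.

    hmac.compare_digest avoids a timing side channel that would let an
    attacker learn how many leading bytes of the hash matched.
    """
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the stored record uses fewer iterations than currently required.

    Call this after a successful login and re-hash with the user's
    password so old records are upgraded as the work factor is raised.
    """
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    # Constructed sample: what a leaked row would look like under this scheme.
    row = hash_password("correct horse battery staple", iterations=100_000)
    print(row)
    print(verify_password("correct horse battery staple", row))  # True
    print(verify_password("password123", row))                   # False
    print(needs_rehash(row))                                     # True (100k < 600k)
```

Compare the printed record with a plaintext row: an attacker holding the record still has to run the same slow derivation for every guess, per user, while a plaintext password is usable immediately against the site and against every other service where it was reused.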

CRYPTOCURRENCY DATABASE COLLECTION

Cryptocurrency related organizations such as exchanges or forums continue
to be a significant target for hackers hoping for a payout. On February
15th, 2021 a threat actor on a popular English-speaking dark web hacking
forum shared a massive collection of cryptocurrency related leaked
databases. Collectively, they contain well over 60 million records and can
serve as a trove for cryptocurrency user account exploitation. The
collection includes data from previous hacks such as Gatehub, CoinMama.com,
Kraken.com, and Paxful.com, and contains a mix of hashed passwords and
passwords that have already been cracked back to plaintext.

PLAYBOOK SPORTS

A sports betting website had their database compromised and leaked on
February 24th, 2021 following an exposed database backup server. Nearly
150,000 users were exposed with names, addresses, phone numbers, and email
addresses included in the data breach. The majority of users appear to be
from the United States, and multiple versions of the database backups were
exposed.

Ransomware Updates

AMERICAN LOCAL GOVERNMENT TARGETED

Cities and regional counties in the United States continue to be frequently
targeted by ransomware operators. Morgan County in Missouri and Novato in
California were both compromised by DoppelPaymer ransomware operators in
February alone. The threat actors posted documents, images, and
spreadsheets to their ransomware website meant to expose victim data.
Chatham County in North Carolina and the city of Portland in Texas were
also recently compromised by DoppelPaymer ransomware.

HADES DOWN, BABUK BACK UP

Ransomware variations evolve with time, sometimes becoming abruptly defunct
or springing into existence. Ransomware operators also appear and disappear
in a similar fashion, with hacking campaigns ending or starting frequently.
One common way to monitor the actions of ransomware operators, or their
campaigns is by tracking their dark web victim information websites. The
website for Hades ransomware, which began its campaign in December 2020, is
down at the time of writing, so it is unclear whether the campaign
continues. Babuk ransomware, which also began its operations this year, is
back up after its website was briefly down.

CLOP EXPANDS

An already notorious ransomware group is gaining even more attention after
being linked to the Accellion breaches. After Maze, one of the most
infamous ransomware groups, ceased operations last year, many hoped that
high-profile ransomware cases would decline. Instead, Clop has continued to
grow in reach and now also uses its leak site to publicize data obtained
from attacks that did not involve ransomware, including information
pilfered from high-profile targets such as the cybersecurity company
Qualys.

Cyber Risk Analytics:
The standard and most comprehensive resource for data breach intelligence
and risk ratings.
Learn More <https://www.cyberriskanalytics.com/>