Dark Web Roundup: November 2020
December 7, 2020 • RBS
Malicious threat actors never stop, but neither do we. Risk Based Security’s Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our roundup of November 2020.
Month of November, 2020
A database belonging to Home Chef containing the personal and financial details of 8,717,762 customers, along with hashed passwords, was leaked on a prominent dark web hacking forum on November 10th, 2020. The same data had been offered for sale in July as part of a long list of stolen databases attributed to the threat actor ShinyHunters.
ShinyHunters’ decision to share the data freely rather than sell it increases its availability to other threat actors looking to abuse or profit from it. The majority of the affected accounts use personal email addresses (4.2 million Gmail and 1.6 million Yahoo addresses), but RBS researchers also identified 148,800 .edu addresses, 6,410 government addresses, and 6,120 military-affiliated addresses.
This underscores how far the impact of a data breach can reach, even from a seemingly innocuous consumer service: credentials reused between a meal-kit account and a university, government, or military account expose the latter as well.
A collection of over 20,000 hacked databases, first shared in October, continued to circulate widely in November on several prominent Russian- and English-speaking dark web hacking forums. The collection stems from Cit0Day, a now-defunct leaked-database service that sold compromised information to its customers.
While not as sizable as the well-known Collections 1 – 5, this collection still holds value because it organizes a large number of leaked credentials into an easy-to-use resource for hackers. Cit0Day was built by a Russian-speaking threat actor who, RBS researchers observed, was banned from a prominent Russian-speaking forum not long before the collection was leaked by a different individual.
The healthcare industry and related services continue to be prime targets for hackers, and not only for ransomware operations. The data that health organizations amass is highly valuable to threat actors seeking to sell it. For example, a database belonging to a large healthcare-related app appeared for sale on November 16th, 2020.
It allegedly includes 247,000 user accounts with email addresses and hashed passwords, as well as 245,000 healthcare professional records with names, addresses, birth dates, and more. RBS researchers have obtained a sample of the database and have reason to believe the data is genuine.
The threat actors behind Maze ransomware, arguably the most notorious ransomware of recent times, have announced they are ceasing operations. A “press release” was posted on November 1st, 2020 to the Maze leak site, which the group used to publish compromised data, provide updates, and pressure victims into paying.
It is unclear why the threat actors decided to end their campaign. However, they vowed to return, and their website remains operational, signaling a potential comeback.
“We will be back to you when the world will be transformed. We will return to show you again the errors and mistakes and to get you out of the Maze.”
— Maze Ransomware Website
Ranzy ransomware, formerly known as ThunderX, returned last month with a new website dedicated to publishing compromised data. Since resurfacing, only one organization’s data has been leaked, with two other organizations listed as having data “coming soon.”
Despite the limited data published so far, the group should be considered an active threat: adding a data leak site to the operation signals an intent to extort victims through publication, not just encryption. Also of note, the Ranzy operators appear to be targeting organizations outside the U.S.
A new ransomware labeled “Pay2Key” has recently emerged as a previously unseen strain. Its operators launched a website dedicated to publishing compromised data and began populating it on November 8th, 2020. Three organizations are currently listed on the site with their respective data, all of them based in Israel.
Threat Actor Updates
A Recurring Threat
ShinyHunters, the infamous threat actor behind several of 2019’s biggest hacks, has resurfaced on a prominent dark web hacking forum. The actor has been sharing valuable databases, including Minted (4.4 million records) and Animal Jam (45 million accounts), while offering to sell additional databases to serious buyers.
Given ShinyHunters’ willingness to give away sizable databases at no cost, the question arises: what other significant databases does the actor still hold?
This latest installment of leaks can be considered ShinyHunters’ “Wave 3” of data breaches, following this summer’s Wave 2, which shocked many cybersecurity researchers with its breadth and value. ShinyHunters had not been actively sharing or selling data breaches since the summer.
Cyber Risk Analytics:
The standard and most comprehensive resource for data breach intelligence and risk ratings.