Dark Web Roundup: February 2021
March 18, 2021 • RBS
Month of February, 2021
Malicious threat actors never stop, but neither do we. Risk Based Security's Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our roundup of February 2021.
A database allegedly stemming from Facebook was shared on a dark web hacking forum in early February. The 47 gigabyte database contained 370 million records from 108 different countries and included personal details such as usernames, phone numbers, full names, dates of birth, and email addresses.
It is likely that the database is a scrape of well-indexed public profile information rather than a true breach of Facebook's systems. However, it is unclear how the database was obtained. The threat actor states the data is from 2018, though no previously known incident matches the given details. The database has been split by country and circulated in segments across the dark web, finding its way onto other popular dark web hacking forums.
The British image library service was targeted by hackers and had multiple SQL databases shared on a dark web hacking forum. According to the threat actor, the databases were compromised on December 17th, 2020, and then leaked on February 24th, 2021. The leak includes more than 46,000 user records and company data, consisting of names, phone numbers, orders, invoices, email addresses, and plaintext passwords. Organizations should never store user passwords in plaintext, and reversible encryption is not the right fix either, since whoever obtains the database may also obtain the key. Passwords should be stored only as salted hashes produced by a deliberately slow password hashing function (such as bcrypt, scrypt, or Argon2), so that a leaked database cannot be turned directly into working credentials.
Cryptocurrency Database Collection
Cryptocurrency related organizations such as exchanges and forums continue to be a significant target for hackers hoping for a payout. On February 15th, 2021, a threat actor on a popular English-speaking dark web hacking forum shared a large collection of cryptocurrency related leaked databases. Collectively they contain well over 60 million records and can serve as a trove for credential stuffing and account takeover against cryptocurrency users, who frequently reuse passwords across exchanges. The collection includes previously reported hacks such as Gatehub, CoinMama.com, Kraken.com, and Paxful.com, and contains a mix of hashed and "dehashed" (cracked) passwords: the cracked entries show that a hashed password is only as safe as the hashing scheme that produced it.
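The following is an added example, not code from Risk Based Security or from any of the organizations named above. It illustrates the two points made in the image library and cryptocurrency paragraphs: why a leaked database of unsalted fast hashes ends up "dehashed" almost immediately (one dictionary pass recovers every user sharing a common password), and how salted scrypt storage with a constant-time verify avoids that. The wordlist and the sample passwords are constructed for the demonstration; the storage format (a `$`-separated record) is this example's own convention, not any product's.

```python
import hashlib
import hmac
import secrets

# Constructed sample wordlist of the kind used to "dehash" leaked databases.
# Real cracking lists run to billions of entries and cost nothing to apply
# to an unsalted fast hash.
WORDLIST = ["password", "123456", "qwerty", "letmein", "bitcoin2018", "hunter2"]


def weak_hash(password: str) -> str:
    """Unsalted MD5: the scheme behind many 'dehashed' columns in old leaks."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_weak_hash(digest: str, wordlist=WORDLIST):
    """Offline dictionary attack. No salt means one hash per candidate word
    recovers the password for every user who chose it; no work factor means
    each candidate costs microseconds."""
    for candidate in wordlist:
        if weak_hash(candidate) == digest:
            return candidate
    return None


# scrypt work factors (assumed values for the example; tune to your hardware).
# Memory use is 128 * r * N bytes, here 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Salted, memory-hard hash. The per-user random salt means two users
    with the same password get different records, so a precomputed table
    or a single dictionary pass no longer covers the whole database."""
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    # Parameters travel with the record so they can be raised later
    # without invalidating existing entries.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant
    time so the check itself does not leak how many bytes matched."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    # Constructed leaked rows: (user, unsalted md5) as a breach dump might hold.
    leaked = [("alice", weak_hash("bitcoin2018")), ("bob", weak_hash("bitcoin2018")),
              ("carol", weak_hash("correct horse battery staple"))]
    for user, digest in leaked:
        print(f"{user}: {digest} -> {crack_weak_hash(digest)!r}")

    record = hash_password("bitcoin2018")
    print("scrypt record:", record)
    print("verify correct:", verify_password("bitcoin2018", record))
    print("verify wrong:  ", verify_password("bitcoin2019", record))
```

Running it shows both "alice" and "bob" recovered from the same MD5 value with a six-word list, while "carol" survives only because her password is not on the list. The scrypt records for "alice" and "bob" would differ, and each costs the attacker 16 MiB and a measurable fraction of a second per guess rather than microseconds.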
A sports betting website had its database compromised and leaked on February 24th, 2021, after a database backup server was left exposed. Nearly 150,000 users were affected, with names, addresses, phone numbers, and email addresses included in the breach. The majority of users appear to be from the United States, and multiple versions of the database backups were exposed.
American Local Government Targeted
Cities and counties in the United States continue to be frequently targeted by ransomware operators. Morgan County in Missouri and Novato in California were both compromised by DoppelPaymer ransomware operators in February alone. The threat actors posted documents, images, and spreadsheets to their leak site, which exists to expose victim data and pressure payment. Chatham County in North Carolina and the city of Portland, Texas were also recently compromised by DoppelPaymer.
Hades Down, Babuk Back Up
Ransomware variants evolve with time, sometimes springing into existence or becoming abruptly defunct. Ransomware operators appear and disappear in a similar fashion, with campaigns starting or ending frequently. One common way to monitor ransomware operators and their campaigns is to track their dark web victim leak sites. The site for Hades ransomware, whose campaign began in December 2020, is down at the time of writing, making it unclear whether the campaign continues. Babuk ransomware, which also began operations this year, is back up after its site was briefly offline.
An already notorious ransomware group is gaining even more attention after being linked to the Accellion breaches. After Maze, one of the most infamous ransomware groups, ceased operations last year, many hoped this would lead to a drop in high profile ransomware cases. Instead, Clop has continued to grow in reach and has begun using its leak site to publish data obtained from intrusions that did not involve deploying ransomware at all, including information pilfered from high profile targets such as the cybersecurity company Qualys.
Cyber Risk Analytics:
The standard and most comprehensive resource for data breach intelligence and risk ratings.