Dark Web Roundup: March 2021
April 29, 2021 • RBS
Malicious threat actors never stop, but neither do we. Risk Based Security’s Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our roundup of what we saw in March 2021.
On March 10, 2021, a breached database from the social media website Liker.com was shared on a popular dark web forum. It contained 465,141 user records with a trove of data, including all of the following and more:
- Dates of birth
- Phone numbers
- Email addresses
- Hashed passwords
- Private messages
- Security questions and answers
- Social media profiles
This event followed a similar incident on March 4th, 2021, in which 116,222 user account details were scraped from the same website and shared on the same hacking forum. The threat actors had targeted the website after noticing a number of vulnerabilities on the Liker.com platform, and quickly compromised the administrator’s profile by reusing passwords leaked in other, unrelated breaches.
While Liker attempted to patch the security holes, the threat actors succeeded in defacing the website and user profiles. The attackers also made an effort to exfiltrate the user database, and after nearly a week of trying were ultimately successful. In an email sent to users, Liker attributed the attack to political opponents. Their website has been down for maintenance since the pilfered database was shared. Their email also stated that they have hired a security firm in response, and that they expect to return in 4 – 8 weeks.
On March 9, 2021, a hacker leaked multiple databases stolen from Guns.com, a Minnesota-based firearm seller. This is certainly a worst-case scenario for the business, as the databases are extremely detailed. The leaked files contained their source code, data backups, administrative usernames and cleartext passwords, VPN and production server usernames and cleartext passwords, IP addresses, and access instructions.
Moreover, user and customer records were also leaked, with names, addresses, phone numbers, bank account details, 382,547 email addresses, and 148,000 bcrypt-hashed passwords. The threat actor stated that the breach occurred at the end of 2020 and that the data was subsequently sold in private channels, but it had not been shared in a broader manner until now.
The New York-based supplement company was subject to a data leak following an incident involving an open and exposed Amazon S3 bucket. On March 28, 2021, a threat actor shared the compromised database after claiming that they had alerted the company back on October 22, 2020. The company allegedly fixed the exposed server without alerting customers, which prompted the threat actor to leak the database in retaliation. It contained 300,000 individual orders with order numbers, dates paid, credit card type with the last 4 digits, and 102,417 unique email addresses.
The Pysa ransomware website, used by the ransomware gang to share data and name victim organizations, went down in March and appears to be offline. However, the FBI issued a warning that the ransomware group was ramping up its targeting of educational institutions in the US. It is unknown whether they plan to return to using their website in order to increase pressure on victim organizations.
The operators of Babuk ransomware created a new dark web website to share victim data and updates. It currently features 17 organizations and their data, including the recent Phone House breach, which affected 13 million customers. Their website claims that they only target large corporations and do not target non-profits, hospitals, small businesses, or certain schools. That said, there is no clear trend among the victim organizations by geographic location or sector.
Astro Locker Team
A seemingly new group of ransomware operators launched a dark web website intended to share victim data under the name Astro Locker Team. Also known as the AstroLocker Team, there is evidence that they are closely linked to the Mount Locker ransomware group. For example, some of the victim data shared on the Astro Locker Team’s website was identical to that on the Mount Locker website. Ransomware groups are known to continuously end operations, start new campaigns, or even rebrand if it results in bigger payouts.
Having quickly risen to become one of the most infamous and prolific ransomware groups, Clop continues to add high-profile victims. They have recently added data from Shell to their dark web website, along with multiple noteworthy universities such as Stanford, the University of Miami, the University of Colorado, and Southern Illinois University.
Threat Actor Updates
ShinyHunters has grown to become one of the most notorious threat actors of recent years, and is responsible for dozens of high-profile hacks. They have traditionally profited from pilfered databases through private sales, occasionally sharing certain databases publicly to undercut other data sellers on the dark web. However, the threat actor has recently made a notable shift towards extortion schemes.
On March 22, 2021, ShinyHunters leaked part of a compromised dataset with a message to the affected organization, stating that the rest would be shared unless the organization reached out and, presumably, made a payment. This happened again a few weeks later, largely confirming the threat actor’s shift towards extorting companies over their own databases. Moreover, it also seems that ShinyHunters has only been targeting companies located in India.
Cyber Risk Analytics:
The standard and most comprehensive resource for data breach intelligence and risk ratings.