Dark Web Roundup: April 2021
May 18, 2021 • RBS
Malicious threat actors never stop, but neither do we. Risk Based Security’s Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our round-up of April 2021.
On April 15th, 2021 a compromised database stemming from Free.Navalny.com was leaked publicly online. The website was created by supporters of Alexei Navalny, a well-known and currently jailed political dissident in Russia. His supporters later confirmed the breach and the validity of the data.
The original data leak consisted of 529,570 email addresses; however, various alternative versions of enriched databases have since been propagating on Russian-speaking dark web hacking forums.
These alternative databases contained names, phone numbers, registration locations, and places of work alongside the email addresses. The source of this additional data is unknown.
The original database of email addresses was leaked online shortly after Navalny’s foundation announced a new investigation into the Russian president. This incident is a further demonstration of how cybersecurity and politics have become closely intertwined in the modern world.
On April 25th, 2021 a user database from BigBasket was leaked on a popular dark web hacking forum. BigBasket is one of India’s most popular online grocery stores and is backed by the Tata Group, one of India’s largest conglomerates. In total, 24,501,169 user records were compromised which included personal information like names, dates of birth, addresses, phone numbers as well as account access credentials with email addresses and hashed passwords. The data was leaked by ShinyHunters, one of the most prolific hackers of recent years. While the incident occurred and was reported towards the end of 2020, the database remained in private hands up until now.
When compromised user data reaches a larger audience, such as a dark web hacking forum, it increases the risk of affected users immensely. Users are at risk for spear phishing, account compromise, and fraud campaigns.
A database backup that was left exposed online was stolen by threat actors and subsequently shared on a popular dark web hacking forum. The data was attributed to ClearVoice Surveys, a Denver, CO company that pays consumers for their product opinions. A total of 15,075,786 user records were compromised and included:
- Dates of birth
- Phone numbers
- IP addresses
- Email addresses
- Plaintext passwords
- Health conditions
- Political affiliations
The database backup is from August 2015, though it was shared on April 21, 2021. While the data may be dated, it still holds value for threat actors: the detailed personal and medical information is useful for targeted phishing attacks, the passwords were stored in plaintext rather than hashed (so they can be tried directly against other services without any cracking), and a large number of the email addresses are associated with professional organizations. Risk Based Security researchers found dozens of email addresses linked to large enterprises, including S&P 500 companies, such as Accenture, Deloitte, Experian, AIG, Walmart, and more.
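As an added example (not part of Risk Based Security's roundup, and not a tool the company describes), the following Python script shows the triage a security team would run when a dump like the ClearVoice backup surfaces: parse the records, classify how each password was stored (plaintext versus a recognizable hash format), and pull out every account belonging to a monitored corporate domain so those users can be forced to reset and their credentials checked for reuse. The CSV records, the column names and the monitored domain list are constructed for illustration; the hash-format regexes cover only a few common formats and treat anything unrecognized as plaintext, which is the safe assumption.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of a leaked "database backup" (fake records, not real data).
SAMPLE_DUMP = """email,password,dob,ip
alice@example-corp.com,Summer2015!,1980-01-02,203.0.113.5
bob@gmail.com,$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy,1975-06-30,198.51.100.7
carol@Example-Corp.com,5f4dcc3b5aa765d61d8327deb882cf99,1990-11-11,192.0.2.44
dave@partner.example,letmein,1988-03-03,203.0.113.9
,hunter2,1970-01-01,192.0.2.1
"""

# Recognizable password-hash formats. A value matching none of these is
# treated as plaintext: the worst case, and the one the ClearVoice dump had.
HASH_PATTERNS = [
    ("bcrypt", re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
]


def classify_password(value: str) -> str:
    """Return 'empty', a hash format name, or 'plaintext' for one stored value."""
    value = value.strip()
    if not value:
        return "empty"
    for name, pattern in HASH_PATTERNS:
        if pattern.match(value):
            return name
    return "plaintext"


def triage(dump_text: str, monitored_domains) -> dict:
    """Summarize a CSV dump and list accounts on the domains we are responsible for.

    Every corporate hit should be reset regardless of storage format; the
    'password_storage' field tells the responder whether the credential is
    immediately usable (plaintext) or must first be cracked (hashed).
    """
    domains = {d.lower() for d in monitored_domains}
    reader = csv.DictReader(io.StringIO(dump_text))
    storage = Counter()      # how passwords were stored across the whole dump
    seen_domains = Counter() # which email domains appear, for scoping the impact
    hits = []
    total = 0
    for row in reader:
        total += 1
        email = (row.get("email") or "").strip().lower()
        storage[classify_password(row.get("password") or "")] += 1
        if "@" not in email:
            continue  # malformed or missing address, still counted above
        domain = email.rsplit("@", 1)[1]
        seen_domains[domain] += 1
        if domain in domains:
            hits.append({
                "email": email,
                "password_storage": classify_password(row.get("password") or ""),
            })
    return {
        "total": total,
        "password_storage": dict(storage),
        "domains": dict(seen_domains),
        "corporate_hits": hits,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DUMP, ["example-corp.com"])
    print(f"{report['total']} records; storage breakdown: {report['password_storage']}")
    for hit in report["corporate_hits"]:
        print(f"RESET {hit['email']} (stored as {hit['password_storage']})")
```

Domain matching is case-insensitive because leaked data is rarely normalized; in a real run the monitored list would come from the organization's mail domains and the dump would be streamed from a file rather than an inline string.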
A number of databases were stolen from the EdTech organization Descomplica and shared on a dark web hacking forum on April 22, 2021. Descomplica is a rapidly growing Brazil-based education platform and was recently backed by big names such as SoftBank and Facebook founder Mark Zuckerberg's investment fund. Seven databases in total were compromised, ranging from user accounts and marketing leads to app store transactions. 4,845,378 users were impacted, with names, social media profiles, phone numbers, email addresses, purchase histories, encrypted passwords, and partial credit card information ultimately exposed. The threat actor also claims to have had access to the company's private GitHub repository.
According to Descomplica's response, the incident occurred on March 14th, 2021 and might have impacted the students' ability to use the platform.
A new ransomware called Networm has entered the spotlight and is targeting Israeli companies exclusively. The first victims, H&M and Veritas Logistics, appear to have been compromised in late April or early May, with their data being shared on Networm’s dark web site on May 2, 2021. Researchers believe Networm is linked to or is a continuation of Pay2Key, which also targeted Israeli companies and was linked to Iranian threat actors.
A new dark web ransomware website was launched in April under the name Xing Team News. While the Chinese character for “Xing” is displayed on their site, there is no indication of which ransomware team is operating the site, or if it is a novel one potentially linked to Chinese threat actors. Two organizations and their leaked data were added to their website on April 29, 2021 and an additional five organizations were later added in May.
Cyber Risk Analytics:
The standard and most comprehensive resource for data breach intelligence and risk ratings.