Dark Web Roundup: May 2021
June 14, 2021 • RBS
Malicious threat actors never stop, but neither do we. Risk Based Security’s Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our round-up of May 2021.
ParkMobile
In early May a stolen database from ParkMobile started making the rounds in hacker circles. The popular parking application’s data was posted on a notorious dark web hacking forum after threat actors attempted to sell the compromised information.
The leaked database contained 21,000,000 customer names, email addresses, phone numbers, license plate numbers, and bcrypt-hashed passwords. The incident allegedly occurred in March 2021, with ParkMobile announcing the breach on March 26th and stating that it was “linked to a vulnerability in a third-party software that we use.” Coming on the heels of the Accellion and SolarWinds breaches, this serves as yet another example of the importance of implementing robust supplier risk management processes when using third-party applications.
Wed Me Good
On May 4th, 2021 a compromised database from a popular Indian wedding platform was posted to a dark web hacking forum. It was shared, and seemingly compromised, by ShinyHunters, a prolific threat actor that Risk Based Security has covered extensively. The 44.6 GB database was a trove of leaked data and was shared in an entirely unrestricted manner. It contained 1,341,011 unique email addresses with hashed passwords and salts. In addition, it contained a varying amount of users’ names, genders, phone numbers, usernames, city locations, Facebook IDs, vacation descriptions, and booking leads.
MoneyControl.com
At the beginning of May, another database stolen from an Indian company was shared repeatedly on the dark web. The database belonged to the finance-related website MoneyControl.com and contained detailed user information. This included 773,811 user records containing:
- Pin codes
- Phone numbers
- Dates of birth
- Email addresses
- Plaintext passwords
The mix of user credentials, personally identifiable information, and pin codes leaves exposed users at very high risk. Threat actors may attempt financial fraud, spear phishing, spam, or extortion campaigns with the detailed data. Making matters worse, recommended best practices for storing passwords were not implemented. Passwords were stored in plaintext rather than as salted hashes produced by a dedicated password-hashing function such as bcrypt, so anyone holding the database needs no cracking step at all and can try the credentials directly against other services where users have reused them.
Ducks.org
An unusual database was shared on May 13th, 2021 on a hacker forum that originated from Ducks.org. While most hackers target lucrative businesses or critical services, this not-for-profit organization focuses solely on the conservation of ducks. The threat actor shared the database in an attempt to undercut another database reseller attempting to profit off of it on the dark web, and claimed to have privately held the data for a few months. The data was supposedly exposed through an open, unsecured data backup accessible from the internet.
The database contained information on 2,000,000 members, as well as 474,000 website users with names, addresses, phone numbers, dates of birth, partial credit card information, email addresses and 267,000 passwords. The passwords were stored as MD5 hashes. MD5 is a fast general-purpose hash function, not an encryption method, and it has long been regarded as unsuitable for password storage: commodity GPUs can test billions of candidate passwords per second against it, so any weak or reused password in such a dump is easily “cracked.”
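To make the contrast between this MD5 store, the plaintext MoneyControl.com store above, and the bcrypt-hashed ParkMobile passwords concrete, here is an added example that is not code from the original post or from any of the organizations named. It runs the same dictionary attack against a constructed dump of unsalted MD5 hashes and against the same passwords stored with a salted, deliberately slow hash. Because bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 from hashlib is used as a stand-in; bcrypt’s cost parameter plays the same role as the iteration count here. The user records and the wordlist are constructed for illustration.

```python
"""
Added example (not from the original RBS post): why a leaked column of
unsalted MD5 hashes falls quickly to a dictionary attack while a salted,
slow password hash forces per-user work. PBKDF2-HMAC-SHA256 stands in for
bcrypt so the script runs with the standard library only.
"""
import hashlib
import hmac
import secrets

# Constructed attacker wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "ducks2021"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed dump in the shape of the leak discussed above: email -> unsalted MD5.
# Note that alice and dave chose the same password and so share a hash.
LEAKED_MD5 = {
    "alice@example.com": md5_hex("123456"),
    "bob@example.com": md5_hex("ducks2021"),
    "carol@example.com": md5_hex("T7#kq9!zLwx4"),  # strong; not in the wordlist
    "dave@example.com": md5_hex("123456"),
}


def crack_unsalted_md5(dump: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted MD5. Returns (recovered, hashes_computed).

    With no salt, one MD5 per candidate tests that candidate against every
    user at once, and identical passwords show up as identical hashes.
    """
    table = {md5_hex(w): w for w in wordlist}
    recovered = {user: table.get(h) for user, h in dump.items()}
    return recovered, len(wordlist)


# Work factor for the salted store. Kept low so the example runs in about a
# second; production deployments should use a far higher setting (OWASP
# currently recommends several hundred thousand iterations for this construction).
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a fresh random salt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# The same constructed users stored the recommended way: per-user salt, slow hash.
SALTED_STORE = {
    user: hash_password(pw)
    for user, pw in [
        ("alice@example.com", "123456"),
        ("bob@example.com", "ducks2021"),
        ("carol@example.com", "T7#kq9!zLwx4"),
        ("dave@example.com", "123456"),
    ]
}


def crack_salted(dump: dict, wordlist: list) -> tuple:
    """Same dictionary attack on the salted store. Returns (recovered, hashes_computed).

    The salt forces a separate slow computation for every (user, candidate)
    pair, so nothing can be precomputed or shared between users, and the
    attacker's cost scales with the number of users times the work factor.
    """
    recovered, computed = {}, 0
    for user, stored in dump.items():
        recovered[user] = None
        for candidate in wordlist:
            computed += 1
            if verify_password(candidate, stored):
                recovered[user] = candidate
                break
    return recovered, computed


if __name__ == "__main__":
    weak, n_weak = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    strong, n_strong = crack_salted(SALTED_STORE, WORDLIST)
    print(f"unsalted MD5: {weak} after {n_weak} hash computations")
    print(f"salted PBKDF2: {strong} after {n_strong} slow hash computations")
```

Both runs recover the same weak passwords, which is the point: salting and a work factor do not rescue users who chose “123456”, but they remove the shared precomputation and multiply the attacker’s cost per user by the iteration count, which is what keeps the bulk of a 267,000-password table out of reach.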
JD.com
On May 25th, 2021 a large 14.1 GB database containing 141,639,666 names, phone numbers, email addresses, usernames, and hashed passwords was shared online. The data originated from JD.com, China’s second-largest online shopping site. This massive database was supposedly part of a “social engineering database” mega pack, a compilation of merged leaked databases of the kind popular in Chinese hacking communities. The entire collection totaled over 1.32 billion records and contained data from Shunfeng Express, Weibo.com, Dungeon Fighter Online, and other Chinese organizations.
While the data may have been popular with Chinese hackers, it appears users of JD.com extend beyond China’s shores. Risk Based Security found dozens of email addresses in the JD.com database belonging to companies such as Microsoft, Adobe, AIG, Target, Accenture, and more.
Ransomware Website Aggregator
Dark web ransomware websites are often used by ransomware groups to name victim organizations, bring public pressure, and share pilfered data. In an attempt to keep up with and track these websites, site aggregators frequently appear online as a tool to assist threat actors. As ransomware operators end campaigns, change their names, or are shut down by authorities, new iterations of victim-naming websites appear. The aggregator shown below, which began circulating in May, makes it easier for other hackers to know which ransomware websites are operational and where to find them.
Threat Actor Updates
ShinyHunters, the notorious threat actor who specializes in stealing valuable databases, recently displayed a shift in strategy for profiting from their operations. While they have historically attempted to sell compromised data, the threat actor recently showed signs of an evolving extortion campaign. However, rumors now circulate that they have grown frustrated with the lack of results from the campaign, which has focused exclusively on Indian companies.
ShinyHunters began in March and early April by posting data samples and ominous warnings to victim organizations such as Medlife.com and Upstox on dark web hacking forums; this appeared to work, as the data was subsequently removed. But the databases of two more Indian companies, WedMeGood and BigBasket, were later shared freely with no explanation in late April and May, potentially signaling the end of an unsuccessful extortion campaign.
Notorious Bulgarian Hacker
A threat actor exclusively targeting Bulgarian companies has continued to share compromised data on the dark web. Taking on the name “Emil Kyulev”, a Bulgarian banker who passed away in 2005, the hacker claimed responsibility for and shared stolen data from VIPoferta.bg on May 4th, 2021. The compromised database contained 349,142 user records with IP addresses, names, phone numbers, usernames, email addresses and hashed passwords. It was shared after a demanded ransom of 30,000 BGN ($18,000) was not met. “Emil Kyulev” has also taken credit for breaching other Bulgarian companies in the past, such as Generali, iCard, and GeneralBroker.
Cyber Risk Analytics:
The standard and most comprehensive resource for data breach intelligence and risk ratings.