Dark Web Roundup: June 2021
July 8, 2021 • RBS
Malicious threat actors never stop, but neither do we. Risk Based Security’s Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our round-up of June 2021.
In early June 2021, a file allegedly originating from the Environmental Protection Agency (EPA) circulated on a dark web hacking forum. The document contained 3.7 million records including contact types, names, titles, business email addresses, business addresses, and business telephone and fax numbers. The threat actor that originally shared the database commented that it was a contact file owned by EPA.gov, and that they have an additional 6 million records without email addresses that they are privately holding.
Research into the data shows the information collected is derived from organizations with environmentally impactful operations, or individuals that would fit the EPA’s interest. However, much of the data appears to be public information. The file was last updated in 2016, and could potentially stem from the EPA’s key contact form. It is unclear how the leaked document was obtained or if it is indicative of further malicious activity. It is also unclear if the contact sheet was directly owned by the EPA.
On June 6th, 2021, a database related to Dodo Pizza was shared on a popular Russian-speaking hacking forum. The largest pizza chain in Russia, Dodo Pizza is also one of Europe’s fastest-growing franchises and is quickly expanding globally. Large corporations are often targeted by hackers, and this incident appears to be a deliberate attack. A Russian threat actor recorded themselves collecting information on various franchises and organizing the database into 584 records with pizzeria addresses, phone numbers, names of managers, and links to the cameras in the restaurant kitchens. The inclusion of video camera links in the database is an unusual data point. While unlikely to be directly abused or exploited by hackers, it is certainly an invasion of privacy. The links are operational and do appear to show the kitchens of various Dodo locations. Home video monitoring technology has occasionally been hijacked by hackers, and now they can watch your pizza being prepared as well.
Gaming-related data breaches have been some of the largest leaks of personal data in recent history. Many gaming platforms or organizations quickly attain a large following and collect data useful to malicious hackers, and they don’t always have the best security practices. While the incident occurred in January 2021, the breached database from DailyQuiz.me started circulating privately in the spring and then more publicly in June 2021. Formerly known as ThisCrush, the DailyQuiz leak contained 8,032,404 user records with IP addresses, usernames, email addresses and plaintext passwords.
Passwords should never be stored in plaintext; they should be stored as salted hashes produced by a dedicated password hashing algorithm. Once plaintext passwords are compromised they can easily be abused. It is highly recommended that DailyQuiz users change their passwords and secure any other accounts that use the same password, as hackers routinely check whether passwords are reused on more valuable sites such as banks or insurance portals. As the leaked database circulated more widely in June, it has become easier to obtain, which means that attacks against affected users are expected to increase.
A massive word list dubbed “the largest password compilation of all time” was shared in dark web circles in June 2021. The file contains 8.4 billion records, though it consists entirely of single words. While it has garnered a good amount of media attention and concern, the text file is simply a compilation from a few different sources, including default credentials, common passwords, and words used on Wikipedia. Hackers can use word lists in dictionary attacks, or in attempts to crack hashed passwords taken from a breach.
The name of the file is derived from RockYou.txt, which has long been a popular password list among hackers. In 2009 a company named RockYou was breached, and its plaintext passwords were turned into a list of real passwords that has grown over the years. Common versions contain far more entries, but a smaller version of 14 million comes pre-loaded on certain Linux distributions that are popular with hackers.
While this new file does contain some passwords, it is largely a list of words useful for dictionary attacks or password cracking. Its apparent size may seem frightening, but the effectiveness of password cracking is ultimately determined by the threat actor’s configuration, the hashing algorithm, and the complexity of the password.
US Customers Data Collection
A massive file containing the personal data of many Americans circulated on a Russian-speaking dark web hacking forum in late May and June 2021. The file contains 153,986,518 records and is titled “USA Customers April 2021”. It contains names, dates of birth, ages, addresses, phone numbers, and email addresses in a neatly organized database. While the true source remains unknown, and it may simply be a collection of publicly available information, the database can still be abused by malicious threat actors.
For example, the leaked database could be used in combination with breached databases and password files such as RockYou.txt to gain access into more valuable accounts. These types of collections are also popular with threat actors that conduct spam and phishing campaigns.
The Colonial Pipeline ransomware hack, which shocked the United States and shut down a key component of its infrastructure, has taken a unique turn. The Justice Department recovered $2.3 million in bitcoin from the hackers, which is believed to have been in transit to affiliates of the ransomware operators. While this is only a portion of the $4.4 million bitcoin ransom, it is a truly unique victory for law enforcement in a world where ransomware payments are rarely seen again. DarkSide, the Russian-speaking ransomware group responsible for the attack, announced they are ceasing operations after their servers and assets were seized. However, this may be a cover-up by spooked criminals after witnessing the aftermath of their devastating hack.
The Avaddon ransomware team suddenly ceased operations in June 2021 following a prolific streak of hacks. In a unique end to a rising threat, decryption keys for 2,934 victims were anonymously sent to a journalist, potentially directly from the threat actors. The number of decryption keys was much higher than the number of reported victims, likely signaling how many organizations do not publicly disclose their breaches. Ransomware campaigns begin and end quite often, though there is no clear reason why Avaddon ended operations after a seemingly successful year.
Threat Actor Updates
Notorious Bulgarian Hacker
Discussed in the previous edition of the dark web roundup, the increasingly infamous hacker “Emil Kyulev” has found a new target. On June 13th, 2021 the hacker shared a database from Daxy.com, a large corporate intelligence provider. The incident occurred on May 10th, 2021, and included 137,053 records of usernames, names, email addresses and passwords. The leak occurred following a failed ransom demand of about 20,000 BGN or $12,000 USD. The threat actor also claims that the organization violated GDPR regulations by trying to keep the breach a secret. The threat actor has consistently posted breached databases from organizations following failed ransom demands. It is unclear how many breached companies decided to pay the ransom and keep quiet.
Politics and Hacking
A threat actor appears to be purposely leaking information from large Mexican companies in an attempt to generate publicity. The first shared leak stemmed from PEMEX, one of Mexico’s largest petroleum companies, and included an explicit message against the Mexican government. The threat actor continued to share leaks on a dark web hacking forum from other large Mexican companies such as Grupo Nacional Provincial and Vitro, and has recently begun sharing data from other Latin American countries such as Colombia and Costa Rica. The data appears to be recycled from previous incidents and contains no new information. This demonstrates how threat actors can use data breaches to further their politics, or leverage politics to gain media attention.
Cyber Risk Analytics:
The standard and most comprehensive resource for data breach intelligence and risk ratings.