Dark Web Roundup: July 2021
August 5, 2021 • RBS
Malicious threat actors never stop, but neither do we. Risk Based Security’s Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our round-up of July 2021.
A breached database from short-edition.com circulated on dark web hacking forums in late June and early July. The Paris-based literary website was breached on June 26th, 2021 according to the threat actor who claimed responsibility for the hack. With 513,327 users impacted, the database contains 72 data fields of personal information including phone numbers, names, dates of birth, addresses, email addresses, hashed passwords and more.
The threat actor who claimed responsibility and shared the compromised data operates on multiple dark web forums under the name Pompompurin. Risk Based Security first profiled this actor in the January 2021 edition of the Dark Web Roundup.
The wealth of user information on social media platforms makes them a consistent favorite of threat actors, whether by breaching the platform or by scraping it. If a platform cannot be breached, attackers can abuse its API to collect public, and sometimes non-public, information into a neatly harvested database.
On July 1st, Gettr.com's launch day, this is precisely what happened to the politically right-wing platform. Threat actors abused the API to collect usernames, profile pictures, descriptions, locations and user websites for roughly 24,000 users. A few days later, on July 6th, other threat actors circumvented changes made to the API and added email addresses and birth years to the previously scraped fields for another 89,000 user records.
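As an added illustration of how this kind of bulk profile enumeration stands out in a platform's own access logs, the following Python script is not code from the original post or from any platform named here. It assumes a hypothetical profile endpoint `/api/v1/user/<id>` and runs over constructed common-log-format lines; the client addresses are documentation ranges, not real hosts. A scraper walking user IDs in order produces many distinct IDs from one address with almost every request one small step ahead of the last, which is what the detector keys on.

```python
import re
from collections import defaultdict

# Common log format; status is kept so failed lookups do not count as harvested records.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Hypothetical profile endpoint assumed for this example.
PROFILE_RE = re.compile(r"^/api/v1/user/(?P<uid>\d+)$")


def build_sample_log():
    """Constructed log lines: one address enumerates IDs 1000..1079, one browses normally."""
    lines = []
    for i, uid in enumerate(range(1000, 1080)):
        lines.append(
            f'203.0.113.5 - - [06/Jul/2021:10:{i // 60:02d}:{i % 60:02d} +0000] '
            f'"GET /api/v1/user/{uid} HTTP/1.1" 200 742'
        )
    for i, uid in enumerate([1500, 1003, 2200, 1777, 1001]):
        lines.append(
            f'198.51.100.7 - - [06/Jul/2021:10:05:{i:02d} +0000] '
            f'"GET /api/v1/user/{uid} HTTP/1.1" 200 742'
        )
    lines.append('198.51.100.7 - - [06/Jul/2021:10:06:00 +0000] "GET /api/v1/feed HTTP/1.1" 200 9120')
    return lines


def profile_requests(lines):
    """Map client IP -> ordered list of user IDs it successfully fetched."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PROFILE_RE.match(m.group("path"))
        if p and m.group("status") == "200":
            by_ip[m.group("ip")].append(int(p.group("uid")))
    return by_ip


def sequential_fraction(ids):
    """Share of consecutive requests whose ID advances by a small positive step (1..5)."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if 0 < b - a <= 5)
    return steps / (len(ids) - 1)


def find_scrapers(lines, min_ids=50, min_seq=0.8):
    """Flag addresses that fetched many distinct profiles in a mostly sequential walk."""
    flagged = {}
    for ip, ids in profile_requests(lines).items():
        distinct = len(set(ids))
        seq = sequential_fraction(ids)
        if distinct >= min_ids and seq >= min_seq:
            flagged[ip] = {"distinct_ids": distinct, "sequential_fraction": round(seq, 2)}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_scrapers(build_sample_log()).items():
        print(f"possible scraper {ip}: {stats}")
```

The thresholds are illustrative; in practice they would be tuned against the endpoint's normal traffic, and the detector is only a backstop for the real fix, which is to return non-public fields such as email addresses and birth years only to authenticated, rate-limited callers.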
A non-American threat actor operating under the name Badhou3a claimed responsibility for the scrape and was previously responsible for the breach of the politically left-wing Liker.com, which contradicts the popular theory that these incidents are purely politically motivated.
On July 12th, 2021 a known threat actor shared a compromised database on the dark web from XenArmor.com. The organization asserts they are a “leading provider of windows security & password software globally”. While no user credentials were leaked, the database contained 2,759 user records of:
- Email addresses
- License keys
- Order details
- Product data
It is uncommon for license keys to be leaked. Combined with email addresses and product information, they give an attacker convincing material for spear phishing (for example, a fake license renewal or support notice that quotes the victim's real key and order) and for account takeover attempts.
Clubhouse is an exclusive audio chat room application that has grown rapidly in popularity and international recognition. On July 13th, a database was shared on a dark web hacking forum that allegedly stemmed from Clubhouse. The data contains phone numbers for 2.2 million Japanese Clubhouse users and 81.3 million contacts belonging to those users.
A larger database was later posted for sale by the same threat actor, allegedly containing 3.8 billion phone numbers of users and users' contacts. It is difficult to verify the validity of the data, as it contains only phone numbers and no other details; a bare list of numbers could just as easily be generated or aggregated from other sources. Clubhouse has not provided a statement regarding the incident at this time.
Online services providing temporary email addresses or phone numbers are popular among threat actors seeking to remain anonymous, and among ordinary users who cannot otherwise register for a service. On July 16th, a database containing transaction logs from the popular SMS-Activate.ru was shared on a Russian-speaking dark web hacking forum. The logs contained 89 million lines, or 7,803,499 unique entries, with email addresses, IP addresses, names, and transaction information. SMS-Activate posted a message confirming the hack and recommended that all users change their passwords to avoid theft of funds. Evidently, even services used by hackers are not immune to hackers.
Parrot Software is a popular and rapidly growing point of sale software for restaurants in Mexico. In late July a massive database attributed to Parrot Software was shared on the dark web, carrying a large volume of varied information. The 90 GB file contained roughly 250 SQL tables, some of them more than 20 GB each. The database also contains cleartext full and partial credit card numbers, addresses, names, email addresses, logistics, and transaction data, such as what items were purchased and for what price. Storing full card numbers in cleartext is a problem in its own right, independent of the breach, since PCI DSS requires the primary account number to be rendered unreadable wherever it is stored.
While it is unlikely that the source of the data is Parrot Software itself, the data does appear to come from an organization that uses their software and had the relevant data exfiltrated. The original organization and source of the data are currently unknown, but the incident certainly serves as a caution against concentrating large amounts of customer and business data in a single location.
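As an added example of how an analyst might triage such a dump for exposed card data, not code from the original post or from Parrot Software, the following Python script scans constructed SQL INSERT lines for Luhn-valid 13 to 19 digit runs (full PANs) and for masked partial numbers, and reports full PANs only in masked form so the triage output does not become a second copy of the card data. The table layout and values are made up for this example.

```python
import re

# Constructed sample of what a dumped orders table might look like; values are fictional.
SAMPLE_DUMP = [
    "INSERT INTO orders VALUES (20210712001, 'Ana Perez', 'ana@example.com', '4111111111111111', 'Av. Reforma 100', 349.00);",
    "INSERT INTO orders VALUES (20210712002, 'Luis Gomez', 'luis@example.com', '5555 5555 5555 4444', 'Calle 5 #12', 120.50);",
    "INSERT INTO orders VALUES (20210712003, 'Sofia Ruiz', 'sofia@example.com', '411111******1111', 'Insurgentes 2000', 89.90);",
    "INSERT INTO shipments VALUES (20210712004, 'tracking 1234567890123456', '5512345678', 'pending');",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
FULL_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Typical masked form: leading 4-6 digits, a run of asterisks, last 4 digits.
MASKED_RE = re.compile(r"(?<![\d*])\d{4,6}\*{4,10}\d{4}(?![\d*])")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; filters out order numbers and tracking IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual safe form for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_dump(lines):
    """Return full (Luhn-valid) PANs and masked partial numbers found in the given lines."""
    full, partial = [], []
    for line in lines:
        for m in FULL_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits) and digits not in full:
                full.append(digits)
        for m in MASKED_RE.finditer(line):
            partial.append(m.group())
    return {"full": full, "partial": partial}


def triage_report(lines):
    """Summary safe to paste into a ticket: counts plus masked PANs only."""
    found = scan_dump(lines)
    return {
        "full_pan_count": len(found["full"]),
        "partial_pan_count": len(found["partial"]),
        "full_pans_masked": [mask_pan(p) for p in found["full"]],
    }


if __name__ == "__main__":
    print(triage_report(SAMPLE_DUMP))
```

The Luhn filter is what keeps the tracking number on the last line out of the count; on a real 90 GB dump the same functions would be applied per table and per column rather than per line, and card-brand prefix checks would cut false positives further.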
XING TEAM AND DOPPELPAYMER
The Xing Team ransomware group has shown signs of slowing its operations. After commencing in late April, Xing posted 12 victims in May and three in June on its dark web leak site, which exists to name victims and publish compromised data. After a vigorous start that attracted attention, the group has posted only one victim in July.
DoppelPaymer, one of the most notorious and prolific ransomware teams, has also not published victim data to their website since May and have not provided an update since June. It is unclear if either campaign has halted or is quietly continuing operations. With the recent attention and arrests against ransomware operations, it may mean that they are much more careful about publicizing their campaigns.
THE ONION ROUTER
The most widely used dark web network is Tor (The Onion Router). According to the Tor developer website, on October 15, 2021 they "will release new Tor client stable versions for all supported series that will disable v2". Many of the leak sites ransomware groups use to name victims and share data are still hosted on v2 onion addresses (16 characters before ".onion", versus 56 for v3). Once v2 onion services are disabled, those sites will become unreachable unless their operators migrate to v3 addresses, and some compromised data may be inaccessible after the cutoff unless it is reuploaded, which can certainly benefit the affected organizations.
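For a team tracking ransomware leak sites, the practical question is which entries in their inventory are v2 and will stop resolving. The following Python script is an added example, not code from the original post or from the Tor Project; it classifies onion addresses by length and alphabet and, for v3, verifies the embedded checksum as specified in Tor's rend-spec-v3 (SHA3-256 over ".onion checksum", the 32-byte ed25519 public key and the version byte 0x03). The inventory below is constructed: the v2 entry is a made-up 16-character string and the v3 entries are derived from made-up keys, so none of them point at a real service.

```python
import base64
import hashlib
import re

# v2: 16 base32 chars (truncated SHA-1 of an RSA key).
# v3: 56 base32 chars = 32-byte ed25519 pubkey + 2-byte checksum + 1-byte version, per rend-spec-v3.
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}\.onion$")
ONION_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")
V3_VERSION = b"\x03"


def _v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]"""
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def make_v3_address(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte public key (used here only to construct sample data)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(addr: str) -> str:
    """Return 'v2', 'v3' (checksum and version verified) or 'invalid'."""
    addr = addr.strip().lower()
    if ONION_V2_RE.match(addr):
        return "v2"
    if ONION_V3_RE.match(addr):
        raw = base64.b32decode(addr[:56].upper())  # 56 chars decode to exactly 35 bytes
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        if version == V3_VERSION and checksum == _v3_checksum(pubkey):
            return "v3"
    return "invalid"


def sites_going_dark(inventory: dict) -> list:
    """Names of tracked sites on v2 addresses, which stop resolving once v2 is disabled."""
    return sorted(name for name, addr in inventory.items() if classify_onion(addr) == "v2")


# Constructed inventory; no entry corresponds to a real onion service.
SAMPLE_INVENTORY = {
    "group-a-leaks": "abcdefghijklmnop.onion",
    "group-b-leaks": make_v3_address(bytes(range(32))),
    "group-c-leaks": make_v3_address(bytes(32)),
}

if __name__ == "__main__":
    for name, addr in SAMPLE_INVENTORY.items():
        print(f"{name}: {addr} -> {classify_onion(addr)}")
    print("will go dark at v2 shutdown:", sites_going_dark(SAMPLE_INVENTORY))
```

A v2 address carries no checksum, so for v2 the check is purely syntactic; for v3, a single corrupted character in a copied address fails the checksum and is reported as invalid rather than silently treated as a live site.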
AVOS, HARON, AND BLACKMATTER
As some infamous ransomware teams cease to exist, others are seemingly aiming to fill the space. Undeterred by recent arrests and headlines, three new ransomware groups have recently entered the scene. Avos is a new ransomware that emerged in June and, in mid-July, posted on a popular Russian-speaking hacking forum seeking affiliates and partners.
Haron ransomware also entered the ransomware world in July with a dark web site that appeared extremely similar to the currently defunct Avaddon ransomware. BlackMatter similarly commenced in July by seeking affiliates, and publicly professed to be a project that “has incorporated in itself the best features of DarkSide, REvil, and LockBit”.
Threat Actor Updates
REvil/SODINOKIBI RANSOMWARE OPERATORS
While most hackers strive for anonymity, some hackers revel in media coverage. A storied reputation can help intimidate victims into payment, or simply fuel an ego looking for credit. Regardless of the motivation, a surprisingly detailed interview was shared on a popular Russian speaking hacking forum showcasing the hackers behind the REvil/Sodinokibi ransomware operations. The interview discusses a wide variety of topics including thoughts on different cryptocurrencies, technical operation details, the future of ransomware, and confirming ransomware targets.
The hacker confirmed attribution for the September 2020 BancoEstado hack, which forced all of the bank's branches to close. They also took credit for the Grubman and Travelex hacks, where they allegedly gained access to the entire network in three minutes through a single vulnerability involving Pulse Secure and Citrix remote-access appliances. The threat actor also claimed to have made enough money from their exploits and to want to personally stop conducting ransomware operations. However, there is supposedly always a supply of hackers or affiliates seeking to make a profit.
Interestingly, the threat actor also claimed that about one third of all compromised large companies pay the ransom quietly to ensure there is no media coverage. This claim is plausible: the number of publicly reported breaches fell drastically in 2020 even though ransomware attacks increased by 100% compared to 2019. To learn more about the latest data breach trends, check out our latest 2021 Mid Year Data Breach QuickView Report.
2021 Mid Year Data Breach QuickView Report
Powered by our product, Cyber Risk Analytics, our QuickView Report provides deeper visibility into the data breach landscape, giving key insights for specific industries.