Close

Dark Web Roundup: July 2021

Malicious threat actors never stop, but neither do we. Risk Based Security’s Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our round-up of July 2021.

Leaked Databases

SHORT ÉDITION

A breached database from short-edition.com circulated on dark web hacking forums in late June and early July. The Paris-based literary website was breached on June 26th, 2021 according to the threat actor who claimed responsibility for the hack. With 513,327 users impacted, the database contains 72 data fields of personal information including phone numbers, names, dates of birth, addresses, email addresses, hashed passwords and more.

The threat actor who claimed responsibility and shared the compromised data operates on multiple dark web forums under the name Pompompurin. Risk Based Security initially announced their introduction in January’s Edition of Dark Web Roundup.

GETTR.COM

The plethora of user information makes social media platforms a consistent favorite for threat actors to breach or data scrape. If a victim organization can’t be breached, hackers can abuse their API to collect public and non-public information in a neatly harvested database.

On July 1st, which was Gettr.com’s first day of launch, this is precisely what occurred with the politically right-wing platform. Threat actors abused the API to collect usernames, pictures, descriptions, locations and user websites for roughly 24,000 users. A few days later on July 6th, more threat actors circumvented changes to the API adding email addresses and birth years to the previously scraped data fields for another 89,000 user records.

A non-American threat actor operating under the name Badhou3a shared responsibility for the scrape and was previously also responsible for the breach on politically left-wing Liker.com. This contradicts the popular theory that these incidents are solely politically motivated.

XENARMOR

On July 12th, 2021 a known threat actor shared a compromised database on the dark web from XenArmor.com. The organization asserts they are a “leading provider of windows security & password software globally”. While no user credentials were leaked, the database contained 2,759 user records of:

  • Names
  • Email addresses
  • License keys
  • Order details
  • Product data

It is quite uncommon for license keys to be leaked, and in combination with email addresses and product information this may expose users to spear phishing campaigns or account takeover attempts.

CLUBHOUSE

Rapidly growing in popularity, Clubhouse is an exclusive audio chat room application with growing international recognition. On July 13th, a database was shared on a dark web hacking forum that allegedly stemmed from Clubhouse. The data contains phone numbers for 2.2 million Japanese Clubhouse users and 81.3 million contacts for those users.

A larger database was later posted for sale by the same threat actor that allegedly contains 3.8 billion phone numbers of users and users’ contacts. It is difficult to verify the validity of the data as it contains only phone numbers and no other details. Clubhouse has not provided a statement regarding the incident at this time.

SMS-ACTIVATE

Online services providing temporary email addresses or phone numbers are popular among threat actors seeking to remain anonymous, and among users who may lack the necessary access. On July 16th, a database containing transaction logs from the popular SMS-Activate.ru was shared on a Russian-speaking dark web hacking forum. The logs contained 89 million lines, or 7,803,499 unique entries that contained email addresses, IP addresses, names, and transaction information. SMS-Activate shared a message confirming the hack and recommended all users change their passwords to avoid theft of funds. Evidently, even services used by hackers are not immune to hackers.

PARROT SOFTWARE

Parrot Software is a popular and rapidly growing point of sale software for restaurants in Mexico. In late July a massive database attributed to Parrot Software was shared on the dark web and carried tons of varied information. The 90 GB file contained roughly 250 SQL tables, some of which were more than 20 GB of data individually. The database also contains cleartext full and partial credit card numbers, addresses, names, email addresses, logistics, and transaction data – such as what items were purchased and for what price.

While it is unlikely that the source of the data is Parrot Software themselves, it does appear that the data comes from an organization that may use their software, and had the relevant data exfiltrated. The original organization and source of data is currently unknown, but this certainly serves as a caution against hosting large amounts of customer and business data in a seemingly singular location.

Ransomware Updates

XING TEAM AND DOPPELPAYMER

The Xing Team ransomware group has shown signs of slowing down in their operations. Originally commencing operations in late April, Xing shared 12 instances of victim data in May, and three in June on their dark web site which exists to post victim information and compromised data. After vigorously beginning their campaign and grabbing attention, they have only shared one victim in July.

DoppelPaymer, one of the most notorious and prolific ransomware teams, has also not published victim data to their website since May and have not provided an update since June. It is unclear if either campaign has halted or is quietly continuing operations. With the recent attention and arrests against ransomware operations, it may mean that they are much more careful about publicizing their campaigns.

THE ONION ROUTER

The most popular “dark web” is The Onion Router, also commonly known as TOR. According to the TOR developer website, on October 15, 2021 they “will release new Tor client stable versions for all supported series that will disable v2”. Many ransomware websites used to share data and name victims are currently hosted on TOR v2, meaning that when TOR v3 is fully implemented those sites will cease to be operational. Some compromised data may be inaccessible after the migration unless reuploaded, which can certainly benefit the affected organizations.

AVOS, HARON, AND BLACKMATTER

As some infamous ransomware teams cease to exist, many are seemingly aiming to fill the space. Undeterred by recent arrests and headlines, three new ransomware groups have recently entered the scene. Avos is a new ransomware that originated in June, and in mid-July made a post on a popular Russian speaking hacking forum seeking affiliates and partners.

Haron ransomware also entered the ransomware world in July with a dark web site that appeared extremely similar to the currently defunct Avaddon ransomware. BlackMatter similarly commenced in July by seeking affiliates, and publicly professed to be a project that “has incorporated in itself the best features of DarkSide, REvil, and LockBit”.

Threat Actor Updates

REvil/SODINOKIBI RANSOMWARE OPERATORS

While most hackers strive for anonymity, some hackers revel in media coverage. A storied reputation can help intimidate victims into payment, or simply fuel an ego looking for credit. Regardless of the motivation, a surprisingly detailed interview was shared on a popular Russian speaking hacking forum showcasing the hackers behind the REvil/Sodinokibi ransomware operations. The interview discusses a wide variety of topics including thoughts on different cryptocurrencies, technical operation details, the future of ransomware, and confirming ransomware targets.

The hacker confirmed attribution to the September 2020 BancoEstado hack, where all bank branches were closed. They also took credit for the Grubman and Travelex hacks where they allegedly gained access to the entire network in three minutes due to a singular vulnerability related to Pulsar and Citrix. The threat actor also claimed they had enough money from their exploits and desired to personally stop conducting ransomware operations. However, there is supposedly always a supply of hackers or affiliates seeking to make a profit.

Interestly, the threat actor also claimed that about ⅓ of all compromised large companies pay a ransom in secrecy to ensure there is no media coverage. This claim may have some credence as the number of publicly reported breaches fell drastically in 2020 despite ransomware attacks increasing by 100% compared to 2019. To learn more about the latest data breach trends, check out our latest 2021 Mid Year Data Breach QuickView Report.

2021 Mid Year Data Breach QuickView Report

Powered by our product, Cyber Risk Analytics, our QuickView Report provides deeper visibility into the data breach landscape, giving key insights for specific industries.

Read More Dark Web Roundup
July 2021
June 2021
May 2021
April 2021
March 2021
February 2021
January 2021
December 2020
November 2020

New Research: 2021 Vulnerability Disclosures Seeing Growth

Our newly released 2021 Mid Year Vulnerability QuickView Report revealed that vulnerability trends have rebounded, with vulnerability disclosures once again showing growth.

Our VulnDB® team aggregated 12,723 vulnerabilities disclosed during the first half of 2021. The vulnerability disclosure landscape saw a growth of 2.8% compared to the same period in 2020, despite ongoing business disruptions.

“As 2020 unfolded we saw many factors contributing to heavy disruption to industries and organizations around the world. Those factors include the Coronavirus pandemic, of course, but also the many secondary effects on supply chains, press coverage, investment decisions and more.

Since then, the vulnerability landscape has somewhat stabilized as organizations return to normal operations.”

Brian Martin, Vulnerability Historian, RBS

The report further highlights that on average, there were 80 new vulnerabilities disclosed each day. Our VulnDB teams also updated an average of 200 existing vulnerability entries per day as new solution information, references, and additional metadata became available. This is an incredible workload that vulnerability management teams face daily.

“Important information missed during the pandemic is resurfacing. Even if organizations may be comfortable returning to their previous processes, the fundamental problem still remains – there are too many vulnerabilities for many organizations to realistically handle unless they adopt a truly risk-based approach to patching.”

Brian Martin, Vulnerability Historian, RBS

The 2021 Mid Year Vulnerability QuickView Report covers vulnerabilities disclosed between January 1, 2021, and June 30, 2021.

About the QuickView Report and VulnDB

The quarterly Vulnerability QuickView report is a service of VulnDB, which is the world’s most comprehensive, detailed and timely source of vulnerability intelligence and third-party library monitoring.

It provides actionable intelligence about the latest in security vulnerabilities through an easy-to-use SaaS portal, RESTful APIs, and e-mail alerting. Leveraging VulnDB is simpler than ever with our connectors to Splunk, RSA Archer, ServiceNow, GitHub, Polarity, Brinqa, Device42, Recorded Future, and more.

New Research: Data Breach Landscape Shifts Significantly

Today we released our 2021 Mid Year Data Breach QuickView Report, revealing significant shifts in the data breach landscape despite 2021 breaches declining by 24%.

There were 1,767 publicly reported breaches in the first six months of 2021 which exposed a total of 18.8 billion records. However, the decline of reported breaches does not mean security has improved over the pandemic.

“Ransomware attacks continue at an alarming pace, inflicting serious damage on the victim organizations that rely on their services. The slow pace of reporting brought on by lengthy incident investigations has not improved and attackers continue to find new opportunities to take advantage of changing circumstances.”

Inga Goddijn, Executive Vice President, RBS

The report also revisits the trends observed during the pandemic, highlighting what were temporary and which represented more permanent change.

“Analyzing breach activity has become especially interesting and important over the past two years. While some trends remain largely untouched, new trends are emerging. The method of how attackers monetize their efforts has diversified and at the same time, preventable errors are outpacing hackers when it comes to the amount of data exposed. The amount of data compromised remains stubbornly high.”

The 2021 Mid Year Data Breach QuickView Report covers data breaches publicly disclosed between January 1, 2021, and June 30, 2021.

About the QuickView Report and Cyber Risk Analytics

The quarterly Data Breach QuickView report is a service of Cyber Risk Analytics (CRA), which provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base.

In addition, our PreBreach vendor risk ratings, the result of a deep-view into the metrics driving cyber exposures, are used to better understand the digital hygiene of an organization and the likelihood of a future data breach.

The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture, and to act quickly and appropriately to proactively protect their most critical information assets.