Dark Web Roundup: August 2021
September 13, 2021 • RBS
Malicious threat actors never stop, but neither do we. Risk Based Security’s Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our round-up of August 2021.
A massive trove of sensitive customer data, including passport and identity card scans, was stolen from the international cosmetics company Oriflame and leaked online. On August 5th, 2021, a threat actor on a popular hacking forum claimed to have compromised 4 TB of data comprising more than 13 million files, 4 million identity verification documents and credit card information. As proof, 25,000 identity verification documents from the country of Georgia and 773,504 files from Kazakhstan were shared. On August 6th, Oriflame issued a press release announcing a data breach, though details were limited. A later follow-up report did not confirm the true extent or origin of the incident, though the details and affected regions it provided did validate the original threat actor’s claims.
Throughout the month of August, more segments were leaked, including 426,074 files from China, 3.2 million files from India, and more than 1.5 million files from Russia. Although originally posted for sale, in early September the full 4 TB database was leaked in its entirety on a different hacking forum. For a full write-up and timeline of the situation, Risk Based Security researchers have prepared a full report.
Making headlines worldwide, 70,000,000 customers were affected in an alleged AT&T data breach. On August 19th, 2021, the notorious threat actor ShinyHunters posted the compromised database for sale; it includes customer names, addresses, email addresses, phone numbers, dates of birth, and Social Security numbers. A sample provided by the seller confirmed the data fields contained in the data set.
AT&T has denied that the data came from within its systems, and ShinyHunters hit back by doubling down on the claim. The hacker has expressed willingness to work with AT&T, and an extortion attempt would be consistent with their recent tactics. The pilfered data was also put up for auction with a $200,000 starting bid or a $1,000,000 buy-it-now price, and the auction reached as high as $230,000 before being suspended. However, the auction will most likely resume shortly, as the sale is being moved to an alternative dark web marketplace.
Preceding AT&T by a few days, T-Mobile, one of the largest telecommunications carriers in the United States, announced that it had been breached. T-Mobile confirmed on August 17th, 2021 that a threat actor gained access to its systems on or before July 19, 2021. More than 50 million customers were affected, and the data stolen by the hacker included:
- Dates of Birth
- Social Security Numbers
- Phone Numbers
- IMEI and IMSI Numbers
- Driver’s License Numbers
- Account PINs
Throughout the month the incident went from bad to worse, as T-Mobile slowly revealed the true extent of the tremendous customer data breach. A 21-year-old American has claimed responsibility, stating that they used an unprotected router to gain access and ultimately steal the data. T-Mobile now faces multiple class-action lawsuits over the hack, and parts of the data have since been leaked on popular hacking forums.
Ecuador National Corporation of Telecommunications
Ecuador’s state-run Corporación Nacional de Telecomunicación (CNT) was hit with a ransomware attack in late July that led to compromised data being leaked on hacking forums in August. CNT displayed a message on its website stating that certain features were unavailable following a cyber attack, and declared that a complaint had been filed with the State Attorney General’s Office so that an investigation could begin. A cybersecurity researcher attributed the attack to the RansomEXX ransomware team, as the group’s dark web site quietly claimed responsibility for stealing 190 GB of information. The compromised data contains contact lists, contracts, and support logs, but no customer data. This incident adds to the shocking list of telecommunication data leaks that piled up in August.
On August 15th, 2021, 100 GB of stolen data impacting multiple financial institutions was shared on the dark web. The leaked data originated from Pine Labs, an Indian technology company focused on financing and e-commerce platforms. After Pine Labs fell victim to BlackMatter ransomware, the dataset was posted on the group’s dark web site, which it uses to name victims and host compromised data. BlackMatter, which launched only recently, has made headlines for its similarities to REvil and Darkside, suggesting either a rebranding or affiliates of those groups attempting to fill the void with similar techniques and tooling. While the ransomware group may be new, the threat and risk are certainly the same. The leaked data contains private agreements with multiple Indian banks, financial reports, phone numbers, names, and email addresses. While only one organization was hacked, multiple financial institutions may carry the risk of private data leaks.
In August, one of the world’s largest consulting companies confirmed that it had suffered a successful ransomware attack. Lockbit 2.0, the ransomware group behind the attack, first provided evidence of the breach and attempted to negotiate a large ransom with the organization. While an internal memo within Accenture confirmed a security incident on July 30th, the news only broke in mid-August as the company dealt with the aftermath. Accenture announced there “was no impact on Accenture’s operations or on our clients’ systems.” However, 2,500 employee computers were reportedly compromised, with client information and work materials stolen. While Accenture has not shared how the incident unfolded, the threat actors have claimed it was an inside job.
Particularly since the Accenture incident, Lockbit 2.0 has been rising in notoriety over the past couple of months and has recently revamped its operation with a new strategy. Over the summer the ransomware group launched a newly designed dark web site for victim data and marketed its increasingly popular “ransomware as a service” operation. Alongside new technical features, the group has also attempted to publicly entice employees to turn against their employers. A message distributed by the group read the following:
“Would you like to earn millions of dollars? Our company acquire[s] access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company.”
It is unclear at the moment how successful this effort has been. It is also unclear whether Accenture fell victim to this campaign, or whether Lockbit blamed an insider for the attack in order to entice future prospects. Either way, it is clearly an intimidating tactic from an already powerful ransomware group.
Cyber Risk Analytics:
The standard and most comprehensive resource for data breach intelligence and risk ratings.