Dark Web Roundup: September 2021
October 11, 2021 • RBS
Malicious threat actors never stop, but neither do we. Risk Based Security’s Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our round-up of September 2021.
Fortinet VPN Credentials Leaked
Capturing headlines across the globe, a threat actor leaked approximately 500,000 credentials for Fortinet VPN accounts in early September. In response to the leak, Fortinet reported that the credentials had been harvested from 87,000 FortiGate SSL-VPN devices through FG-IR-18-384 (VulnDB ID: 201631 / CVE-2018-13379), a path-traversal flaw in the SSL-VPN web portal disclosed more than two years earlier that lets an unauthenticated attacker read system files, including the session file that holds usernames and cleartext passwords. Patching closes that read primitive but does not invalidate credentials already taken: devices patched after the data was collected remain at risk until every affected password has been reset.
The leak was organized into files and folders by country. Each file contains a country code, IP addresses, one or more usernames, and cleartext passwords, with most files holding between one and five credential sets. It is difficult to tie records to specific organizations, but the usernames and passwords suggest a mix of personal and professional use, and some credentials do hint at their owners, such as business names appearing in email-address domains or in the passwords themselves. The credentials appear to have been collected as recently as August 2021 and span 74 countries, with roughly 10% from the United States.
The incident exposes thousands of organizations to further exploitation and has been attributed to a known threat actor who split from the Babuk ransomware team, a well-known Russian-speaking group. The actor has started a syndicate named Groove ransomware, which has begun to post victim information on its newly formed leak site, and has also launched a new dark web hacking forum named Ramp. As expected, the Fortinet leak has drawn a high volume of attention to both nascent platforms.
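The practical question for a defender after a dump like this is whether any of the records point at your own devices or users, so that those accounts get a forced password reset and session revocation rather than a blanket notice. The script below is an added example, not RBS or Fortinet code; it assumes a simple one-record-per-line layout of country code, IP address, username and password (the real files were grouped into per-country folders and not necessarily laid out this way), and the sample records, the owned prefixes (RFC 5737 documentation ranges) and the mail domain are all constructed for illustration.

```python
"""
Triage a credential dump against your own address space and mail domains.
Added example with an assumed "COUNTRY IP USERNAME PASSWORD" line layout;
the records below are constructed and are not real leaked data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample dump, including two malformed lines that a parser must skip.
SAMPLE_DUMP = """\
US 203.0.113.10 jdoe Summer2021!
US 203.0.113.10 asmith Welcome1
DE 198.51.100.7 vpnuser Passw0rd
US 192.0.2.55 ops@example.com example-corp-2021
FR 198.51.100.200 admin admin
XX not-an-ip someone secret
truncated line
"""

# Assumption: documentation prefixes stand in for the public ranges you own,
# and example.com for the mail domain used in your usernames.
OWNED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]
OWNED_DOMAINS = {"example.com"}


def parse_dump(text):
    """Return (country, ip, username, password) tuples, skipping malformed lines."""
    records = []
    for raw in text.splitlines():
        parts = raw.split(maxsplit=3)  # maxsplit keeps spaces inside the password intact
        if len(parts) != 4:
            continue
        country, ip_str, user, password = parts
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue
        records.append((country, ip, user, password))
    return records


def find_exposed(records, prefixes, domains):
    """Map device IP -> usernames for records that hit our prefixes or mail domains.

    The password itself is never returned: the reset list is what gets shared around.
    """
    hits = defaultdict(list)
    for _country, ip, user, _password in records:
        in_prefix = any(ip in net for net in prefixes)
        in_domain = "@" in user and user.rsplit("@", 1)[1].lower() in domains
        if in_prefix or in_domain:
            hits[str(ip)].append(user)
    return dict(hits)


def country_share(records, country):
    """Fraction of records carrying a given country code (the kind of figure quoted above)."""
    if not records:
        return 0.0
    return sum(1 for r in records if r[0] == country) / len(records)


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(f"{len(recs)} usable records, {country_share(recs, 'US'):.0%} from US")
    for device, users in find_exposed(recs, OWNED_PREFIXES, OWNED_DOMAINS).items():
        print(f"{device}: reset passwords and revoke VPN sessions for {users}")
```

Matching on the username's mail domain catches records whose device IP belongs to a partner or a previous hosting provider, which is exactly the case the roundup notes where business names in addresses are the only clue to ownership.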
Epik Suffers Massive Breach
In another headline-grabbing incident, Epik suffered a massive data leak in mid-September following a breach. Epik is an American web hosting and domain registrar company known for hosting controversial websites and services such as Gab, Parler and 8chan/8kun. The well-known hacking collective “Anonymous”, or individuals borrowing the infamous name, claimed the breach and leaked significant volumes of data accompanied by a strongly worded message. The threat actors mocked Epik for storing passwords either in plaintext or as unsalted MD5 hashes. MD5 is fast, and without a per-user salt a single precomputed table reverses every weak password in the dump at once, so the stolen passwords were easy to abuse.
The 180GB trove of data contains:
- More than 15 million (15,003,961) customer records: names, email addresses, phone numbers, physical addresses, IP addresses, payment histories, credit card numbers, usernames, and passwords stored in plaintext or as unsalted MD5 hashes
- Scraped non-customer WHOIS data
- SSH keys
- Domain information
- WordPress and GoDaddy credentials
- VAT numbers
- Company email inbox contents
- System /home and /root/ directories
- Git repositories containing source code for internal applications
- DNS change logs
- 500,000 private keys
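To make the point about the password storage concrete, the following added example (not Epik's or RBS's code) cracks a constructed table of unsalted MD5 hashes with one reverse lookup table, shows that duplicate hashes give away shared passwords before any cracking, and contrasts that with per-user salted PBKDF2. The usernames, hashes and wordlist are all constructed; PBKDF2-SHA256 is used because it is in the standard library, and argon2id or bcrypt would be the preferred choice in production.

```python
"""
Unsalted MD5 versus salted, slow password hashing.
Added example; the leaked table and wordlist below are constructed.
"""
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2021!", "dragon"]

# Constructed stand-in for a leaked users table storing unsalted MD5.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob":   hashlib.md5(b"Summer2021!").hexdigest(),
    "carol": hashlib.md5(b"password").hexdigest(),      # same password as alice
    "dave":  hashlib.md5(b"c0rrect-h0rse-battery").hexdigest(),
}


def crack_unsalted_md5(hashes, wordlist):
    """One MD5 per candidate word cracks every user at once via a reverse table."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def duplicate_hashes(hashes):
    """Without a salt, users sharing a hash share a password; visible with no cracking."""
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Hardened storage: random 16-byte salt per user plus a slow, tunable KDF.
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Return a storable record {salt, rounds, hash}; salt is random unless supplied."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "hash": dk.hex()}


def verify_password(password, record):
    """Recompute with the stored salt and rounds; constant-time compare."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def crack_salted(records, wordlist):
    """Salted guessing still finds weak passwords, but costs rounds * len(wordlist)
    KDF calls per user and cannot share work between users."""
    found = {}
    for user, rec in records.items():
        for w in wordlist:
            if verify_password(w, rec):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    print("shared passwords:", duplicate_hashes(LEAKED_MD5))
    salted = {u: hash_password(p) for u, p in [("alice", "password"), ("carol", "password")]}
    print("same password, different salted hashes:",
          salted["alice"]["hash"] != salted["carol"]["hash"])
```

The salted table still yields "password" for alice and carol, which is the caveat worth keeping in mind: salting and a slow KDF raise the attacker's cost per account, but they do not rescue a password that is on the first page of every wordlist.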
Epik’s lack of basic security controls has prompted speculation that the breach may draw Federal Trade Commission attention or an investigation, as previously occurred with significant breaches such as Ashley Madison in 2015. Real-world consequences of the hack are also vividly apparent, particularly given the type and depth of controversial content hosted by the company: after his online activity was exposed by the breach, a Florida real estate agent was fired for being affiliated with several racist, extremist websites.
Chilean Voter Data Exposed
A database from an unknown source containing personal information on 15 million Chileans circulated on hacking forums in late August and early September. It exposed names, RUT numbers (Rol Único Nacional, the national ID number), genders, addresses, and regions in cleartext. The database appears to stem from voter records or a voting-related source, with the data dating from 2020. While much of this information may be publicly available, threat actors are always eager to collect and abuse personal data by any means available. As Risk Based Security researchers noted in 2020, databases containing publicly available information on American voters surged in popularity on hacker forums ahead of the 2020 presidential election. With Chilean general elections slated for November 21st, this database may be headed for similar abuse. Even public voter records, neatly organized and widely distributed among malicious actors, can be used to target individuals.
Pyrus.com Loses Database of Loan Applications
On September 20th, 2021, a database purportedly taken from Pyrus.com was shared on a popular hacking forum. Pyrus is a cloud-based workflow automation and document management system sold as software-as-a-service. The attributed database contains 150,000 loan applications from Russian bank customers in 2019 and 2020 and so holds a breadth of detailed personal information, including:
- Loan details
- Phone numbers
- Dates and place of birth
- Marital and spousal information
- Passport details
- Employment and Pyrus IDs
While the origin of the data is unknown, it appears likely that a Russian bank or financial institution used Pyrus to host the records, which were subsequently exposed in some manner. As is so often the case, the strength of a company’s security is also measured by the security of its vendors.
Auto Ria Database Shared
A database from a Ukrainian company was leaked and shared on a popular Russian-speaking hacking forum on September 24th, 2021. The database was stolen from Auto Ria, which describes itself as the largest online automobile marketplace in Ukraine. According to the threat actor, the incident occurred on September 17th, 2021, and the database contains 91,159 user records of names, locations, phone numbers, and car details.
Leaked information on homes, cars, or similar assets is popular among threat actors, who can attempt insurance scams, fraud, spearphishing, or account takeovers. Asset details can also be combined with information from previous leaks to build individual dossiers; the more detailed the dossier, the higher the price it fetches on dark web platforms, whether sold as a set or individually. Car details may not seem threatening on their own, but coupled with other information they can create substantial risk.
Russian Utility Springs a Leak
A unique database was shared on a popular Russian-speaking forum on September 23rd, which appeared to contain records from a utility company in Moscow, Russia. It holds 126,323 names, addresses, phone numbers, and a “source” field whose contents imply the records came from water meter inspections. Water meter checks are routine for utility companies, but the resulting data does not often turn up online as an unprotected spreadsheet. It is unclear where or when the data was obtained, but it is a reminder that almost any data can surface on the dark web or be abused by hackers.
Howard University Shut Down by Crippling Ransomware Attack
Educational institutions have long been a common target for ransomware operators and hackers: they hold troves of personal information and often lack robust cybersecurity, and the shift to online classes during the pandemic has left many universities more exposed and more frequently targeted by ransomware schemes. In early September, Howard University experienced a crippling ransomware attack that partially shut down operations. Online and hybrid classes were canceled while an alternative network was established. Howard initiated a password reset and additional security measures, and an investigation is pending. At this time, no personal information has been reported stolen and no ransomware operators have claimed responsibility for the attack.
REvil Resurfaces
One of the most notorious ransomware groups quietly surfaced back online following its disappearance this summer. REvil, also known as Sodinokibi, was responsible for some of the largest and most attention-grabbing ransomware attacks to date. The group breached Kaseya and subsequently encrypted the business data of roughly 1,500 downstream customers, which triggered immense political pressure from the United States to rein in the group. After mysteriously disappearing in July 2021, with a decryption key for the Kaseya victims later being made available, the group’s infrastructure recently came back online. Its dark web payment and data leak sites were operational again in early September, though at first no data had been added since the July disappearance. Very recently, REvil posted its newest victim, Canadian company Ronmor Holdings, to its data leak site, likely signifying a return to ransomware operations.
Groove Adds Additional Ransomware Victims
Groove ransomware made a highly publicized entrance into the threat actor space by launching a dark web victim information site in August 2021 and then sharing thousands of Fortinet VPN credentials in September. The operation is supposedly run by a former Babuk member, who split from the Russian ransomware team to start Groove and Ramp, a dark web hacking forum. Despite starting with a bang, Groove added only two victims in September: LRZ.de, which like the group’s first victim is German, and robinwoodortho.com. The group still appears to be operational and attempting to breach organizations, though it is not yet as prolific as some of its counterparts.