Dark Web Roundup: October 2021
November 9, 2021 • RBS
Malicious threat actors never stop, but neither do we. Risk Based Security’s Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our round-up of October 2021.
Schlumberger Data Exposed
In early October, various threat actors on different hacking forums circulated user data from Schlumberger, a large multinational oil company headquartered in Houston, TX. The relevant file was a 266.3MB CSV titled “SLB_USERDATA” and contained information pilfered in May 2021. While the data was originally posted for sale on May 15th, 2021 for 2 BTC, likely not long after the time of the incident, it wasn’t publicly leaked until October. The file contains 836,845 records of highly sensitive user data with a number of data fields including:
Later, on October 9th, 2021, another threat actor shared a text file derived from the original file containing 211,616 records with two data fields: email addresses and decrypted passwords. When stored passwords are protected by a hashing algorithm, threat actors typically attempt to crack (colloquially “decrypt”) the hashes back into plaintext so the credentials can be shared and easily abused.
Interestingly, some of the records in the original leaked file have Schlumberger listed under “Company”, implying some internal users have been affected as well. While the true source of the data is ultimately unknown, the registration source data field is listed as either Careers, LegacyCareers, SLBcom, or Connect, indicating several distinct types of users. Lastly, the data ranges from 2009 to 2021, and the affected users originate from numerous countries including the United States.
When Risk Based Security researchers notified Schlumberger of the exposed data, the Schlumberger Cyber Security Team responded quickly, stating the “information involved appears related to an issue we addressed earlier this year.” A full statement regarding the incident was also provided:
“In May of 2021 Schlumberger learned that some registration details for the premium content and mailing list portion of its public website had been subjected to unauthorized use.
Schlumberger notified users of potentially affected accounts and provided suggested actions to secure their accounts. In addition, Schlumberger has implemented additional measures to further secure our systems and databases.”
Twitch Source Code Leaked
On October 6, 2021, one of the world’s largest live streaming services was found to have suffered a significant breach. Twitch, a platform revolving around video games and owned by Amazon, announced the incident “was a result of a server configuration change that allowed improper access by an unauthorized third party”. It was discovered after the trove of data was shared on a popular messaging board and subsequently circulated on numerous online forums.
The massive 128GB leak contained source code for a number of Twitch-owned products such as Twitch.tv, Vapor, and multi-platform console clients, as well as tools, training materials, and proprietary SDKs. Source code leaks are inherently dangerous: they give attackers the opportunity to study the code for exploitable weaknesses and expose the product to competitors. Twitch has already been under scrutiny for its security policies, and this hack is certainly one of the largest source code leaks of the year. The details of some creator payouts, which Twitch uses to pay popular streamers, were also exposed in the leak.
Thingiverse Database Exposed
While high-stakes hacks and ransomware attacks continue to grab headlines, many major companies also continue to fall victim to misconfigured servers. In early October a database backup for Thingiverse, a website where users share 3D printing plans, was found to be exposed, allegedly due to a poorly configured AWS server hosting the data. The 36GB database contained 3D model schemes and users’ names, addresses, email addresses, usernames, IP addresses, dates of birth, OAuth tokens, and SHA-1 or bcrypt hashed passwords for at least 228,000 users.
The information has now been downloaded and shared on numerous hacking forums, although the breach is believed to have occurred a year ago, in October 2020. MakerBot, the company that owns and operates Thingiverse, was criticized for not reporting the incident earlier. After a period of silence, MakerBot recently claimed that the incident was not as significant as it seems, stating that:
“For clarification, the exposure affected a handful (less than 500) of real user data. The non-production, non-sensitive data included encrypted passwords (random salted) with mostly testing data. The affected users have been notified.”
Central Restaurants Group’s Wide Reaching Data Leak
On October 26, 2021, a hacker group by the name of Desorden claimed to have hacked Thailand’s Central Restaurants Group and consequently leaked a significant amount of its data. Part of one of the largest and wealthiest conglomerates in Thailand, the Central Restaurants Group operates thousands of chain restaurants and brands including Kentucky Fried Chicken, Cold Stone Creamery, and Auntie Anne’s.
Naturally, this far-reaching data affects a number of Thai businesses. The massive 80GB of information contained customer names, dates of birth, addresses, email addresses, phone numbers, and ID numbers, as well as franchise, employee, supplier, and vendor details. Financial records and information on daily transactions from more than 2,000 restaurants were also found in the files, a potentially damaging blow to a wide range of consumers and businesses alike. Parts of the data appeared to be as recent as the day of the leak, making the incident not only wide-reaching but as fresh and relevant as it gets.
Numerous Arrests in October
In what may be a hopeful sign for those fighting ransomware around the world, a number of arrests of ransomware operators were made in October. With 5 different agencies working together, an October 4th press release highlighted the arrest of “two prolific ransomware operators known for their extortionate ransom demands (between €5 to €70 million).” The head-turning total once again shows the power and profit of recent ransomware attacks, while the multinational coordination necessary for the arrest involved Ukrainian, French, American, and European authorities. More recently, last week saw the arrests of hackers behind 1,800 ransomware attacks in 71 countries.
The eye-popping number of hacks caused significant damage to a number of large corporations, allegedly including the 2019 Norsk Hydro incident that cost the company $50 million. The 12 individuals arrested appear to have been running a highly organized operation and leveraged various ransomware strains, showing that while some operators are associated with a single ransomware family, others use as many as necessary to make their victims pay.
Threat Actor Updates
A new hacking group by the name of Desorden (Spanish for disorder) has made a big name for itself in October. Starting on September 30, 2021 and continuing into late October, the group released a number of breached databases belonging to well-known companies on a popular hacking forum. While one of the victims, Central Restaurants Group, was detailed above, the other organizations faced similar leaks of large amounts of source code, employee, and customer information. Quite a few of these hacks appear to have exposed millions of customer records, such as 5 million customer records from Acer and 36 million from ABX Express, on top of other sensitive business data.
The organizations that have been targeted and successfully breached include Acer, ProTemps, Centara Luxury Hotels, Central Restaurants Group, ABX Express, Central Retail Corporation, and SkyNet. All of the organizations are located in Asia, including Malaysia, Singapore, Taiwan, Thailand and India, implying a regional operational focus. The incidents all appear to have taken place in September or October, signifying an impressive efficiency by the group.
Desorden’s technique seems similar to that of other ransomware groups: they focus on large corporations in one region and publicly leak or attempt to sell the data if a ransom demand is unsuccessful. Risk Based Security noted that the threat actor ShinyHunters attempted to do the same, targeting Indian companies and asking for a ransom before releasing the data, though that campaign appears to have ended quickly. It is unclear what ransomware strains Desorden uses, who they might be affiliated with, or why they focus on Asian businesses. Their name-and-shame technique also suggests that some companies may have quietly paid the ransom to avoid the data leak and the negative attention that comes with it.