December 14, 2021 • RBS

Categories: Security News

Malicious threat actors never stop, but neither do we. Risk Based Security’s Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our round-up of November 2021.

Leaked Databases

Marshall Investigative Group for Sale

A massive 911GB database containing a trove of extremely sensitive and well-organized personal information was recently posted for sale in late November by the “Bonaci” hacking group. The threat actors attributed the data to Marshall Investigative Group, a private investigation office based in Illinois. An analysis of the data confirms Marshall Investigative Group as its source.

The listing was shared on the hackers’ self-managed dark web data site, where victims’ data is either free for download or available for purchase. While this type of site is similarly leveraged by ransomware groups, Bonaci claims that they do not engage in data encryption, but instead are interested in selling the “silence about data breaches and security vulnerabilities found”, suggesting they specialize in extortion.

A 5.8GB sample with 51 client cases was posted on the Bonaci site, as well as a full case list. The case files contain copious amounts of sensitive data, each one a highly-detailed dossier on the subject including:

  • Names
  • Surveillance findings and location histories
  • Photographs
  • Dates of birth
  • Family members
  • Court records
  • Employment history
  • Vehicle details
  • Analysis of social media posts
  • And much more

Moreover, similar dossiers can be found on the subject’s family members, romantic partners, and affiliates. Company documents, client information, emails, contracts and relevant case details are also included in the case folders. The full database allegedly contains 45,129 client cases, with State Farm and Philadelphia Insurance Companies standing out as the group’s main clients.

The data is certainly a threat actor’s dream, as it is ripe for extortion, account takeovers, spear phishing, identity fraud, and a number of other popular scams. Due to the amount and nature of the data, it is currently being auctioned for 16,880.7 Monero, a cryptocurrency focused on privacy, which is currently valued at $4 million. Monero is growing in popularity with threat actors on the dark web, as its transaction details are significantly more obfuscated than those on the bitcoin blockchain. While the auction was scheduled to end November 30th, 2021, the data is currently still available for purchase.

FBI Targeted

The Federal Bureau of Investigation was recently subject to a very public incident due to a website bug. On November 12th, 2021, thousands of hoax emails containing a fictitious alert were sent out en masse. The emails warned recipients that they had been breached and were subject to data exfiltration, while also pinning the blame on a security researcher. An analysis of the email headers proved that the emails had in fact originated from FBI servers, as opposed to email spoofing.

Soon after disclosure, the threat actor responsible for the incident shared their methods for exploiting the website vulnerability. After reaching out to a popular cybersecurity blog, the hacker detailed step-by-step how they targeted the platform and which specific HTML code was insecure. According to the perpetrator, a one-time passcode was generated when users attempted to create an account for a law enforcement resource portal. This passcode was leaked by the FBI’s website, and editing the request allowed the threat actor to change the subject and contents of the email to craft the hoax alert. Despite generating attention-grabbing headlines, it appears that FBI servers were not breached and no data was exposed. On November 14th, the FBI issued a statement regarding the incident:

“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on FBI’s network. Once we learned of the incident we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
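The server-side pattern behind the flaw described above, as an added example that is not the FBI’s or LEEP’s code: the vulnerable handler lets the client supply the passcode, subject and body of the confirmation email and echoes the passcode back, while the hardened handler generates the passcode server-side, sends a fixed template, and returns nothing an attacker could reuse. The field names, the mailer and the passcode store are assumptions.

```python
import re
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the portal's mailer: records messages instead of sending them.
@dataclass
class FakeMailer:
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
OTP_SUBJECT = "Your one-time passcode"
OTP_TEMPLATE = "Your one-time passcode is {otp}. It expires in 10 minutes."

def vulnerable_signup(form: dict, mailer: FakeMailer) -> dict:
    """Mirrors the flaw: subject, body and passcode all come from the request,
    so anyone who edits the request controls what the server's mailer sends,
    and the passcode is returned to the browser instead of kept server-side."""
    mailer.send(form["email"], form["subject"], form["body"].format(otp=form["otp"]))
    return {"status": "sent", "otp": form["otp"]}

def hardened_signup(form: dict, mailer: FakeMailer, store: dict) -> dict:
    """Only the recipient address is taken from the client and it is validated;
    the passcode is generated here, the message text is a fixed template, and
    the response carries neither the passcode nor any message content."""
    email = form.get("email", "")
    if not EMAIL_RE.match(email):
        raise ValueError("invalid recipient address")
    otp = secrets.token_hex(4)                 # 8 hex chars from the OS CSPRNG
    store[email] = otp                         # held server-side for later verification
    mailer.send(email, OTP_SUBJECT, OTP_TEMPLATE.format(otp=otp))
    return {"status": "sent"}

def verify_otp(store: dict, email: str, submitted: str) -> bool:
    """Single-use check: constant-time compare, then discard the passcode."""
    expected = store.get(email)
    if expected is None or not secrets.compare_digest(expected, submitted):
        return False
    del store[email]
    return True
```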

Robinhood Breached

Social engineering attacks are often the subject of cybersecurity employee training simply because they are so successful. On November 3rd, 2021, a hacker using persuasion and persistence was able to obtain access to personal information for millions of Robinhood customers. According to Robinhood, the threat actor “socially engineered a customer support employee by phone and obtained access to certain customer support systems.” It is unclear how exactly they were able to convince the employee to provide access to Robinhood’s systems.

Using the illicitly obtained access point, the hacker successfully exfiltrated a list of email addresses for about 5 million customers. Full names for a different set of 2 million people were also obtained. Together, these lists can be a powerful tool for hackers looking to commit spear phishing. For 310 users, their names, dates of birth, and zip codes were also exfiltrated. For 10 of those customers, even more extensive account details were exposed. These 310 victims are particularly at risk for account takeovers and fraud, since trading accounts are enticing for hackers looking to score a profit from the attack.

After the incident occurred the threat actor demanded an extortion payment, which Robinhood declined. The list of email addresses was subsequently sold on a popular hacking forum for at least $10,000. The other datasets containing driver licenses and other account information have allegedly not been sold.

Like Robinhood, Twitter was also subject to a successful social engineering attack back in July 2020. Hackers convinced Twitter staff that they were employees and gained access to an administrative tool that led to account takeovers of numerous well-known accounts. Twitter, as well as Robinhood, stated that they have updated their security policy since the respective social engineering incidents.

Jukin Media Incident

While hackers are often motivated by their search for profit, they can also be driven by political or personal retribution. Companies that are perceived as greedy, immoral, or part of a repressive government are commonly targeted by hackers aiming to make a social or political statement. Jukin Media, which is best known for the Fail Army brand, was recently the focus of well-known threat actors who claim that “They [Jukin Media] are known for stealing money….”

As a result of the attack a large amount of sensitive data was leaked publicly, including multiple databases, invoices, Jenkins, Redis snapshots, VPN and site configurations, and application source code. Additionally, a leaked users table exposed more than 110,00 user records with user and email IDs, names, usernames, company names, email addresses and hashed passwords. No announcement regarding the incident was made, but a password reset was required for users on Jukin Media’s website, which was attributed to a security upgrade. Jukin Media is certainly not the first to fall victim to a hacker’s corporate retribution, and they are sadly not the last.

Travelio Data Leaked

On November 23rd, 2021, the well-known threat actor ShinyHunters resurfaced to leak a database that was presumably breached by them. The data belonged to Travelio, a company based in Jakarta, Indonesia that focuses on the Indonesian real estate market. According to Crunchbase, the seemingly successful startup specializes in making it easier for landlords to rent their apartment complexes and homes. ShinyHunters has recently been targeting Asia-based companies, and the data leak puts Travelio users at high risk. An analysis of the data shows at least 473,463 users were affected, with names, phone numbers, referral codes, user IDs, email addresses and hashed passwords exposed. Even though the passwords were hashed rather than stored in plaintext, hackers often recover them through various cracking methods or by linking the hashes to previous breaches. The data was attributed to 2021, but no specific date was given.

Ransomware Updates

Groove and Ramp

Groove ransomware and the Ramp hacking forum made a splash on the dark web scene by launching shortly after the release of more than half a million cleartext Fortinet credentials in September. Groove ransomware employed a victim naming and data sharing dark web site of the kind leveraged by many ransomware operators to garner attention and reputation, and had shared a few of their victims’ databases before appearing to cease activity.

On a similar timeline, Ramp launched as an exclusive Russian-speaking forum for hackers. Both Ramp and Groove were formed by a Babuk ransomware affiliate, after one of the hacking group’s threat actors went rogue. The creator has since repeatedly disclosed on a popular Russian-speaking hacking forum that these sites were created as a joke and have been taken offline. After a brief return recently, the sites appear to be offline again. It is unclear whether the websites are suspended indefinitely, and whether Groove was in fact a true ransomware operation. Passing off Ramp and Groove as a hoax may well be the truth; however, it is also possible the threat actor was spooked by the recent waves of international arrests of ransomware operators and opted to close up shop early.

REvil Down

Just as they seemed poised for a comeback after this summer, the notorious REvil ransomware group appears to be down for the count. After the infamous Colonial Pipeline ransomware incident that caused extensive damage to the company and its customers, REvil went oddly quiet after news linked them to the attack. In early fall their infrastructure appeared to come back online, and they even added a new incident to their ransomware victim naming website, but shortly after, the site went dark once again. One of the site operators later said that their servers were compromised.

In early November, in what may be the climax of the saga, authorities arrested five members of the REvil hacking group. $6.1 million in cryptocurrency was also seized during the operation, which REvil apparently set aside for a hacking affiliate. Some of the members are awaiting extradition, and it is estimated that the arrested individuals were involved in 5,000 ransomware attacks, including the Kaseya incident, with more than half a million Euros in payments.

Threat Actor Updates

AgainstTheWest and China

Companies in China have largely managed to avoid data breach headlines, but that doesn’t mean they’re not being targeted. While Chinese data infrastructure appears to be more segregated from the rest of the world, Chinese companies are certainly not immune. A new threat actor, which has taken on the peculiar name AgainstTheWest, has claimed to be exclusively targeting Chinese companies as political retribution for the government’s actions.

They have publicly leaked a number of databases belonging to Chinese organizations, including the state-owned CITIC Group, National Energy Commission, Ministry of Health, Zhangzhou Beskerin Technology, and many more. The targets appear to be a mix of governmental organizations, institutions and corporations. Most recently, DateEye, a Korean company with ties to China, was added to the victim list.

The threat actor has also claimed responsibility for the destruction of Chinese data infrastructure, including compromising devices and defacing webpages. AgainstTheWest has not focused exclusively on China, however. They have also targeted North Korea and published data from a Polish real estate firm, claiming retribution for the Polish government’s recent policies.
