Dark Web Roundup: December 2021
January 13, 2022 • RBS
Malicious threat actors never stop, but neither do we. Risk Based Security’s Cyber Risk Analytics research team is dedicated to gathering the latest in data breach intelligence. Here is our round-up of December 2021.
The holiday season is typically a prolific time for cyber threat actors. As employees take extended vacation and offices close for long weekends, hackers can take advantage of lax monitoring and heightened distractions. This year, a severe labor shortage and a record number of ransomware cases, including more repeat victims, had businesses especially nervous, even though a significant percentage had no specific contingency plan in case of attack.
As the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned last summer, Mother’s Day, Memorial Day, and July Fourth all saw significant ransomware cases. DarkSide and REvil, two prolific ransomware groups, managed to suspend operations at a critical infrastructure energy company and a meat production facility, respectively. This past November, the FBI and CISA issued another reminder about the heightened threat companies face at the end of December, providing specific advice to mitigate the threat.
So far, there have not been reports of devastating hacks occurring during the recent holiday season. While successful breaches certainly did take place, it may take time for the news to surface, or for returning employees to discover lurking threat actors on their network. Given the recent Log4j vulnerability and its severity, we may see news of holiday breaches very soon. But for now, it seems as if the threat has generally been pushed off…until the next holiday weekend.
Marketing Companies Targeted
Marketing service providers and lead generation companies profit from having a strong network of contacts and users. The more information they collect, the better. In turn, this makes them a prime target for threat actors seeking to amass data. Even when personal information does not contain passwords or sensitive account numbers, hackers can use email addresses, names, job titles and similar information to carry out spam campaigns, phishing emails, or social engineering attacks.
On December 6th, 2021, a threat actor leaked numerous databases from RedCappi, an email marketing service. A private user directory was allegedly left public, then collected and leaked. In total, 13.8GB of data across 30,140 varied CSV files was circulated on hacking forums. The customer-generated tables contain names, genders, phone numbers, addresses, companies, occupations, social media profiles and 177,375,414 email addresses. This included numerous email addresses from significant government entities and organizations such as the Department of Homeland Security, Texas Education Agency, Accenture, and MetLife.
In 2018, more than 125 million records with similar information were also leaked online from sales engagement company Apollo.io. That data was likewise publicly exposed and found by a cybersecurity researcher, and has since circulated widely among threat actors and hacker forums. Marketing companies that have had their data leaked are numerous, and the leaks typically contain a hefty number of email addresses, much to end users’ chagrin.
Chinese Airport Hacked
Last month, we highlighted an emerging threat actor named AgainstTheWest. This hacker focuses on China, or companies that do business with the Chinese government, and is a very vocal opponent of the ruling political party in China. Near the end of 2021, AgainstTheWest published their hack of the Beijing Capital International Airport, which is one of the two main international airports serving Beijing. It is unclear on which day the attack occurred, but on December 30th, 2021 the hacker released an assortment of files pilfered from the airport in what was dubbed “Operation Renminbi”.
While it does not appear that user, employee, or personal data was impacted, a debug APK file and a lint report were leaked. Lint is used by Android developers to find and improve poorly structured code. The leaked files are certainly sensitive in nature and ripe for abuse in the wrong hands, but more importantly they serve as an impactful message as the onslaught against Chinese entities continues.
Not all breaches are created equal. Some hacks are stopped quickly enough to leave threat actors empty-handed, or unable to exfiltrate valuable user data. On the other hand, some incidents end with a massive trove of data being pilfered and leaked on the dark web. This past year, Epik was successfully breached by hacktivists, who published more than 15 million customers’ personal details as well as sensitive company data and credentials. Not long after, Twitch, the popular streaming service, had 125GB stolen and leaked online, including source code, tools, and three years’ worth of creator payout details.
On December 28th, 2021, a hacker similarly released a trove of databases from Flexbooker, an online booking and scheduling service. Unfortunately for Flexbooker and their clients, the hackers made off with 10,000,000 records containing customer names, partial plaintext credit card details, phone numbers, email addresses, salted password hashes, and account information. Moreover, the numerous data tables include SMS messages, merchant information, and payment and transaction records, meaning customers weren’t the only ones affected. The hackers also claim to have, and plan to publish, an unknown number of driver’s licenses and ID scans. When far-ranging breaches like this occur, with a wide variety of information leaked, the risk can persist for years, since source code, company data, and merchant details are difficult to change and remain ripe for abuse.
Dark Web Market Hacked
Hackers, and the infrastructure they employ, are not immune to being hacked. Dark web hacking forums and chat groups have routinely reported data breaches, including the notorious Maza forums and the REvil ransomware group. On December 31st, 2021, a threat actor on a Russian-speaking hacking forum shared a database from the Alien Dark Web Market. The data included user IDs, PINs, account timestamps, wallet addresses, usernames and plaintext passwords. Many users rely on the dark web, most popularly Tor, to secure anonymity for their transactions and illegal activity. However, these data breaches and leaks illustrate the limits of that anonymity, as researchers or law enforcement can link names, usernames, or even passwords across data breaches to expose hackers or vendors on the dark web. The exposed accounts are also particularly ripe for account takeovers. The Alien Market appears to be currently operational.
Night Sky Ransomware Launched
A new ransomware operator appeared in December under the ominous name Night Sky. Researchers noted that its infrastructure was registered and launched on December 27th, 2021, though the group has yet to be prolific. Currently, its victim name-and-shame dark web site contains two entries. The first is “Tokyo Computer Service” and the second is “Akij Group”, both of which appear to be based in Japan. Some ransomware operators target specific regions due to language or expertise, but it remains to be seen whether Night Sky will continue to target Japanese organizations. Its ransomware entries also contain the following message:
“WE ARE NIGHT SKY
This company has been hacked by us.
Internal files have been stolen and encrypted by us.
If this company isn’t willing to meet our requirements,
We will release all data after a week”
Black Cat on Christmas Day
The Black Cat ransomware group, also known as ALPHV, launched in late November and was described as one of the year’s most sophisticated ransomware strains. Making it even more worrisome, while much of the world was enjoying a day off during the Christmas holiday, ALPHV in particular was reported to be operating in full swing. It has yet to be seen whether this Christmas Day campaign was successful, but it is certainly another reminder that hackers will use any trick in the book to overcome a company’s security.