Search This Blog

Showing posts with label Stolen Data. Show all posts

Hacker Offers 5.4 million Twitter Account Details for $30,000

 

A threat actor acquired data from 5.4 million Twitter accounts by exploiting a now-patched vulnerability in the popular social networking site. Hacker is currently selling the stolen information on the prominent hacker site Breached Forums. 

In January, a Hacker report claimed the discovery of a vulnerability that may be used by an attacker to identify a Twitter account using the linked phone number/email, even if the user has elected to avoid this in the privacy settings. 

“The vulnerability allows any party without any authentication to obtain a Twitter ID(which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” reads the description in the report submitted by Zhirinovskiy via bug bounty platform HackerOne. 

“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number but an attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities” Twitter acknowledged the vulnerability and rewarded Zhirinovskiy with a $5,040 prize. 

The website Restore Privacy uncovered the advertising for the massive data trove on Breached Forums. A hacker has published a database of 5.4 million Twitter users. 

Database of 5.4 million Twitter users

According to the seller, the database comprises data (email addresses and phone numbers) from people ranging from celebrities to businesses. The vendor additionally included a data sample in the form of a csv file. 

“A few hours after the post was made, the owner of Breach Forums verified the authenticity of the leak and also pointed out that it was extracted via the vulnerability from the HackerOne report above.” reads the post published by RestorePrivacy. 

“We downloaded the sample database for verification and analysis. It includes people from around the world, with public profile information as well as the Twitter user’s email or phone number used with the account.” 

The seller told RestorePrivacy that he is asking for at least $30,000 for the entire database.

U.S. Agencies Seize Domains Employed for Selling Credentials

 

Earlier this week, the U.S. Department of Justice and the FBI announced that they seized three domains selling compromised personal information and launching cyber assaults on victim networks. 

The specific domains seized were weleakinfo.to, ipstress.in, and ovh-booter.com — the first of which allowed its users to traffic compromised personal data and offered a searchable database containing illegally amassed information obtained from over 10,000 data breaches. The other two domains offered DDoS-for-hire services to their users. 

The domains were taken down as part of an international investigation, in which the National Police Corps of the Netherlands and the Federal Police of Belgium arrested the primary suspect, searched several locations, and seized the underlying infrastructure. 

The weleakinfo.to domain offered access to seven billion records containing private data such as names, phone numbers, usernames, email addresses, and passwords. 

The seizure of this domain comes roughly two years after the FBI and the US Department of Justice took control of the internet domain name weleakinfo.com, which offered identical services. 

"Today, the FBI and the Department stopped two distressingly common threats: websites trafficking in stolen personal information and sites which attack and disrupt legitimate internet businesses," stated Matthew M. Graves, U.S. Attorney for the District of Columbia. “With the execution of the warrant, the seized domain names – weleakinfo.to and the related domains – are now in the federal government's custody, effectively suspending the website’s operation.” 

 "Cybercrime often crosses national borders. Using strong working relationships with our international law enforcement partners, we will address crimes like these that threaten privacy, security, and commerce around the globe." 

According to the DOJ, it remains unclear how long the weleakinfo.to the domain was in operation. Still, the website developed a reputation for selling names, email addresses, usernames, phone numbers, and passwords for online accounts to cybercriminals who would buy a subscription for a period of one day, one week, one month, three months, or a lifetime. 

Two years ago in January 2020, the FBI and the US DOJ announced the seizure of the WeLeakInfo.com domain, used in similar cybercrime activity. Just as WeLeakInfo.to, it also offered subscriptions, allowing customers to search 12 billion indexed records for specific information exposed in thousands of data breaches.

Ransomware Groups are Enlisting Breached Individuals to Persuade Firms to Pay Up

 

According to recent reports, attackers are utilising stolen data to contact individuals who have been compromised in the attack (through social media, email, or phone). These direct contact strategies are being used by ransomware gangs as additional leverage to get victims to pay up. They call employees or customers whose data was compromised in the attack and urge them to persuade the victim to pay up, threatening them with the release of their personal information if they do not. 

NBC News featured a story on a parent whose child attended a school run by a district that was the target of a ransomware attack. The attackers emailed the parent, asking him to put pressure on the district to pay up, or else all of the exfiltrated materials, including information on him and his son, will be posted on the dark web. 

According to the person interviewed by NBC, the district did not notify parents or many staff members that they had been the victims of an attack, at least not before the assailants established contact with them. The attackers exploit whatever contact information they can obtain, such as employee directories or customer databases, to identify individuals to pressure. 

Allen ISD was the victim of a cyberattack in September 2021 and was afterward the target of attempted extortion by the perpetrators. Allen ISD, located roughly 30 miles north of Dallas, Texas, educates nearly 22,000 K-12 students. Following consultation with external cybersecurity experts, school administrators decided to refuse to pay the hackers' demands, even telling local media that there was no indication that data had been exfiltrated. Despite the fact that the ransomware gang claimed to have collected personal information from district children, families, and staff and sought to extort millions of dollars from Allen ISD. 

Another strategy used by ransomware attackers is to contact employees at a firm during the reconnaissance stages of an assault to see if they can bypass the infiltration stages by exploiting an insider threat. Insider threats are one of a few non-digital threats that have plagued businesses of all sizes to date. 

Insider threats represent a quarter of the eight main cybersecurity risks that significantly affect the corporate and public sectors, according to the Osterman Research white paper White Hat, Black Hat, and the Emergence of the Gray Hat: The True Costs of Cybercrime. 

According to a new survey conducted by identity protection firm Hitachi ID Systems, 65% of surveyed IT and security executives or their staff had been contacted to aid in ransomware cyberattacks. This marks a 17% increase over a similar survey conducted a year ago. The attackers used email and social media to contact employees in the majority of cases, while phone calls accounted for 27% of their approach efforts, a direct and brazen method of communication.

RedLine Stealer Identified as Major Source of Stolen Credentials on Dark Web Markets

 

A significant proportion of stolen credentials being traded on two dark web underground marketplaces were gathered via the RedLine Stealer malware, according to Insikt Group, Recorded Future's cybersecurity research arm. 

The RedLine Stealer, first discovered in March 2020, is a part of the info stealer family, a form of malware that once infects a computer and its primary goal is to capture as much user data as possible and then deliver it to the attackers, who often sell it online. 

The RedLine Stealer has data gathering features such as the ability to extract login credentials from web browsers, FTP applications, email apps, instant messaging clients, and VPNs. RedLine can also harvest authentication cookies and card numbers from browsers, chat logs, local files, and cryptocurrency wallet databases. 

Since March 2020, the malware has been sold on many underground hacking sites by a coder called REDGlade. After good feedback in a hacking forum thread, unauthorized versions of the RedLine Stealer were distributed on hacker forums a few months later, in August of this year, facilitating it to proliferate to even more threat actors who did not have to pay for it. 

But, even before the cracked version was released, RedLine had gained a devoted following. According to a report published last week by Insikt Group, the majority of stolen credentials available for sale on two underground marketplaces originate from computers infected with the RedLine Stealer. 

Insikt researchers stated, “Both Amigos Market and Russian Market were identified by Insikt Group (June 2021) posting identical listings regularly that contained the same timestamps, infostealer variants used, geographical locations of affected machines, and ISPs.” 

The results of the Insikt team follow similar research by threat intelligence firm KELA from February 2020, which discovered that around 90% of stolen credentials sold on the Genesis Market originated from infections with the AZORult infostealer. 

According to the two reports, underground cybercrime marketplaces are fragmented and often operate with their own independent suppliers, just as legal markets have their own choices for particular business partners. 

By going after the producers and dealers of these infostealers, this fragmentation opens the path to impairing the supply of multiple underground markets. In February 2020, a Chrome upgrade (which modified how credentials were saved inside the browser) halted the flow of newly stolen credentials on Genesis Market for months until the AZORult stealer was modified to assist the new format.

A Look at the Triple Extortion Ransomware

 

Ransomware has traditionally concentrated on encryption, but one of the most common recent additions is the exfiltration and threatening disclosure of critical data in a "double extortion" assault. Threat actors, on the other hand, must continually develop new ways to enhance the effect of a successful assault since the financial incentives are so high. One of the most recent methods is known as "triple extortion," which adds another way to extort money from targets. 

The prospect of stolen data being released online has been a typical point of leverage for criminals seeking further ransom payments in what is known as double extortion. More than 70% of ransomware assaults now include exfiltrate data, demonstrating how quickly this type of attack tactic has become the norm.

Threat actors have lately introduced another layer to ransomware assaults based on this approach. In other words, this latest ransomware advancement means that a ransomware assault no longer stops at the first victim. Ransom demands may now be directed towards a victim's clients or suppliers under triple extortion. At the same time, other pressure points such as DDoS attacks or direct media leaks are added to the mix. 

The more leverage the perpetrators have in a ransomware assault, the more likely the victim is to pay. If the gang is successful in not just encrypting vital systems but also downloading sensitive data and threatening to leak it, they will have the upper hand and will be able to demand payment if the victim does not have sufficient backup procedures. 

According to Brian Linder, a cybersecurity evangelist at Check Point Software, triple extortion has become more common in the previous six months, with ransomware gangs making robocalls to customers, shareholders, partners, the press, and financial analysts if the victimised organisation fails to fall victim to the first two extortion efforts. 

“So, imagine if you don’t pay the ransom, we’re going to let all the stock analysts know that you’ve been attacked and likely drive some percentage of your market value out of the market,” Linder says. “We do expect this to be highly exploited. It’s fairly easy to do.” 

Depending on the attacker's initial effectiveness in infiltrating the network, they can get access to information about the victim's clients, including names and phone numbers, and have automated messages ready to go. 

Companies and organizations that retain client or customer data, as well as their own, are the most apparent targets for ransomware operations that go beyond single or double extortion. Healthcare organizations are obvious targets in this regard. As a result, the first known instance of triple extortion occurred late last year when hackers obtained access to Vastaamo, a Finnish physiotherapy provider. Threat actors demanded money directly from the thousands of Vastaamo clients whose records they were able to exfiltrate, rather than contacting the provider for a ransom.

1GB of Puma Data is Now Accessible on Marketo

 

Hackers have stolen data from Puma, a German sportswear firm, and are now attempting to extort money from the corporation by threatening to expose the stolen files on a dark web page specialized in the leaking and selling of stolen data. The Puma data was posted on the site more than two weeks ago, near the end of August. 

The publication claims that the threat actors took more than 1 GB of private information, which would be sold to the highest bidder on an unlawful marketplace, according to Security Affairs analysts. This operation appears to be devoted only to the theft and sale of private information, ruling out the possibility that it is a ransomware offshoot. 

To back up their claims, the threat actors released some sample files that, based on their structure, suggest the attackers got Puma's data from a Git source code repository. The information is now available on Marketo, a dark web platform. The platform, which was launched in April of this year, is quite simple to use. 

Users can register on the marketplace, and there is a section for victim and press inquiries. Victims are given a link to a private chat room where they can negotiate. Marketo includes an overview of the company, screenshots of allegedly stolen data, and a link to a "evidence pack," also known as a proof, in each of the individual postings. They utilise a blind bidding mechanism to auction sensitive data in the form of a silent auction. Users place bids depending on how much they believe the data is worth. 

Site administrators first compile a list of potential victims, then provide proof (typically in the form of a small downloadable archive) that their network has been infiltrated. If the victimised firm refuses to cooperate with the hackers, their data is exposed on the web, either for free or for VIP members only. The website claims to compile data from a variety of hacking groups but does not cooperate with ransomware gangs.

“Right now, I can say that Puma haven’t contacted us yet,” the administrator of the dark web leak portal told The Record in a conversation last week. “The rest of the data would be released if Puma will decline the negotiations,” they added.

Data From Fujitsu is Being Sold on the Dark Web

 

An organisation called Marketo is selling data from Fujitsu on the dark web, although the firm claims the information "appears to be tied to customers" rather than their own systems. Marketo announced on its leak site on August 26 that it had 4 GB of stolen data and was selling it. They claimed to have private customer information, company data, budget data, reports, and other company papers, including project information, and gave samples of the data.

Fujitsu Limited, based in Tokyo, is a Japanese multinational information and communications technology equipment and services firm founded in 1935. After IBM, Accenture, and AWS, Fujitsu was the world's fourth-largest IT services company by yearly sales in 2018. Fujitsu's hardware portfolio consists mostly of personal and enterprise computing solutions, such as x86, SPARC, and mainframe compatible servers. 

Initially, the group's leak site stated that there were 280 bids on the data, but now it only shows 70 offers. A Fujitsu representative downplayed the event, saying there was no evidence it was linked to a case in May in which hackers used Fujitsu's ProjectWEB platform to steal data from Japanese government agencies. 

"We are aware that information has been uploaded to dark web auction site 'Marketo' that purports to have been obtained from our site. Details of the source of this information, including whether it comes from our systems or environment, are unknown," a Fujitsu spokesperson said. 

Marketo is a reliable source, according to Ivan Righi, a cyber threat intelligence expert at Digital Shadows. The veracity of the material stolen, according to Righi, cannot be validated, but prior data leaks by the group have been found to be real. 

"Therefore, it is likely that the data exposed on their website is legitimate. At the time of writing, Marketo has only exposed a 24.5 MB 'evidence package,' which contained some data relating to another Japanese company called Toray Industries. The group also provided three screenshots of spreadsheets allegedly stolen in the attack," Righi said.

The group has gone as far as sending samples of stolen data to a company's competitors, clients, and partners in the past to embarrass victims into paying for their data back. The group has listed hundreds of firms on their leak site, most notably Puma, and releases one every week, usually selling data from US and European corporations. At least seven industrial goods and services firms, as well as healthcare and technology firms, have been targeted. 

According to Brett Callow, a ransomware expert, and threat analyst at Emsisoft, it's unknown how Marketo gets the data it offers, but there's evidence that the data is frequently linked to ransomware attacks.

City Officials of Grass Valley Negotiates with the Handlers of Ransomware Attack

 

The city of Grass Valley is one of the latest victims of a ransomware attack. The operators of the ransomware attack informed the city officials that they had obtained data from city systems and threatened to post it on the web if the city doesn't pay a ransom. Surprisingly, the city officials decided to pay the ransom. 

“I think everyone’s a target. We’re not supposed to negotiate with terrorists – it emboldens them,” said Matthew Coulter, a Grass Valley resident who clearly wasn’t happy by the decision taken by the city officials.

According to Grass Valley police, they were left with no choice after the perpetrators contacted them in late June and threatened to publish the stolen data. The copied data allegedly included information on people or businesses that had conversations with various Grass Valley systems, including law enforcement.

“If we didn’t pay a small ransom and that data was dumped on the world wide web, then all of the people that we interacted with would be at risk of identity theft, loss of privacy, et cetera. One of the factors that weighed heavily for the city council was if this was something we could do to protect the people that we serve,” said Grass Valley attorney Michael Colatuono. 

City and emergency services were not greatly affected, and some discretionary outages were temporarily implemented. The cost of the incident is covered by the city’s insurance, according to an earlier press release and statements during the news conference.

Grass Valley isn’t the first city in the region to become a target, and likely won’t be the last. Sierra College was affected earlier this year, others are dealing with similar issues. City officials said the Federal Bureau of Investigation was contacted and that various state agencies are still investigating to find the perpetrators behind the attack. Credit monitoring is available to anyone interested if their personal data may have been breached.

To counter any cyberattack, the most important thing to look out for is ‘phishing’ emails. They may come from emails that you seem to recognize, but they could be pretending to be someone you are familiar with. He said to always check email addresses and avoid clicking on links you don’t recognize, referencing how one click could read this chaos, said Matt Bishop, a cybersecurity expert and UC Davis professor.

Japanese Games Publisher Koei Tecmo Suffers Cyber Attack, 65,000 Users Account Compromised


The Japanese games' publisher Koei Tecmo was targeted by hackers who compromised the company's English language website and stole confidential data belonging to over 65,000 users. Following the attack, Koei Tecmo announced that they have temporarily shut down their US and European website as a precautionary measure. 


The hackers targeted the company’s website to obtain confidential information about the user accounts like names, encrypted passwords, and email addresses, however, the hackers were not successful in their attempt to acquire the data related to 'user payment details'.  

The Japanese publisher announced in the press release that “Within the website operated by KTE, the ‘Forum’ page and the registered user information (approximately 65,000 entries) has been determined to the data that may have been breached. The user data that may have been leaked through hacking is perceived to be the (optional) account names and related password (encrypted) and/or registered email address.” 

In the press release, the publisher further stated that users do not need to worry about personal financial information because they do not store this confidential information about the users.  

Referencing the reports of Bleeping Computer, the hacker has leaked critical information about users' accounts for free on a hacker forum like IP addresses, email addresses, and passwords.  

Founded in 2009, following the merger of 'Koie' and 'Teo', Koei Tecmo is a Japanese video game and anime holding organization that is responsible for many popular PC and console games like Hyrule Warriors; Age Of Calamity, Dead or Alive, Nioh 2, Atelier Ryza, to name a few. 

The attackers assert that they have used a spear-phishing campaign to hack the koeitecmoeurope.com website on December 18th. The operators behind the attack also claimed that they were deliberating to sell a forum database for 0.05 bitcoins or about 1,300 dollars on a hacking marketplace.  

As per the reports by Bleeping Computer, stating their malevolent motives, the hackers told that they have “leaked the data to punish the Koei Tecmo publisher because they were not following the General Data Protection Regulation (GDPR) guidelines and they were refusing to spend the money on encrypting the users' information and were using a fragile salted MD5 hashing algorithm from 1992 and further warned them if they do not use the strong encryption techniques, we will continue to attack them”.