A multitude of breaches were discovered this month, with many being posted for sale on online hacking forums. Victims range from e-commerce platforms to online learning sites, and the exposed data amounts to millions of personally identifiable information (PII) records. In early May 2020, a group known as “ShinyHunters” posted advertisements on dark web marketplaces for millions of user records.
Starting on May 8th, 2020, an actor known as “ShinyHunters” began posting advertisements on the Empire Market dark web marketplace for millions of user records from multiple companies. The actor stated that they sell only data they acquired themselves.
The user databases were allegedly stolen from the following organizations:
Other actors placed breach data for sale as well. StorEnvy, an e-commerce company, joined the ranks of companies suffering a data breach when a database of over 1.5 million StorEnvy customers and merchants was put up for sale on a hacking forum. The data in the breach includes emails, passwords, full names, IP addresses and links to social media profiles. All data in this database is stored in clear text. The data was being sold on a hacking forum for $500.
Figure 1. Example of leaked database from StorEnvy (Source: HackRead)
Fresenius Medical Care suffered a breach of medical data and personally identifiable information of patients after being targeted in a Snake ransomware campaign. The hackers posted close to 200 records on a paste website, with promises of “more to come.” The records include patient data from a Fresenius Medical Care center in Serbia, with full names, birth dates, postal addresses and phone numbers, including information on next of kin.
Figure 2. Example of breached databases (Source: Bleeping Computer)
Hackers also posted two dozen SQL databases stolen from various online shops in different countries for sale on a public website, with over 1.5 million entries of data in total. These threat actors breach publicly accessible, insecure servers and copy the databases; they then offer the companies an opportunity to pay a ransom ($525 worth of bitcoin within 10 days) to have the stolen data returned. Some bitcoin wallets earned over $50,000 in payments. Depending on the store that was breached, the information available includes emails, full names, hashed passwords, postal addresses and dates of birth.
Many companies are suffering data breaches, and many of these incidents could have been avoided with proper system hardening. Breaches exposing customer data will damage your brand and could lead to fines and penalties. Even if your company is not involved in a data breach, you can still be at risk from credential stuffing attacks, in which members of your team were compromised in a previous breach that exposed the same credentials they use for work.
It is important to apply appropriate system hardening to your databases. Ensure that databases with sensitive information are not publicly accessible. Secure access points such as RDP and VPNs. Because breaches are so frequent, adopt a rotating password policy for your company so that users do not keep the same password for an extended period of time, which helps protect against credential stuffing attacks, and enable two-factor authentication. Always apply the most up-to-date patches for your appliances and software after appropriate testing.
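Credential stuffing has a recognisable shape in authentication logs, which makes it detectable even before password rotation and two-factor authentication are in place. The following detector is an added example, not Masergy's tooling; the log line format, thresholds and sample entries are constructed for illustration.

```python
"""Flag credential-stuffing sources in authentication logs (constructed example).
A user who forgot a password retries one account a few times; a source replaying
credentials from someone else's breach tries many distinct usernames quickly and
fails almost every time. The log format below is constructed, not a product's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_line(line):
    """Return (timestamp, ip, user, success) or None for lines that are not logins."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"] == "OK"

def find_stuffing_sources(lines, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_users, attempts, failures)} for every source that, within
    any single window, hit at least min_users accounts with a failure ratio >= min_fail_ratio."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(e for e in map(parse_line, lines) if e):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():  # evs is time-ordered; slide a window over it
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_users and failures / len(span) >= min_fail_ratio:
                # report totals for the whole source once any window qualifies
                flagged[ip] = (len({u for _, u, _ in evs}), len(evs),
                               sum(1 for _, _, ok in evs if not ok))
                break
    return flagged

SAMPLE_LOG = [  # constructed: one legitimate retry by alice, then one stuffing burst
    "2020-05-12T09:00:00Z ip=198.51.100.7 user=alice result=FAIL",
    "2020-05-12T09:00:20Z ip=198.51.100.7 user=alice result=OK",
] + [f"2020-05-12T09:01:{i:02d}Z ip=203.0.113.9 user=user{i} result={'OK' if i == 4 else 'FAIL'}"
     for i in range(8)]

if __name__ == "__main__":
    for ip, (users, attempts, fails) in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {users} usernames, {fails}/{attempts} failed logins")
```

The single successful login inside the burst is the signal that matters: that account's password was reused from another breach and should be reset.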
Security researchers have discovered a new strain of ransomware named Ragnar Locker that deploys a virtual machine on each targeted device to hide the ransomware from plain view. The threat actors behind Ragnar Locker have been known to steal data from their targets and leverage the information prior to launching the ransomware. The most recent case was an attack on the network of Energias de Portugal (EDP), in which the group claimed to have stolen 10 terabytes of sensitive information. Other tactics used by the group include attacks on Windows Remote Desktop Protocol (RDP) connections and exploitation of vulnerabilities in managed service providers to gain a foothold on their targets’ networks. In this attack, the threat actors used an old version of Oracle VirtualBox and a stripped-down Windows XP SP3 virtual machine image that includes the 49 KB Ragnar Locker ransomware executable. A more detailed explanation of how the ransomware works has been made available by the researchers.
According to IBM researchers, the Zeus Sphinx malware has resurfaced, first reappearing in December 2019. However, researchers observed an increase in Zeus Sphinx case volume in March, with Sphinx’s operators spreading the malware in various countries through coronavirus-themed emails with malicious attachments named “COVID-19 relief”. More and more APT groups have been leveraging the pandemic to spread data exfiltration malware, especially as businesses continue to move to working from home.
A coronavirus-themed spear-phishing campaign was discovered delivering hundreds of unique Excel 4.0 files to spread the weaponized NetSupport Manager remote access tool (RAT). These emails pretend to come from an epidemics and disasters research center called Johns Hopkins Center and deceptively offer updates using the email subject “WHO COVID-19 SITUATION REPORT”. In a sample email, opening the malicious attachment “covid_usa_nyt_8702.xls” shows a security warning and a graph of supposed coronavirus cases in the U.S., and enabling the macro in the file downloads the NetSupport Manager RAT. Researchers added that although NetSupport Manager is a legitimate tool, it was used to deliver further components such as .dll, .ini and other .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script that connects to a C2 server, allowing the attackers to send further commands.
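The infection chain above leaves a distinctive trace in endpoint process telemetry: Excel ends up as an ancestor of wscript.exe and of a hidden, encoded PowerShell process, something a legitimate spreadsheet never produces. The triage routine below is an added example written for this summary, not code from the researchers or from any EDR product; the event schema, process names and command lines are constructed, and the token list is a small set of widely known PowerShell switches and cmdlets, not an exhaustive signature.

```python
"""Flag script hosts that descend from an Office application (constructed example).
The chain above (Excel 4.0 macro -> VBScript -> hidden/encoded PowerShell -> C2)
shows up in endpoint telemetry as wscript.exe and powershell.exe with excel.exe
in their ancestry. Event records and field names are constructed, not a vendor schema."""
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# PowerShell switches and cmdlets commonly used to hide or stage a payload.
SUSPICIOUS_TOKENS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                     "-nop", "-noprofile", "bypass", "downloadstring", "iex")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_tokens(cmdline):
    """Return the suspicious tokens present as whole words, in table order."""
    cl = cmdline.lower()
    return [t for t in SUSPICIOUS_TOKENS
            if re.search(r"(?<![\w-])" + re.escape(t) + r"(?![\w-])", cl)]

def office_ancestor(event, by_pid, max_depth=4):
    """Walk up the parent chain; return the Office ancestor's name, or None."""
    for _ in range(max_depth):
        event = by_pid.get(event["ppid"])
        if event is None or basename(event["image"]) in OFFICE_APPS:
            return event and basename(event["image"])  # None when the chain ends
    return None

def triage(events):
    """Return [(severity, reasons, event)] for flagged script hosts, worst first."""
    by_pid, flagged = {e["pid"]: e for e in events}, []
    for e in events:
        child = basename(e["image"])
        ancestor = office_ancestor(e, by_pid) if child in SCRIPT_HOSTS else None
        if ancestor:
            hits = find_tokens(e["cmdline"])
            reasons = [f"{child} descends from {ancestor}"] + [f"suspicious argument: {h}" for h in hits]
            flagged.append((1 + len(hits), reasons, e))
    return sorted(flagged, key=lambda t: -t[0])

SAMPLE_EVENTS = [  # constructed process-creation records; pid 1 has no record
    {"pid": 200, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "cmdline": 'EXCEL.EXE "covid_usa_nyt_8702.xls"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\update.vbs"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc QUJDRA=="},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]
```

Running `triage(SAMPLE_EVENTS)` ranks the PowerShell process first because, beyond descending from Excel through the VBScript stage, it carries four payload-hiding switches; the cmd.exe launched outside Office is not flagged at all.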
Throughout this intelligence summary, Masergy assessed probability using qualitative statements from the following defined matrix. To give the reader perspective, each statement is bounded by a probability range.
Masergy evaluated sources using the two matrices defined below, scoring the reliability of each source and that of the information gleaned from it.