Masergy Threat Intelligence Bulletin: ShinyHunters

Published on May 29th, 2020

In the Spotlight: “ShinyHunters” group sells millions of records on dark web

Key Topics Covered

Executive Summary

A multitude of breaches were discovered this month, with many being posted for sale on online hacking forums. Victims range from e-commerce platforms to online learning sites, exposing millions of personally identifiable information (PII) records. In early May 2020, a group known as “ShinyHunters” posted advertisements on dark web marketplaces for millions of user records.

What happened?

Starting on May 8th, 2020, an actor known as “ShinyHunters” began posting advertisements on the Empire Market dark web marketplace for millions of user records from multiple companies. The actor stated that they sell only data they acquired themselves.

The user databases were allegedly stolen from the following organizations:

  1. Indian education platform Unacademy – 28 million user records
  2. Indonesian e-commerce company Tokopedia – 91 million user records
  3. United States newspaper Chronicle of Education – 3 million user records
  4. Indonesian online store Bhinneka – 1.2 million user records
  5. Design marketplace Minted – 5 million user records
  6. South Korean fashion and beauty company Styleshare – 6 million user records
  7. South Korean online store Ggumim – 2 million user records
  8. United States non-profit magazine Mindful – 2 million user records
  9. United States newspaper Star Tribune – 1 million user records
  10. Dating app Zoosk – 30 million user records
  11. Online math application Mathway – 25 million user records
  12. Printing company Chatbooks – 15 million user records
  13. United States meal delivery service Homechef – 8 million user records

Other actors placed breach data for sale as well. StorEnvy, an e-commerce company, joined the ranks of companies suffering a data breach when a database of over 1.5 million StorEnvy customers and merchants was put up for sale on a hacking forum. The breached data includes emails, passwords, full names, IP addresses and links to social media profiles, all of it in clear text. The database was being sold on the hacking forum for $500.

Figure 1. Example of leaked database from StorEnvy (Source: HackRead)

Fresenius Medical Care suffered a breach of medical data and personally identifiable information of patients after being targeted in a Snake ransomware campaign. The hackers posted close to 200 records on a paste website, with promises of “more to come.” Included was patient data from a Fresenius Medical Care center in Serbia, with full names, birth dates, postal addresses and phone numbers, including information on next of kin.

Figure 2. Example of breached databases (Source: Bleeping Computer)

Hackers also posted two dozen SQL databases stolen from online shops in various countries for sale on a public website, totalling over 1.5 million data entries. These threat actors are breaching publicly accessible, insecurely configured servers and copying the databases; they then offer the companies an opportunity to pay a ransom ($525 worth of bitcoin within 10 days) for the return of the stolen data. Some of the bitcoin wallets involved received over $50,000 in payments. Depending on the store that was breached, the exposed information includes emails, full names, hashed passwords, postal addresses and dates of birth.

Data Breaches – So what?

Many companies are suffering data breaches, and many of these incidents could have been avoided with proper system hardening. Breaches exposing customer data will damage your brand and could lead to fines and penalties. Even if your company is not involved in a data breach, you can still be at risk from credential stuffing attacks, where credentials exposed in a previous breach of another service are replayed against your systems because members of your team reuse the same password for work.

Data Breaches – What Do I Do?

It is important to apply appropriate system hardening to your databases. Ensure that databases holding sensitive information are not publicly accessible. Secure remote access points such as RDP and VPNs. Because breaches are so frequent, adopt a rotating password policy so that users do not keep the same password for an extended period, and enable two-factor authentication; together these limit the damage from credential stuffing attacks. Always apply the most up-to-date patches for your appliances and software after appropriate testing.
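The credential stuffing risk described above can be spotted in authentication logs: a single source cycling through many different accounts in a short window, which a legitimate user who mistypes one password never does. The following Python example is added here as an illustration and is not Masergy's code; the log format, the source addresses and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the bulletin). 203.0.113.7 walks a
# leaked user/password list across many accounts; 198.51.100.9 is one user
# retrying their own password.
SAMPLE_LOG = """\
2020-05-20T10:00:01Z auth FAIL user=alice src=203.0.113.7
2020-05-20T10:00:02Z auth FAIL user=bob src=203.0.113.7
2020-05-20T10:00:03Z auth FAIL user=carol src=203.0.113.7
2020-05-20T10:00:04Z auth FAIL user=dave src=203.0.113.7
2020-05-20T10:00:05Z auth OK user=erin src=203.0.113.7
2020-05-20T10:00:06Z auth FAIL user=frank src=203.0.113.7
2020-05-20T10:01:00Z auth FAIL user=alice src=198.51.100.9
2020-05-20T10:02:00Z auth OK user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Parse the constructed format into (timestamp, result, user, src)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {src: sorted accounts} for every source that tried at least
    min_accounts distinct usernames inside one sliding window (OK or FAIL)."""
    by_src = defaultdict(list)
    for ts, _result, user, src in events:
        by_src[src].append((ts, user))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _user) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits

def compromised_accounts(events, hits):
    """Accounts a flagged source logged into successfully: the reused
    breached credentials worked there, so those passwords must be reset."""
    return sorted({u for _t, r, u, s in events if r == "OK" and s in hits})
```

The thresholds are placeholders: a corporate NAT or VPN egress address that fronts many real users needs a higher `min_accounts` or a FAIL-only count to avoid false positives.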

Highlights in Brief

Ragnar Locker Ransomware Deploys Virtual Machine to Dodge Security

Security researchers have discovered a new strain of ransomware named Ragnar Locker that deploys a virtual machine on each targeted device to hide the ransomware from plain view. The threat actors behind Ragnar Locker have been known to steal data from their targets and leverage the stolen information before launching the ransomware. The latest such incident was an attack on the network of Energias de Portugal (EDP), in which the group claimed to have stolen 10 terabytes of sensitive information. Other tactics of the group include attacks on Windows Remote Desktop Protocol (RDP) connections and exploitation of vulnerabilities in managed service providers to gain a foothold on their target’s network. In this attack, the threat actors used an old version of Oracle VirtualBox and a stripped-down Windows XP SP3 virtual machine image that includes the 49KB Ragnar Locker ransomware executable. A more detailed explanation of how the ransomware works has been made available by the researchers.

Texas courts slammed by ransomware attack

According to IBM researchers, Zeus Sphinx malware has resurfaced, first reappearing in December of 2019 [2]. Researchers then observed an increase in Zeus Sphinx case volume in March, with Sphinx’s operators spreading the malware in various countries through coronavirus-themed emails carrying malicious attachments named “COVID-19 relief”. More and more APT groups have been leveraging the pandemic to spread data exfiltration malware, especially as businesses continue to move to working from home.

‘Coronavirus Report’ Emails Spread NetSupport RAT, Microsoft Warns

A coronavirus-themed spear-phishing campaign was discovered delivering hundreds of unique Excel 4.0 files to spread the weaponized NetSupport Manager remote access tool (RAT). The emails pretend to come from an epidemics and disasters research center, the Johns Hopkins Center, and purport to provide updates under the email subject “WHO COVID-19 SITUATION REPORT”. In a sample email, opening the malicious attachment “covid_usa_nyt_8702.xls” shows a security warning and a graph of supposed coronavirus cases in the U.S.; enabling the macro in the file downloads the NetSupport Manager RAT. Researchers added that although NetSupport Manager is a legitimate tool, it was used here to deliver further components, including .dll, .ini and .exe files, a VBScript, and an obfuscated PowerSploit-based PowerShell script that connects to a command-and-control (C2) server, allowing the attackers to send further commands.

Forward Look

1 https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
2 https://www.zdnet.com/article/texas-courts-slammed-by-ransomware-attack/
3 https://threatpost.com/coronavirus-emails-netsupport-rat-microsoft/156026/

Appendix A

Language of Uncertainty

Throughout this intelligence summary, Masergy assesses probability using qualitative statements from the following defined matrix. To give the reader perspective, each statement is bounded by a probability range.

Source Evaluation

Masergy evaluated sources using the two matrices defined below, scoring the reliability of each source and that of the information gleaned from it.