[Security Weekly] 15 Billion Login Credentials Circulating on the Dark Web

2nd Week of July 2020


1. Over 15 billion login credentials currently circulating on the dark web, says report

On July 8, the Photon Research Team at cybersecurity firm Digital Shadows published a report with the latest findings on web and account security.

The researchers spent the past 18 months analyzing how hackers gain unauthorized access into accounts and how they leverage these login credentials for monetary gains.

The research shows that as of today, over 15 billion login credentials are circulating around hacking forums, either for sale or given out for free. This number shows a 300% increase compared to 2018. Most of these appear to come from the 100,000 separate data breaches throughout the past year.

The stolen credentials vary in nature, ranging from network administrator accounts, bank accounts, accounts for streaming services, and accounts for antivirus software programs. The average price of an account is at $15.43. Prices for bank accounts average at $70.91. Accounts for network administrators that provide access to corporate IT systems are usually put on auctions, with the most expensive deal closing at $120,000.

The researchers warned that account takeovers are easier than ever. Some of the common methods include phishing, malware injection, and credit card skimmers. Even those without any IT background could purchase tools for brute-force attacks online at $5.

Web attacks like the injection of malicious codes and Magecart skimmers can be easily stopped with a logical web application firewall like WAPPLES. By using machine learning, WAPPLES detects new attack patterns without the need for any manual updates. Click to learn more.

Source: Digital Shadows


2. US fitness company V Shred exposes personal data of 99,000 customers and trainers

On July 2, security researcher firm vpnMentor disclosed a data breach incident involving V Shred, a fitness provider based in Las Vegas that offers personalized training and diet plans. 

Researchers at vpnMentor first discovered the incident on May 13, where a publicly accessible Amazon Web Services (AWS) S3 bucket caught their attention. The database contained 1.3 million files with a total size of 606GB. Among them, three CSV files adding up to 180MB contained the personally identifiable information of 99,000 of V Shred’s clients and trainers.

Specifically, the CSVs contained the full names, genders, dates of birth, home addresses, email addresses, citizenship status, social media accounts, usernames and passwords, before- and after-training photos of clients, and the social security numbers of some trainers.

VpnMentor notified V Shred on May 18 about how it had misconfigured its AWS cloud database. However, V Shred responded on June 1 that having the database set to publicly accessible was necessary for its clients and trainers to access their information through the portal, which is not true at all. VpnMentor had to go on and explain the details, before V Shred finally removed the sensitive CSV files on June 18, yet still leaving the rest of the database public.

It appeared that V Shred lacked basic knowledge about information security and did not know how to properly configure their cloud database. We emphasize again that no matter how small a business is, as long as it handles sensitive data, it needs to take data protection seriously.

Source: ZDNet


3. EDP Renewables hit by Ragnar Locker ransomware, sensitive data compromised

Early July, renewable energy producer EDP Renewables North America (EDPR NA) sent out a notification letter to its customers, informing them about a ransomware attack incident.

Serving renewable energy to 11 million customers across 19 countries, EDPR NA is the US-based subsidiary of Spanish renewable energy producer EDP Renewables (EDPR), which is again a subsidiary of the Portuguese electricity firm Energias de Portugal (EDP).

The incident can be traced back to April 13, where the Portuguese parent firm EDP suffered an attack by the Ragnar Locker ransomware. EDPR NA was only made aware of it a month later on May 8. It is unknown how EDP responded to the attack during that month, but apparently it did not manage to stop the spread to its North American subsidiary.

The ransomware operators claimed to have stolen 10TB worth of data and demanded a ransom payment of $10 million worth of Bitcoin. The compromised databases contained confidential information about billing and transactions, contracts, partners, and customers, along with sensitive personal information such as names and social security numbers.

Although the company stated that there was no definite evidence that customer data was stolen, it offered identity theft protection services to its customers for a year as a preventative measure.

Had the databases been securely encrypted, such costs would have been easily avoided.

Penta Security’s D’Amo is a data encryption solution that utilizes multiple encryption algorithms and technologies for optimized security, compatible with on-premises and cloud databases.

To learn more about how to prevent a double extortion ransomware attack, click here.

Sources: ZDNetBleeping Computer


4. Iranian nuclear facility severely damaged in fire, officials suspect cyberattack

On July 2, a massive fire followed by an explosion broke out in an underground nuclear facility at Natanz, Iran. The facility is a fuel enrichment plant (FEP) that enriches uranium.

A day after the attack, Iran’s top security officials stated that they had identified the cause, but would announce it at a later date. Most Iranian officials suspected it to be the result of a cyberattack from a hostile state, however, none were able to provide evidence to support the suspicion.

An Iranian nuclear official said that this fire would significantly slow down Iran’s development of centrifuges used to enrich uranium.

The Natanz fuel enrichment plant (FEP) is the only uranium enrichment facility allowed under the US-Iran nuclear deal, allowing the country to produce uranium with 3 to 4% concentration for use in power plants. A concentration of above 90% is needed for use in weapons.

Sources: CNNBBC


5. Russian-based threat actors target large corporations with sophisticated email scams

Researchers at Agari, an email security company, recently discovered a set of new business email compromise (BEC) operations launched by a threat group that appeared to be based in Russia. 

Dubbed Cosmic Lynx, the BEC group has been operating for at least a year since July 2019. During this time, over 200 BEC attacks were initiated by the group, targeting senior employees from large multinational corporations.

Cosmic Lynx’s tactics are highly sophisticated. They target high-level employees with access to their company’s financials, and begin by sending the employee an email impersonating a top executive at the company. They would tell the victim about a secret plan to purchase a company in Asia, and tell them that they would be in charge of the acquisition. Soon later, they would introduce a lawyer to the victim that makes arrangements for the transaction, usually involving millions of dollars. The fake lawyer would have a seemingly legitimate company name and a domain that matches the name.

Phishing campaigns are on the rise in 2020. It is now a great time to re-educate employees on how to watch out for phishing scams.

Sources: InfosecurityBleeping Computer


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Web Application Firewall for Cloud: WAPPLES SA

Database Encryption: D’Amo

Authentication: ISign+ 

Smart Car Security: AutoCrypt