Category Archives: dark web

KingNull leaks DB of Daniel’s Hosting dark web hosting provider

Earlier this year a hacker breached Daniel’s Hosting, the largest free web hosting provider for dark web hidden services and now leaked its DB.

A threat actor has leaked the database of Daniel’s Hosting (DH), the largest free web hosting provider for dark web hidden services.

The hacker has stolen the data in March when he breached the hosting provider, almost 7,600 dark web portals have been taken offline following the security breach.

Daniel Winzen, a German software developer that operated the service, revealed that attackers accessed the backend of the hosting provider and deleted all the databases of the websites hosted by Daniel’s Hosting.

Winzen definitively shut down the service on March 26.

Today ZDNet reported that a hacker that goes online with the moniker ‘KingNull’ uploaded a copy of Daniel’s Hosting database on a file-hosting site.

“According to a cursory analysis of today’s data dump, the leaked data includes 3,671 email addresses, 7,205 account passwords, and 8,580 private keys for .onion (dark web) domains.” reported ZDNet.

Threat intelligence firm Under the Breach that analyzed the leaked database told ZDNet that the archive includes sensitive information on the owners and users of thousands of darknet sites. IP addresses of administrators and users were not included in the archive.

The database could allow law enforcement agencies to deanonymize administrators of dark web services that were involved in illegal activities.

Unfortunately, the leak could put in danger activists and dissidents that use the darknets to avoid the censorship applied by regimes.

In November 2018, Daniel’s Hosting provider was victims of another incident, attackers hacked the service and deleted 6,500+ sites.

ZDNet revealed that Winzen plans to launch again the hosting service in several months.

Pierluigi Paganini

(SecurityAffairs – dark web, hacking)

The post KingNull leaks DB of Daniel’s Hosting dark web hosting provider appeared first on Security Affairs.

An archive with 20 Million Taiwanese’ citizens leaked in the dark web

Security experts from Cyble discovered in the dark web a database containing details of over 20 Million Taiwanese citizens.

A few weeks ago, threat intelligence firm Cyble discovered in the dark web a database containing details of over 20 Million Taiwanese citizens.

According to the experts, the leak includes government data of an entire country, it was leaked online by a reputable actor that goes online with moniker ‘Toogod.”

“A few weeks ago, our researchers came across a leaked database on the darkweb where a known and reputable actor ‘Toogod” dropped the database of “Taiwan Whole Country Home Registry DB” comprising of 20 Million+ records.” reads a post published by Cyble.

The database size is 3.5 GB, exposed data includes full name, full address, ID, gender, date of birth, and other info.

Taiwanese government data leak

The seller claims the database dates back as 2019, but Cyble researchers noted the last DOB record was from 2008. The database contains certain records with ‘NULL/empty’ DoB records, making it impossible to determine how recent the dump is.

Experts are still investigating the leak and will provide an update as soon as possible.

Cyble researchers have acquired the leak and will add soon its data to its AmIBreached data breach lookup service.

Pierluigi Paganini

(SecurityAffairs – Taiwanese database, dark web)

The post An archive with 20 Million Taiwanese’ citizens leaked in the dark web appeared first on Security Affairs.

Account credentials of 26+ million LiveJournal users leaked online

A data dump containing account information of over 26 million LiveJournal users has been offered for sale on dark web marketplaces and is now being shared for free on underground hacker forums. The data dump, supposedly originating from a 2014 LiveJournal breach, contains email addresses, usernames, profile URLs and plain text passwords of 33+ million users. After removing duplicates, Troy Hunt has added the dump to the Have I Been Pwned? service, which potentially affected … More

The post Account credentials of 26+ million LiveJournal users leaked online appeared first on Help Net Security.

3 hacking forums have been hacked and database have been leaked online

Three hacking forums Nulled.ch, Sinfulsite.com, and suxx.to have been hacked and their databases have been leaked online

Researchers from intelligence firm Cyble made the headlines again, this time they have discovered online the databases of three hacking forums. The three forums are Sinful SiteSUXX.TO and Nulled, they were all hacked.

These cybercrime forums are places of aggregations for hackers and cybercriminals, that could use them to participate in general discussion and sharing related resources.

hacking forums

Members of the forums share and sell data leaks, hacking tools, malware, tutorials, and much more. The databases appear to have been leaking in May 2020.

“Recently, the Cyble Research Team obtained the database leaks of these hacking forums which appear to have been leaking in May 2020. The Cyble’s researchers obtained-:

  • The databases of SUXX.TO and Nulled contains detailed information of their users, which appears to be dumped on 20 May 2020.
  • The full database of Sinful Site including the private messages, which appear to be dumped on 15 May 2020.

” reads the post published by security firm Cyble.

Cyble experts said that all the above databases have been indexed at AmIBreached data breach lookup service.

Pierluigi Paganini

(SecurityAffairs – data breach, cyber crime forums)

The post 3 hacking forums have been hacked and database have been leaked online appeared first on Security Affairs.

25 million Mathway user records available for sale on the dark web

A threat actor is offering for sale on a dark web marketplace a database containing 25 million user records belonging to the Mathway.

A data breach broker, known as Shiny Hunters, is offering for sale on a dark web marketplace a database that contains 25 million user records for Mathway.

Early May, Shiny Hunters attempted to sell on a dark web marketplace databases containing more than 73.2 million user records from 11 different companies.

Shiny Hunters started offering the Tokopedia dump, then it began proposing 22 million user records for Unacademy and data allegedly obtained from the hack of the Microsoft’s GitHub account.

Recently the group has begun selling databases for the meal kit and food delivery company HomeChef, the photo print service ChatBooks, and Chronicle.com.

Mathway is a free math problem solver, from basic algebra to complex calculus, it instantly solves users’ math problems simply by typing their problem in (or point their camera and snap a pic!). Users will receive instant free answers through their website or mobile apps (both iOS and Android).

The Mathway app has over 10 million installs on Android Play Store and the Apple Store.

The dump was discovered by cyber intelligence firm Cyble, which confirmed that the archive was being sold in private sales in underground markets.

The Shiny Hunters group is offering for sale the Mathway database for $4,000.

Users’ records in the dump include email addresses and hashed passwords.

“We are aware of reports of a potential data compromise.  We are working with cybersecurity experts to investigate further, and will take the appropriate steps to ensure the security of customer information.” reads a statement published by Mathway.

Mathway is currently investigating the security breach, meantime its users should also change their password on the site and on any other site where they used the same credentials.

Mathway users could check if their account was impacted by the data breach by querying the Cyble’s AmIBreached data breach lookup service.

Pierluigi Paganini

(SecurityAffairs – Mathway, hacking)

The post 25 million Mathway user records available for sale on the dark web appeared first on Security Affairs.

Personal details and documents for millions of Indians available in the deep web

Researchers have discovered a dump containing 29.1M Indian jobseekers personal details that was offered for free in the hacking underground.

Researchers discovered a dump containing 29.1M Indian jobseekers personal details that was offered for free in the hacking underground.

An anonymous entity told Cyble researchers that the data were stored on an unprotected elastic search instance that is no longer accessible.

While Cyble was investigating the issue, a threat actor published more than 2,000 Indian Identity cards (Aadhaar cards) on one hacking forum, files appears to have originated from 2019.

Indian Identity card leak

Then the threat actor leaked 1.8M identity cards belonging to citizens of the Madhya Pradesh state on their forum.

“Cyble has indexed this information on their data breach monitoring and notification platform, Amibreached.com. People who are concerned about their information leakage, can ascertain the risks by registering to the platform.” reads the post published by Cyble.

Cyble researchers also discovered that a threat actor posted 2.3 GB (zipped) file on one of the hacking forums.

This time the leak contains a lot of personal details of millions of Indians Job seekers from different states. At the time of writing this article, the experts are still investigating the source of the leak.

“It appears to have originated from a resume aggregator given the sheer volume and detailed information.” state the experts.

“Cyble researchers have identified a sensitive data breach on the darkweb where an actor has leaked personal details of ~29 Million Indian Job Seekers from the various states. The original leak appears to be from a resume aggregator service collecting data from various known job portals. Cyble’s team is still investigating this further and will be updating their article as they bring more facts to the surface. This breach includes sensitive information such as email, phone, home address, qualification, work experience etc.”

Crooks could use personal information exposed in both data leaks to conduct various malicious activities, including identity thefts, scams, and corporate espionage.

Pierluigi Paganini

(SecurityAffairs – Indians data leaks, hacking)

The post Personal details and documents for millions of Indians available in the deep web appeared first on Security Affairs.

Silent Night Zeus botnet available for sale in underground forums

Experts reported the existence of a botnet, tracked as Silent Night based on the Zeus banking Trojan that is available for sale in several underground forums.

This week researchers from Malwarebytes and HYAS published a report that included technical details on a recently discovered botnet, tracked as Silent Night, being distributed via the RIG exploit kit and COVID-19 malspam campaign. 

Silent Night

The source code of the Zeus Trojan is available in the cybercrime underground since 2011 allowing crooks to develop their own release since.

Experts found multiple variants in the wild, many of them belonging to the Terdot Zbot/Zloader malware family.

The name “Silent Night” Zbot is likely a reference to a weapon mentioned in the 2002 movie xXx, it was first spotted in November 2019 when a seller named “Axe” started offering it on the Russian underground forum forum.exploit[.]in.

Axe was advertising the Trojan as the result of over five years of work, a total of 15k ~ hours were spent for the development of the malicious code.

“The author described it as a banking Trojan designed with compatibility with Zeus webinjects. Yet, he claims that the code is designed all by him, based on his multiple years of experience – quote: “In general, it took me 5+ years to develop and support the bot, on average about 15k ~ hours were spent.”.” reads the report published by the researchers.

The botnet goes for $4,000 per month for a custom build, $2,000 per month for a general build, while an extra for HVNC functionality is available for 1,000 USD/month and 14 days to test the code for 500 USD.

Experts believe that Axe is the developer of the Axe Bot 1.4.1, comparing Axe Bot 1.4.1 and Zloader 1.8.0 C2 source codes, experts noted that all of their custom PHP functions have the prefix CSR, which can either be a naming space or a developer’s handle

Silent Night is able to grab information from online forms and perform web injections in major browsers, including Google Chrome, Mozilla Firefox, and Internet Explorer, monitor keystrokes, take screenshots, harvest cookies and passwords.

Silent Night leverages web injections to hijack a user’s session and redirect them to malicious domains or to grab the login credentials for online banking services. Data collected by the malware are then transferred to the operator’s command-and-control (C2) server.

The malware is able to infect all operating systems.

The seller also claims to use an original obfuscator, the decryption is performed only “on demand.” The analysis of the content of an open directory on the Command and Control server allowed the researchers to discover a manual for bot operators that includes instructions for the set up of the malware.

On Dec 23 2019, this variant of Zloader was observed being distributed by the RIG Exploit Kit, experts observed small campaigns, likely for testing purposes. The spreading intensified over time, in March 2020, it was delivered in a COVID-19-themed spam campaign using weaponized Word documents.

“The design of Silent Night is consistent and clean, the author’s experience shows throughout the code. Yet, apart from the custom obfuscator, there is not much novelty in this product. The Silent Night is not any game changer, but just yet another banking Trojan based on Zeus.” concludes the report. “Based on the analysis of the bot’s configurations, we may confidently say that there is more than one customer of the “Silent Night”.”

Pierluigi Paganini

(SecurityAffairs – Silent Night, hacking)

The post Silent Night Zeus botnet available for sale in underground forums appeared first on Security Affairs.

The dark web is flooded with offers to purchase corporate network access

There is a flood of interest in accessing corporate networks on the dark web, according to Positive Technologies. In Q1 2020, the number of postings advertising access to these networks increased by 69 percent compared to the previous quarter. This may pose a significant risk to corporate infrastructure, especially now that many employees are working remotely. “Access for sale” on the dark web is a generic term, referring to software, exploits, credentials, or anything else … More

The post The dark web is flooded with offers to purchase corporate network access appeared first on Help Net Security.

Meal delivery service Home Chef discloses data breach

Meal delivery service Home Chef has confirmed that it recently suffered a security breach that exposed its customer information.

Meal delivery service Home Chef has disclosed a data breach that exposed its customer information. Home Chef also explained that only a portion ot its customers were impacted in the security incident.

In early May, Shiny Hunters hacking group started offering for sale the databases containing tens of millions from user records from over 11 companies.

Below the complete list published by BleepingComputer:

CompanyUser RecordsPrice
Tokopedia91 million$5,000
Home Chef8 million$2,500
Bhinneka1.2 million$1,200
Minted5 million$2,500
Styleshare6 million$2,700
Ggumim2 million$1,300
Mindful2 million$1,300
StarTribune1 million$1,100
ChatBooks15 million$3,500
The Chronicle Of Higher Education3 million$1,500
Zoosk30 million$500

At the time, the Shiny Hunters were offering more than 8 million records for $2500.

Now the company confirmed the data breach, saying that the incident has impacted select customer information.

Exposed data includes email addresses, names, phone numbers, hashed passwords, and the last four digits of credit card numbers.

“Was My Credit Card Information Compromised? Home Chef does not store complete credit or debit card information” reads the FAQ published by the company.

“Information such as frequency of deliveries and mailing address may also have been compromised,”.

Home Chef also underlined the fact that it does not store complete credit or debit card information. The company is investigating the incident and announced that it is taking action to strengthen its security defenses and prevent similar incidents in the future.

Although the company stores passwords in encrypted format, it recommends users to change the password in an abundance of caution following these process:

  1. Visit www.homechef.com
  2. Click on “Log in”
  3. Click on “Account Information”, which is located under the “Account” dropdown menu
  4. Complete the “Change Your Password” section and click “Save your settings.” There’s no need to adjust the other sections on the Account page (e.g. “Subscription”)

Home Chef users should remain vigilant against phishing attacks and suspicious activity in their accounts.

The company is notifying the incident to the impacted users.

Pierluigi Paganini

(SecurityAffairs – HomeChef, hacking)

The post Meal delivery service Home Chef discloses data breach appeared first on Security Affairs.

129 million records of Russian car owners available on the dark web

A hacker is offering for sale on a dark web forum a database containing 129 million records of car owners in Moscow.

A hacker is attempting to sell on a dark web forum a database containing 129 million records of car owners in Moscow.

As a proof of the authenticity of the data, the hacker has leaked some anonymized data containing all the car details present in the traffic police registry.

The archive doesn’t include car owners’ details, exposed data includes the car’s make and model, place of registration, and the date of first and last registration.

The seller is offering the full version of the database for 0.3 BTC, which at the current rate is about $ 2677, paying 1.5 BTC ($ 13.386) it is possible to purchase information for “exclusive use.”

The accuracy of the data has been verified by Vedomosti media.

“Hackers posted a darknet database of Russian car owners, it includes 129 million positions from the traffic police registry. The authenticity of the information was confirmed by an employee of the car-sharing company, Vedomosti reports.” reads the website rbc.ru.

“In the published data there is only anonymized information. These include: place and date of registration of the car, make and model. According to hackers, the full version also contains the name, address, date of birth, passport numbers of car owners and their contact information.”

According to the Russian blog Nora the Hedgehog, several portals where people can pay fines for violating COVID-19 quarantine are leaking their full names and passport numbers by simply providing the registration number of the ticket.

The worst news is that the portals don’t implement any protection against brute-force attacks, allowing attackers to try all the possible combinations of unique ticket numbers to retrieve personal details of the people that paid the fines.

Pierluigi Paganini

(SecurityAffairs – dark web, hacking)

The post 129 million records of Russian car owners available on the dark web appeared first on Security Affairs.