Cyber Updates – May 1st, 2021

Posted on May 1, 2021 by Webhose

read the article

This month our cyber updates include the recent REvil ransomware attack targeting Apple, the addition of Tea Horse Marketplace to Webhose’s coverage and the largest gift card sale in the dark web that included 3,000 top global brands. 

Chemical Weapons Sales Discovered on the Dark Web

Chemical weapons are chemicals containing toxic properties that are intended to cause death or harm. In the past month there were several incidents involving attempted purchases of chemical weapons on the dark web. One involved a Missouri man sentenced to 12 years in prison for purchasing a chemical weapon with Bitcoin.

In the past two years alone, Webhose has crawled thousands of posts involving actors selling toxins from dark web marketplaces. 

We usually discover these chemical weapons – mostly poisons – sold on dark web marketplaces and designated shops on the TOR network. There are even shops on the dark web dedicated solely to selling poisons.

Some chemicals are more popular on the dark web then others. For example, potassium cyanide is sold in several marketplaces on the dark web and is relatively more accessible than other poisons.

For more information about chemical weapons on the dark web use the query:

(poisons OR poison OR Ricin OR “Botulinum Toxin” OR Tetradotoxin OR Batrachotoxin OR Amatoxin OR Cyanide OR “Nerve Gas” OR Brodifacoum OR Strychnine OR Polonium) site.type:market extended.network:tor

Recent REvil Ransomware Targets Apple in a Supply Chain Attack

On April 20th, as Apple revealed its new iPad and iMac product lines, Quanta Inc, a primary supplier of the technology giant, announced that it had been attacked by REvil ransomware group. The ransomware group, one of the largest, most dangerous groups operating today, disclosed the attack after naming Quanta Inc as their latest victim in its dark web site. It gave the company a deadline of May 1st to pay a ransom of $50 million.

“In order not to wait for the upcoming Apple presentations, today we, the REvil group, will provide data on the upcoming releases of the company so beloved by many. Tim Cook can say thank you Quanta. From our side, a lot of time has been devoted to solving this problem. Quanta has made it clear to us that it does not care about the data of its customers and employees, thereby allowing the publication and sale of all data we have.”

While the post on the REvil website has been deleted by now, Webhose crawled and saved a cached version of the post, allowing investigators to view the content of the announcement even after it was deleted in the source.

Warnings of the attack were published in the known XSS hacking forum by one of the active members of the group, who goes by the handle Unknown and is associated with the affiliate program of the REvil ransomware group. Two days before the attack on April 18th, Unknown declared in Russian: “We work around the clock. We are stable. We make money. Much money. We are waiting for you.”

After further investigation about this actor from our content crawled in the Cyber Endpoint, we concluded that this actor:

  • Was in charge of the REvil ransomware affiliate program threat in the XSS forum as well as being the contact person for the group in the forum 

  • Is a Russian speaker

  • Was mostly active in the REvil affiliate program thread, but also offered his work in C++, PowerShell and Python

  • Has a total of 14 posts in the forum

  • Has not provided any further contact information

For more information about this incident and the actors behind it, use the query:
(author:unknown AND site.domain:xss.is) OR (quanta “happy blog” extended.network:tor)

Further reading: Apple Targeted in $50 Million Ransomware Hack of Supplier Quanta

600,000 Credit Card Details Leaked After Breach of Swarmshop

Last month, SwarmShop, an online crime shop which sells stolen information such as credit cards and SSN numbers, was breached. The database that was breached includes sensitive information; about 600,000 full PAN credit card information and dozens of thousands of uncensored SSN numbers. It also contains thousands of personal account details such as email addresses and passwords of the site buyers and vendors. The leaked information was posted on different hacking forums such as RaidForum and the Russian carding forum ClUB2CRD.

The phenomenon of personally identifiable information (PII) leaked online is one of the most disturbing trends the world has experienced in the last few years. The leaked information can include an individual’s name and phone number as well as more sensitive information such as healthcare data, social security numbers and credit card information. 

We also detected that the Swarmshop site admins are active on different forums Webhose has in its coverage.

For more information related to the SwarmShop data breach, data from the SwarmShop website and posts made by the site admins on different forums we cover, use the following query:

(((swarmshop OR “swarmshop”) AND (breach OR leak OR database)) OR extended.external_link:*swarmshop* OR author:swarmshop OR site.domain:swarmshop.ws)

Largest Sale Ever of Gift Cards on the Dark Web Estimated to be Worth $38 Million

In the world of financial fraud, trading gift cards on the dark web isn’t something new. In the past year alone Webhose has crawled hundreds of thousands of posts related to gift card trading. 

Two months ago we crawled a post from a hacker selling 895,000 gift cards. This was possibly the largest gift card sale ever to date in dark web forums.  

The cards were advertised for sale by an actor in a Russian dark web forum. They were from approximately 3,000 top brands, including Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, Walmart, and others.

Following the successful transaction, the same actor offered another sale of 330,000 credit and debit cards with the full cardholder name details, CVV codes, expiration date, card number, bank name, etc. This listing was also sold after only six days. Gemini Advisory concluded that the 330,000 payment cards likely came from a breach of the online gift card shop Cardpool.com between February 4, 2019 and August 4, 2019.  

The seller is a reputable threat actor with many listings in the forum since 2010. His sales include databases, credit cards, and personally identifiable information (PII).

Tea Horse Marketplace Now Available to Webhose’s Coverage

We recently added Tea Horse Marketplace, a new Chinese marketplace in the TOR network, to our coverage in the Cyber endpoint. The marketplace URL has been mentioned in different Chinese Telegram channels that advertise different illicit products and hacking services, as well as wikis and other Chinese websites in the TOR network.

In this marketplace we were able to find listings of credit card information from various places in the world, fake IDs,  as well as databases and hacking services. These listings were found for both domestic (Chinese) and international companies. 

The Chinese dark web is quite difficult to crack, especially due to the language barrier. Despite this challenge, over time we have successfully accessed and crawled several Chinese marketplaces, among them TOR China Market, Free City and United Chinese Escrow Market, DeepMix and others which have been active since at least 2019.

To query content from this marketplace, use the query:
site.domain:7zj4oshsyhokgus6fyk7pmdiubu4m*.onion

Further reading: Chinese threat actors extract big data and sell it on the dark web

A listing in the marketplace offering “Fresh first-hand American SSN”

That’s it for our Cyber News Update from our Cyber Team this time. We’ll be back again next time though with more exciting updates from the world of cyber. Stay tuned for more updates!

 Until next time, 

Team Webhose