Webhose Cyber Update

Posted on July 22, 2021 by Webhose

Busted: Opioid Vendor H00k3d Pleads Guilty to Drug and Counterfeit Trading

When we crawl dark web marketplaces and shops, we often see vendors offering various products, including hacking tools, databases, weapons, counterfeit goods, and the most popular of all – drugs. 

Sometimes, these vendors find their way to our news. This was the case with a man from New York, operating under the name H00k3d in nine different dark web markets, who was recently arrested and admitted to selling more than $1 million worth of opioids and counterfeit currency on dark web markets. 

In the past two years alone, Webhose has crawled over 100 posts by this vendor. All of these posts were listings of counterfeit currency and opioid drugs such as oxycodone, hydromorphone and hydrocodone for sale.

To see content from dark web marketplaces, use the query: site.type:market

New on Webhose: Ransomware Group Websites Available

Since early 2020, we have continued to see a rising trend of ransomware groups creating their own sites on dark web networks where they post their victims’ stolen data and announce new victims.

Last week, we added a few new sites belonging to some of these latest popular ransomware groups: 

  • Grief – A ransomware group claiming to have stolen 2.5 GB of data, including internal company documents, PII and customer information. The group is known for demanding payment in cryptocurrencies such as Bitcoin and Monero.
  • Hive – This new ransomware gang made major headlines with a recent attack against Altus Group, a major real estate software firm. So far, two victims of the ransomware have been identified.
  • AvosLocker – A new ransomware group that uses a malicious program to compromise a Windows host, encrypt the victim’s document files, and then demand a ransom as the condition for decryption. The AvosLocker group publishes the names of its latest victims and their stolen data on its leak website, under one of two categories – Public Service Announcements and Leaks.

To see data from all the ransomware sites we recently added, please use the following query:

site.domain:(griefcameifmv4hfr3auozmovz5yi6m3h3dwbuqw7baomfxoxz4qteid.onion OR hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion OR avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion/post/geneva-ohio)

Weekly Find: Guess Data Breach Compromises Data of Over 1300 People

Photo credit: Eva Rinaldi, licensed under CC BY 2.0.

Fashion retailer Guess announced a data breach that affected over 1300 people, revealing PII data such as credit card numbers, social security numbers, access codes and more. After the announcement, Guess notified all involved customers and offered a compensation package to those affected by the incident.

The ransomware group responsible for the attack, DarkSide Ransomware Gang, is notorious for targeting multiple large, high-revenue organizations. We discovered the post of the initial announcement of the ransomware group in our data as far back as February 21 – the same time that the attack was reported:

To find content related to Sodinokibi Ransomware use the query:

(Kaseya AND (Revil OR ransomware OR 0day )) OR “CVE-2021-30116”

Trending: Royal Market is Under Attack

Royal Market, a new marketplace in the TOR network, is under attack, according to their market manager, known as De_professor. The new marketplace, which we added to our coverage in late June, offers a variety of products from diverse categories such as drugs, counterfeit, digital goods, fraud and more.

Almost two weeks ago, the site went down, allegedly because of a DDoS attack (a Distributed Denial-of-Service attack), a malicious attempt to disrupt the normal traffic of a target by overwhelming it with a flood of Internet traffic.

Soon afterwards, we discovered a post by the market manager of Royal Market, known as De_professor, on Dread, announcing their marketplace is under attack:

In his post, De_professor mentions that he has recently received threats from other dark web marketplaces managers, leading him to suspect one of them is behind the attack. It remains unclear who is behind the attacks.

It is common to see dark web sites under attack from competing sites. Sometimes the claim of a DDoS attack is fake and simply a step the actor takes before an exit scam. Whether the attack is real or not, however, it often serves as an indication of marketplace instability.

That’s it for now from our Cyber Team. We’ll be back again next time with more cyber news and discoveries. In the meantime, if you have any questions, comments or anything interesting you’d like to share, send us an email to: cyber@webhose.io

Until next time, 

Team Webhose