Webhose Cyber Updates – May 27th

Posted on May 27, 2021 by Webhose


This month our cyber updates include the addition of many new ransomware groups to Webhose’s coverage, including N3tw0rm and Marketo, among others. We are also continually adding and monitoring social media sites that advocate free speech, like BitChute, Rumble, MEWE – and of course Parler – that contain many far-right-wing extremist discussions.

Proud Boys One of Many Extremist Groups Identified in the Dark Web

Recently, U.S. authorities arrested three more alleged associates of two right-wing groups in the January 6th storming of the Capitol in Washington DC. One arrested suspect, Daniel Lyons Scott, is a Proud Boys member who goes by the name Milkshake.

Webhose has crawled posts written by this user from the past year in Parler, a “free speech” social network that hosts a lot of far-right-wing extremist discussions. Its user base includes a lot of members of extreme organizations like the Proud Boys and the Boogaloo. 

Alongside Parler, Webhose collects data from additional social media sites that advocate free speech, such as BitChute, Rumble, MEWE, and others. We collect extreme and violent discussions that constitute a threat to specific individuals, ethnic groups, etc. These threats can include anything from planning violent riots to explicit threats on an individual’s life. Regular monitoring of such content can help law enforcement prepare ahead of time and even prevent such violent events from taking place.

To see content related to extreme groups active in different social media platforms, run the query: 

(site.type:social_media) AND ("Boogaloo" OR "Proud Boys" OR "kkk" OR "kike" OR "nazi" OR "Oath Keepers" OR "Three Percenters" OR "race")

New Ransomware Gangs and Websites Now Available in Webhose’s Coverage

Since early 2020, we have seen a rising trend of ransomware groups operating public sites. On those sites, ransomware groups post their victims’ stolen data and announce new victims. One of the best-known ransomware groups, and the first to have its own website, was the Maze group. This popular ransomware group shut down its activity a few months ago.

Recently, we added a few new sites belonging to some of the latest popular ransomware groups. One is N3tw0rm, a ransomware group that counts a few Israeli companies among its victims. We also added the leak site belonging to the Marketo ransomware group, which has already attacked a few major companies including Axis Communications. Other sites we added are from the Xing, Lorenz and LV Blog ransomware groups.

We also recently added the leak site belonging to the Persian hacking group Arvin Club. This site contains a few major data leaks, such as the latest breach of the Iranian bank Mellat.

To see data from all the new ransomware sites we recently added, please use the following query:

site.domain:(*xing* OR *marketo* OR *4qbxi3i2* OR *lorenz* OR *i5zxsb*)

Russian Hacking Forum XSS Bans the Promotion of Ransomware on Its Site

XSS, one of the top-rated Russian-speaking hacker forums, includes discussions related to hacking, exploits, malware, vulnerabilities, and network penetration. It also has a marketplace section where users can make direct sales of mostly illegal digital products. The forum exists both on the open web and dark web.

Recently, the forum owner announced that the site is banning all the topics that promote ransomware on its platform. The post clearly mentions that all ransomware rental, ransomware affiliate programs, and the sale of lockers (ransomware software) are now prohibited.

The announcement is aimed at stopping the negative media attention these posts attract. For example, the recent attack on the Colonial Pipeline by the DarkSide ransomware group caused law enforcement agencies (LEA) and security researchers to continue tracking the ransomware gang. LEA also started carefully monitoring the websites that promote it, including XSS. The XSS site wants to minimize this type of negative press as much as possible.

To see content from XSS, run the query:

site.domain:xss.is

New Data Breaches Now Available in Webhose’s Coverage

Unfortunately, data breaches are continually on the rise. This year began with a few attacks that caused massive data breaches for companies of all sizes. Many of these breaches aren’t even mentioned in the dark web scene.

For other breaches, however, such as the recent Domino’s Pizza India data breach, the data is prominently sold on hacking forums. Most breaches containing a stolen database are regularly shared in the dark and deep web.

Here at Webhose we continue to monitor the dark web even after the latest data breaches are shared online. 

We recently added to our coverage three big databases that were leaked online.

  • ClearVoice – This database was shared online last month and contains about 15 million compromised records including emails, phones, IP addresses and other data.
  • Big Basket – Another big database we recently added belongs to the Indian online grocery delivery service Big Basket. The leak contains about 20 million compromised records including emails, phones, and full names, among other data.
  • ParkMobile – The database of the pay-by-phone parking company was first shared online last month and contains about 15 million compromised records. These include emails, account names, and social security numbers, among other data.

To see mentions of the above data breaches, please use the following query: 

("parkmobile" OR "bigbasket" OR "Clearvoicesurveys")

That’s it for our Cyber News Update from our Cyber Team this time. We’ll be back again next time though with more exciting updates from the world of cyber. Stay tuned for more updates!

Until next time, 

Team Webhose