Webhose Top Cyber Updates

Posted on August 19, 2021 by yafit


Today’s update covers our latest on the LockBit ransomware attack, alongside the rise in the illegal weapons trade, the sale of fake vaccine cards on the dark web, and a new paste site we now cover.

Let’s start.

LockBit Ransomware Gang Hits Accenture

IT consulting firm Accenture is one of the latest victims of the LockBit ransomware gang, according to several sources.

Webhose is able to confirm that we crawled a post from the LockBit ransomware dark web site on August 11, in which the group announced that the accenture.com database would be made available for sale on August 17, 2021. The LockBit ransomware gang posted a countdown timer (seen in the picture above) with a warning that unless Accenture pays $50 million by the time it reaches zero, the group will publish the database (including more than 6 TB of data) on the dark web.

The latest update we have is that the site has since been locked behind a username and password, leaving various users on the dark web wondering how to gain access to it.

Here is what we found when trying to access the site:

A post by a user on a dark web hacking forum asking for the password:

LockBit is a ransomware group that operates similarly to DarkSide, REvil, and dozens of other groups that operate different ransomware attacks. These groups usually create their own website on the dark web, where they post databases they stole either for free or for sale. They also use these sites as a platform to post group announcements and new updates.  

Webhose has been crawling the LockBit website for some time; we keep track of all of the new ransomware groups’ websites and constantly add them to our coverage. 

To see content from LockBit’s dark web site use the query:

site.domain:lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion 

Trending: Fake Vaccine Cards Sales on Rise on Dark Web

Over the past months, we have seen an increase in the number of posts offering fake Covid passes, or Covid cards, for sale.

This trend comes as more and more countries demand a hospitality vaccine pass as a condition of entry to bars, restaurants and other public places.

The sellers are looking to tap into the new and growing market of customers who look to cheat the system and gain access to such places. We are seeing a variety of fake Covid passes on offer, including COVID vaccine cards, fake negative COVID test results and fake vaccine passports. These vaccination cards are not particularly difficult to forge as in most countries they use a physical paper copy.

To avoid getting caught by law enforcement, many sellers are using encrypted platforms including Telegram, like the post we crawled from the “Covid19 Vaccine Cards/Certificate/Passport” channel (see the picture above). We are also seeing this type of trade taking place on the dark web, in forums like TorPress, various marketplaces on the TOR network and paste sites like DeepPaste, which you can see in the following post:

To see more content related to fake vaccination cards, use the following query:

COVID AND ("Vaccine card" OR "Vaccination card") AND ("Certificate Health" OR "Vaccination Booklet" OR "Cov Pass" OR "vaccine passport" OR "vaccine certificates" OR VaccinePassports OR FakeNegativeCOVIDTest OR FakeVaccinePassport OR "get your" OR available OR provide OR "QR code" fake OR forge OR counterfeit OR \$ OR \£ OR \€ OR \¥ OR BTC OR bitcoin)

Weekly Find: Weapons for Sale on the Dark Web

We have recently witnessed growth in illegal weapon discussions and trafficking on the dark web.

Some of the most popular forums and marketplaces for these discussions include 4chan and Reddit, as well as TOR-based sites such as gunsganjkiexjkew.onion. This site, called Guns & Ganja Club, serves as a market where various suppliers trade in guns, rifles, ammunition, and firearm accessories.

We analyzed discussions on weapon trade and found that 51% originated from marketplaces, where actors mainly traded guns and ammunition. About 43% of them originated from discussions on alternative social media platforms. The remaining 6% came from paste sites.

We took a closer look at the trends and found that one of the factors that may have contributed to the increase in the sale of illegal weapons and ammunition is riots. We saw a spike in such discussions after the racial unrest in the USA, which started in May 2020 and continues sporadically, and after pandemic-related protests sparked by economic and political tensions.

New On Webhose: A New Paste Site

Textbin.net has just been added to our growing list of paste sites. As with other paste sites, the illegal content we crawl on this site includes hacking tutorials, breached PII (personally identifiable information), and other posts on illegal activities such as illegal child labor, drug sales, and more.

Here is an example of the content we crawl, where an anonymous actor posts Netflix cookies on a daily basis:

Pastes are details that are “pasted” to a public-facing website intended for sharing content, the most famous of which is Pastebin. These sites served in the 1990s as a platform to share large blocks of computer code. Since then they have evolved and are now frequently used by actors, specifically hackers, as repositories where they can anonymously share stolen information, such as passwords and other personal information.

Here is another example of a post we crawl, one where an actor is offering a bitcoin stealer for sale:

The Bitcoin Stealer method uses an executable to monitor an infected computer’s clipboard content for signs of a bitcoin address. Bitcoin Stealer injects itself into bitcoin transactions through this method, tricking users into transferring cryptocurrency to the hackers’ wallets.
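The swap described above leaves a recognizable trace in clipboard-write telemetry: a valid address overwritten moments later by a different valid address from another process. The following detection sketch is an added example, not part of the original post; the event schema (timestamp in ms, writing process, text), the process names and the addresses are constructed assumptions, and only legacy Base58Check addresses are covered.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
SHAPE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")  # legacy P2PKH / P2SH form

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def make_address(version: int, hash160: bytes) -> str:
    """Base58Check-encode a constructed payload; used only to build sample data."""
    raw = bytes([version]) + hash160
    raw += checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_btc_address(text: str) -> bool:
    """True only when the text is address-shaped AND its checksum verifies."""
    text = text.strip()
    if not SHAPE.fullmatch(text):
        return False
    n = sum(B58.index(c) * 58 ** i for i, c in enumerate(reversed(text)))
    if n >= 1 << 200:  # does not fit version + 20-byte hash + 4-byte checksum
        return False
    raw = n.to_bytes(25, "big")
    return checksum(raw[:21]) == raw[21:]

def find_swaps(events, window_ms=500):
    """Flag a valid address replaced quickly by a different one from another process."""
    alerts, prev = [], None
    for ts, proc, text in events:
        if (prev and proc != prev[1] and ts - prev[0] <= window_ms
                and text.strip() != prev[2].strip()
                and is_btc_address(prev[2]) and is_btc_address(text)):
            alerts.append((ts, proc, prev[2], text))
        prev = (ts, proc, text)
    return alerts

COPIED = make_address(0, b"\x11" * 20)    # constructed, not a real wallet
SWAPPED = make_address(0, b"\x22" * 20)   # constructed, not a real wallet
SAMPLE_EVENTS = [  # constructed: (timestamp in ms, writing process, clipboard text)
    (1000, "browser.exe", "meeting notes"),
    (5000, "browser.exe", COPIED),
    (5120, "helper.exe", SWAPPED),        # replaced 120 ms after the user's copy
    (65000, "browser.exe", COPIED),       # user copies again a minute later: benign
]
```

Requiring a valid checksum on both values keeps random address-shaped strings from raising alerts, and the time window separates an automated overwrite from a user copying a second address.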

This marks the end of this round of cyber updates. As always, we’ll be back again next time with new cyber stories and discoveries. If you have any questions, comments or anything interesting you’d like to share with us, send us an email to: cyber@webhose.io. 

Until next time, 

Team Webhose