Constella Intelligence

Potential Surge in Cryptocurrency Leaks

Increase in Cryptocurrency Leaks After Trump Supports Bitcoin

Recently, Constella Intelligence has observed an increase in attacks and data breaches resulting in cryptocurrency leaks. This surge could be partly attributed to comments made by former President Donald Trump in support of Bitcoin, which may have heightened hackers’ interest in these sites.

Former President Donald Trump has recently positioned himself as a pro-crypto presidential candidate. During his keynote speech at the Bitcoin 2024 conference in Nashville, Tennessee, held from July 25-27, 2024, Trump emphasized the transformative potential of cryptocurrencies. He pledged to make the United States a leader in Bitcoin mining and digital asset management.

These comments could have increased the value held on crypto-related platforms, making them more attractive targets for cybercriminals. As Bitcoin prices surge, the incentive to attack these platforms grows, highlighting the need for robust security measures.

Crypto Leaks Overview

In the first half of 2024, over 250 possible breaches or leaks related to cryptocurrencies, NFTs, and Bitcoin have been reported. These potential breaches could have affected users of various cryptocurrency platforms, including Bitcointalk, Crypto.com, Binance, eToro, and others.

Below are examples of how threat actors are offering information about these crypto-related sites on the Dark Web:

Zuelacoin Data Leak:


This information was published on March 31, 2024. According to the threat actor the data includes:

  • Emails
  • Names
  • Social media profiles (Twitter, Facebook, Telegram)

Binance Cryptocurrency Leak:


The post was made on May 27, 2024. The exposed information includes:

  • Emails
  • Full names
  • Phones
  • Countries

Mobile Apps like CashCoin, Coinbase, and KuCoin:


The threat actor “whix” published this on March 26, 2024. The exposed information includes:

  • Emails
  • Usernames
  • Passwords
  • Countries
  • IP Addresses
  • Payment methods

eToro Cryptocurrency Leak:


The same threat actor also posted this on March 25, 2024, and the following information could be found in it:

  • Full names
  • Emails
  • Countries
  • IP Addresses
  • Amounts
  • Payment methods

Bitcointalk Cryptocurrency Leak:


According to the threat actor on March 25, 2024, a database exposing the following information was published:

  • Emails
  • Usernames
  • Ethereum Addresses

These platforms are integral to the crypto ecosystem, providing services such as trading, wallet management, and social interaction for crypto enthusiasts.

Extent of Infostealer Exposures

Constella Intelligence checked whether the published information could stem from infostealer infections. This check found nearly 4 million users of these cryptocurrency companies exposed in infostealer data. Most exposures have impacted major cryptocurrency exchange platforms:

  1. Binance: More than 2M users exposed.
  2. EToro: More than 500k users exposed.
  3. Crypto.com: More than 300k users exposed.
  4. Localbitcoins: More than 200k users exposed.

Digging into the infostealer exposures, Constella Intelligence also identified what appear to be infostealer infections on the devices of likely employees of some of those companies, including Binance.com, eToro.com, Crypto.com, and Localbitcoins.com, among others.
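The exposure check described above can be reproduced on a small scale. The following Python script is an added example, not Constella's tooling: it reads stealer-log lines in the common url|username|password layout, maps each hit to one of a set of watched platform domains, counts unique exposed users per platform, flags usernames that are email addresses on the platform's own domain as probable employee accounts, and lists users who reuse one password across several platforms. The log lines, the watched domains and the employee heuristic are constructed assumptions.

```python
from collections import defaultdict
from typing import Iterator, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample in the "url|username|password" layout common to stealer logs.
# Every address, credential and host is fictitious.
SAMPLE_LOG = """\
https://accounts.binance.com/en/login|alice@example.com|Winter2024!
https://www.binance.com/en/my/settings|alice@example.com|Winter2024!
https://login.etoro.com/|alice@example.com|Winter2024!
https://login.etoro.com/|bob@example.net|hunter2
https://crypto.com/app|carol@example.org|Pa55w0rd
https://admin.etoro.com/|ops.user@etoro.com|Sup3rS3cret
https://localbitcoins.com/accounts/login|dave@example.com|qwerty
https://www.binance.com/en/register|erin@example.com|Winter2024!
https://evilbinance.com/login|frank@example.com|lookalike
garbage line without separators
"""

# Platforms to watch (assumption: the set of domains being triaged).
TARGET_DOMAINS = {"binance.com", "etoro.com", "crypto.com", "localbitcoins.com"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the watched domain a URL belongs to, or None.

    Matches the exact host or a subdomain; "evilbinance.com" must NOT match
    "binance.com", hence the explicit "." prefix in the suffix check.
    """
    host = urlparse(url).hostname
    if not host:
        return None
    for domain in TARGET_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def parse_records(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (domain, username, password) for well-formed lines that hit a watched domain."""
    for line in log_text.splitlines():
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # malformed line: skip rather than abort on a multi-GB dump
        domain = registrable_domain(parts[0].strip())
        if domain:
            yield domain, parts[1].strip().lower(), parts[2]


def exposure_report(log_text: str) -> dict:
    """Summarize exposure per watched platform.

    Heuristic (assumption): a username that is an email on the platform's own
    domain is treated as a probable employee account.
    """
    users = defaultdict(set)       # domain -> exposed usernames
    employees = defaultdict(set)   # domain -> probable staff accounts
    cred_sites = defaultdict(set)  # (user, password) -> domains it was captured on
    for domain, user, password in parse_records(log_text):
        users[domain].add(user)
        if "@" in user and user.rsplit("@", 1)[1] == domain:
            employees[domain].add(user)
        cred_sites[(user, password)].add(domain)
    return {
        "users_per_domain": {d: len(u) for d, u in users.items()},
        "employees": {d: sorted(u) for d, u in employees.items()},
        # same user, same password, on more than one platform: credential-stuffing fodder
        "password_reuse": sorted({u for (u, _), d in cred_sites.items() if len(d) > 1}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(exposure_report(SAMPLE_LOG), indent=2))
```

The suffix check with an explicit dot matters in practice: stealer logs are full of look-alike and phishing hosts, and a naive endswith("binance.com") would count victims of a fake login page as exposures of the real platform.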

Implications of Crypto-Related Breaches

The exposure of such extensive and sensitive information has significant and far-reaching implications as it endangers the financial security and privacy of millions of users. The compromised data can be exploited for various malicious activities:

  1. Identity Theft: Personal information such as full names, addresses, and birthdays can be used to steal identities.
  2. Financial Fraud: Payment methods and transaction histories can be exploited to conduct unauthorized transactions.
  3. Phishing Attacks: Email addresses and social media profiles can be used to create convincing phishing scams.

Recommendations for Users

To mitigate the risks associated with the recent breaches, users should adopt the following security practices:

  1. Use Strong, Unique Passwords: Ensure that each cryptocurrency account has a strong, unique password. Consider using a password manager to generate and store complex passwords securely.
  2. Enable Two-Factor Authentication (2FA): Adding an extra layer of security through 2FA can significantly reduce the risk of unauthorized access to accounts.
  3. Monitor Crypto Transactions Regularly: Keep a close watch on your cryptocurrency transactions and wallet activity to detect any unauthorized activities. Early detection can help prevent significant financial losses.
  4. Be Wary of Phishing Attempts: Be cautious with emails and messages requesting personal information or directing you to log in to your accounts. Verify the authenticity of such requests through official channels.
  5. Update Security Settings on Crypto Platforms: Regularly review and update your security settings on cryptocurrency exchanges and wallets. Ensure that all recovery options are up-to-date and secure.

Recent El Salvador Cyber Attacks

El Salvador Cyber Attacks Pose Significant Threats

Cybercriminals and hacking groups are increasingly exploiting geopolitical instability to launch attacks, like the recent El Salvador cyber attacks, that sow chaos and yield financial gain. Data breaches pose significant threats to national security, economic stability, and individual privacy. In countries like El Salvador, with a population of approximately 6.5 million, these effects can be even more pronounced due to limited resources and infrastructure to combat such threats.

Geopolitical Context of El Salvador

El Salvador’s geopolitical landscape is marked by internal political changes, economic developments, and technological initiatives, such as the adoption of Bitcoin as legal tender. The current administration, under President Nayib Bukele, has implemented measures aimed at reducing gang violence and has undertaken various reforms. These actions, alongside ongoing economic and social challenges, impact the country’s cybersecurity landscape, influencing its vulnerability to cyberattacks.

CiberinteligenciaSV Group

The group responsible for several recent leaks, known as CiberinteligenciaSV, is a Salvadoran data breach group that claims to have extensive information available for those who contact them. They are highly active on BreachForums, regularly posting detailed and sensitive information about Salvadoran citizens and institutions. CiberinteligenciaSV also maintains a Telegram group with nearly 3,500 members, expanding their influence and reach within the cybercriminal community.

Recent Data Breaches in El Salvador

Police Data Breaches:


On July 3, 2024, Constella Intelligence identified ten breaches related to the police in El Salvador. The leaked information involves reports on disappearances, vehicles, extortions, weapons, and other types of warnings and incidents. Moreover, on April 7, 2024, more than 10,000 arrest warrants from El Salvador were leaked.

This dataset provided freely by the attackers includes sensitive legal information that could be used to intimidate or manipulate individuals involved in ongoing legal proceedings. The data exposed in these breaches includes:

  • Full names
  • Telephone numbers
  • Identity documents
  • Addresses
  • Crimes and events

These breaches pose significant risks to individual privacy and public safety, as the compromised data could be used for various malicious activities, including identity theft, extortion, and targeted attacks.

Movistar/Telefónica El Salvador:


A breach affecting Movistar de El Salvador was reported on May 4, 2024, compromising the personal data of 74,351 individuals. The leaked data includes:

  • Phone numbers
  • Full names
  • Email addresses
  • Addresses

This breach exposes sensitive personal information, potentially compromising the privacy and security of Movistar customers.

PGR El Salvador – Justice Institution:


A breach affecting the Procuraduría General de la República (PGR), a key institution within El Salvador’s Ministerio Público (Public Ministry), was reported on April 29, 2024. The leaked data includes:

  • SQL databases exported from the SQL server (37 GB)
  • Over 2,000 tables with millions of records
  • Complete files of backend and frontend systems (4 GB+)
  • CSV files, VPN access, IP addresses, and other credentials

This breach exposes sensitive legal and administrative information, potentially compromising the integrity of El Salvador’s justice system.

ATM Chivo Wallet:


The Chivo Wallet, an electronic wallet created by the Salvadoran government to facilitate payments in dollars and Bitcoin, suffered a data breach on April 23, 2024. The leaked information includes:

  • ATM code for Chivo Wallet
  • VPN credentials

This breach undermines the security of the country’s financial transactions and affects public confidence in the government’s digital initiatives.

Vehicle Registration Data:


A dataset containing information on 824,536 vehicles in El Salvador was leaked on April 7, 2024. The data includes:

  • Names
  • License plates
  • Models
  • Brands
  • Types
  • Colors
  • Years
  • Conditions of vehicles

This breach provides cybercriminals with a comprehensive registry of vehicle data, which could be exploited for various malicious activities.

Massive Database of Salvadoran Citizens:


On April 2, 2024, a massive database containing detailed personal information and high-quality images of 5 million Salvadoran citizens was leaked. The data includes:

  • ID and identification documents (DUI)
  • Names and last names
  • Dates of birth
  • Telephone numbers
  • Email addresses
  • Home addresses
  • 5,129,518 high-definition photos labeled by DUI numbers

This database, totaling 144 GB, represents a significant portion of El Salvador’s population, highlighting the severe implications of such a breach on national security and individual privacy.

Exploitation of Leaked Data by Cybercriminals

The accessibility of such extensive datasets significantly empowers cybercriminals. Attackers can exploit the leaked personal information to orchestrate various malicious activities. With detailed data on individuals, including their identification documents, contact details, and even vehicle registration information, cybercriminals can execute a range of harmful actions such as:

  • Identity Theft: Stolen personal information can be used to create false identities for fraudulent activities.
  • Financial Fraud: Banking details and personal data can facilitate unauthorized financial transactions and scams.
  • Extortion: Cybercriminals can threaten to release sensitive information unless a ransom is paid.
  • Targeted Attacks: Detailed personal data enables highly targeted and effective phishing campaigns, leading to further data breaches and financial losses.

Recommendations

Given the increasing frequency and sophistication of cyberattacks, it is crucial for individuals to adopt robust cybersecurity measures. Here are some key recommendations:

  • Change and Strengthen Passwords: Individuals whose personal information has been exposed should immediately change and strengthen passwords for their online accounts, especially those related to financial and sensitive personal data, to prevent unauthorized access.
  • Enable Two-Factor Authentication (2FA): For added security, enable 2FA on all accounts where this option is available, particularly for services like Chivo Wallet and Movistar, to provide an additional layer of protection against unauthorized access.
  • Monitor Financial Accounts and Credit Reports: Individuals affected by the breaches should closely monitor their financial accounts and credit reports for any unusual activity or signs of fraud, especially given the exposure of data such as names, addresses, and identification documents.
  • Be Cautious of Phishing Attempts: With detailed personal data potentially compromised, individuals should be particularly vigilant against phishing attempts. Verify the authenticity of emails, messages, and phone calls that request personal information or direct to login pages.

By implementing these strategies, individuals in El Salvador can better protect themselves from the growing threat of cyberattacks and data breaches. Staying informed and proactive is essential to maintaining security and trust in an increasingly digital world.

Taylor Swift Ticket Leak: A Potential Threat from the Recent TicketMaster Breach

A recent leak may have exposed sensitive information related to Taylor Swift’s concert tickets. This incident is directly connected to the data breach that occurred on TicketMaster a few weeks ago.

A New Data Package Surfaces on the Dark Web Following TicketMaster Breach

This new leak emerged following the TicketMaster incident. The threat actor known as Sp1d3rHunters has claimed responsibility for this potential data exposure, as shown in the screenshot below. The name suggests a possible connection to the user Sp1d3r and the group ShinyHunters, who have been linked to previous high-profile leaks, including those involving Santander Bank and AT&T.

According to reports, threat actors obtained barcode data for hundreds of thousands of tickets to Taylor Swift’s Eras tour. However, TicketMaster has denied engaging with the hackers and assured that their dynamic barcode technology will prevent the misuse of the leaked barcodes.
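Ticketmaster's position rests on the barcode changing over time, so a copy of the barcode as it existed when the database was dumped is not a reusable ticket. The following Python model is an added illustration of that general technique, not Ticketmaster's SafeTix implementation: each ticket has its own secret, the barcode payload is an HMAC over the ticket ID and the current time step, and the gate accepts only the current step plus one step of clock drift. The 15-second step, the secret and the ticket IDs are assumed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 15        # assumed rotation interval
ALLOWED_DRIFT_STEPS = 1  # accept one neighbouring step to tolerate clock skew


def rotating_code(ticket_secret: bytes, ticket_id: str, now: int) -> str:
    """Barcode payload for `ticket_id` during the time step that contains `now`.

    HMAC-SHA256 over (ticket_id, step counter), truncated to 10 decimal digits.
    The secret lives only with the issuer and the holder's app; a leaked row
    holding a snapshot of the payload does not contain it.
    """
    counter = now // STEP_SECONDS
    msg = ticket_id.encode() + struct.pack(">Q", counter)
    digest = hmac.new(ticket_secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**10).zfill(10)


def verify_scan(ticket_secret: bytes, ticket_id: str, presented: str, now: int) -> bool:
    """Gate-side check: constant-time compare against the current and adjacent steps."""
    for drift in range(-ALLOWED_DRIFT_STEPS, ALLOWED_DRIFT_STEPS + 1):
        expected = rotating_code(ticket_secret, ticket_id, now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, presented):
            return True
    return False


def leaked_snapshot_still_works(ticket_secret: bytes, ticket_id: str,
                                leak_time: int, scan_time: int) -> bool:
    """Attacker copied the payload at `leak_time` and presents it at `scan_time`."""
    stolen = rotating_code(ticket_secret, ticket_id, leak_time)
    return verify_scan(ticket_secret, ticket_id, stolen, scan_time)


if __name__ == "__main__":
    secret = b"per-ticket-secret (assumed value)"
    base = 66666 * STEP_SECONDS  # start of an arbitrary time step
    print("same window:   ", leaked_snapshot_still_works(secret, "ERAS-001", base, base + 10))
    print("three steps on:", leaked_snapshot_still_works(secret, "ERAS-001", base, base + 3 * STEP_SECONDS))
```

The copied value verifies only while the window in which it was taken is still current (or one step either side). A static barcode, by contrast, stays valid until the event, which is exactly the scenario a dump of barcode strings would otherwise enable.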

Details of the Incident

On July 4th, the malicious actor Sp1d3rHunters put the stolen data up for sale on a hacking forum for $2M, threatening to publish more data from the TicketMaster data breach and around 30 million barcodes for other events. These events supposedly include more Taylor Swift concerts as well as sporting events like F1 races, MLB games, and NFL matches.


The breach includes relevant information about Taylor Swift’s concert tickets, such as:

  • Event date
  • Event ID
  • Transaction ID
  • Ticket barcode
  • Ticket location (section, row, and seat)
  • Event location (venue, country, state, city, ZIP, address)

This exposure reveals crucial details that could potentially be misused by malicious actors.


Potential Risks and Implications of TicketMaster Breach

  1. Potential Ticket Fraud: While it’s unclear if the leaked data can be directly matched to specific TicketMaster accounts, the information provided, such as ticket barcodes and transaction IDs, could potentially be used by unauthorized individuals to create counterfeit tickets. This poses a risk of ticket fraud, which could lead to financial losses and disruptions at events.
  2. Physical Security Risks: If it becomes possible to match the exposed TicketMaster data with specific tickets, there could be security risks for event attendees, including potential harassment or targeted attacks. However, we have not yet been able to confirm whether such a match is feasible.

If these potential scenarios are feasible, we could expect threat actors to engage in ticket scalping and resale fraud, using the stolen data to sell counterfeit tickets. Additionally, TicketMaster may face operational disruptions, including logistical challenges in reissuing tickets and managing event entries, which could affect both concertgoers and the company’s operational efficiency.

Recommendations for Users

Given the nature of the breach, users should take the following precautions to protect themselves:

  1. Verify Your Tickets: Before attending an event, confirm the authenticity of your tickets through TicketMaster’s official channels to ensure they have not been compromised or counterfeited.
  2. Protect Your Privacy: Avoid sharing specific details about your event plans on social media, as this information could be misused by malicious actors for tracking or targeting purposes.
  3. Home Security Awareness: Refrain from posting event dates and locations online, as this can alert potential thieves to your absence and increase the risk of home burglaries.
  4. Stay Informed: Keep up to date with communications from TicketMaster and other trusted sources regarding the breach. Follow any additional instructions provided to secure your personal information and tickets.

Neiman Marcus Data Breach: Analysis and Example of How Criminals Exploit Data Using AI

The recent Neiman Marcus data breach was detailed in an official communication to their customers. In May 2024, Neiman Marcus Group (NMG) discovered that an unauthorized party had accessed a cloud database containing personal information. The compromised data included names, contact details, birthdates, gift card information (without PINs), transaction data, partial credit card numbers, partial Social Security numbers, and employee IDs.

Breach Details and Data Exposed

On June 25th, a threat actor, known as “Sp1d3r,” attempted to sell the stolen data on a hacking forum for $150,000. The data set includes 12 million gift card numbers, 70 million transactions with detailed customer information, and 6 billion rows of customer shopping records and store information according to the threat actor.

The compromised data includes the following information, according to the threat actor’s post:

  • Full names
  • Email addresses
  • Dates of birth
  • Partial credit card numbers
  • Credit card types
  • Home and billing addresses
  • IP addresses
  • Gift card numbers (with name, gift card number, balances and more)
  • Purchase locations

Constella Intelligence’s breach analysis confirmed the exposure of the previously mentioned customer data. Additionally, the analysis revealed that the dataset likely contained personal information of several high-profile individuals from various sectors, including politics, fashion, and film.

The exposure of these individuals’ data significantly increases their risk of targeted attacks, identity theft, and other social engineering attacks.

Understanding Criminals’ Use of Data & AI: Safeguarding Against Scams with ScamGPT

Cybercriminals can take advantage of attributes such as names, email addresses, financial information, or transaction history using AI technologies to enhance their malicious activities. Here are some potential risks:

  • Automated Phishing Campaigns: AI can analyze the exposed data to craft highly personalized and convincing phishing emails, increasing the likelihood of recipients falling for scams.
  • Identity Fraud: Tools can quickly sift through large data sets to compile comprehensive profiles of individuals, making it easier for cybercriminals to impersonate victims and commit fraud.
  • Social Engineering Attacks: As previously mentioned, with the vast amount of compromised personal information, cybercriminals can craft highly sophisticated social engineering attacks. These attacks deceive individuals into divulging even more sensitive data or taking actions that compromise their security. By leveraging detailed personal profiles, attackers can tailor their tactics to exploit specific vulnerabilities, making their schemes more convincing and harder to detect.
  • Credential Stuffing: Leaked username and password pairs can be fed into automated tools that try them against many other websites, taking over any account where the victim reused the same password.

Using AI and dummy data that mimics the fields shared by “Sp1d3r,” Constella generated an example scam message to illustrate how convincing such output can be.

At Constella, we’ve identified a significant rise in the use of these techniques, leading to more sophisticated, credible, and effective attacks. These AI-driven scams leverage detailed personal profiles to craft convincing narratives, making them harder to detect and more likely to succeed.

To help combat this threat, Constella recently announced its new ScamGPT solution, which processes a target’s surface of attack using trained generative AI algorithms to generate hyper-targeted “scams,” which can then be used to help train individuals on this emerging, real-world threat.

Recommendations

Considering the recent Neiman Marcus data breach and the growing use of AI technologies by cybercriminals, victims should take precautions such as the below to help avoid further attacks:

  1. Be Wary of Phishing Attempts: Be cautious of unsolicited emails, messages, or phone calls asking for personal information. Verify the authenticity of the source before responding.
  2. Enable Multi-Factor Authentication (MFA): Add an extra layer of security to your accounts by enabling MFA. This helps protect your accounts even if your password is compromised.
  3. Regularly Monitor Your Accounts: Keep an eye on your bank statements, credit card bills, and other financial accounts for any suspicious activity and report any unauthorized transactions.
  4. Protect Gift Cards: Given that some gift card information was compromised, it is crucial to take proactive steps. If you have Neiman Marcus gift cards, monitor their balances regularly and report any unauthorized transactions to the issuer immediately. This will help protect your funds and ensure any suspicious activity is addressed quickly.

Analysis of Recent Data Breach Surge in South Korea

Cybersecurity Experts Warn of Data Breach Surge

In recent weeks, South Korea has experienced a data breach surge that has heightened concerns among cybersecurity experts. Notably, this increase in cyber incidents aligns with South Korea’s prominent role in a significant cybersecurity debate at the United Nations Security Council (UNSC) in June. This situation underscores the intricate link between geopolitical events and cyberattacks, where major decisions or announcements can often trigger data breaches.

Context and Background

The United Nations Security Council is tasked with maintaining international peace and security, wielding powers such as peacekeeping, imposing sanctions, and authorizing military action. The presidency of the UNSC rotates monthly among its members. In June, South Korea, during its presidency, organized a high-level debate on cybersecurity to bolster the UNSC’s efforts in addressing cyber threats. This focus on cybersecurity has intensified due to the rise in cyber threats during the COVID-19 pandemic and the broader adoption of digital technologies.

Detailed Breach Information

The recent exposures have revealed various types of sensitive information, each posing unique risks:

Personal Information:

  • Names
  • Usernames
  • Emails
  • Passwords
  • Birthdates

Contact Details:

  • Phone numbers
  • Addresses

Corporate Data:

  • Company affiliation

Data Breach Surge Attack Vectors


With the data found and mentioned in the previous section, different types of attacks can be carried out, depending on the type of exposed data:

  • Phishing and Spear Phishing Attacks: Names, usernames, and emails can be used to craft targeted phishing emails. These emails deceive recipients into revealing more personal information, such as login credentials or financial details.
  • Account Takeover: Exposed passwords, especially if reused across multiple sites, allow attackers to gain direct access to personal and corporate accounts. This can lead to unauthorized transactions, data theft, and further compromises.
  • Social Engineering: Birthdates, phone numbers, and addresses provide attackers with the information needed to impersonate individuals or organizations, tricking targets into divulging sensitive information or performing actions that compromise security.
  • Corporate Espionage: Company affiliation data can be used to identify key personnel and exploit organizational weaknesses. This can result in the theft of proprietary information, disruption of operations, or targeted attacks against specific companies.
  • Network Attacks: Exposed IP addresses tell attackers where a user or organization connects from. They can be used to target that network with Distributed Denial of Service (DDoS) attacks, scan it for exposed services, or pivot into further intrusions.

Tips to Protect Your Personal and Sensitive Information

  1. Enable Multi-Factor Authentication (MFA): Adding an extra layer of security for your accounts can help protect against unauthorized access, even if your password is compromised.
  2. Use Secure Networks: Avoid using public Wi-Fi to access or transmit sensitive information. Instead, use a secured or virtual private network (VPN) to enhance online privacy.
  3. Remove Unused Accounts: Regularly review and delete accounts for services you no longer use. Ensuring that your information is not stored unnecessarily reduces the risk of it being exposed in a breach.

By implementing these measures, individuals can significantly reduce their risk of falling victim to data breaches and better protect their sensitive information from cyber threats.

Analyzing Ticketmaster Sample Data Breach: Key Insights and Implications

As commented in our previous blog, The Resurgence of Major Data Breaches?, in May 2024, a potential data breach involving Ticketmaster surfaced on deep and dark web forums, and we want to analyze it as a sample data breach. The original breach, as shown in the accompanying image below, was posted by the user named ShinyHunters on May 28, 2024. This breach includes data of 560 million customers and 1.3TB of detailed information, including full names, addresses, emails, phone numbers, ticket sales, event information, order details, credit card details, customer fraud details, and more. The data was offered for sale at a price of $500,000 USD.


Understanding the Breach

Recently, another user named Sp1d3r seems to have taken more prominence on the forum, possibly because the ShinyHunters account has fallen back into a more secondary role. Sp1d3r advertised the data on the forum, claiming that the potential data breach affected 680 million customers, with the data available for $100,000 USD. In addition to selling the entire 680M data set, Sp1d3r has offered a sample of the first million records to all users.


Constella Intelligence obtained the 1 million records sample offered in the forum and analyzed it, providing a glimpse into the scale and severity of the incident. The sample dataset includes:

  • Personal Information: Names, email addresses, phone numbers, physical addresses.
  • Financial Data: Credit card details, payment methods, and transaction information.
  • Web Sessions and Cookies: Session details, IP addresses, browser identifiers.
  • Transaction Details: Purchase history, patron IDs, party lookup IDs.

Key Statistics from the Sample

Analyzing the sample dataset provides several important statistics that illustrate the scope and impact of the potential breach. These statistics offer a quantitative perspective on the breach, helping to understand the extent of the data exposure and identify trends that could inform future protective measures.

  • Total Records: 999,998 entries
  • Total Fields: 53 fields encompassing various data types
  • Email Statistics: 999,985 total email addresses, 761,041 unique email addresses
  • Top Email Domains: Gmail.com (620,985), Yahoo.com (57,796), Hotmail.com (45,490)
  • Geographical Distribution: USA (800,414 records), Mexico (99,910), Canada (64,011)
  • Payment Methods: VISA (429,279 records), MasterCard (304,484), American Express (64,369), PayPal (59,747)
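The statistics above are what a first pass over a sample yields. The following Python function is an added example, not Constella's analysis code, of computing them from a CSV export: record and field counts, total versus unique email addresses after case normalization, and the top email domains, countries and card brands. The column names and the seven rows are constructed; a real sample would have roughly a million rows and 53 columns.

```python
import csv
import io
from collections import Counter

# Constructed sample; column names are assumptions and every row is fictitious.
SAMPLE_CSV = """\
email,country,card_brand,ip
Alice@Gmail.com,US,VISA,203.0.113.5
alice@gmail.com,US,MASTERCARD,203.0.113.5
bob@yahoo.com,MX,VISA,198.51.100.7
carol@hotmail.com,CA,AMEX,198.51.100.8
,US,PAYPAL,203.0.113.9
dave@gmail.com,US,,203.0.113.10
erin@protonmail.com,MX,VISA,203.0.113.11
"""


def profile(csv_text: str, top_n: int = 3) -> dict:
    """Descriptive statistics over a breach sample, streamed row by row."""
    reader = csv.DictReader(io.StringIO(csv_text))
    total = 0
    emails = []
    countries = Counter()
    brands = Counter()
    for row in reader:
        total += 1
        # Normalize before counting uniques: "Alice@Gmail.com" and "alice@gmail.com" are one person.
        email = (row.get("email") or "").strip().lower()
        if "@" in email:
            emails.append(email)
        if row.get("country"):
            countries[row["country"]] += 1
        if row.get("card_brand"):
            brands[row["card_brand"]] += 1
    domains = Counter(e.rsplit("@", 1)[1] for e in emails)
    return {
        "records": total,
        "fields": len(reader.fieldnames or []),
        "emails_total": len(emails),
        "emails_unique": len(set(emails)),
        "top_domains": domains.most_common(top_n),
        "countries": countries.most_common(top_n),
        "payment_methods": brands.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in profile(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

The unique-email figure depends on normalization: the two spellings of alice's address collapse into one record. The gap between total and unique addresses in the real sample (999,985 against 761,041) suggests that many customers appear in several records.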

AI-Driven Scams: What You Need to Know


The exposure of such detailed and sensitive information in the potential data breach poses several significant risks to the affected individuals. In Constella’s experience, many current spear phishing attacks use credit card data or payment methods as inputs for AI models trained to generate realistic, targeted phishing messages.

Spear phishing is a targeted attack aimed at stealing sensitive information from a specific individual by posing as a trusted entity. Unlike mass phishing, it is highly personalized and tailored using detailed information from breaches.

With access to names, email addresses, financial information, payment methods, web session cookies and transaction histories, threat actors can use readily available AI tools to create highly convincing emails that appear legitimate, whether purpose-built models such as WormGPT, HackerGPT or DarkBERT, or mainstream commercial LLMs coaxed past their safeguards through prompt jailbreaking.

For instance, an email might reference recent purchases or use personal financial information to make the message more believable. The use of AI enhances the realism and effectiveness of these scams, making it harder for individuals to distinguish fraudulent emails from legitimate ones.

Protecting Exposed Data

If the information published by “Sp1d3r” is accurate, Constella recommends taking the following actions:

  1. Clear cookies and close any active sessions: Regularly clearing your browser cookies and cache and closing any active sessions can help protect your web session data.
  2. Reset the password associated with your account and any other accounts using the same password: Although Ticketmaster claims that no passwords were compromised and the banking data is encrypted, it is wise to reset the password for your Ticketmaster account and any other accounts using the same password. Use strong, unique passwords for each account, and consider using a password manager to generate and store these securely.
  3. Stay alert for possible spear-phishing campaigns, as mentioned earlier: Be vigilant with emails, especially those that seem related to Ticketmaster or recent transactions. Avoid clicking on links or downloading attachments from unknown senders, and verify the authenticity of any requests for personal information.

By following these specific recommendations, individuals can better protect their personal information and mitigate the impact of data breaches like the one potentially experienced by Ticketmaster.

Infostealers on the Rise: A New Wave of Major Data Breaches?

This blog continues our previous article, The Resurgence of Major Data Breaches, where we discussed the alarming increase in data breaches orchestrated by the notorious ShinyHunters group. In this part, we delve into the role of infostealers in these breaches and how they contribute to the rising wave of cyberattacks.

Why Are We Seeing More Major Breaches?

Lately, we have noticed an alarming increase in the number of major data breaches, with millions of records being exposed and shared on dark web forums. This resurgence has been driven in large part by the spread of infostealers – malicious software designed to gradually and unobtrusively steal sensitive information from infected devices without the victim’s awareness. This wave of cyberattacks, along with the reappearance of hacking groups and handles from years past, raises the question of whether we are entering another “golden age” of mass leaks, similar to what we experienced a few years ago.

The potential reason behind these significant breaches could be the mass leakage of credentials due to infections from various infostealers. Infostealers infiltrate systems through phishing emails, malicious downloads, or compromised websites, extracting valuable data such as usernames, passwords, and other personal information. Once collected, this data is sold or shared on dark websites, providing cybercriminals with the tools they need to conduct further attacks.

Analysis of Notorious Infostealers

Analysis of how infostealers operate reveals that their modus operandi typically involves certain threat actors developing these tools as a service. Other actors then pay to use that infostealer infrastructure, allowing them to steal sensitive information from victims easily and efficiently. Let us take a brief look at some of the most infamous infostealer families that are currently wreaking havoc:

  • RedLine Stealer is known for its effectiveness in stealing credentials from browsers, FTP clients, and even cryptocurrency wallets. Distributed through phishing campaigns and malicious downloads, RedLine quickly extracts and transmits sensitive data to attackers. Its widespread use has linked it to numerous breaches, making it a formidable threat in the cybersecurity landscape.
  • Raccoon Stealer focuses on stealing information from browsers, email clients, and other software. Its user-friendly interface makes it accessible to even novice cybercriminals. Raccoon Stealer has been a key player in many data breaches, contributing significantly to the rise in stolen credentials. Its ease of use and effectiveness have cemented its place in the toolkit of many cybercriminals.
  • Meta Stealer is a versatile malware targeting a broad range of applications and platforms, including browsers, gaming accounts, and VPN credentials. Its adaptability and extensive reach make it a potent tool for cybercriminals aiming to harvest a wide array of sensitive information. The ability to target multiple platforms increases its value and impact, making it a significant threat.
  • Lumma Stealer is particularly well known for its ability to steal and replay session cookies, allowing attackers to bypass security measures like multi-factor authentication. This capability has made Lumma a critical component in several high-profile breaches, including recent attacks where stolen session tokens were used to gain unauthorized access. Its advanced functionality poses a serious risk to both individuals and organizations.
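
The session-cookie theft described for Lumma above is best countered on the server side, where a stolen cookie can be recognised as such. The following Python is an added example, not code from Constella or from any product mentioned on this page. It assumes a web backend that sees each request's session cookie, source IP and User-Agent, binds the cookie to that client context at login (after MFA has completed), and treats a later request carrying the same cookie from a different context as suspected replay: the session is revoked and an alert is recorded for the SOC. The request stream, cookie values and addresses are constructed for the demonstration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    fingerprint: str
    revoked: bool = False


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Hash of the client's network prefix plus User-Agent.

    The /24 (IPv4) or /48 (IPv6) prefix is used instead of the exact address so
    that normal address churn inside one network does not look like theft.
    """
    net = ipaddress.ip_network(ip)
    prefix = net.supernet(new_prefix=24 if net.version == 4 else 48)
    return hashlib.sha256(f"{prefix}|{user_agent}".encode()).hexdigest()[:16]


class SessionStore:
    """Server-side session table that remembers which client a cookie was issued to."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.alerts: list[str] = []

    def login(self, cookie: str, user: str, ip: str, user_agent: str) -> None:
        # MFA is assumed to have been completed before this point; the cookie
        # is bound to the client context that passed it.
        self.sessions[cookie] = Session(user, client_fingerprint(ip, user_agent))

    def check(self, cookie: str, ip: str, user_agent: str) -> str:
        """Return a verdict for one request carrying a session cookie."""
        session = self.sessions.get(cookie)
        if session is None:
            return "unknown"
        if session.revoked:
            return "revoked"
        if session.fingerprint != client_fingerprint(ip, user_agent):
            # Same cookie, different client context: treat it as replay of a
            # stolen cookie, kill the session and record an alert.
            session.revoked = True
            self.alerts.append(
                f"possible cookie replay for user {session.user} from {ip}"
            )
            return "replay"
        return "ok"


# Constructed request stream (not real traffic): a login, two legitimate
# requests from the same network, then the same cookie presented from an
# unrelated host with a different agent, then the victim's own next request.
REQUESTS = [
    ("login", "sid-7f3a", "alice", "203.0.113.10", "Mozilla/5.0 Firefox/127.0"),
    ("get",   "sid-7f3a", None,    "203.0.113.10", "Mozilla/5.0 Firefox/127.0"),
    ("get",   "sid-7f3a", None,    "203.0.113.44", "Mozilla/5.0 Firefox/127.0"),
    ("get",   "sid-7f3a", None,    "198.51.100.7", "python-requests/2.32"),
    ("get",   "sid-7f3a", None,    "203.0.113.10", "Mozilla/5.0 Firefox/127.0"),
    ("get",   "sid-0000", None,    "203.0.113.10", "Mozilla/5.0 Firefox/127.0"),
]


def replay_requests(requests=REQUESTS):
    """Run the request stream through one store; return (verdicts, alerts)."""
    store = SessionStore()
    verdicts = []
    for kind, cookie, user, ip, ua in requests:
        if kind == "login":
            store.login(cookie, user, ip, ua)
            verdicts.append("login")
        else:
            verdicts.append(store.check(cookie, ip, ua))
    return verdicts, store.alerts


if __name__ == "__main__":
    verdicts, alerts = replay_requests()
    for (kind, cookie, _, ip, _), verdict in zip(REQUESTS, verdicts):
        print(f"{kind:5} {cookie} {ip:14} -> {verdict}")
    for alert in alerts:
        print("ALERT:", alert)
```

Binding to a network prefix rather than the exact address is a deliberate trade-off: ordinary address churn inside one network is tolerated, while a user who moves to a different network is simply asked to log in again. Revoking on the first mismatch is the point of the check; a stolen cookie that is rejected the first time it is presented cannot be used to walk around MFA, and the alert gives the SOC the affected user and the source of the replay.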

Potential for More Major Breaches

A recent analysis conducted by Constella has detected thousands, even millions, of credentials from companies whose employees might be infected by these infostealers. This compromised data includes not only personal information but also access credentials to corporate networks and cloud services. Such widespread exposure significantly increases the risk of large-scale data breaches similar to those we have seen in recent weeks.

Certain cloud service companies have had between 100k and more than 1M credentials exposed in infostealer infections. This wide range of exposed credentials underscores the pervasive threat posed by infostealers across various cloud services, indicating a high likelihood that both employees and customers are exposed on a daily basis, and increasing the risk that these credentials will be used maliciously by threat actors.

Protecting Against Infostealer Threats

Given the current landscape, it is crucial for individuals and employees to take specific measures to protect against infostealer infections and subsequent data breaches:

  1. Use Browser Extensions Cautiously: Avoid installing unnecessary browser extensions, as they can sometimes be exploited by infostealers to capture credentials and session data.
  2. Monitor for Unusual Browser Behavior: If the browser behaves oddly (e.g., redirects, pop-ups, or unusual login prompts), it could be a sign of an infostealer infection. Disconnect from the internet and begin removing the infection.
  3. Regularly Clear Cookies and Cache: Periodically clear the browser cookies and cache to minimize the risk of session hijacking through stolen cookies.
  4. Enable Security Features: Use browser security features such as disabling autofill saving and enabling warnings for untrusted websites. Additionally, avoid storing your credentials in the browser to prevent them from being easily stolen. These steps make such sensitive information harder to steal.
  5. Protect Against Infostealers: Infostealers are malware designed to steal personal information by exploiting user behavior and system vulnerabilities. Avoid downloading files, opening email attachments, or clicking on links from untrusted or unknown sources, and check the sender thoroughly before acting on a message.

By following these targeted recommendations, users and employees can better protect their personal and corporate information from infostealer infections. The fight against these threats is ongoing, but with the right precautions, we can mitigate their impact and safeguard our data and privacy.

The Resurgence of Major Data Breaches?

In the past few weeks, we have noticed an alarming increase in major data breaches, with millions of records being exposed and shared on dark web forums. This resurgence has been largely driven by a user who appears to be using the name ShinyHunters, a notorious hacking group. This wave of cyberattacks, along with the reappearance of the names of former hacking groups and users, raises the question of whether we are entering another “golden age” of mass leaks, similar to the one we experienced a few years ago.

The Golden Age of Major Data Breaches

Between 2019 and 2021, the cybersecurity community witnessed what many refer to as the “golden age” of massive data breaches. During this period, numerous hacker groups, including ShinyHunters, conducted large-scale attacks, compromising the data of millions of users. This stolen data was shared and sold on the dark web, creating a highly lucrative black market for personal and business information.

ShinyHunters stood out during this period for their attacks on companies such as Tokopedia, Unacademy, and Zoosk, leaking tons of sensitive data, including names, email addresses, passwords, and more. In 2020 and 2021, ShinyHunters conducted a series of hacks on prominent entities, including clothing retailer Bonobos, photo app Pixlr, and Microsoft’s GitHub account. They also claimed to have information on 70 million AT&T accounts, although AT&T denied the leak.

Recently, a user named ShinyHunters allegedly reopened BreachForums, a deep web forum for sharing data from breaches, and became its “owner” after the original forum was taken down. The resurgence of BreachForums at the hands of ShinyHunters has coincided with new leaks of data breaches impacting large companies, along with the emergence of other users registered under the names of former famous hackers and database sharers. This raises the question of whether we could be starting a new “golden age” of breaches. However, given the major issues the group was facing, including recent arrests, there is a possibility that we are witnessing identity impersonation to gain credibility when sharing breaches.

Recent Breaches

In the last week of May 2024, ShinyHunters was allegedly responsible for two significant breaches. While it cannot be confirmed with certainty that ShinyHunters is behind these breaches, the following incidents have been reported:

Santander Bank Breach

  • Countries Affected: Spain, Chile, Uruguay
  • Date Published: May 30, 2024
  • Data Compromised:
    • 30 million customer records
    • 6 million account numbers and balances
    • 28 million credit card numbers
    • HR employee lists
    • Consumer citizenship information
    • And much more
  • Price: $2 million USD

Ticketmaster Breach

  • Date Published: May 28, 2024
  • Data Compromised:
    • Full details of 560 million customers (name, address, email, phone)
    • Ticket sales, event information, order details
    • Credit card details, last 4 digits of the card, expiration date
    • Customer fraud details
    • And much more
  • Price: $500,000 USD

Recommendations if Impacted By Major Data Breaches

To be protected from the repercussions of these breaches, users should consider the following measures:

  1. Be Cautious with Phishing Emails: Avoid clicking on links or downloading attachments from unknown or suspicious emails.
  2. Use a Password Manager: A password manager can help securely generate and store complex passwords.
  3. Stay Informed: Keep up to date with the latest news on cybersecurity threats and breaches.

By staying vigilant and taking these proactive steps, users can better protect their personal information from being compromised in future data breaches.

Growing Cyber Threats Amid Israel-Palestine Tensions

Growing Cyber Threats Focus on Ransomware, Infostealers, and Defacements

This blog continues our geopolitical series, highlighting the growing cyber threats during the ongoing Israel-Palestine tensions. Recent months have seen a significant increase in cyberattacks targeting Israeli institutions, with a particular focus on ransomware, infostealers, and defacements. This blog delves into the most recent incidents, primarily orchestrated by the Handala group.

Escalation of Tensions in Israel

As mentioned in our previous blog, the escalating tensions between Israel and Palestine are mirrored in cyberspace by increased activity from the Handala Hack Group. Active since 2011, this pro-Palestinian hacker collective has intensified its cyber offensives against Israeli targets, employing defacements and ransomware attacks to disrupt operations and steal sensitive information. These attacks not only aim to cause financial and operational damage but also to broadcast their political message and gain support against Israel.

Recent Ransomware Attacks by Handala

Handala has potentially conducted numerous ransomware attacks, targeting the technology, education, and healthcare sectors. Here are some of the most recent incidents:

  • On May 27, 2024, Zionist Information Technology was potentially attacked.
    • The affected entities include Cello (formerly Cellopark), MER Group, ForSight Robotics, Magnet Accelerator, Citizen Café Tel Aviv, Toks, Barak Finance, EasyUP, Sirius Electronics, Israel Archaeological Services, and Shai Nursing Company.
    • This attack compromised multiple sectors, including technology, healthcare, and academic services, highlighting significant breaches in Israeli cybersecurity.
  • Ramat Gan Academic College faced a possible attack on May 25, 2024, affecting its educational infrastructure and data.
  • Harmony Pharm, the largest pharmacy in Tel Aviv, was attacked on May 22, 2024, disrupting the pharmaceutical supply chain.
  • Amigour Company, a major housing and community development company, was hacked on May 16, 2024. The attack led to 522 GB of data being dumped and wiped.
  • High Group, a key settlement development source, was attacked on May 2, 2024, resulting in 84 GB of data being dumped.

Defacement Attacks: Exposing the Faces of Cyber Warfare

A defacement attack involves altering the visual appearance of a website, often to display a political or social message. Handala Group and other hacktivist groups have been actively engaging in defacement attacks to criticize and expose Israeli entities publicly.

Here are some notable recent defacements:

  • Handala Group: Two defacements recorded on makombelev.org.il and hadct.co.il
  • Cyb3r_Drag0nz_Team: Defaced www.infodent.co.il and www.argal.co.il
  • Mr.Rm19: Targeted gedera.gogeek.co.il
  • adem:): Defaced maxlock.co.il
  • jokeir 07x: Targeted tudiotb.co.il and ugarit.co.il
  • P1Y4D3: Defaced multiple pages under ugaritgroup.co.il
  • TOMODACHI: Defaced call.ugarit.co.il and mishkan-store.co.il
  • ./r0cky_n00bz: Targeted horoot.co.il
  • Cyber Ghost: Defaced hadpeami.co.il, korki-net.co.il, and shoo-fee.org.il
  • DragonForceMalaysia: Defaced bridgesalon.co.il
  • Hacktivist Indonesia: Targeted isr.org.il
  • JH-TEAM H: Multiple defacements including www.nsc.org.il and maccabi.co.il
  • the key40: Targeted maccabi.co.il
  • systemadminbd: Defaced www.ite-cat.co.il

Infostealer Infections: A Growing Concern

The data previously exposed in ransomware attacks could lead to further infections by infostealers. Infostealers are malware designed to gather sensitive information from infected systems, such as login credentials and personal data. Entities with observed infostealer infections include:

  • Smart College
  • 99 Digital
  • Ramat Gan Academic College
  • Barak Finance

These infections could be the root cause of some of the previous ransomware attacks or, even worse, could be used to enhance the damage of the existing ones.

Conclusions and Recommendations

The recent surge in cyber attacks amid the Israel-Palestine conflict underscores the evolving nature of digital warfare. Ransomware, infostealers, and defacements are being utilized to disrupt, expose, and damage critical sectors in Israel. Understanding these threats is crucial for mitigating the impact of these malicious activities.

Recommendations:

  • Be Careful with Emails: Avoid clicking links or downloading attachments from unknown or unsolicited emails. Phishing is a common method hackers use to access personal information.
  • Use Two-Factor Authentication (2FA): Enable 2FA on all accounts to add an extra layer of security.
  • Regularly Update Systems: Keep all software and systems up to date with the latest security patches to prevent exploitation of known vulnerabilities.

By adopting these practices, individuals can significantly reduce their risk of falling victim to cyberattacks and ensure a robust defense against the ever-evolving threat landscape.

Recent Data Breach at Ayesa: A Ransomware Case Study

Strengthening Defenses Against Ransomware Attacks

In recent years, ransomware attacks, where criminals lock up a victim’s data and demand money to unlock it, have become a serious threat to organizations worldwide. These attacks target many sectors, including healthcare and finance. The goal is often not just to make money but also to cause disruption and chaos. One group known for these aggressive tactics is Black Basta. They use a method called double extortion, where they not only lock the victim’s data but also threaten to release sensitive information unless they are paid. As these cybercriminals continue to improve their methods, it is increasingly important for organizations to strengthen their defenses.

The Ayesa Data Breach

Ayesa, a leading Spanish company providing technology and engineering services, seems to have recently fallen victim to a potential ransomware attack by Black Basta. With over 12,500 employees and a presence in 23 countries, the possible breach at Ayesa highlights the extensive reach of these cyber criminals. The attack, which was made public on May 13, 2024, potentially resulted in the theft of about 4.5 terabytes of sensitive data, including:

  • Company data (treasury, human resources, administration, general management, security, audits, etc.)
  • Employees’ data
  • Projects and CAD files

The Threat of Detailed Profiling

The types of data potentially stolen from Ayesa, such as personal details of employees and company information, can be highly valuable for criminals. With this information, threat actors can create synthetic identities to impersonate employees. These synthetic identities can then be used to commit fraud, purchase illicit items, or even access secure company systems by posing as legitimate employees. Cybercriminals can further enhance these synthetic identities with information available from data brokers, who collect and sell large amounts of personal information gathered from public sources such as social media profiles, past employment history, and other publicly available records. Information from previous breaches can also be cross-referenced to enrich these profiles further.


For example, if a cybercriminal obtains an employee’s name, job title, and contact information from Ayesa, they can look up additional details such as social media profiles, past employment history, and other personal records from data brokers. This enriched profile can then be used to craft highly targeted phishing emails or impersonation attempts, making the attacks more convincing and increasing the likelihood of success.


The Ease of Exploiting Leaked Data

Generative AI tools, especially those without ethical restrictions like WormGPT or FraudGPT, enable cybercriminals to automate and carry out more realistic and sophisticated fraudulent attacks.

These tools can write undetectable malware, create convincing phishing pages, and generate spear-phishing emails that appear to come from trusted sources within an organization. The ability of AI to exploit human psychology significantly increases the likelihood of successful cyberattacks.

Potential Attack Vectors

With the kind of data a cybercriminal can obtain from these data breaches, several attack vectors can be exploited:

  1. Identity Theft: Personal data such as ID card photos and employee information can be used to commit identity theft, leading to financial loss and reputational damage.
  2. Phishing and Social Engineering: Detailed personal and company data can help attackers craft convincing phishing emails, increasing the success rate of these attacks.
  3. Intellectual Property Theft: Projects and CAD files contain valuable intellectual property that malicious actors could exploit.
  4. Credential Stuffing: Access to employee credentials could allow attackers to gain unauthorized access to other systems where the same credentials might be used.
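
Credential stuffing, the fourth vector above, leaves a characteristic trace in authentication logs: one source trying many different usernames in a short window, most of them failing, with the occasional success marking an account whose reused password was in the leaked set. The following Python is an added example, not code from Constella or from Ayesa: it runs a sliding-window detector over a constructed authentication log in an assumed line format and reports, per source, how many distinct accounts were tried, how many attempts failed, and which accounts nevertheless logged in successfully inside the flagged window. Addresses, usernames and timestamps are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed, not from any real product):
#   <ISO timestamp> auth <ok|fail> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 198.51.100.7 walks through ten different accounts in
# under two minutes (a stuffing pattern); alice at 203.0.113.10 mistypes her
# password three times before succeeding; 192.0.2.5 has two isolated failures.
SAMPLE_LOG = """\
2024-06-03T10:00:00 auth fail user=user01 src=198.51.100.7
2024-06-03T10:00:05 auth fail user=alice src=203.0.113.10
2024-06-03T10:00:10 auth fail user=user02 src=198.51.100.7
2024-06-03T10:00:20 auth fail user=alice src=203.0.113.10
2024-06-03T10:00:21 auth fail user=user03 src=198.51.100.7
2024-06-03T10:00:30 auth fail user=bob src=192.0.2.5
2024-06-03T10:00:33 auth fail user=user04 src=198.51.100.7
2024-06-03T10:00:40 auth fail user=alice src=203.0.113.10
2024-06-03T10:00:45 auth fail user=user05 src=198.51.100.7
2024-06-03T10:00:57 auth fail user=user06 src=198.51.100.7
2024-06-03T10:01:00 auth ok user=alice src=203.0.113.10
2024-06-03T10:01:09 auth fail user=user07 src=198.51.100.7
2024-06-03T10:01:21 auth fail user=user08 src=198.51.100.7
2024-06-03T10:01:33 auth fail user=user09 src=198.51.100.7
2024-06-03T10:01:45 auth ok user=user10 src=198.51.100.7
2024-06-03T10:02:00 auth fail user=carol src=192.0.2.5
"""


def parse_log(text: str) -> list[dict]:
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_failures=5) -> dict:
    """Flag sources that tried many distinct accounts, mostly failing, in one window.

    Returns {src: {"distinct_users", "failures", "successes"}} for the widest
    window that crossed both thresholds. A single user failing repeatedly
    (a forgotten password) never trips it, because distinct_users stays 1.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            failures = sum(e["result"] == "fail" for e in span)
            if len(users) >= min_users and failures >= min_failures:
                prev = alerts.get(src)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[src] = {
                        "distinct_users": len(users),
                        "failures": failures,
                        # Accounts that logged in from the attacking source:
                        # these need a password reset and session revocation.
                        "successes": sorted(
                            e["user"] for e in span if e["result"] == "ok"
                        ),
                    }
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds are starting points and should be tuned to the site's normal login volume. Per-source counting is the simplest signal; an attacker spreading attempts across many addresses will stay under it, so the same window logic is usually also run per user agent, per ASN, and per target account. The successful logins inside a flagged window are the actionable output: those accounts should have their password reset and existing sessions revoked, and the users should be told that the credential was reused elsewhere.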

Cybersecurity Recommendations

In addition to the classical tips we have provided in previous blogs, such as enabling MFA, it is important to take additional steps to secure your devices and networks.

  • Secure Your Devices: Ensure that any device used to access sensitive information is secured with updated antivirus software and a firewall. Regularly update your operating system and software to protect against vulnerabilities.
  • Use Secure Networks: Avoid using public Wi-Fi to access or transmit sensitive information. Instead, use a secured network or a virtual private network (VPN) to enhance online privacy.
  • Remove Unused Accounts: Review and delete any accounts for unused services regularly. Ensuring your information is not stored unnecessarily reduces the risk of being exposed to a breach.
  • Be Cautious of Phishing and Scams: Always be wary of unsolicited emails, messages, or phone calls asking for personal information. Verify the authenticity of the source before responding, and avoid clicking on links or downloading attachments from unknown senders. Recognizing and avoiding phishing attempts can significantly reduce the risk of falling victim to scams.

By following these steps, individuals can better protect their personal information from cyber threats and mitigate the impact of potential data breaches. In an increasingly digital world, staying informed and proactive is essential to maintaining security and trust.