
Security Researcher Outsmarts Hackers with Fake Ransomware Tool

The debate surrounding the ethics and practicality of "hacking back" remains a heated topic within the cybersecurity community. When organizations face cyberattacks, is retaliating against the attacker a viable option? While opinions differ, one fact remains clear: breaking the law is breaking the law, regardless of intent.

However, in a fascinating case of strategic ingenuity rather than retaliation, a security researcher and penetration tester successfully infiltrated a notorious dark web criminal marketplace. This was less an act of hacking back and more a bold example of preemptive defense.

Quoting American philosopher Robert Maynard Pirsig, Cristian Cornea, the researcher at the heart of this operation, opened his riveting Medium post with, “Boredom always precedes a period of great creativity.” Inspired by these words, Cornea devised a clever honeypot strategy to target potential ransomware hackers frequenting the BreachForums marketplace on the dark web.

His plan revolved around creating a fake ransomware tool called the "Jinn Ransomware Builder," designed to lure cybercriminals. This supposed tool offered features to help bad actors deploy ransomware attacks. In reality, it was a honeypot—an elaborate trap with some real functionalities but embedded with hardcoded and backdoored command-and-control callbacks.

“Jinn Ransomware Builder is actually a honeypot,” Cornea explained, “but some of the features presented above are real.” For instance, the tool could initiate a remote connection and open a process with a server-hosted “CmD.eXE” executable. Other features, such as multi-language support and AES encryption, were merely designed to make the tool appear more authentic and appealing to malicious actors.

Cornea emphasized that his actions were performed within a controlled and simulated environment, ensuring no laws were broken. “I strictly discourage anyone else from executing such actions themselves,” he warned. He stressed the importance of staying on the ethical side of hacking, noting that the line between good and bad hacking is dangerously thin.

This operation highlights the creativity and strategic thinking ethical hackers use to combat cybercrime, reinforcing that innovation and legality must go hand in hand.

Critical npm Account Takeover Vulnerability Sold on Dark Web

A cybercriminal known as Alderson1337 has emerged on BreachForums, offering a critical exploit targeting npm accounts. This vulnerability poses a significant threat to npm, a crucial package manager for JavaScript managed by npm, Inc., a subsidiary of GitHub. Alderson1337 claims this exploit can enable attackers to hijack npm accounts linked to specific employees within organizations. 

The method involves embedding undetectable backdoors into npm packages used by these employees, potentially compromising numerous devices upon updates. This exploit could have widespread implications for organizational security. Instead of sharing a proof of concept (PoC) publicly, Alderson1337 has invited interested buyers to contact him privately, aiming to maintain the exploit’s confidentiality and exclusivity. If executed successfully, this npm exploit could inject backdoors into npm packages, leading to extensive device compromise. 

However, npm has not yet issued an official statement, leaving the claims unverified. The incident primarily impacts npm Inc., with npmjs.com being the related website. While the potential repercussions are global, the specific industry impact remains undefined. Account takeover (ATO) vulnerabilities represent severe risks where cybercriminals gain unauthorized access to online accounts by exploiting stolen credentials. These credentials are often obtained through social engineering, data breaches, or phishing attacks. 

Once acquired, attackers use automated bots to test these credentials across various platforms, including travel, retail, finance, eCommerce, and social media sites. Users' reluctance to update passwords, and their reuse of the same passwords across platforms, increases the risk of credential stuffing and brute-force attacks. Such practices allow attackers to access accounts, potentially leading to identity theft, financial fraud, or misuse of personal information. To mitigate ATO risks, experts recommend strong password management practices, including unique, complex passwords for each account and two-factor authentication (2FA) wherever possible. Regular monitoring for unauthorized account activity and prompt response to suspicious login attempts are also crucial for maintaining account security.

While Alderson1337’s claims await verification, this incident underscores the ongoing challenges posed by account takeover vulnerabilities in today’s interconnected digital landscape. Vigilance and collaboration across the cybersecurity community are essential to mitigating these threats and preserving the integrity of online platforms and services.

Cybercriminal Group UNC5537 Strikes with Major Data Breaches

In recent weeks, the cybercriminal group UNC5537 has made significant waves. This ransomware gang, potentially linked to ShinyHunters or Scattered Spider, stole over 560 million customer records from Ticketmaster. On May 28, they listed this data for sale on their revamped leak site, BreachForums, with a price tag of $500,000. Just two days later, the group claimed to have obtained 30 million account records from Santander Bank in Spain, demanding $2 million for the data. Both companies confirmed the breaches after these announcements.

A June 10 analysis by Mandiant, an incident-response firm now part of Google, revealed that these data leaks, along with at least 163 other breaches, were not due to system vulnerabilities but rather the exploitation of stolen credentials and inadequate multifactor authentication (MFA) controls. According to Mandiant, no evidence indicates that the breaches stemmed from Snowflake's enterprise environment. Instead, all incidents are traced back to compromised customer credentials.

While implementing MFA could have prevented the data theft from Snowflake's systems, the companies involved have broader issues beyond this single control. Businesses must ensure visibility into their attack surfaces, promptly disable accounts of former employees and contractors, and minimize entry points for attackers. Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, emphasizes that attackers often exploit basic security lapses. "Targeting the low-hanging fruit — in this case, insecure credentials — can be achieved with little effort from the threat actor but provides ample opportunities," he notes.

Key Lessons from Recent Cloud Breaches

1. Start With MFA and Then Go Beyond

There is significant room for improvement in MFA adoption. Despite reports showing that 64% of workers and 90% of administrators use MFA, over 60% of organizations still have at least one root user or administrator without MFA enabled. According to Ofer Maor, co-founder and CTO at Mitiga, achieving consistent and verifiable MFA implementation is crucial. He suggests that companies enforce and require MFA, disable non-SSO logins, and enhance security measures with device- or hardware-based authentication for sensitive infrastructure.

2. Use Access Control Lists to Limit Authorized IP Addresses

Organizations should implement access control lists (ACLs) to restrict user access to cloud services or at least review access logs daily for anomalies. Jake Williams, a faculty analyst at IANS Research, recommends restricting IP addresses for cloud infrastructure access and emphasizes the importance of access reviews to identify unexpected access points.

3. Maximize Visibility Into Cloud Services

Continuous monitoring of applications, log data, access activity, and data aggregation services is essential for detecting and preventing attacks. Organizations need to alert on specific behaviors or threats, which could have identified the cybercriminals' attempts to access cloud data, says Brian Soby, CTO and co-founder at AppOmni.

4. Don't Rely on Your Cloud Providers' Defaults

Cloud providers often prioritize usability over security, so relying solely on their default settings can be risky. For example, Snowflake's default settings do not require MFA, making it easier for attackers with compromised credentials to gain full access. Companies must go beyond these defaults and enforce higher security standards.

5. Check Your Third Parties

Even if a company does not directly use Snowflake or another cloud service, third-party providers might, exposing their data to risk. Ensuring that all service providers handling company data follow proper security measures is essential, as highlighted by IANS Research's Williams. Reaching out to service providers to confirm their security practices is crucial in protecting data in today's complex supply chain environment.
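As an added illustration of lessons 1 through 3 above (example code written for this page, not from Snowflake, Mandiant or any of the firms quoted), the following Python audits constructed sign-in records for logins without MFA, source addresses outside an IP allowlist, and use of accounts belonging to departed personnel. The log format, the address ranges and the account names are all assumptions.

```python
"""Audit cloud-service sign-in records for the basic lapses described above.

Constructed example: the log format, network ranges and account names are
invented for illustration and do not come from any real incident.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Lesson 2: corporate egress ranges from which cloud logins are expected.
ALLOWED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Accounts of former employees/contractors that should already be disabled.
DEPARTED_ACCOUNTS = {"contractor.old"}


@dataclass
class SignIn:
    user: str
    src_ip: str
    mfa_used: bool
    is_admin: bool


@dataclass
class Finding:
    user: str
    reasons: List[str] = field(default_factory=list)


def parse_log(lines):
    """Parse constructed 'user=... ip=... mfa=... role=...' lines."""
    events = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split())
        events.append(SignIn(
            user=fields["user"],
            src_ip=fields["ip"],
            mfa_used=fields["mfa"] == "true",
            is_admin=fields["role"] == "admin",
        ))
    return events


def audit(events):
    """Return one Finding per sign-in that violates lessons 1-3."""
    findings = []
    for ev in events:
        reasons = []
        if not ev.mfa_used:  # lesson 1: every login, admins especially, needs MFA
            reasons.append("admin login without MFA" if ev.is_admin
                           else "login without MFA")
        try:  # lesson 2: source must fall inside the allowlist
            addr = ipaddress.ip_address(ev.src_ip)
            if not any(addr in net for net in ALLOWED_NETWORKS):
                reasons.append(f"source {ev.src_ip} outside allowlist")
        except ValueError:
            reasons.append(f"unparseable source address {ev.src_ip!r}")
        if ev.user in DEPARTED_ACCOUNTS:  # stale account still usable
            reasons.append("account belongs to departed personnel")
        if reasons:  # lesson 3: surface these as alerts, not just log lines
            findings.append(Finding(ev.user, reasons))
    return findings


# Constructed sample log lines.
SAMPLE_LOG = [
    "user=alice ip=203.0.113.10 mfa=true role=user",
    "user=root ip=203.0.113.22 mfa=false role=admin",
    "user=contractor.old ip=192.0.2.77 mfa=true role=user",
    "user=bob ip=198.51.100.5 mfa=false role=user",
]

if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG)):
        print(f"ALERT {f.user}: {'; '.join(f.reasons)}")
```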

D-Link Confirms Data Breach, After Employees Suffer Phishing Attack

Taiwan-based networking equipment manufacturer D-Link recently revealed that it suffered a data breach in which information linked to its network was stolen. The data was then put up for sale on illicit sites, one of them BreachForums.

Reportedly, the hackers claim to have stolen the company's source code for its D-View network management software. They also claim to have compromised millions of personal data entries belonging to its customers and employees, along with those of its CEO.

The compromised data includes the victim’s names, addresses, emails, phone numbers, account registration dates, and the users' last sign-in dates.

After the attacker released samples of 45 stolen records with timestamps between 2012 and 2013, a thread participant noted that the data appeared to be very old.

The attacker stated, "I have breached the internal network of D-Link in Taiwan, I have 3 million lines of customer information, as well as source code to D-View extracted from system[…]This does include the information of MANY government officials in Taiwan, as well as the CEOs and employees of the company."

The stolen data has been available on the illicit forums since October 1st, with the hackers demanding a ransom of $500 for the stolen client data and purported D-View source code.

Data Stolen From a “Test Lab” System

According to D-Link, the security lapse happened as a result of a worker falling for a phishing scam, which gave the attacker access to the company's network.

After realizing what had transpired, the company quickly shut down possibly impacted systems in reaction to the hack, and all user accounts used for the investigation — except two — were disabled. 

D-Link further noted that the hackers had also gained access to one of its product registration systems, which was running on an old D-View 6 system that reached end of life in 2015, in what D-Link described as a "test lab environment."

However, D-Link did not make it clear as to why the end-of-life server was still running on the company’s network and was subsequently exposed to the Internet for the past seven years.

D-Link confirmed that the compromised system held only about 700 records, concerning accounts that had been inactive for at least seven years, in contrast to the attacker's assertion that millions of users' data had been stolen.

"Based on the investigations, however, it only contained approximately 700 outdated and fragmented records that had been inactive for at least seven years," D-Link stated. "These records originated from a product registration system that reached its end of life in 2015. Furthermore, the majority of the data consisted of low-sensitivity and semi-public information."

D-Link believes the threat actor intentionally altered the timestamps of recent logins in order to give the impression that more recent data theft occurred. The majority of the business's current clients aren't anticipated to be affected by this issue, the company added.  

Baphomet Revives BreachForums: Return of the Infamous Cybersecurity Platform

In recent days, BreachForums, one of the most well-known hacking forums on the dark web, was reported to have shut down after one of its top administrators was arrested by United States federal authorities, including the Federal Bureau of Investigation (FBI).

BreachForums was a popular dark web cybercrime forum that had grown into a significant platform for trafficking illicit content.

A wide range of topics were discussed on the site, including breaches of personal information, hacking, phishing, exploitation, and fraud against financial institutions. Many of its users traded stolen information, including databases, documents, and compromised accounts containing email addresses, passwords, and credit card details. Threat actors and cybercriminals used the forum as a means to communicate with each other.

On March 20, 2023, BreachForums, which had been one of the most popular forums for hacking and data leaks this year, ceased to exist. Conor Brian Fitzpatrick (also known as 'pompompurin') had been arrested for crimes relating to the website, and the site was closed down. The remaining administrator of the forum, Baphomet, claimed that law enforcement had accessed the forum's servers, which led him to shut it down.

It is believed that the shutdown was prompted by suspicions that law enforcement might have obtained access to the site's configuration, source code, and user information, which could be used to compile a report on the forum.

However, despite BreachForums being shut down and Raidforums being seized, those forums' databases are still easily accessible through top hacking forums such as XSS and Exploit, which are competing with BreachForums in popularity. 

In April 2022, after the arrest of Omnipotent, the founder of BreachForums, in the UK, the FBI confiscated and closed the site for violating its terms and conditions.

A sudden turn of events occurred on March 19, 2023, when Baphomet, the current admin of BreachForums, informed the public in an update that the hacking forum had been officially closed and had made its last post. However, he stressed that "it was not the end."

In addition, a Telegram account under the alias ShinyHunters (@shinycorp) has appeared alongside Baphomet and will be responsible for dealing with former BreachForums users. It has already begun disseminating information and updates about the forum's operations through its Twitter account, drawing the attention both of potential members and of those concerned about the forum's development.

The BreachForums community has been filling the void left behind by RaidForums last year in a major way, becoming a lucrative marketplace where stolen databases have been purchased and sold by a variety of organizations and companies. 

There has also been a development regarding the arrest of Conor Brian Fitzpatrick (aka pompompurin), who has been charged with one count of conspiracy to commit fraud against access devices.

Baphomet says that neither they nor Pompompurin currently has access to these domains.

The timing of the disinformation campaign was noted as suspicious. Baphomet posited that it was meant to undermine the revived community's credibility.

There is no doubt that the resurrected BreachForums presents a promising opportunity to its loyal users. However, Baphomet said that it would continue to warn against a "continued campaign against the community" and a "disinformation campaign", without providing any details regarding the campaign.

On April 4th, 2023, an online hacking forum was established under a name similar to the one seized by the FBI in April 2022: RaidForums. There has been no indication that the admins of the new forum are affiliated with the old one in any way. Besides forums for discussing hacking and leaks, there are sections dedicated to a marketplace, tutorials, and exchanges. The forum, launched on April 9, 2023, currently has 1,725 members and plans to grow.

In the wake of BreachForums' closure, cybercriminals have faced the challenge of finding a replacement forum, which has affected the cybercriminal community. The emergence of forums such as LeakBase and RAID FORUM, however, indicates that there is still a large demand for such platforms, where stolen data is traded and hacking is discussed, and suggests that this market will continue to grow.

Usage of top hacking forums such as XSS and Exploit has already risen sharply as a result of these migrations. That such platforms exist on the deep and dark web, and that they can be monitored to give the cybersecurity community an accurate picture of evolving threats and their sources, shows once again why monitoring the dark web in general, and dark web platforms in particular, is so important.

An Arrested Administrator Shut Down the Notorious Hacking Forum

An FBI officer has arrested a former administrator and owner of an infamous hacker forum that exposed data on companies such as HDB Financial Services, Rail Yatri, Acer, WhatsApp, Truecaller India, Hyundai India, Skoda India, etc. 

According to the FBI, a man was arrested last week who is suspected of being "Pompompurin", the administrator of the infamous and popular BreachForums website. As soon as the cybercrime website's remaining administrator was informed of the arrest, he announced plans to close the forum down permanently.

According to the FBI, a New York man has been arrested on suspicion of being Pompompurin, the owner of the BreachForums hacking forum. Documents filed in court indicate that he is charged with conspiracy to solicit an individual to sell an unauthorized access device. 

The defendant, Conor Brian Fitzpatrick, was allegedly arrested on a fraud charge and admitted to being Conor Brian Fitzpatrick during his arrest. It was also revealed that he was Pompompurin, the owner of the BreachForums cybercrime forum.

The suspect, Conor Brian Fitzpatrick, known to the public as "Pompompurin" or "Pom", has held a high-profile status online for several years and has long been a target of authorities. Under the pseudonym Pompompurin, Fitzpatrick claimed responsibility for the November 2021 attack on an FBI server, before founding the breachforums.com website in 2022.

In the alleged 2021 exploit, a million fake cybersecurity emails were sent from the FBI's eims@is.fbi.gov address, based on false information supplied by Fitzpatrick. The emails, bearing the subject line "threat actor in systems", described "a sophisticated chain attack" on the recipients' virtualized clusters and claimed that intelligence monitoring had reported the exfiltration of several of them.

In April 2022, an operation by U.S. and European law enforcement agencies led to the takedown of RaidForums, one of the most popular hacker forums on the regular internet at the time. Fitzpatrick, a regular member of RaidForums, is known to have gone on to run the most popular successor site after RaidForums was taken down.

There are countless hacking stories linked to BreachForums since its creation because it quickly developed into one of the most popular sites for selling stolen data, especially among independent hackers and other groups that are not associated with ransomware gangs or other ransomware threats. 

In the cybercriminal underground, Pompompurin gained a reputation as a well-known player involved in a wide range of activities, including hacking companies and selling or leaking stolen data through forums and social media networks.

He was also active on the RaidForums cybercrime forum.

It was Pompompurin's initiative to fill the void left by RaidForums' seizure by the FBI in 2022 by founding an independent forum called 'BreachForums.'

In recent years, it has been one of the largest forums of its kind, used by malicious users of ransomware and hackers to leak stolen information to the public. 

Earlier this week, a threat actor attempted to use BreachForums to sell the personally identifiable information of U.S. politicians stolen in a breach in Washington.

Washington Health Link is a healthcare provider for U.S. congressmen and women. Members of the House, their staff, and their families are affected by the breach.

Pompompurin has also been involved in various high-profile breaches of companies over the years, as BreachForums has become a force in cybercrime.

Several breaches have been reported, including sending bogus cyberattack emails through a vulnerability in the FBI's Law Enforcement Enterprise Portal (LEEP), stealing customer data from Robinhood, and allegedly confirming the email addresses of 5.4 million Twitter users using a bug.

BreachForums Mastermind Pompompurin Arrested in New York

Earlier this week, U.S. law enforcement officials arrested a New York man as part of their efforts to crack down on the infamous hacking forum BreachForums, which was run by an individual who used the alias “Pompompurin.”

According to Bloomberg Law, citing News 12 Westchester, federal investigators "had spent hours inside and outside a home in Peekskill" earlier this week.

Several bags of evidence were removed by investigators from the house at one point, according to a local news service based in New York. 

The suspect has been identified as Conor Brian Fitzpatrick as per an affidavit filed by the Federal Bureau of Investigation (FBI). He also admitted to owning the BreachForums website according to the affidavit. 

A special agent of the FBI, John Longmire, stated that the defendant's statements to him on March 15, 2023, showed that: 

a) he was Conor Brian Fitzpatrick; 
b) he referred to himself as 'pompompurin,' and 
c) he owned and administered a website called 'BreachForums.'

Fitzpatrick has been charged with conspiracy to solicit individuals to sell unauthorized access devices. It was announced that the defendant would be released from jail a day later after his parents signed a bond for $300,000. He is scheduled to appear at a hearing before the District Court for the Eastern District of Virginia on March 24, 2023.

Along with not being able to obtain a passport or other international travel documents, Fitzpatrick is being prohibited from contacting any of his co-conspirators, or using narcotics or other controlled substances unless he has a prescription from a licensed medical practitioner, among other restrictions. 

A coordinated law enforcement operation in March 2022 led to the seizure of RaidForums and the emergence of BreachForums last year. Security firm Flashpoint said at the time that pompompurin stated in the threat actor's welcoming thread that BreachForums was not affiliated with RaidForums in any way.

Because this forum has been hosting stolen databases belonging to several companies, which often include personal information that can be sensitive, the forum has gained notoriety since it was founded. 

Baphomet, a forum user who took over after Fitzpatrick's arrest, said they now owned the website and that Fitzpatrick had been its owner. In their report, they noted that no evidence was found that the forum's infrastructure had been accessed or modified in any way by anyone.

In the latest development, the Cyber Police of Ukraine announced the arrest of a 25-year-old developer who had created what they believe was an "app" for gaming, which infected over 10,000 computers with a remote access Trojan.