This month we look at the newest and most concerning developments coming out of the hidden parts of the internet known as the dark web: complex ransomware attacks and the growing popularity of illicit marketplaces such as Abacus. The risks are greater than ever, with cybercriminals using social engineering and new AI tools to deceive people and organizations. Let’s walk through the notable dark web news and events from last month and see why they should concern everyone.
Millions of records from the MOVEit hack were made public on the dark web
A threat actor known as “Nam3L3ss” has posted at least 25 CSV datasets on the Breach Forums hacking site. The datasets contain millions of records from leading companies and were most likely stolen during last year’s MOVEit Transfer campaign, in which attackers exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer software, making it the most significant breach of 2023.
Israeli cybersecurity firm Hudson Rock reported that the stolen data includes employee directories from 25 major organizations, including Amazon, MetLife, Cardinal Health, HSBC, Fidelity, and US Bank. The directories contain detailed employee information: names, email addresses, phone numbers, cost center codes, and in some cases entire organizational structures. Amazon received the most negative press because 2.8 million Amazon records were exposed. Amazon spokesperson Adam Montgomery, however, stated that Amazon and Amazon Web Services systems remain secure and that the company had not experienced a security incident.
The case highlights the weaknesses of third-party apps
Third-party software remains one of the most significant and least manageable cybersecurity risks organizations face, even for massive and technically sophisticated enterprises. By the time companies react to such a vulnerability, it is typically already being exploited in the wild, sometimes before it is publicly disclosed, as happened with MOVEit Transfer. CISOs and their teams should take a proactive approach to third-party software: shift left, and use data to produce quick, accurate, and actionable risk assessments before a flaw is exploited. New CVEs in other managed file transfer products, such as SolarWinds Serv-U and CrushFTP, can lead to data theft as severe as last year’s MOVEit incident. Security teams often do not know who in the organization uses these tools, how they are configured, or whether they are exposed to the internet, which slows the response when a vulnerability is disclosed.
Companies can close these blind spots by continuously analyzing their attack surface from the outside, so that they know comprehensively what is exposed and what needs to be protected. Effective third-party risk management should not be a “nice-to-have” but a “must-have,” according to Nick Mistry, senior vice president and CISO at Lineaje. Businesses must implement thorough procedures to detect and address risks proactively, such as frequent security audits and assessments and ongoing monitoring of third-party software. In today’s threat landscape, the security of an ecosystem extends far beyond an organization’s own systems and infrastructure.
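As an added illustration of the outside-in exposure check described above (example code written for this page, not from the article, Lineaje, or any vendor tool), the script below fingerprints managed file transfer products from captured service responses and compares what is actually reachable with the team’s approved inventory. The hostnames, response text, fingerprint patterns and inventory are constructed assumptions; the patterns in particular must be validated against real captures before anyone relies on them.

```python
"""Outside-in exposure check for managed file transfer (MFT) products.

Added example. The fingerprint patterns, hostnames, captured responses and
inventory below are constructed for illustration; validate the patterns
against real captures before relying on them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (product, pattern over the raw response text). Illustrative only.
FINGERPRINTS = (
    ("MOVEit Transfer", re.compile(r"MOVEit Transfer", re.I)),
    ("CrushFTP", re.compile(r"CrushFTP", re.I)),
    ("Serv-U", re.compile(r"Serv-U", re.I)),
)
# A dotted version number, optionally prefixed with "v".
VERSION = re.compile(r"\bv?(\d+(?:\.\d+)+)")


@dataclass(frozen=True)
class Observation:
    host: str
    port: int
    response: str  # HTTP status line + headers + body, or an FTP banner


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    product: str
    version: Optional[str]
    reason: str


def fingerprint(response: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (product, version-or-None) if the response looks like an MFT product."""
    for product, pattern in FINGERPRINTS:
        match = pattern.search(response)
        if match:
            # Only look for a version right after the product name, so that
            # "HTTP/1.1" or an IIS version elsewhere is not mistaken for it.
            tail = response[match.end():match.end() + 40]
            version = VERSION.search(tail)
            return product, (version.group(1) if version else None)
    return None


def review_exposure(observations: List[Observation],
                    inventory: Dict[str, str]) -> List[Finding]:
    """Flag exposed MFT services that the inventory (host -> product) does not
    know about, or records under a different product than what is observed."""
    findings: List[Finding] = []
    for obs in observations:
        hit = fingerprint(obs.response)
        if hit is None:
            continue
        product, version = hit
        expected = inventory.get(obs.host)
        if expected is None:
            reason = "not in inventory"
        elif expected != product:
            reason = f"inventory says {expected}"
        else:
            continue  # known and correctly recorded
        findings.append(Finding(obs.host, obs.port, product, version, reason))
    return findings


# Constructed sample captures (not real hosts).
SAMPLE_OBSERVATIONS = [
    Observation("files.example.com", 443,
                "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n\r\n"
                "<title>MOVEit Transfer</title>"),
    Observation("xfer.example.net", 8080,
                "HTTP/1.1 200 OK\r\nServer: CrushFTP HTTP Server\r\n\r\n"
                "<title>CrushFTP WebInterface</title>"),
    Observation("ftp.example.org", 21,
                "220 Serv-U FTP Server v15.4 ready...\r\n"),
    Observation("www.example.com", 443,
                "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<title>Example</title>"),
]
# What the team believes is deployed (assumed inventory).
APPROVED = {"files.example.com": "MOVEit Transfer", "ftp.example.org": "CrushFTP"}

if __name__ == "__main__":
    for f in review_exposure(SAMPLE_OBSERVATIONS, APPROVED):
        print(f"{f.host}:{f.port} exposes {f.product} {f.version or ''} ({f.reason})")
```

In practice the observations come from a scheduled external scan of the organization’s own IP ranges and DNS names; the point of the inventory comparison is that a host running an MFT product nobody recorded, or a different product than recorded, is exactly the blind spot that turns a newly disclosed CVE into a slow response.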
Prison layouts were leaked on the dark web
The Ministry of Justice (MoJ) has confirmed a data breach affecting prisons in England and Wales. Confidential prison layouts were leaked onto the dark web over the past two weeks, and a former prison governor warned that organized crime groups could use the information to smuggle drugs or weapons into prisons or to plan escapes. The leak is believed to be linked to organized crime groups that already use drones to fly drugs into prisons; the blueprints could help them evade security measures. The leaked plans show key security features such as cameras and sensors, making it easier for criminals to bypass them or exploit weaknesses.
The Cabinet Office and the Prison Service are working to identify the source of the breach and to assess who might benefit from the information. The National Crime Agency has provided advisory support but is not investigating the incident. The MoJ says it has taken immediate action to ensure prisons remain secure.
490 million Instagram accounts listed for sale on the dark web
A threat actor on a popular dark web forum claims to have scraped a massive dataset containing over 489 million Instagram user records, allegedly including both public and non-public information. The actor says the data was collected over the last three months through the Instagram API. The post has drawn attention across the cybersecurity community and raised questions about the privacy impact on Instagram users worldwide. The dataset reportedly includes usernames, full names, first names, email addresses, biographies, external URLs, account categories, targeted usernames, follower and following counts, location information, account creation dates, and user and scrape IDs.
The threat actor provided a sample of over 100 records as a glimpse of what they allegedly obtained: email addresses and location data alongside the usual public information such as usernames and follower counts. Such a mix of public and potentially private information could expose Instagram users to numerous security and privacy threats, such as targeted phishing.
A dark web cryptocurrency laundering leader has been sentenced to 12.5 years in prison
Roman Sterlingov, operator of Bitcoin Fog, the longest-running money laundering service in dark web history, has been sentenced to 12 years and six months in US prison and ordered to give up roughly half a billion dollars. He ran the cryptocurrency mixing service for a decade, from 2011 to 2021, during which Bitcoin Fog processed 1.2 million bitcoin, worth roughly $400 million when it was shut down. Sterlingov was ordered to pay $395,563,025.39 in restitution, forfeit approximately $1.76 million in seized assets, and relinquish control of Bitcoin Fog’s wallet, which holds more than $100 million in bitcoin. Most of Sterlingov’s wealth came from the proceeds of crime that he and his service helped criminals hide from law enforcement.
The crimes associated with that activity included drug sales, computer misuse offenses, identity theft, and child sexual abuse material (CSAM). The downfall of Bitcoin Fog will not significantly dent criminals’ use of cryptocurrency mixers, but investigators will be pleased that a service as heavily relied upon as Sterlingov’s could be scuppered and distrust sown throughout the community of criminals who use them. Mixers make investigators’ jobs harder by pooling all users’ funds together and redistributing them after taking a cut. While mixers are not illegal in most jurisdictions, they are widely abused and should be shut down to prevent that abuse.
Kaspersky predicts a nearly 25% increase in retail-related cyber threats ahead of Black Friday
Between January and November 2024, Kaspersky solutions blocked 38,473,274 phishing attacks impersonating online shops, payment systems, and banks. Stolen payment card data is then traded on dark web forums at prices ranging from $70 to $315 per set.
That total is almost a quarter higher than the 30,803,840 attempts recorded over the same period in 2023, and 44% of the attacks used banking services as bait. Scammers often impersonate major retailers such as Amazon, Walmart, and Etsy, sending deceptive emails that promise exclusive discounts. The emails link to fake websites built to mimic the legitimate ones, usually betrayed only by subtle errors such as misspellings or slightly altered domain names; victims who try to shop on them typically lose their money. Another widespread scam plays on the desire to win prizes, with messages promoting limited-time surveys and prize draws for rewards such as a free iPhone 14. Kaspersky experts have traced the paths of this fraudulent activity and found that stolen data is either exploited directly by the scammers or sold on dark web marketplaces, with the price set by the value of the data.
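The “slightly altered domain names” above are detectable before a victim ever clicks. The script below is an added example (not from the article or from Kaspersky) of the triage a security team can run over newly registered domains or proxy logs: it folds common visual substitutions, measures edit distance against a set of protected brands, and catches the brand name hidden in a subdomain or a hyphenated label. The brand list, homoglyph table and sample domains are constructed assumptions.

```python
"""Lookalike-domain triage for the brands retail phishing campaigns imitate.

Added example. The brand list, homoglyph table and sample domains are
constructed for illustration; they are not from the article or Kaspersky.
"""
from typing import List, Optional, Tuple

# Brands to protect (assumed) and the registrable domains they own.
BRAND_DOMAINS = ("amazon.com", "walmart.com", "etsy.com", "paypal.com")
BRANDS = tuple(d.split(".")[0] for d in BRAND_DOMAINS)

# Character sequences that visually stand in for a letter. Folding "rn" to
# "m" also rewrites ordinary words ("modern" -> "modem"), so a hit is a
# signal to review, not proof of abuse.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"))


def fold(label: str) -> str:
    """Lower-case a DNS label and collapse visual lookalikes to the letter they imitate."""
    label = label.lower()
    for lookalike, letter in HOMOGLYPHS:
        label = label.replace(lookalike, letter)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, List[str]]:
    """Return (registrable domain, subdomain labels).
    Assumption: the registrable domain is the last two labels. Production code
    should consult the Public Suffix List so that names like shop.example.co.uk
    are split correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def classify(domain: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand) for one hostname."""
    registrable, subs = split_domain(domain)
    if registrable in BRAND_DOMAINS:
        return "legitimate", registrable.split(".")[0]
    sld = registrable.split(".")[0]
    folded = fold(sld)
    for brand in BRANDS:
        if brand in subs:                       # amazon.com-secure-deals.info
            return "brand-in-subdomain", brand
        if sld == brand:                        # amazon.net
            return "brand-on-other-tld", brand
        if folded == brand:                     # amaz0n.com, arnazon.com
            return "homoglyph", brand
        # One edit is allowed only for longer brand names; for a four-letter
        # brand such as etsy a single edit matches too many ordinary words.
        if len(brand) >= 6 and levenshtein(folded, brand) == 1:
            return "typosquat", brand           # wallmart.com, amazn.com
        if brand in folded.split("-"):          # etsy-giveaway.net
            return "brand-token", brand
    return "clean", None


def scan(domains: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify every domain, e.g. from a newly-registered-domain feed or proxy logs."""
    return [(d,) + classify(d) for d in domains]


# Constructed sample input.
SAMPLE_DOMAINS = ["amazon.com", "amaz0n.com", "arnazon.com", "wallmart.com",
                  "amazon.com-secure-deals.info", "etsy-giveaway.net",
                  "paypa1.com", "example.com"]

if __name__ == "__main__":
    for domain, verdict, brand in scan(SAMPLE_DOMAINS):
        print(f"{domain:32} {verdict:20} {brand or '-'}")
```

Internationalized (punycode, `xn--`) homographs are deliberately out of scope here; they need script-mixing checks on the decoded label rather than the ASCII folding shown, and the two-label registrable-domain assumption should be replaced with the Public Suffix List before this runs against real traffic.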
8,100 banks and financial institutions brace for fallout as hackers reveal a significant data breach on the dark web
Thousands of banks and financial institutions worldwide are bracing for further developments following a third-party data breach. Finastra, a financial services software giant, has confirmed that it detected suspicious activity on an internal file transfer system. The breach, first reported by cybersecurity journalist Brian Krebs, came to light after someone claimed to have 400 gigabytes of compressed data taken from the firm. Finastra works with 8,100 financial institutions, including 45 of the world’s 50 largest banks. Early findings suggest the breach may involve sensitive data from major banking clients, including financial records and transaction details, and confidential information about Finastra’s own operations and services may also be at risk. The company has written to clients about its ongoing investigation, stating that the affected system remains isolated while the investigation continues and that identifying the source of the compromise is a priority.
A man who live-streamed a child sex assault has been jailed
Wooly Spencer, a 34-year-old man from Exeter, has been sentenced to up to 25 years in prison after livestreaming himself on the dark web sexually assaulting a young girl. Spencer was arrested in March after the Australian Federal Police alerted the National Crime Agency (NCA) to the video; investigators also found 163 indecent images of children. He had earlier been found guilty of numerous offenses, including assault of a child under 13, sexual assault of a child under 13, causing a child under 13 to engage in sexual activity, attempted rape, engaging in sexual activity in the presence of a child, causing a child to watch sexual activity, and making and distributing indecent images of children. The NCA identified Spencer by examining the video and recognizing the room he was in and his tattoos.
Nigel Wraith, prosecuting, said there was no evidence of severe psychological harm to the victim and that Spencer had no previous convictions for sexual offenses. Judge James Adkin described the case as “repugnant” and Spencer as “a hazardous man.” NCA operations manager Holly Triggs said the victims in the case had suffered the most abhorrent sexual abuse, purely for the sexual gratification of Spencer and of others like him online. Spencer will serve 13 years before he is eligible to apply for parole and will remain on the sex offenders register for life.