Monitoring The Dark Web & Discovering The Breach

As part of our continuous monitoring of 4000+ Surface, Deep & Dark Web Forums for data breaches, we discovered this data being traded early last week, while it has been openly published for public consumption on the 5th of August 2020.

The data contains 29,186,600 rows of user data and the hacker has suggested that the initial breach took place in January 2020.

Zoosk Data Breach Published on Dark Web Forums

Inside The Zoosk Data Breach

The data contains two tables:

User Table
id, first_name, last_name, user_nicename, user_email, email_status, user_status, widget_guid, sex, interested_in, relationship, birthday, location_id, latitude, longitude, zipcode, country, discoverable, user_activation_key, media_request_id, user_registered, last_login, lastdailable_flatched migrated, height, ethnicity, education, religion, politics, children, smoking, drinking, bodytype, income, pets, settings, currency_id, balance, provider_map, photo_source, photo_count, locale_id, timezone_id, source, is_remarketed_to, dscore, rscore, sscore

Tig Users Table
uid, user_id, sha1_user_id, user_pw, last_login, last_logout, online_status, failed_logins, account_status

General Recommendations

Even though passwords were not leaked, threat actors can use the email addresses to send spam, phishing emails, and launch other online scams.

So, as a rule of thumb:

• Use strong passwords.
• Enable multi-factor authentication for all your online accounts.
• Don’t open unsolicited email attachments and links, especially from senders you don’t recognise.
• Don’t share OTPs with third-parties.
• Review online accounts and financial statements periodically.
• Regularly update your apps and any other software you use.

The post Zoosk Data Breach Published on Darkweb Forum – 29 Million Users Impacted appeared first on ShadowMap.

About the CVE-2019-11510 Pulse VPN Server Vulnerability

The critical vulnerability (CVE-2019-11510) in Pulse Secure Pulse Connect Secure, allows an unauthenticated remote attacker to arbitrary read files stored on the PCS device. The vulnerability affects versions 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4 of the platform.

ShadowMap’s Cyber Threat Intelligence modules have checks integrated for this vulnerability since May 2019 and will have corresponding alerts for any vulnerable servers.

Timeline

• April 24, 2019 – Pulse Secure releases initial advisory and software updates addressing multiple vulnerabilities.
• May 28, 2019 – Large commercial vendors get reports of vulnerable VPN through HackerOne.
• July 31, 2019 – Full use of exploit demonstrated using the admin session hash to get complete shell.
• August 8, 2019 – Meh Chang and Orange Tsai demonstrate the VPN issues across multiple vendors (Pulse Secure) with detailed attack on active VPN exploitation.
• August 24, 2019 – Bad Packets identifies over 14,500 vulnerable VPN servers globally still unpatched and in need of an upgrade.
• October 7, 2019 – The National Security Agency (NSA) produces a Cybersecurity Advisory on Pulse Secure and other VPN products being targeted actively by advanced persistent threat actors.
• October 16, 2019 – The CERT Coordination Center (CERT/CC) releases Vulnerability Note VU#927237: Pulse Secure VPN contains multiple vulnerabilities.
• January 2020 – Media reports cybercriminals now targeting unpatched Pulse Secure VPN servers to install REvil (Sodinokibi) ransomware.

Monitoring The Dark Web & Discovering The Breach

The initial disclosure of the breach was made by Pulse Secure through an advisory in April 2019. This vulnerability was found to be mass exploited over the last 8-9 months with a large number of vulnerable servers found to be publicly open. As part of our continuous monitoring of 4000+ Surface, Deep & Dark Web Forums, around the 4th of August, we picked up posts on various Deep & Dark Web forums where attackers had published a dump of 1800 vulnerable servers along with several sensitive details.

Inside The 1800 Vulnerable Pulse VPN Servers

On analysing the data set, we found that the leak includes the following details for each of the 1800 IP addresses listed:

• IP addresses of Pulse Secure VPN servers
• Pulse Secure VPN server firmware version
• SSH keys for each server
• A list of all local users and their password hashes
• Admin account details
• Last VPN logins (including usernames and cleartext passwords)
• VPN session cookies

On further analysis, we found several Indian entities that were a part of this breach.

Multi Commodity Exchange (MCX India)

The compromised VPN server was running the vulnerable firmware version 8.3.3.59199  included 8 internal users and 6 active sessions at the time of the breach.

MCX India Data Leak Vulnerable Pulse VPN Servers

ICRA

The compromised VPN server was running the vulnerable firmware version 9.0.3.64015 and included 4 internal users and 6 active sessions at the time of the breach.

ICRA Data Leak Vulnerable Pulse VPN Servers

Panasonic owned Anchor Electricals

The compromised VPN server was running the vulnerable firmware version 8.3.7.65013 and included 665 internal users and 374 active sessions including both internal users and several third party consultants as well.

Anchor Panasonic Data Leak Vulnerable Pulse VPN Servers

General Recommendations

• Apply the patch as recommended by Pulse Secure.
• Review your patch management process to identify & address gaps
• Implement a hardware token, OTP or certificate based authentication to add a second factor check
• If you are a ShadowMap customer, review your Threat Intelligence alerts to identify all currently open vulnerabilities that need to be mitigated.

The post Hackers Publish 1800 Vulnerable Pulse VPN Servers – Includes MCX India, ICRA & Panasonic appeared first on ShadowMap.

Monitoring The Dark Web & Discovering The Breach

The initial disclosure of the breach was made by Dunzo it self on the 11th of July 2020. As part of our continuous monitoring of 4000+ Surface, Deep & Dark Web Forums for data breaches, we discovered this database being sold on DarkWeb forums around the first week of July 2020.

The forum post claims that the data contains 8,493,681 rows of user data and the hacker has suggested that the initial breach took place in June 2020. On analysing the breach data, we found there were 5,969,986 rows of data published as part of this leak and the breach itself took place around the 20th of June 2020.

Dunzo Data Breach Published on Dark Web Forums

Inside The Dunzo Data Breach

The database contains a single table: Users_DunzoUser

id, password, last_login, is_superuser, uuid, first_name, last_name, email, phone, country_code, type, status, device_token, phone_type, phone_make, date_joined, last_updated, secret_key, app_version, registered_on, registered_platform character, send_logistics_pricing, send_logistics_pricing_image_format, last_pricing_version_shared, preferred_mode_of_payment, credit_amount, credit_score, maximum_retries_count, profile_data_updated_on_firebase, merchant_id, permission_role, user_status, flow_version, extra_data_json, city_id, current_runner_task_id, source, first_known_location, last_known_location, referral_code, referred_by_code, advertising_id, device_id, bucket_id

The passwords in the database seem to be stored using Django Password Hashes (Salted SHA 256 hash with 20000 iterations), while some users don’t have a password string in the database since they are most likely using social or OTP based login. In-addition to the email addresses, mobile numbers, IP addresses & password hashes the GPS locations of the users while they installed and last used the application along with details about their phone devices are also available.

Dunzo Data Breach

General Recommendations

Since the password hashes have been leaked, there is a significantly likelihood of password stuffing attacks taking place against various platforms where the same email / mobile and password are being used. In-addition to this, threat actors can use the email addresses to send spam, phishing emails, and launch other online scams.

So, as a rule of thumb:

• Use strong passwords.
• Enable multi-factor authentication for all your online accounts.
• Don’t open unsolicited email attachments and links, especially from senders you don’t recognise.
• Don’t share OTPs with third-parties.
• Review online accounts and financial statements periodically.
• Regularly update your apps and any other software you use.

The post Dunzo Data Breach Published on DarkWeb Forum – 6 Million Users Impacted appeared first on ShadowMap.