Security News, 7 June 2024

Pandabuy was extorted twice by the same threat actor

7 June 2024 at 13:26

Chinese shopping platform Pandabuy previously paid a ransom demand to an extortion group that extorted the company again this week.

The story of the attack against the Chinese shopping platform Pandabuy shows that paying a ransom to an extortion group is a risky choice for victims.

BleepingComputer first reported that Pandabuy had previously paid a ransom to an extortion group to prevent stolen data from being published, but the same threat actor extorted the company again this week.

In April, at least two threat actors claimed the hack of the PandaBuy online shopping platform and leaked data of more than 1.3 million customers on a cybercrime forum.

BreachForums member ‘Sanggiero’ announced the leak of data allegedly stolen by exploiting several critical vulnerabilities in Pandabuy’s platform and API. Sanggiero said that he breached the platform together with another threat actor named ‘IntelBroker.’

PandaBuy has been breached by Threat Actors operating under the names "Sanggiero" and "IntelBroker". Exfiltrated data includes:

– UserId
– First name
– Last name
– Phone number
– Email
– Login Ip
– Full address
– Order information

Breach patrons are relatively excited pic.twitter.com/Gg0HLEMSj1

— vx-underground (@vxunderground) April 1, 2024

Stolen data included UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, and Country.

“In April 2024, almost 3M+ rows of data from the store company Pandabuy was posted to a popular hacking forum. The data was stolen by exploiting several critical vulnerabilities in the platform’s API and other bugs were identified allowing access to the internal service of the website. The data contained 3M+ unique UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, Country, and so on. The website was breached by @Sanggiero and @IntelBroker.” reads the announcement published by BreachForums.

The data is available for sale on the cybercrime forum; Sanggiero published a sample as proof of the data breach.

HIBP founder Troy Hunt confirmed that 1.3 million of the email addresses are valid; the remaining addresses are duplicates. Hunt added the leaked addresses to HIBP, so users can check whether they have been impacted by the incident.

A company representative said on a Discord channel that the security breach had taken place in the past, adding that the company’s security team stated no data breach had occurred this year.

On June 3, 2024, Sanggiero offered the entire database he had previously stolen from Pandabuy for sale at $40,000. The actor claims the database contains more than 17 million lines, greater than the initial dataset offered in April, which included 1.3 million lines.

“A Pandabuy spokesperson admitted to BleepingComputer that they had paid the hacker an undisclosed amount to stop the data leak, adding that the threat actor may have shared the data with others, so they would no longer cooperate with him.” reported BleepingComputer.

The company attempted to downplay the incident, saying that the data offered by Sanggiero is the same as that of the previous leak.

Pandabuy added that it could not continue paying the ransom because its funds were frozen, and that it had in any case addressed the vulnerabilities exploited in the original attack. The company speculates that the threat actors had “secretly sold” its data to other cybercriminals.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, cybercriminals)

Security News, before 7 June 2024

A new Linux version of TargetCompany ransomware targets VMware ESXi environments

6 June 2024 at 17:58

A new Linux variant of the TargetCompany ransomware family targets VMware ESXi environments using a custom shell script.

A new variant of the TargetCompany ransomware family uses a custom shell script as a means of payload delivery and execution; this is the first time the technique has been observed in the wild for this family.

The script is also used for data exfiltration: the stolen data is sent to two different servers so that the ransomware actors have a backup copy of the information.

The new Linux-based variant was specifically designed to target VMware ESXi environments.


TargetCompany has been active since June 2021; once it has encrypted a file, it appends the .mallox, .exploit, .architek, or .brg extension to the encrypted file’s name.

Like other ransomware, TargetCompany removes shadow copies on all drives and kills some processes that may hold open valuable files, such as databases.

In February 2022, Czech cybersecurity software firm Avast released a decryption tool that could allow victims of the TargetCompany ransomware to recover their files for free under certain circumstances.

The threat actors behind TargetCompany are now also targeting virtualization environments to expand the scope of their attacks and cause greater damage and disruption. The ransomware operators have added the capability to detect whether a machine is running in a VMware ESXi environment by executing the “uname” command.

If the system name matches “vmkernel,” it indicates the machine is running VMware’s ESXi hypervisor. The malware then enters “VM mode” to encrypt files with specific extensions.

Once executed, the ransomware drops a text file named TargetInfo.txt that contains victim information. Like the Windows variant of the ransomware, the content of the file TargetInfo.txt is then sent to a C2 server.

Once the encryption process is completed, it drops a ransom note file named “HOW TO RECOVER !!.TXT” in all folders containing encrypted files. The malware appends the “.locked” extension to the encrypted filenames.
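The indicators described above (the dropped TargetInfo.txt, the “HOW TO RECOVER !!.TXT” note and the “.locked” extension, plus the “vmkernel” check) lend themselves to a simple post-incident hunt over a datastore. The following is an added example written for this article, not Trend Micro’s or the ransomware’s code; the directory layout it builds is constructed sample data, and the verdict thresholds are the author’s own assumptions.

```python
"""Constructed hunt helper for the TargetCompany Linux/ESXi indicators
described in the article: the dropped TargetInfo.txt, the ransom note
'HOW TO RECOVER !!.TXT' and the '.locked' extension on encrypted files.
Added example, not code from Trend Micro or from the malware."""
import os
import shutil
import tempfile

RANSOM_NOTE = "HOW TO RECOVER !!.TXT"   # note dropped in every folder with encrypted files
VICTIM_INFO = "TargetInfo.txt"          # victim profile sent to the C2
LOCKED_EXT = ".locked"                  # extension appended to encrypted files


def looks_like_esxi(uname_sysname):
    """Mirror the malware's host check from the defender's side: the report
    says the sample enters 'VM mode' when uname reports 'vmkernel'. Use it to
    decide whether a host is in scope for the ESXi-specific file patterns."""
    return "vmkernel" in uname_sysname.strip().lower()


def scan_for_targetcompany(root):
    """Walk a directory tree and collect TargetCompany indicators.

    Returns a dict with the ransom note paths, the TargetInfo.txt paths,
    a per-directory count of '.locked' files, and a triage verdict:
      'encrypted'  - ransom note found beside '.locked' files (post-encryption state)
      'suspicious' - only some indicators present (e.g. TargetInfo.txt alone)
      'clean'      - nothing matched
    """
    findings = {"ransom_notes": [], "victim_info": [], "locked_per_dir": {}}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(path)
            elif name == VICTIM_INFO:
                findings["victim_info"].append(path)
            elif name.endswith(LOCKED_EXT):
                count = findings["locked_per_dir"].get(dirpath, 0)
                findings["locked_per_dir"][dirpath] = count + 1

    if findings["ransom_notes"] and findings["locked_per_dir"]:
        findings["verdict"] = "encrypted"
    elif findings["ransom_notes"] or findings["victim_info"] or findings["locked_per_dir"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


def build_sample_tree(root):
    """Create a constructed datastore layout: one VM folder hit by the
    ransomware, one untouched VM folder, and TargetInfo.txt at the top level."""
    hit = os.path.join(root, "datastore1", "vm1")
    untouched = os.path.join(root, "datastore1", "vm2")
    os.makedirs(hit)
    os.makedirs(untouched)
    for name in ("vm1.vmdk.locked", "vm1.vmx.locked", RANSOM_NOTE):
        with open(os.path.join(hit, name), "w") as fh:
            fh.write("constructed sample\n")
    with open(os.path.join(untouched, "vm2.vmdk"), "w") as fh:
        fh.write("constructed sample, not encrypted\n")
    with open(os.path.join(root, VICTIM_INFO), "w") as fh:
        fh.write("constructed victim profile\n")


def demo():
    """Build the constructed tree in a temporary directory, scan it, clean up
    and return the findings so the result can be inspected or asserted on."""
    root = tempfile.mkdtemp(prefix="targetcompany_hunt_")
    try:
        build_sample_tree(root)
        return scan_for_targetcompany(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("verdict:", result["verdict"])
    for directory, n in result["locked_per_dir"].items():
        print(f"{n} encrypted file(s) in {directory}")
```

On a real host the scan would be pointed at the datastore mount point, and `looks_like_esxi(platform.uname().system)` tells you whether the ESXi-specific patterns apply at all.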

“The IP address used to deliver the payload and exfiltrate a victim’s system information has not yet been observed in previous TargetCompany campaigns. Based on research, this IP address is hosted by China Mobile Communications, an internet service provider (ISP) in China.” reads the report published by Trend Micro. “The certificate also was recently registered and is valid for only three months, indicating that it might be intended for short-term use.”

Trend Micro linked the sample analyzed by its researchers to an affiliate named “vampire,” which was identified through data sent to its C2 server. The experts believe that larger campaigns with high ransom demands and extensive IT system targeting are ongoing. “Vampire” may be connected to an affiliate mentioned in a report published by Sekoia.

Malicious actors are continually enhancing their TTPs, as demonstrated by the emergence of TargetCompany’s new Linux variant. The latest development allows the operators to broaden their range of potential victims by targeting VMware ESXi environments.

Trend Micro also published the indicators of compromise for this threat.

Pierluigi Paganini


(SecurityAffairs – hacking, ransomware)

FBI obtained 7,000 LockBit decryption keys, victims should contact the feds to get support

6 June 2024 at 10:04

The FBI is informing victims of LockBit ransomware it has obtained over 7,000 LockBit decryption keys that could allow some of them to decrypt their data.

The FBI is inviting victims of LockBit ransomware to come forward because it has obtained over 7,000 LockBit decryption keys that could allow them to recover their encrypted data for free.

“Additionally, from our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online.” said Bryan Vorndran, the Assistant Director at the FBI Cyber Division, during the 2024 Boston Conference on Cyber Security. “We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov.” 

In February, a joint law enforcement action code-named Operation Cronos conducted by law enforcement agencies from 11 countries temporarily disrupted the LockBit ransomware operation.


This call to action comes after law enforcement took down LockBit’s infrastructure in February 2024 in an international operation dubbed “Operation Cronos.”

The operation led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.

The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.

The seized Tor leak site is now used by the NCA to publish updates on the law enforcement operation and to provide support to the gang’s victims.

The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.

Law enforcement also had access to data stolen from the victims of the ransomware operation, a circumstance that highlights the fact that even when a ransom is paid, the ransomware gang often fails to delete the stolen information.

“LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. Over the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down.” reads the NCA’s announcement. “The technical infiltration and disruption is only the beginning of a series of actions against LockBit and their affiliates. In wider action coordinated by Europol, two LockBit actors have been arrested this morning in Poland and Ukraine, over 200 cryptocurrency accounts linked to the group have been frozen.”

The NCA and its global partners have secured over 1,000 decryption keys that will allow victims of the gang to recover their files for free. The NCA reached out to victims based in the UK providing support to help them recover encrypted data.

“This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.” said National Crime Agency Director General, Graeme Biggar.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.”

The free decryptor for the Lockbit ransomware can be downloaded from the website of the ‘No More Ransom’ initiative. It’s unclear which version of the ransomware is targeted by the decryptor.

The FBI, the UK National Crime Agency, and Europol have also unmasked the identity of the admin of the LockBit ransomware operation, aka ‘LockBitSupp’ and ‘putinkrab’, and issued sanctions against him. It was the first time that the admin of the notorious group had been identified by law enforcement.

The man is a Russian national named Dmitry Yuryevich Khoroshev (31) of Voronezh, Russia.

“The sanctions against Russian national Dmitry Khoroshev (pictured), the administrator and developer of the LockBit ransomware group, are being announced today by the FCDO alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.” reads the press release published by NCA.

The NCA states that Khoroshev will now be subject to a series of asset freezes and travel bans.

“Khoroshev, AKA LockBitSupp, who thrived on anonymity and offered a $10 million reward to anyone who could reveal his identity, will now be subject to a series of asset freezes and travel bans.” continues the NCA.

According to the UK agency, data retrieved from the systems belonging to the ransomware gang revealed that from June 2022 to February 2024 the criminals had orchestrated over 7,000 attacks. The most targeted countries included the US, UK, France, Germany, and China.

However, despite the law enforcement operation, the LockBit group is still active and has targeted dozens of organizations since February.

LockBit is a prominent ransomware operation that first emerged in September 2019. In 2022, LockBit was one of the most active ransomware groups, and its prevalence continued into 2023. Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation operated under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks through the utilization of LockBit ransomware tools and infrastructure.

According to a joint report published by US authorities and international peers, the total of U.S. ransoms paid to LockBit is approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020.

Pierluigi Paganini


(SecurityAffairs – hacking, ransomware)

RansomHub operation is a rebranded version of the Knight RaaS

6 June 2024 at 07:54

Researchers believe the RansomHub ransomware-as-a-service is a rebranded version of the Knight ransomware operation.

Cybersecurity experts who analyzed the recently emerged RansomHub ransomware operation speculate that it is a rebranded version of the Knight ransomware.

Knight, also known as Cyclops 2.0, appeared in the threat landscape in May 2023. The malware targets multiple platforms, including Windows, Linux, macOS, ESXi, and Android. The operators used a double extortion model for their RaaS operation.

Knight ransomware-as-a-service operation shut down in February 2024, and the malware’s source code was likely sold to the threat actor who relaunched the RansomHub operation. RansomHub claimed responsibility for attacks against multiple organizations, including Change Healthcare, Christie’s, and Frontier Communications.

Researchers at Symantec, part of Broadcom, discovered multiple similarities between the RansomHub and Knight ransomware families, suggesting a common origin:

  • Both are written in Go and use Gobfuscate for obfuscation.
  • They share extensive code overlaps.
  • The command-line help menus used by the two malware are identical, except for a ‘sleep’ command on RansomHub.
  • Both employ a unique obfuscation technique with uniquely encoded important strings.
  • The ransom notes from both Knight and RansomHub show significant similarities, with many phrases from Knight’s note appearing verbatim in RansomHub’s, indicating that the developers likely edited and updated the original note.
  • Both payloads restart endpoints in safe mode before encryption.
  • The sequence and method of command execution are the same, though RansomHub now uses cmd.exe for execution.

However, although the two malware families share origins, it is unlikely that the authors of Knight are now operating RansomHub.

“One main difference between the two ransomware families is the commands run through cmd.exe. While the specific commands may vary, they can be configured either when the payload is built or during configuration. Despite the differences in commands, the sequence and method of their execution relative to other operations remain the same.” states the report published by Symantec.

Although RansomHub only emerged in February 2024, it has rapidly grown and, over the past three months, has become the fourth most prolific ransomware operator based on the number of publicly claimed attacks.


“One factor contributing to RansomHub’s growth may be the group’s success in attracting some large former affiliates of the Noberus (aka ALPHV, Blackcat) ransomware group, which closed earlier this year. One former Noberus affiliate known as Notchy is now reportedly working with RansomHub. In addition to this, tools previously associated with another Noberus affiliate known as Scattered Spider, were used in a recent RansomHub attack.” concludes the report that also provides Indicators of Compromise. “The speed at which RansomHub has established its business suggests that the group may consist of veteran operators with experience and contacts in the cyber underground.”

Pierluigi Paganini


(SecurityAffairs – hacking, ransomware)

A ransomware attack on Synnovis impacted several London hospitals

4 June 2024 at 21:23

A ransomware attack that hit the provider of pathology and diagnostic services Synnovis severely impacted the operations of several London hospitals.

A ransomware attack on pathology and diagnostic services provider Synnovis has severely impacted operations at several major NHS hospitals in London. The attack forced the impacted hospitals to cancel some healthcare procedures; in some cases patients were redirected to other hospitals.

Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics.

In a post published on its website, Synnovis disclosed it was the victim of a ransomware attack.

“On Monday 3 June, Synnovis – a partnership between two London-based hospital Trusts and SYNLAB – was the victim of a ransomware cyberattack. This has affected all Synnovis IT systems, resulting in interruptions to many of our pathology services.” reads the statement published by the company. “Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised.”

The pathology and diagnostic services provider has launched an investigation into the security breach with the help of experts from the NHS. The experts are working to fully assess the impact of the attack and to take the appropriate action to contain the incident. The company also announced they are working closely with NHS Trust partners to minimise the impact on patients and other service users.

🚨 NEW: Operations across 2 major London hospitals @GSTTnhs & @KingsCollegeNHS have been cancelled due to a cyber attack, with all transplant surgery at @RBandH axed. Problem is affecting pathology labs incl blood transfusions. Trauma cases at Kings being sent to other sites: pic.twitter.com/zmtsq6c0zL

— Shaun Lintern (@ShaunLintern) June 4, 2024

Below is the message sent by Professor Ian Abbs, Chief Executive Officer of Guy’s and St Thomas’ NHS Foundation Trust:

"Dear Colleague

I am writing to update you about the ongoing critical incident that is currently affecting our pathology services. I can confirm that our pathology partner Synnovis experienced a major IT incident earlier today, which is ongoing and means that we are not currently connected to the Synnovis IT servers. This incident is also affecting King’s College Hospital NHS Foundation Trust and primary care across south east London.

This is having a major impact on the delivery of our services, with blood transfusions being particularly affected. Some activity has already been cancelled or redirected to other providers at short notice as we prioritise the clinical work that we are able to safely carry out.

I recognise how upsetting this is for patients and families whose care has been affected, and how difficult and frustrating this is for you all. I am very sorry for the disruption this is causing. An incident response structure has been stood up, with colleagues from across the Trust meeting regularly to assess the situation and put contingency plans into place. All clinical groups are represented on this, so please do direct any clinical or operational questions to your clinical group or directorate leadership as appropriate. While we do not yet know all the details or how long this issue will take to resolve we will keep you updated through the usual routes, including through the clinical alert system."

The NHS London published a statement on Synnovis ransomware attack confirming that the incident is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London.

“On Monday 3 June Synnovis, a provider of lab services, was the victim of a ransomware cyber attack. This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families.” reads the statement.

“Emergency care continues to be available, so patients should access services in the normal way by dialling 999 in an emergency and otherwise using 111, and patients should continue to attend appointments unless they are told otherwise. We will continue to provide updates for local patients and the public about the impact on services and how they can continue to get the care they need.”

At this time, the company has yet to provide details about the attack, such as the malware family that infected its systems and whether it has suffered a data breach.

In April, Synlab Italia, the Italian branch of the SYNLAB group, experienced disruptions due to a Blackbasta cyber attack. The company suspended all activities at sampling points, medical centers, and laboratories in Italy.

Pierluigi Paganini


(SecurityAffairs – hacking, ransomware)

RansomHub gang claims the hack of the telecommunications giant Frontier Communications

4 June 2024 at 18:02

The RansomHub ransomware group added the American telecommunications company Frontier Communications to the list of victims on its Tor leak site.

The RansomHub ransomware group claimed to have stolen the information of over 2 million customers from the American telecommunications company Frontier Communications. The RansomHub group claims to have stolen 5GB of data from the telecommunications giant.


The stolen data includes names, email addresses, SSNs, credit scores, dates of birth, and phone numbers.

“Data is more than 2 million customer with address name email ssn credit score date of birth and phone number. We gave frontier 2 months to contact us but they don’t care about clients data. Below is screenshot of some of the data.” reads the message published by the group. “Now anyone who wants to buy this data can contact our blog support, we only sell it once.”

In April, Frontier Communications notified the Securities and Exchange Commission (SEC) that it had to shut down certain systems following a cyberattack. The incident was identified on April 14, after an unauthorized threat actor gained access to parts of its IT environment.

The company launched an investigation into the security breach and started operations to contain the incident.

“Based on our investigation, we have determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information.” reads the Form 10-Q (quarterly report of financial performance) filed by the company with the SEC in May. “While we do not believe the incident is reasonably likely to materially impact our financial condition or results of operations, we continue to investigate the incident, have engaged cybersecurity experts, and have notified law enforcement authorities.”

The company did not provide details about the attack and has yet to disclose the number of the impacted people.

RansomHub has published an image of the stolen records as proof of the data breach and threatens to publish the stolen data if the victim does not pay the ransom within nine days.

At the end of May, the auction house Christie’s disclosed a data breach following a RansomHub cyber attack that occurred in the same month.

The extortion group said they had stolen 2GB of sensitive information, including personal information belonging to at least 500,000 Christie’s clients.

Pierluigi Paganini


(SecurityAffairs – hacking, ransomware)

Cybercriminals attack banking customers in EU with V3B phishing kit – PhotoTAN and SmartID supported.

4 June 2024 at 16:53

Resecurity uncovered a cybercriminal group that is providing a sophisticated phishing kit, named V3B, to target banking customers in the EU.

Resecurity has uncovered a new cybercriminal group providing a Phishing-as-a-Service (PhaaS) platform that equips fraudsters with a sophisticated kit (known as “V3B”) to target banking customers in the EU.

“Currently, it is estimated that hundreds of cybercriminals are using this kit to commit fraud, leaving victims with empty bank accounts. Their Telegram channel has over 1,255 members, a significant indicator of the scale and scope of the malicious activity being promoted by the group.” reads the report published by Resecurity. “The majority of members on this Telegram channel are skilled cybercriminals who specialize in various forms of fraud. These include:

  • Social engineering tactics
  • SIM swapping schemes
  • Banking and credit card fraud”

The attackers use various social engineering and spoofing tactics to trick victims into revealing their sensitive information; the kit supports real-time interaction with the victim, which is used to abuse and bypass MFA (Multi-Factor Authentication).

The kit is designed to intercept sensitive information, including banking credentials, credit card and personal information, and OTP/TAN codes. Besides traditional tokens (such as SMS code), the kit supports QR Codes and PhotoTAN method (widely used in Germany and Switzerland), which may indicate that fraudsters are monitoring the latest MFA/2FA technologies implemented by banks and seeking to exploit possible bypass methods to defraud their customers.

V3B phishing kit supports over 54 financial institutions (based in Austria, Belgium, France, Finland, Greece, Germany, Italy, Netherlands, Norway, Poland, Spain), featuring customized and localized templates to mimic authentication and verification processes of major online banking, e-commerce, cryptocurrency providers and payment systems in the EU.

Technical details about the phishing kit are included in the report published by Resecurity: https://www.resecurity.com/blog/article/cybercriminals-attack-banking-customers-in-eu-with-v3b-phishing-kit

Pierluigi Paganini


(SecurityAffairs – hacking, V3B)

Spanish police shut down illegal TV streaming network

3 June 2024 at 12:40

Spanish police dismantled a pirated TV streaming network that allowed its operators to earn over 5,300,000 euros since 2015.

The Spanish National Police dismantled a network that illicitly distributed audiovisual content, earning over 5,300,000 euros since 2015. The police arrested eight individuals in Las Palmas de Gran Canaria, Madrid, Oviedo, and Málaga, and searched two homes. The police also blocked 16 IPTV content distribution websites. According to the announcement, the investigation began in November 2022, following a complaint by the Alliance for Creativity and Entertainment against those responsible for two websites allegedly marketing videographic content that violated intellectual property rights.

The international criminal organization was using advanced technology to capture and decrypt satellite signals in order to illegally distribute over 130 international TV channels and thousands of movies and series. The organization illicitly distributed the content to over 14,000 subscribers. The authorities arrested the key members of the organization and seized two computers, a vehicle, and 80,000 euros in bank accounts. The police identified the servers used by the gang and blocked 16 web pages, redirecting users to a National Police website informing them of the law enforcement operation.

“This international criminal organization used the latest technology and the most advanced technical devices to capture signals emitted via satellite in many countries. They subsequently amplified them and decrypted the multimedia content they transported, content that they then distributed publicly and illegally.” reads the press release published by the Spanish Police. “In total, more than 130 international television channels and thousands of movies and series that they made available to citizens around the world, a service for which they charged each of their more than 14,000 subscribers between 10 and 19 euros per month, or between 90 and 169 euros per year – depending on the type of subscription -, with the consequent damage to the rights of the authors, producers and distributors of these artistic works.”

The Alliance for Creativity and Entertainment (ACE), the world’s leading anti-piracy coalition, applauded the Spanish National Police for the operation against the large-scale illegal IPTV service TVMucho (also known as Teeveeing). This is the first criminal action in Spain against an operation of this size and scope.

TVMucho/Teeveeing had more than 4 million visits in 2023 and offered more than 125 channels, including major networks like BBC, ITV, Sky, and RTL.

“We commend the Spanish National Police for protecting the intellectual property rights of dozens of ACE members through this successful raid,” said Karyn Temple, Senior Executive Vice President and Global General Counsel for the Motion Picture Association (MPA). “The operation reinforces ACE’s commitment to partnering with regional authorities in identifying and confronting digital copyright infringement. We look forward to continuing our joint mission to protect the creative economy in Spain and beyond.”

Let me remind you that subscribers to illegal streaming services can also be investigated and fined by law enforcement.

Pierluigi Paganini

(SecurityAffairs – hacking, Spanish police)

Experts found information of European politicians on the dark web

3 June 2024 at 07:08

Personal information of hundreds of British and EU politicians is available on dark web marketplaces.

According to research conducted by Proton and Constella Intelligence, the email addresses and other sensitive information of 918 British MPs, European Parliament members, and French deputies and senators are available on dark web marketplaces. 40% of the 2,280 official government email addresses from the British, European, and French Parliaments that were searched had been exposed, in some cases together with passwords, birth dates, and other details.

British MPs were the most exposed (68% of the searched email addresses were found), followed by EU MEPs (44%).


The researchers pointed out that French deputies and senators had the best security, with only 18% of searched emails in cybercrime forums and dark marketplaces.

Many of these MPs, MEPs, deputies, and senators hold senior positions, including heads of committees, government ministers, and senior opposition leaders. These politicians have access to highly sensitive information, and particularly alarming is that several of them are currently, or have previously been, members of committees tasked with overseeing and enforcing national and international digital strategies.

The presence of the emails on the dark web shows that the politicians used their official addresses to create accounts on third-party web services that later suffered a data breach.

“The fact that these emails, which are publicly available on government websites, are on the dark web isn’t a security failure by itself. Nor is it evidence of a hack of the British, European, or French parliaments.” reads the report. “Instead, it shows that politicians used their official email addresses to set up accounts on third-party websites (which were later hacked or suffered a breach), putting themselves and the information they’re entrusted to keep safe needlessly at risk.” 

Even more concerning is that the researchers were able to match these email addresses with 697 plaintext passwords. The experts notified the impacted politicians and pointed out that if a politician reused one of these exposed passwords for their official email account, that account could also be at risk.


The figures for British MPs are the most striking: 68% of the searched email addresses were found on the dark web, including those of senior figures from both the government and the opposition. MPs’ email addresses were exposed a total of 2,110 times, with the most frequently affected MP appearing in up to 30 breaches; on average, a breached MP appeared in 4.7 breaches.

Members of the European Parliament experienced fewer breaches than their British counterparts, but nearly half of the searched emails were found on the dark web. Of the 309 MEPs exposed, 92 appeared in 10 or more leaks. EU politicians’ email addresses were exposed 2,311 times in total, alongside 161 plaintext passwords. This is concerning because the European Parliament has increasingly become a target of state-sponsored attacks and has acknowledged its lack of preparedness.

Impacted politicians had used their official email addresses to create accounts on several sites, including LinkedIn, Adobe, Dropbox, Dailymotion, petition websites, news services, and even, in a small number of cases, dating websites.

“Even if a hostile takeover of one of these accounts won’t grant an attacker (or foreign government) access to state secrets, it could reveal that politician’s private communications or other sensitive data. Attackers could then use this information to phish or blackmail the politicians.” concludes the report.

“And this is the best possible scenario. If a breached politician reused a password that was exposed on the dark web on one of their official accounts (and failed to use two-factor authentication), it could let attackers into government systems.”
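The practical check that follows from the report is whether a password you still use appears in breach data, and whether it is shared across accounts, without ever sending the password anywhere. The script below is an added example, not code from the Proton/Constella report; it implements the k-anonymity scheme used by the Pwned Passwords range API (only the first five hex characters of the SHA-1 hash leave the machine, and the caller compares the returned suffixes locally). The range reply it parses is constructed inline so it runs offline, and the counts in it are made up; the `audit_accounts` helper and its account labels are hypothetical.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a Pwned Passwords "range" reply, keyed by the 5-hex-char
# SHA-1 prefix. A live client would GET
# https://api.pwnedpasswords.com/range/<prefix> and parse the same
# "SUFFIX:COUNT" lines; only the prefix ever leaves the machine.
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the first
# line below matches it. The other lines and every count are made up.
SAMPLE_RANGE_REPLIES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:17\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_reply(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix] = int(count)
    return counts


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call: returns the constructed reply, or nothing."""
    return SAMPLE_RANGE_REPLIES.get(prefix, "")


def breach_count(password: str, fetch_range=offline_fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 if absent)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_reply(fetch_range(prefix)).get(suffix, 0)


def audit_accounts(accounts: dict, fetch_range=offline_fetch_range) -> tuple:
    """accounts maps an account label to its password. Returns
    (exposed: {label: breach count}, reused: groups of labels sharing a password).
    Reuse is detected on a local hash, so the comparison never touches plaintext
    beyond this process."""
    exposed = {}
    by_hash = defaultdict(list)
    for label, password in accounts.items():
        count = breach_count(password, fetch_range)
        if count:
            exposed[label] = count
        by_hash[hashlib.sha256(password.encode("utf-8")).hexdigest()].append(label)
    reused = sorted(sorted(group) for group in by_hash.values() if len(group) > 1)
    return exposed, reused


if __name__ == "__main__":
    # Hypothetical account set illustrating the report's scenario: one password
    # shared between an official mailbox and a third-party site.
    exposed, reused = audit_accounts({
        "official-mailbox": "password",
        "linkedin": "password",
        "dropbox": "correct horse battery staple",
    })
    print("exposed:", exposed)
    print("reused across:", reused)
```

To use it against the live service, replace `offline_fetch_range` with a function that performs the GET for the prefix and returns the response body; the parsing and comparison stay the same.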

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, dark web)

Ticketmaster confirms data breach impacting 560 million customers

1 June 2024 at 20:20

Ticketmaster owner Live Nation confirmed the Ticketmaster data breach that compromised the data of 560 million customers.

ShinyHunters, the current administrator of BreachForums, recently claimed the hack of Ticketmaster and offered for sale 1.3 TB of data, including full details of 560 million customers, for $500,000. Stolen data includes names, emails, addresses, phone numbers, ticket sales, and order details.

This week Ticketmaster owner Live Nation confirmed the data breach that compromised the data of 560 million customers.

On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened. On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.

As of the date of this filing, the incident has not had, and we do not believe it is reasonably likely to have, a material impact on our overall business operations or on our financial condition or results of operations. We continue to evaluate the risks and our remediation efforts are ongoing.

Threat actors had access to a third-party cloud database environment containing company data. According to the Form 8-K that Live Nation filed with the US Securities and Exchange Commission, the company identified the unauthorized activity on May 20, 2024, and immediately launched an investigation with forensic investigators; on May 27, 2024, a week later, a threat actor offered what it alleged to be company user data for sale via the dark web.

Live Nation notified regulatory authorities and impacted users.

BleepingComputer reported that ShinyHunters told Hudson Rock co-founder Alon Gal that the group breached both Santander and Ticketmaster. The threat actor claimed the data was stolen from the cloud data platform Snowflake by using credentials, obtained through information-stealing malware, to access a Snowflake employee’s ServiceNow account. The attackers then used those credentials to exfiltrate data, including auth tokens for accessing customer accounts, and claimed to have used the same method to steal data from other companies.
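The claimed vector, a password lifted by an infostealer and replayed against a cloud data platform with no second factor, leaves a recognisable trace in sign-in logs: a successful password-only login from an address the account has never used. The script below is an added example, not Snowflake's, Ticketmaster's or the researchers' code, and it runs over constructed sign-in records embedded inline. The field names mirror columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, which is an assumption made here; the user names, IPs and factor values are invented.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in records for this example. The field names mirror columns
# of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (an assumption made
# here for illustration); any identity provider's sign-in log carries the same
# information under other names.
SAMPLE_LOGINS = [
    # Baseline period: an analyst signing in from the office egress IP with MFA.
    {"event_timestamp": "2024-05-01T08:02:11", "user_name": "ANALYST_A",
     "client_ip": "203.0.113.10", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES"},
    {"event_timestamp": "2024-05-03T08:05:40", "user_name": "ANALYST_A",
     "client_ip": "203.0.113.10", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES"},
    # Baseline period: a pipeline service user with key-pair auth from the ETL host.
    {"event_timestamp": "2024-05-02T00:00:05", "user_name": "ETL_SVC",
     "client_ip": "198.51.100.7", "first_authentication_factor": "RSA_KEYPAIR",
     "second_authentication_factor": None, "is_success": "YES"},
    # Detection period: a failed password attempt from an unfamiliar address.
    {"event_timestamp": "2024-05-20T03:39:50", "user_name": "ANALYST_A",
     "client_ip": "192.0.2.55", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "NO"},
    # Detection period: password-only success from that unfamiliar address.
    {"event_timestamp": "2024-05-20T03:41:09", "user_name": "ANALYST_A",
     "client_ip": "192.0.2.55", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES"},
    # Detection period: the service user from its usual host, as every night.
    {"event_timestamp": "2024-05-20T00:00:04", "user_name": "ETL_SVC",
     "client_ip": "198.51.100.7", "first_authentication_factor": "RSA_KEYPAIR",
     "second_authentication_factor": None, "is_success": "YES"},
]

# Logins before this instant form the per-user baseline; later ones are scored.
DETECTION_CUTOFF = datetime(2024, 5, 15)


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def is_password_only(row: dict) -> bool:
    """True when the session was opened with a password and nothing else."""
    return (row["first_authentication_factor"] == "PASSWORD"
            and not row["second_authentication_factor"])


def build_ip_baseline(logins, cutoff=DETECTION_CUTOFF) -> dict:
    """Map each user to the source IPs of its successful logins before cutoff."""
    baseline = defaultdict(set)
    for row in logins:
        if row["is_success"] == "YES" and parse_ts(row["event_timestamp"]) < cutoff:
            baseline[row["user_name"]].add(row["client_ip"])
    return baseline


def find_suspicious_logins(logins, cutoff=DETECTION_CUTOFF) -> list:
    """Successful password-only logins, after cutoff, from an IP the user has
    never used before. A stolen password replayed by an infostealer operator
    from their own infrastructure matches exactly this pattern."""
    baseline = build_ip_baseline(logins, cutoff)
    hits = []
    for row in sorted(logins, key=lambda r: r["event_timestamp"]):
        if parse_ts(row["event_timestamp"]) < cutoff or row["is_success"] != "YES":
            continue
        known_ips = baseline.get(row["user_name"], set())
        if is_password_only(row) and row["client_ip"] not in known_ips:
            hits.append({"user_name": row["user_name"],
                         "client_ip": row["client_ip"],
                         "event_timestamp": row["event_timestamp"]})
    return hits


def password_only_users(logins) -> list:
    """Users who have ever opened a session with a password alone: the
    inventory to work through when enforcing MFA or key-pair authentication."""
    return sorted({row["user_name"] for row in logins
                   if row["is_success"] == "YES" and is_password_only(row)})


if __name__ == "__main__":
    for hit in find_suspicious_logins(SAMPLE_LOGINS):
        print("ALERT password-only login from new IP:", hit)
    print("accounts still usable with a password alone:",
          password_only_users(SAMPLE_LOGINS))
```

The rule is deliberately narrow so that a key-pair service user running from its usual host, or an MFA-backed interactive login, never fires; the second function is the list you hand to whoever owns the platform so that password-only access is switched off rather than merely watched.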

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ShinyHunters)

Crooks stole more than $300M worth of Bitcoin from the exchange DMM Bitcoin

1 June 2024 at 14:17

Crooks stole approximately 48.2 billion yen ($304 million) worth of Bitcoin from the Japanese cryptocurrency exchange DMM Bitcoin.

The Japanese cryptocurrency exchange DMM Bitcoin announced that crooks stole 4,502.9 Bitcoin (BTC), approximately $304 million (48.2 billion yen), from its wallets.

“At approximately 1:26 p.m. on Friday, May 31, 2024, we detected an unauthorized leak of Bitcoin (BTC) from our wallet. We are still investigating the details of the damage, but the following is what we know at this stage. We have already taken measures to prevent the unauthorized leak, but we have also implemented restrictions on the use of some services to ensure additional safety.

We deeply apologize for any inconvenience caused to our customers.” reads a message published by the exchange on its website. The page is currently unavailable.

The company assured that the customers’ Bitcoin (BTC) deposits will be fully guaranteed.

In response to the heist, DMM Bitcoin limited the following services:

・ Screening of new account openings
・ Processing of cryptocurrency withdrawals
・ Suspension of buying orders for spot trading (only selling orders accepted)
・ Suspension of new open positions for leveraged trading (only settlement orders accepted)

The company added that limit orders for spot trading and leveraged trading that have already been placed will not be canceled and that withdrawals of Japanese Yen may take longer than usual.

DMM Bitcoin has yet to provide details about the attack.

Cryptocurrency security firm Elliptic reported that this incident would be the eighth-largest crypto heist of all time, and the largest since the $477 million hack suffered by FTX, in November 2022. Elliptic also confirmed it has identified the wallets involved in the attack.


Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Bitcoin)
