Deep and Dark Web Round Up

Weekly Highlights

  • U.S. Sanctions Chinese Cybersecurity Firm and Indicts Chinese National

  • Black Basta Ransomware Employs New Social Engineering Techniques

  • Romania’s Election Infrastructure Targeted by Cyber Attacks

  • Members of Cybercrime Gang Arrested in Belgium and the Netherlands

Malware/Ransomware

U.S. Sanctions Chinese Cybersecurity Firm and Indicts Chinese National

In a December 10 press release, the U.S. Department of the Treasury (USDT) announced its sanctioning of the Chinese cybersecurity firm Sichuan Silence Information Technology Company for its role in the targeting of firewalls worldwide in April 2020. Companies targeted in the series of ransomware attacks also included U.S. critical infrastructure companies. The U.S. Department of Justice (DOJ) has also charged a Sichuan Silence employee—Guan Tianfeng—for his involvement in the same hacking campaign.

Black Basta Ransomware Employs New Social Engineering Techniques

The known ransomware operation Black Basta has been observed using new social engineering techniques to distribute different sets of payloads, including Zbot and DarkGate. The change in tactics has been observed since October 2024, with cybersecurity firm Rapid7 releasing a new report this month detailing the evolution. Analysts at Rapid7 observed a notable increase in activity associated with the campaign in early October; the firm had previously released reports detailing the group’s tactics in August and May this past year.

Threat Actor Activity

Romania’s Election Infrastructure Targeted by Cyber Attacks

On December 4, Romania’s top security council declassified reports from its intelligence agencies which revealed an extensive influence operation carried out by Russia against the Romanian presidential election. According to the agencies’ findings, Romania’s election infrastructure was the target of over 85,000 cyber attacks. Furthermore, in the weeks leading up to the first round of the presidential election, intelligence agencies identified 25,000 TikTok accounts supporting Călin Georgescu, a far-right candidate who has “vowed to end all Romanian aid to neighboring Ukraine.”

Members of Cybercrime Gang Arrested in Belgium and the Netherlands

Eight suspects have been arrested in Belgium and the Netherlands in an operation launched in 2022 and supported by Europol. The suspects were arrested for their involvement in an international cybercrime network, specifically for their roles in committing “large-scale ‘phishing’ campaigns and trying to gain access to financial data by phone or online.” The suspects also impersonated police and banking staff.

Notable Leaks and Breaches

On December 7, a threat actor on BreachForums claimed to have leaked data from Argentina.gob.ar, Argentina’s official online portal. According to the post, the breach occurred on December 7. The database allegedly contains 11292132 rows.

 

  • PharmaWeb

On December 12, a threat actor on BreachForums claimed to have leaked data from PharmaWebCanada, a prescription marketing broker based in Canada. According to the post, the breach occurred in November 2024. Compromised data includes names, emails, addresses, phone numbers, affiliates, and cards.

 

  • MYWEBSPORT

On December 12, a threat actor on BreachForums claimed to have leaked data from MYWEBSPORT, an Austrian “IT and laser based solution for semi-virtual table-to-table billiards at remote locations.” The BreachForums user claims to have stolen the data from a breach impacting the company in December 2024.

 

About DarkOwl

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index, and rank darknet, deep web, and high-risk surface net data, allowing for simplicity in searching.

Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability to be queried in a safe and secure manner without having to access the darknet itself.

DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. As importantly, DarkOwl data is ethically and safely collected from the darknet, allowing users secure and anonymous access to information and threats relevant to their mission. Our passion, our focus, and our expertise is the darknet. 

For more information, visit www.darkowl.com.
