The notorious online criminal marketplace, BreachForums, has made a swift comeback just two weeks following a major coordinated law enforcement operation spearheaded by the United States that dismantled its infrastructure and seized its assets. This resurgence has raised significant alarm among cybersecurity experts and organizations alike.
Cybersecurity analysts and dark web monitors, including Brett Callow, Dark Web Informer, and FalconFeeds, confirmed that BreachForums has reappeared at the domain breachforums[.]st. The site’s revival is attributed to an individual operating under the alias ShinyHunters, who has reportedly begun selling a massive 1.3 terabyte database that allegedly contains personal information on approximately 560 million Ticketmaster customers for $500,000.
The leaked data, as disclosed, includes sensitive information such as full names, addresses, email addresses, phone numbers, ticket sales history, and even the last four digits of credit card numbers along with their expiration dates. Taken together, these fields make the risk to affected individuals and organizations alike plain.
Interestingly, the new site requires visitors to create an account to access this content, which could suggest an attempt to establish a more secure environment for illicit transactions or a tactic to trap unwitting users. This development follows a recent law enforcement raid that secured various domain names associated with BreachForums and hints at the possibility of arrests among its key operators, including the alleged masterminds Baphomet and ShinyHunters.
The FBI has emphasized its commitment to scrutinizing the backend operations of the recently seized sites. Although it remains ambiguous if the individual behind the ShinyHunters pseudonym is indeed the original hacker of the same name, reports suggest they regained control of one of the seized domains from the registrar NiceNIC.
Notably, within the cybersecurity community, concerns have been raised about the possibility that the re-emerging site could serve as a honeypot to detect and trap cybersecurity professionals monitoring dark web activities. Such tactics align with various adversary techniques outlined in the MITRE ATT&CK framework, particularly under tactics for initial access and persistence, suggesting a strategic approach to elude law enforcement scrutiny.
BreachForums initially surfaced in March 2022 after the closure of RaidForums, and has undergone various iterations since then. The Department of Justice (DoJ) and the FBI have not provided public comments regarding their recent takedown actions or the current status of BreachForums.
Ticketmaster Confirms Data Breach
Following this alarming online activity, Ticketmaster’s parent company, Live Nation, announced on May 31, 2024, a confirmed data breach involving the theft of data from a third-party cloud service. While precise details regarding the cloud provider remain undisclosed, speculation points towards Snowflake based on findings from cybersecurity firm Hudson Rock.
The breach reportedly stemmed from a compromised employee account using ServiceNow credentials obtained through a malicious campaign involving Lumma Stealer. This breach not only highlights the vulnerabilities associated with third-party integrations but also underscores how threat actors exploit information-stealing software to facilitate broader cyberattacks, a tactic that has surged approximately 6,000% since 2018.
Hudson Rock notes that the compromised credentials were also utilized to infiltrate other organizations, including Santander, which confirmed it had suffered a breach affecting customers in multiple countries such as Chile, Spain, and Uruguay. Snowflake has acknowledged the spike in malicious activity and stated it’s investigating unauthorized access incidents, indicating that threat actors may have first accessed an employee’s demo account through compromised credentials. The company has urged its clients to review their security settings and their two-factor authentication configuration.
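The credential-reuse pattern described above (stolen password, no second factor, login from an address the user never used before) is something a tenant can look for in its own login history. The following is an added example, not code from the article or from Snowflake: it scans constructed login records whose field names mirror the columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, flags every successful password-only login, and ranks highest those that come from a non-corporate address the user has not used in the baseline window. The corporate IP range, user names and addresses are all constructed placeholders (RFC 5737 documentation addresses), and the script never connects to a real account.

```python
"""Flag successful password-only logins in a cloud data platform's login
history and rank those from unfamiliar, non-corporate addresses highest.

Added example. The records are constructed; field names mirror the columns of
Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view, but nothing here
queries a real tenant.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class LoginEvent:
    event_timestamp: datetime
    user_name: str
    client_ip: str
    reported_client_type: str
    first_authentication_factor: str
    second_authentication_factor: str | None   # None means no second factor was used
    is_success: bool


@dataclass(frozen=True)
class Finding:
    user_name: str
    client_ip: str
    event_timestamp: datetime
    severity: str    # "HIGH" or "MEDIUM"
    reason: str


# Constructed placeholder for an organisation's known egress ranges.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample login history. "bob" has MFA disabled and is later used
# from an address outside the corporate range, the pattern stolen credentials
# from an infostealer log would produce.
SAMPLE_EVENTS = [
    LoginEvent(_ts("2024-05-01 09:02"), "alice", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(_ts("2024-05-10 08:47"), "alice", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(_ts("2024-05-12 10:15"), "bob", "203.0.113.22", "SNOWFLAKE_UI", "PASSWORD", None, True),
    LoginEvent(_ts("2024-05-28 03:21"), "bob", "198.51.100.77", "PYTHON_DRIVER", "PASSWORD", None, True),
    LoginEvent(_ts("2024-05-29 03:40"), "carol", "198.51.100.5", "JDBC_DRIVER", "PASSWORD", None, False),
    LoginEvent(_ts("2024-05-30 11:05"), "alice", "192.0.2.9", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(_ts("2024-05-30 11:30"), "dave", "192.0.2.44", "PYTHON_DRIVER", "SAML2_ASSERTION", None, True),
]


def is_corporate_ip(ip: str) -> bool:
    """True when the address falls inside one of the configured corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def find_password_only_logins(events, baseline_days: int = 30) -> list[Finding]:
    """Return one Finding per successful password-only login, in time order.

    HIGH:   the address is outside corporate ranges and the user has not
            logged in from it within the previous `baseline_days`.
    MEDIUM: password-only login from a familiar or corporate address; MFA is
            still not enforced for this user.
    Failed attempts and logins with a second factor or SSO/key-based first
    factor are not reported.
    """
    findings: list[Finding] = []
    seen: dict[str, dict[str, datetime]] = {}   # user -> {ip: last successful login}
    for ev in sorted(events, key=lambda e: e.event_timestamp):
        if not ev.is_success:
            continue
        known = seen.setdefault(ev.user_name, {})
        window_start = ev.event_timestamp - timedelta(days=baseline_days)
        familiar = ev.client_ip in known and known[ev.client_ip] >= window_start
        password_only = (ev.first_authentication_factor == "PASSWORD"
                         and ev.second_authentication_factor is None)
        if password_only:
            if not familiar and not is_corporate_ip(ev.client_ip):
                findings.append(Finding(ev.user_name, ev.client_ip, ev.event_timestamp, "HIGH",
                                        "password-only login from an address this user has not "
                                        "used recently, outside corporate ranges"))
            else:
                findings.append(Finding(ev.user_name, ev.client_ip, ev.event_timestamp, "MEDIUM",
                                        "password-only login; MFA not enforced for this user"))
        known[ev.client_ip] = ev.event_timestamp   # successful logins extend the baseline
    return findings


def users_missing_mfa(events) -> set[str]:
    """Users with at least one successful login that used no second factor."""
    return {f.user_name for f in find_password_only_logins(events)}


if __name__ == "__main__":
    for f in find_password_only_logins(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.event_timestamp:%Y-%m-%d %H:%M} {f.user_name:6} {f.client_ip:15} {f.reason}")
```

The MEDIUM findings are the inventory a tenant would use to enforce MFA before an incident; the HIGH finding is the one that warrants an immediate credential reset and session review, since it matches the shape of a stolen password being replayed from infrastructure the user never used. Against a real tenant the same logic would run over rows pulled from the login history view, with the corporate ranges replaced by the organisation's own egress addresses.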
Despite the revelation of a former employee’s demo account being accessed, Snowflake asserts that no sensitive organizational data was compromised, reiterating that the access did not penetrate any production-level or corporate systems. In light of these incidents, business leaders and stakeholders must stay alert to their own exposure as cyber threats grow more sophisticated.
Note: This article has been updated to include information about the Ticketmaster breach.