)
BreachForums, a notorious cybercrime site known for its involvement in the distribution of stolen data, hacking tools, and other illegal services has been hitting the headlines over the past month. In May 2024, the FBI announced it had seized control of the BreachForums platform, only for it to reappear 2 weeks later, trading credentials affecting 590million individuals.
FBI Seizure of BreachForums
The FBI, in coordination with international partners from Australia, Iceland, New Zealand, Switzerland, the U.K., the U.S., and Ukraine, successfully seized the BreachForums platform. The operation led to the seizure of both the clearnet and darknet versions of the site, which were found to be under the control of the FBI who replaced the website with a seizure banner. This action is part of a broader crackdown on cybercriminal activities facilitated by the forum.
Key Details
BreachForums operated on the clear-net with various domains (.cx, .is, .vc) under the administration of ShinyHunters from June 2023 until May 2024. This period marks the active phase of the platform before the seizure.
The FBI claims to have gained access to the backend data of BreachForums, which could include email addresses, IP addresses, and private messages among members – data that is crucial for ongoing investigations and potential future arrests. The seizure announcement did not specifically mention arrests directly tied to the takedown of BreachForums. However, the operation is part of a larger investigation.
A dedicated subdomain on the FBI's IC3 portal was set up to investigate BreachForums and Raidforums, indicating a focused effort to dismantle the infrastructure supporting these forums. However, a mere 2 weeks after the seizure, BreachForums was resurrected and trading once more at breachforums[.]st. The admin using the moniker ShinyHunters announced the return despite the FBI’s efforts, this was followed by posts from forum members selling data from two major attacks, the details of which are reported below:
Attack 1:
The attack targeted several financial institutions, with notable mentions of Ticketmaster and Christie’s auction house. Ticketmaster confirmed a breach affecting 560 million customers, with compromised data including names, email addresses, phone numbers, and partial credit card information. Christie’s reported a breach impacting 500,000 individuals, exposing names, phone numbers, email addresses, signatures, and financial records.
The attackers utilized BreachForums to coordinate the attack and potentially sell stolen data. The group behind the Ticketmaster attack, identified as ShinyHunters, claimed responsibility and offered the data for sale.
The initial intrusion vector remains under investigation. However, it is speculated that the attackers exploited vulnerabilities in third-party cloud database environments and possibly leveraged phishing or social engineering tactics to gain unauthorized access.
The attack demonstrates the use of sophisticated techniques, including the exploitation of system vulnerabilities and possibly the deployment of malware or ransomware in the case of Christie’s. The exact nature of the malware, if used, has not been disclosed.
Attack 2:
In June 2024, the healthcare sector experienced a critical data breach incident, with sensitive patient information being exposed on BreachForums. The exposed data includes patient medical records, personal identification information (PII), and potentially financial details.
Multiple healthcare organizations have been implicated in this breach. However, specific names of the affected entities are withheld in this report to maintain confidentiality and prevent further exploitation. The breach primarily involves organizations with inadequate security measures against modern cyber threats.
The exposure was first identified by cybersecurity researchers who monitor dark web forums for stolen data. BreachForums users began discussing the availability of a large dataset pertaining to healthcare information, which was subsequently verified by independent cybersecurity entities.
BreachForums played a pivotal role in this incident by serving as the platform for distributing the stolen healthcare data which was advertised and made available for purchase, indicating a monetization intent behind the breach.
Preliminary analysis suggests that the attackers exploited vulnerabilities in public-facing applications to gain unauthorized access. Specific CVEs and TTPs (Tactics, Techniques, and Procedures) used in the attack are currently under investigation.
The attackers likely employed automated scripts to extract vast amounts of data rapidly. Indicators of compromise (IoCs) associated with this activity include unusual outbound traffic patterns and suspicious server access logs.
Analysis of compromised systems has revealed the use of web shells for persistent access, enabling the attackers to conduct further operations undetected.
The initial seizure of BreachForums provides a unique opportunity to monitor the fallout within the cybercriminal community. Analysts should watch for shifts in communication platforms and marketplaces as users migrate to alternative forums, however as the resurrection of the forum came quickly, security teams should not underestimate the capabilities of cybercriminals running the operation.
)
)
)
)