AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 12/01/2021

Ransomware Group Rebrands Multiple Times to Evade Detection

A mid-sized ransomware group known for targeting healthcare and education sector organizations has repeatedly rebranded over the past year to avoid scrutiny, according to Mandiant. The “54BB47h” (Sabbath) group first appeared on the radar in September when it advertised for affiliate partners, the threat intelligence firm said. Unusually for a ransomware group, it provides these affiliates with their own pre-configured Cobalt Strike Beacon backdoor payloads. While this posed a challenge for Mandiant’s attribution efforts, it also offered a starting point for its investigation. “Mandiant Advanced Practices began proactively identifying similar Beacon infrastructure across past Mandiant Consulting engagements, Advanced Practices external adversary discovery programs, and commercially available malware repositories,” it explained. “Through this analysis, Advanced Practices linked the new Sabbath group to ransom activity under previously used names including Arcane and Eruption.”


FBI seized $2.3M from affiliate of REvil, Gandcrab ransomware gangs

The FBI seized $2.3 million in August from a well-known REvil and GandCrab ransomware affiliate, according to court documents seen by BleepingComputer. In a complaint unsealed today, the FBI seized 39.89138522 bitcoins worth approximately $2.3 million at current prices ($1.5 million at time of seizure) from an Exodus wallet on August 3rd, 2021. Exodus is a desktop or mobile wallet that owners can use to store cryptocurrency, including Bitcoin, Ethereum, Solana, and many others. The FBI does not state how they gained access to the wallet other than that it is in their custody, indicating that they likely gained access to the wallet’s private key or secret passphrase. “The United States of America files this verified complaint in rem against 39.89138522 Bitcoin Seized From Exodus Wallet (“the Defendant Property”) that is now located and in the custody and management of the Federal Bureau of Investigation (“FBI”) Dallas Division, One Justice Way, Dallas Texas,” reads the United States’ Complaint for Forfeiture. 


DNA testing firm discloses data breach affecting 2.1 million people

DNA Diagnostics Center (DDC), an Ohio-based DNA testing company, has disclosed a hacking incident that affects 2,102,436 persons. The incident resulted in a confirmed data breach that occurred between May 24, 2021, and July 28, 2021, and the firm concluded its internal investigation on October 29, 2021. The information that the hackers accessed includes the following: Full names, Credit card number + CVV, Debit card number + CVV, Financial account number, and Platform account password. The compromised database contained older backups dating between 2004 and 2012, and it’s not linked to the active systems and databases used by DDC today.


Dark web marketplace bites the dust after colossal DDoS attack

One of the world’s largest dark web marketplaces for all things cannabis has been permanently shut down after a major distributed denial of service (DDoS) attack kept the site offline for a prolonged period of time. In an official announcement, the operators of the Cannazon marketplace said the DDoS attack wasn’t the reason for the shutdown, but it presented an opportunity to close the website down, as was always the plan. “No market will be here forever,” the announcement reads. “We are officially retiring. The massive DDoS attack was a very good chance to lower the number of orders and we decided to keep the market partially offline afterwards. This is the reason why the market was not reachable and not fully functional in the last days. By this, we could ensure that the number of orders was minimized and all paid orders were shipped.”


Wait, so now I can’t tweet photos of other people on Twitter?

It’s just been a day since Parag Agrawal took over Twitter as CEO after Jack Dorsey resigned, and the company has rolled out a seemingly controversial policy. Under this new norm, you can’t tweet out pictures of another individual. Twitter already had a private information policy that barred users from sharing other people’s phone numbers, addresses, and email IDs. Now it’s extending that to media, including videos and photos of someone. One of the biggest conditions for an image or a video to be taken down is the person in it — or their legal representative or guardians — have to report it. So you can’t report an image on behalf of a friend. It’s not clear if the people reporting an image or video have to be on Twitter. We’ve asked the company for clarification, and we’ll update the story if we hear back.



The holiday shopping season is here, and while millions of Americans will be looking for the best deals the internet has to offer, cyber criminals will be hard at work looking to target online shoppers. The holiday shopping season is a prime opportunity for bad actors to take advantage of unsuspecting shoppers through fake websites, malicious links, and even fake charities. Their goal is simple: get a hold of your personal and financial information to compromise your data, insert malicious software, steal your identity and take your money. At CISA, we are committed to helping Americans better protect themselves online. This holiday shopping season, we’re here to provide a few easy steps to prevent you from becoming a victim of cyber-crime. Using strong passwords, updating your software, thinking before you click on suspicious links, and turning on multi-factor authentication are the basics of what we call “cyber hygiene” and will drastically improve your online safety.  