Search Breached in Drive-by Style Attack

A UK firearms trading site, Guntrader, had its SQL database stolen and posted to RaidForums earlier this week. The database held records for around 111,000 users who were active on the site between 2016 and July 2021, including names, mobile phone numbers, email addresses, user geolocation data, bcrypt-hashed passwords, and more. Analysis of the database by Andrew Barratt led him to believe the attack was “drive-by style,” in other words a target of opportunity that the attackers stumbled upon rather than a planned intrusion. Barratt stated, “I suspect it was probably a drive-by style attack. So gut feeling looking at the response from the attackers that they posted on forums, [it was] completely un-targeted, it was kind of very much like ‘lol we pulled another site’ and then it’s like, oh, wow.” Guntrader is aware of the breach, is working with the proper parties to mitigate it, and is attempting to prevent further harm to its users. Barratt also warned that copies of the database circulating online have had malware bundled into them, so he advised against opening any copy that turns up.

Analyst Notes

Rather than obtaining and inspecting the leaked database themselves (copies circulating online are reported to carry malware), users are advised to use a reputable breach-notification service to check whether their information was included. Although bcrypt is a salted, deliberately slow password hash that makes bulk offline cracking expensive, it does not protect weak or commonly used passwords, which fall to a dictionary attack regardless of the hash. Affected users should change their Guntrader password and make sure the same password is not reused on other sites, particularly any where sensitive information could be accessed, since any password recovered from this dump will be tried elsewhere.
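The following is an added example, not code from the original post or from Guntrader, showing why "bcrypt-hashed" is not the same as "safe": an attacker holding the dump runs an offline dictionary attack, and weak or reused passwords are recovered first. bcrypt is not in the Python standard library, so the example uses hashlib.pbkdf2_hmac with a tunable iteration count as a stand-in that shares the two properties that matter here (a per-user salt and an adjustable work factor). The user records, passwords and wordlist are constructed for the demo; the work factor and record format are assumptions.

```python
"""Dictionary attack against a dump of salted, slow password hashes.

Added example using PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (same
per-user salt and adjustable work factor; not the same algorithm).
"""
import hashlib
import hmac
import os

# Assumed work factor for the demo; bcrypt's analogue is its cost parameter.
WORK_FACTOR = 20_000


def hash_password(password, salt=None, iterations=WORK_FACTOR):
    """Return a self-describing hash string: algo$iterations$salt$digest."""
    salt = salt or os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and work factor, compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_sample_records():
    """Constructed stand-in for the stolen user table (email -> stored hash)."""
    return {
        "alice@example.com": hash_password("password123"),          # weak
        "bob@example.com": hash_password("guntrader2021"),          # site-themed, guessable
        "carol@example.com": hash_password("viola-kettle-41-orbit-shingle"),  # strong passphrase
    }


# Constructed wordlist; real attacks use lists with hundreds of millions of entries.
WORDLIST = ["123456", "password", "password123", "qwerty", "guntrader2021", "letmein"]


def dictionary_attack(records, wordlist):
    """The offline attack an attacker runs against the dump.

    The per-record salt means no work is shared between users (no rainbow
    tables), and the work factor slows each guess, but a short list of common
    passwords still recovers the weak ones in seconds.  Returns email -> password
    for every record that was cracked.
    """
    cracked = {}
    for email, stored in records.items():
        for guess in wordlist:
            if verify_password(guess, stored):
                cracked[email] = guess
                break
    return cracked


if __name__ == "__main__":
    records = build_sample_records()
    for email, pw in dictionary_attack(records, WORDLIST).items():
        print(f"cracked {email}: {pw!r}")
    # A cracked password is then replayed against other sites where the same
    # email/password pair was reused, which is why rotation matters even here.
```

The strong passphrase survives because it is not in the wordlist, not because the hash is slow; the work factor only sets how many guesses per second the attacker gets, so slow hashing buys time for users to rotate passwords rather than making the dump harmless.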