Full Report
ASEC Blog publishes Ransom & Dark Web Issues Week 3, February 2025: Data breach of member information at a Korea-based cosmetics wholesale and retail online shopping mall; Threat group Tooda: Hacking of Doxbin administrator account and internal data leak; New ransomware group Linkc: Claims attack on a […]
Analysis Summary
This article summarizes three distinct security incidents reported during the third week of February 2025, as compiled by ASEC. Because the source provides no single, unified incident timeline, the summary below addresses each of the three reported events separately.
# Incident Report: Threat Intelligence Summary (Week 3, Feb 2025)
## Executive Summary
Security intelligence gathered during the third week of February 2025 highlighted three incidents: a data breach of member information at a Korean cosmetics online shopping mall, the compromise of the Doxbin administrator account and a leak of internal data attributed to threat group Tooda, and a claimed ransomware attack on a U.S. AI/AutoML platform company by the newly observed Linkc group. The reported impact is exposed customer member data, exposure of a cybercrime forum's internal data, and an unverified ransomware claim against a technology vendor.
## Incident Details
- Discovery Date: February 20, 2025 (Publication date of summary report)
- Incident Date: Not provided per incident; all three events predate the February 20, 2025 report.
- Affected Organization:
1. Korea-based cosmetics wholesale and retail online shopping mall
2. Doxbin (Internal administrator account)
3. U.S. company providing AI and AutoML platforms
- Sector: E-commerce/Retail, Cybercrime Infrastructure, Technology (AI/ML)
- Geography: Primarily South Korea and the United States.
## Timeline of Events
*Since specific dates are unavailable for the operational timeline of each attack, this section summarizes thematic progression based on the reports:*
### Initial Access
- **Event 1 (Cosmetics Mall):** Vector unknown, resulted in initial compromise of member information.
- **Event 2 (Doxbin):** Threat group Tooda gained control of the Doxbin administrator account. The access vector is not stated in the report; credential compromise or vulnerability exploitation are plausible but unconfirmed.
- **Event 3 (AI/AutoML Co.):** The newly observed ransomware group Linkc publicly claimed to have compromised the U.S. firm. The claim has not been independently verified in the report.
### Lateral Movement
- Not explicitly detailed for the compromised systems; focus is on data compromise and leak announcements.
### Data Exfiltration/Impact
- **Event 1:** Breach of member information at the Korean cosmetics online shopping mall.
- **Event 2:** Internal data leak following the compromise of the Doxbin administrator account.
- **Event 3:** Ransomware deployment claimed against the U.S. AI/AutoML vendor by Linkc.
### Detection & Response
- **Detection:** Incidents were identified through monitoring of the Dark Web/Leak sites and reported by ASEC on February 20, 2025.
- **Response Actions:** The report itself is an advisory; it does not describe organizational response actions, and further analysis is available only to AhnLab TIP subscribers.
## Attack Methodology
*Methodology is inferred based on the outcome (data leak/ransomware):*
- **Initial Access:** Likely credential abuse, vulnerability exploitation, or phishing targeting customer or administrator accounts (inferred; not confirmed by the report).
- **Persistence:** Not specified.
- **Privilege Escalation:** Not established. The report states that the Doxbin administrator account itself was compromised; it does not describe escalation from a lower-privileged account.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified. Theft of member information does not by itself indicate credential access; the takeover of the Doxbin administrator account does imply that administrator credentials, sessions, or an equivalent were obtained.
- **Discovery:** Not specified.
- **Lateral Movement:** Not specified.
- **Collection:** Theft involved customer member information (cosmetics site) and internal data (Doxbin).
- **Exfiltration:** Stolen data was advertised or posted on leak forums and Dark Web sites, which is how the incidents surfaced in monitoring (implied by the context of leak reporting).
- **Impact:** Data exposure and potential business disruption via ransomware (Linkc).
## Impact Assessment
- **Financial:** Not detailed, but high impact expected for the ransomware target (U.S. company) and the breached e-commerce site.
- **Data Breach:** Customer member information (Korean cosmetics). Internal data from a cybercrime forum (Doxbin).
- **Operational:** Potential disruption at the U.S. AI/AutoML provider due to ransomware.
- **Reputational:** Negative impact on the customer trust for the Korean cosmetics platform.
## Indicators of Compromise
*IOCs are not publicly listed in the summary provided; access requires a subscription to AhnLab TIP.*
- **Network indicators:** [Not shared publicly]
- **File indicators:** [Not shared publicly]
- **Behavioral indicators:** [Monitoring for activity related to Tooda, Linkc, and data posts on BreachForums/LeakbaseForum]
## Response Actions
*Organizational-specific actions are unknown. General response derived from the context:*
- **Containment:** Not reported. Expected steps would include isolating affected systems, disabling the compromised Doxbin administrator account, and requesting removal of exposed data where possible.
- **Eradication:** Not reported. Expected steps would include revoking and rotating compromised credentials and patching any exploited systems.
- **Recovery:** Restoring services, notifying affected members where data was exposed, and rebuilding customer trust.
## Lessons Learned
- **Key Takeaways:** Threat actors remain highly active, targeting both mainstream consumer platforms (e-commerce) and established cybercrime infrastructure (Doxbin). The appearance of a new ransomware group (Linkc) shows that the ransomware ecosystem continues to spawn new operators.
- **What could have been done better:** Root causes are not reported, so these are general observations: stronger credential management and privilege separation for administrator access (Doxbin incident), and network segmentation together with offline, tested backups for the ransomware target (AI/AutoML company).
## Recommendations
- Implement multi-factor authentication across all administrative and customer-facing portals.
- Enhance monitoring of known data leak forums (e.g., BreachForums, LeakbaseForum) and ransomware leak sites for posts that mention the organization, its domains, or its products, so that exposure is detected as early as the threat intelligence vendors detect it.
- Maintain a current asset inventory and patching schedule that covers third-party and supply-chain components; AI/ML platform vendors hold valuable data and models and are attractive targets for ransomware groups.
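The leak-forum monitoring recommended above comes down to matching scraped posts against a watchlist of your own brands and domains and tagging any known actor names. The following Python block is an added example written for this summary, not code from ASEC or AhnLab TIP; the watchlist entries, the post records and the source names are all constructed, and the normalization rules (undoing `[.]`-style defanging) are an assumption about how such posts are typically written.

```python
"""Watchlist matching over leak-forum / ransomware-site posts (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Actor names that appear in the Week 3, Feb 2025 report; used only for tagging.
KNOWN_ACTORS = ("tooda", "linkc")


@dataclass(frozen=True)
class WatchEntry:
    org: str
    terms: Tuple[str, ...]  # brand names, domains, product names worth alerting on


@dataclass
class Alert:
    org: str
    source: str
    post_id: str
    actor: Optional[str]
    matched_terms: List[str]


def normalize(text: str) -> str:
    """Lower-case, undo common defanging, collapse whitespace."""
    t = text.lower()
    t = t.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    return re.sub(r"\s+", " ", t).strip()


def _term_pattern(term: str) -> re.Pattern:
    # No word char or dot directly before, no word char directly after, so
    # "myexample-cosmetics.co.kr" does not match "example-cosmetics.co.kr".
    return re.compile(r"(?<![\w.])" + re.escape(term.lower()) + r"(?!\w)")


def match_post(post: dict, watchlist: Tuple[WatchEntry, ...]) -> List[Alert]:
    body = normalize(post["title"] + " " + post["body"])
    actor = next(
        (a for a in KNOWN_ACTORS if re.search(r"\b" + re.escape(a) + r"\b", body)),
        None,
    )
    alerts = []
    for entry in watchlist:
        hits = [term for term in entry.terms if _term_pattern(term).search(body)]
        if hits:
            alerts.append(Alert(entry.org, post["source"], post["id"], actor, hits))
    return alerts


def scan(posts: List[dict], watchlist: Tuple[WatchEntry, ...]) -> List[Alert]:
    """Run every post through the watchlist, suppressing crawler duplicates."""
    seen = set()
    out = []
    for post in posts:
        for alert in match_post(post, watchlist):
            key = (alert.org, alert.source, alert.post_id)
            if key in seen:
                continue
            seen.add(key)
            out.append(alert)
    return out


# Constructed watchlist: two fictional organizations standing in for the two
# victims named only generically in the report.
WATCHLIST = (
    WatchEntry("Example Cosmetics", ("example cosmetics", "example-cosmetics.co.kr")),
    WatchEntry("AutoML Example Inc", ("automl example", "automl-example.com")),
)

# Constructed sample posts in the shape a forum scraper might emit.
POSTS = [
    {"id": "bf-1001", "source": "BreachForums",
     "title": "Korean cosmetics mall member database",
     "body": "Full dump of example-cosmetics[.]co[.]kr members: names, phones, addresses. 1.2M rows."},
    {"id": "ls-2002", "source": "Linkc leak site",
     "title": "AutoML Example Inc.",
     "body": "US AI/AutoML platform vendor. LINKC has taken 400GB of internal data. Countdown: 7 days."},
    {"id": "lb-3003", "source": "LeakbaseForum",
     "title": "Forum rules update",
     "body": "Please read the updated posting rules before selling anything."},
    {"id": "bf-1004", "source": "BreachForums",
     "title": "Unrelated chatter",
     "body": "Tooda was mentioned once in a thread about myexample-cosmetics.co.kr."},
]

if __name__ == "__main__":
    for alert in scan(POSTS, WATCHLIST):
        print(f"[{alert.source}] {alert.org}: terms={alert.matched_terms} actor={alert.actor} post={alert.post_id}")
```

On the constructed input this yields two alerts: the cosmetics post matches on the defanged domain, and the leak-site post matches on the brand name and is tagged with the Linkc actor; the fourth post mentions Tooda but matches no watchlist term, so it produces nothing. In production the watchlist would also carry customer-facing product names and the alerts would be fed into a ticketing or SIEM pipeline rather than printed.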