Webhose Cyber Update

Posted on August 5, 2021 by yafit


Exclusive: Top 10 CVEs Trending in Dark Web

In the past month alone, giants like Apple and Microsoft were reported to be patching serious vulnerabilities tracked as CVEs (Common Vulnerabilities and Exposures identifiers, which are assigned to publicly disclosed security flaws).

Our analyst team researched the top CVEs trending in the deep and dark web to better understand the extent to which criminals discuss and exploit existing CVEs.

We first compiled a list of more than 20 deep and dark web forums, including xss, raidforums, cracked, antichat and omerta, and then counted the CVE identifiers mentioned most often over the past three months. In total, we found 2,279 CVE mentions in dark web chatter over that period, averaging about 10 mentions per discussion.
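The counting described above reduces to a small text-processing job: pull CVE identifiers out of each post, normalise their case, and tally both raw mentions and the number of distinct discussions each identifier appears in (the ratio of the two is the "mentions per discussion" figure). The script below is an added example and not Webhose's own tooling; the forum posts are constructed sample data, and CVE-2021-99990 and CVE-2021-99991 are fictitious placeholder identifiers.

```python
import re
from collections import Counter, defaultdict

# Canonical CVE identifier: CVE-<four-digit year>-<four or more digits>.
# Matched case-insensitively because forum posts write "cve-2021-30747"
# as often as "CVE-2021-30747".
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample posts, not real forum data: (forum, thread_id, text).
# CVE-2021-99990 / CVE-2021-99991 are fictitious placeholders.
SAMPLE_POSTS = [
    ("xss", "t1", "Anyone have a working PoC for CVE-2021-30747? cve-2021-30747 looks easy"),
    ("xss", "t1", "CVE-2021-30747 only works locally, useless for RCE"),
    ("raidforums", "t7", "Selling access obtained via CVE-2021-99990"),
    ("cracked", "t9", "cve-2021-99990 and CVE-2021-99991 are basically the same bug"),
    ("antichat", "t3", "no cves here, just logs"),
]


def extract_cves(text):
    """Return the canonical upper-case CVE IDs found in text, in order, duplicates kept."""
    return [f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)]


def count_mentions(posts):
    """Tally total mentions per CVE and the set of distinct (forum, thread) discussions it appears in."""
    mentions = Counter()
    discussions = defaultdict(set)
    for forum, thread, text in posts:
        for cve in extract_cves(text):
            mentions[cve] += 1
            discussions[cve].add((forum, thread))
    return mentions, discussions


def trending(posts, top_n=10):
    """Rank CVEs by raw mention count.

    Each row is (cve, mentions, distinct_discussions, mentions_per_discussion).
    Ties keep first-seen order, as Counter.most_common is a stable sort.
    """
    mentions, discussions = count_mentions(posts)
    rows = []
    for cve, n in mentions.most_common(top_n):
        d = len(discussions[cve])
        rows.append((cve, n, d, round(n / d, 2)))
    return rows


if __name__ == "__main__":
    for row in trending(SAMPLE_POSTS):
        print(row)
```

Distinguishing mentions from discussions matters for exactly the reason the report hints at: a single heated thread can produce hundreds of mentions of one identifier, so a ranking by raw count alone rewards noise rather than breadth of interest.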

The results (seen in the picture below) show that CVE-2021-30747 (described in the chart as an Ubuntu denial-of-service flaw; the identifier was in fact assigned to the M1RACLES covert channel in Apple's M1 processors) tops the chart with nearly 900 mentions in the past three months. Another clear trend is that attackers regularly exploit flaws in Microsoft's Windows technologies.

Our analysts also found that most of the CVEs surfaced in this investigation had been exploited by nation-state actors and cybercriminals, including ransomware gangs and global attack campaigns targeting a range of industries.

The Tor Project is Set to End Support for V2 Onion Services

Last year, the Tor Project announced it would move away from URLs that use onion service version 2.

Some may have noticed the v2 onion warning the Tor Project has been displaying, stating that it would begin deprecating v2 addresses and make v3 the default when creating a new onion service. Tor's v3 onion services use a cleaner codebase and stronger cryptography (ed25519 keys instead of 1024-bit RSA), and the address itself now encodes the full public key plus a checksum and version byte, which is why v3 addresses are 56 characters long rather than the 16 characters of a v2 address.

We at Webhose are running a major project in which we closely monitor sites as they migrate to v3 and crawl the new version before their v2 URL is deprecated. So far we are seeing a slow migration to v3, but we expect it to peak by October.

Weekly Find: Tokyo 2020 Ticket Holders’ Credentials Sold on Dark Web

Several media sources recently revealed that credentials (user names and passwords) of Tokyo Summer Olympics ticket holders and volunteers were compromised and posted on the dark web.

According to these sources, the attackers used RedLine, a family of information-stealing malware that extracts saved credentials and other sensitive data from infected devices, alongside other types of info stealers.

We monitored the dark web and detected credentials from the two reportedly attacked Olympics website subdomains, id.tokyo2020.org and volunteer.tokyo2020.org, up for sale on two dark web marketplaces. The first post offering “volunteer.tokyo2020.org” user credentials for sale was crawled as far back as 2019; the most recent post, offering “id.tokyo2020.org” user credentials, was posted and crawled in July 2021.

To see the content we related to the leak, use the query:

(tokyo2020 OR (tokyo2020) OR olympics) AND (leak OR accounts OR breach OR site.type:datastore)

Discord Chat Service Rising in Popularity Among Cyber Criminals

Discord, a VoIP, instant messaging and digital distribution platform designed for building communities, has over 250 million users, and it has recently seen a surge in popularity among malicious actors.

Like Telegram, Discord attracts a growing number of cyber criminals because it offers closed, invite-only servers, which give users a convenient space to interact with each other in themed groups. Many of these servers are dedicated to illicit topics, including the trade of compromised data, hacking-related activities, discussions of new malware, and much more.

Webhose constantly monitors hundreds of Discord servers to keep track of new activities and discussions related to illegal topics. Our analysts and automated discovery also continuously find and crawl new servers whose posts feature different types of illicit activity.

Below is an example of the posts we crawl, in which a user is looking for a partner to spread malware they wrote:

To see the content we crawl from Discord, use the query:

extended.network:discord

That’s all from our Cyber Team this round. We’ll be back with more key news from the cyber world next time. Until then, if you have anything interesting you’d like to share, email us at cyber@webhose.io

Until next time, 

Team Webhose