Webhose Top Cyber Updates

Posted on September 16, 2021 by yafit


We begin with a discovery that should’ve raised an alert at the United Nations headquarters, followed by our exclusive story on the hacker offering “Moody’s Analytics Company data”. We also reveal a surprising new dark web forum in our coverage, one you shouldn’t miss as it’s quickly growing in popularity.

Let’s first start with our United Nations story.

Revealed: U.N. Employee Credentials Detected on Dark Web Before Major Network Breach

Recently, several media outlets reported that hackers were able to breach the United Nations’ computer networks in April 2021. A report by Bloomberg News suggested that the hackers “probably gained entry by purchasing employee log-in credentials from the dark Web”.

We decided to test it. Using our Cyber API, we were able to find around 2,000 mentions of the main U.N. domain (un.org) on the dark web, about 300 of them on dark web marketplaces. In these marketplace posts, we found login credentials used on several U.N. subdomains. Some of them were on offer in the past and some are still offered for sale.

Our data also shows that U.N. subdomain credentials have been offered for sale on the dark web for at least two years now. This means that U.N. credentials are readily available to hackers, who can buy them at any given time as they keep renewing. The oldest post we detected selling “inspira.un.org” credentials dates back to September 2019. The most recent post is from September 2021.

We also found posts in one marketplace selling U.N. credentials in March and in early April, around the time of the reported breach. Those credentials are not available on the site anymore, which could suggest that they were bought. We were able to find another example of a post with U.N. credentials on offer on “Genesis”, a dark web marketplace.

The post, published on August 31, is offering logins to Inspira (inspira.un.org), the United Nations’ online recruitment platform:

Webhose keeps track of thousands of new posts like these every day, helping companies to monitor leaks that expose companies and organizations to future breaches and attacks.

To see more content from these marketplaces use the query: site.type:datastore

Exclusive: Hacker Claims to Have Breached A Moody’s Analytics Company

A hacker claims to have breached Bureau van Dijk – a Moody’s Analytics Company, in a post exclusively discovered by Webhose. 

We were able to discover a post on a hacking forum where a hacker shares samples of leaked data he claims to have stolen from Bureau van Dijk, a subsidiary of Moody’s Corporation, which provides economic research regarding risk, performance and financial modeling. The hacker also states in the post, dated 10 September, that the data is “too huge”, totaling 450GB of stolen credentials including entities belonging to some of the company’s clients, such as email addresses, phone numbers and more.

As Bureau van Dijk specializes in economic research, we were able to find information on related topics. For example, we can see that next to some of the company’s clients appears their “business relationship status”, which is either acquired or merged, along with other related information.

The hacker’s post on September 10

As with other leaks, it quickly spread to another platform. We were also able to find a very similar post published the next day, on September 11, on a Telegram channel dedicated to leaked data for sale.

The hacker’s post the next day, on September 11

We could not confirm whether the full leak includes valid data as this data is currently available only for sale and the full leak has not been exposed. Although the leak cannot be confirmed, posts like this one need to be monitored to prevent reputational damage as they can reach the media or other hackers.

To see content related to this breach, use the query: “Bureau van Dijk”

New Source on Webhose: Leak Hispano Now Available

We have recently added Leak Hispano to our Cyber API coverage. The forum primarily caters to Spanish speakers but surprisingly attracts most of its traffic from China, the US, India, and Vietnam.

Leak Hispano is a marketplace and a database-sharing forum, where users discuss topics relating to hacking, database leaks and general illicit trade topics. The forum, which was established in 2019, has seen an increase in popularity over the last few months, with more than 200K visits recorded in the last month.

The database leaks section is one of the most prominent on the forum. For example, the picture below shows the recently published Fortinet leak, which revealed 500,000 VPN credentials. The site also offers an easy way to download leaks or buy other illicit products: users gain virtual credits (called “diamonds”) for their activity and use them to pay for purchases on the site, a method used on other similar forums.

With its fresh stream of leaked content and its friendly interface, we expect the site’s popularity and traffic to continue to rise in the coming months.

The post on Leak Hispano offering 500K leaked Fortinet VPN login details

To see content from this forum, use the following query:

site.domain:leakhispano.net

We hope you enjoyed our cyber updates this round. To stay in the loop of other cyber news, follow us on social media (via the links below). For any questions or comments you may have, feel free to send us an email to: cyber@webhose.io.

Until next time, 

Team Webhose