Webhose Top Cyber Updates

Posted on September 9, 2021 by yafit

read the article

This edition features an exclusive story behind the latest T-Mobile breach. It also features a surprising discovery on the Poly Network crypto heist and our latest insights on the rise in use of paste sites, underground forums and DDoS attacks.

First, let’s start with our T-Mobile scoop.

Exclusive: First Post by Hacker Offering Stolen T-Mobile Data Revealed

Over 50 million T-Mobile customers have been affected by the company’s latest data breach. The leak included customers’ names, ID numbers, social security numbers, address, phone numbers, dates of birth, driver’s licenses, and more.

While news outlets around the world cited a post published on August 14, by a threat actor who provided 30M unique SSNs with driver’s licenses which T-Mobile CEO Mike Sievert referred to when confirming the breach, we were able to find an earlier post by the same user in our Cyber API (click here to read our full investigation).

The post we found contained the leaked T-Mobile database about an hour after it was uploaded  on August 11, offering 124 million SSNs, DOB and driver’s licenses “freshly breached” (see in the image below).

The image from our Cyber API from the very first post the threat actor posted on 11 August

When we investigated this specific seller, we discovered several interesting details relating to his identity, following the confession made by the alleged hacker. For more on this discovery, details on this breach and worrying findings on previous T-Mobile breaches, read our full blog post.

To see more content in the Cyber API related to T-Mobile breach, use this query:

“T-Mobile” AND (Database OR Leak OR Breach) AND (SSN OR “Social Security numbers” OR DOB OR “Dates of birth” OR DL OR (driver AND licenses) OR ID OR Telephone OR Address OR Information OR Customer)

Could The Biggest Crypto Heist Ever Have Been Prevented?

In one of the largest cryptocurrency thefts ever, hackers stole $600 million worth of crypto on August 10 from Poly Network, a decentralized financial platform. The hackers exploited vulnerabilities in the company’s system, taking thousands of digital tokens such as Ether.

Using our Cyber API, we were able to find an early indication of the vulnerability that could very well have been used in the attack against Poly Network already back in December 2020. In a post on Raidforums, the hacker stated he could exchange cryptocurrency through a connectivity vulnerability:

Although the original post was removed from the forum, Webhose crawled it before it was deleted. The image is from our Cyber API

When companies are mentioned on various dark web platforms, it can indicate that a future threat or leak is underway. We usually find discussions around new vulnerabilities, developing capabilities, hacking code reviews, and, of course, data breach of PII (personally identifiable information). Most of the posts appear on hacking forums, paste sites and chat applications such as Discord and Telegram.  

For more information on what we found on this breach and the type of data we see daily on the dark web read our full blog post.

To see more content in the cyber API related to this topic, use this query:
(“defi” OR “poly” OR “poly network”) AND site.type:discussions 

Discover: The Cyber Risk in Paste Sites and Underground Forums

Over the past 5 years, cyber criminals have been using Pastebin and other pastes sites, as well as underground forums, to share leaked accounts, stolen credit cards and other leaked PII (Personal Identifiable Information). Some studies also show that dark web leaks are being used 5 times more by cyber criminals, than on open sites.

The type of sensitive information that is often leaked includes companies’ data of employees or consumers. This exposes the organization to breach attacks that can end in reputational damage and loss of customers. 

In one example we found using our API, we found different types of leaked data of employees of Apple, Orange and other companies, published on a paste site called paste.wiki:

These types of data can expose these organizations to breach attempts in the future. For this reason, more and more companies are monitoring  dark and open web sites for suspicious content.

In another example (see below)  from an underground, closed, forum on the dark web, we found a leak of Spotify premium users, which can be freely used on the expense of paying customers, affecting the user experience and the company’s reputation.

Webhose collects and monitors tens of thousands of posts from underground paste sites underground forums on a daily basis, to help companies to assess risks and threats to organizations and employees.

Trending: DDoS Attacks Triple in Less Than a Year

DDoS, which stands forDistributed Denial-of-Service”, is a common form of cyber attack. These types of attacks are used to disrupt the normal traffic of a targeted server, service or network, by overwhelming it with a flood of web traffic to the point of collapse. A DDoS attack can lead to large financial loss to a targeted organization, which is the reason many enterprises of all sizes are looking to keep track of it and constantly monitor DDoS risks. 

Following the COVID-19 pandemic, many companies switched to long term remote work, moving their workforce to work from home with a less secure work environment. This allowed hackers an easier access to launch DDoS attacks targeting organizational systems.

To understand just how widely DDoS attacks are being used, we used our Cyber API to search for the number of times they were mentioned on the dark web (a summary of our findings can be seen in the graph below).

As can be seen in the graph, we have found a significant growth in the popularity of DDoS attacks in 2020-2021.The column on the left shows the sum of the mentions of DDoS in our Cyber API throughout 2020, which totaled around 200K mentions. Next to it, on the right column, you can see the sum of the mentions of DDoS in our Cyber API from January through to the end of August 2021. Overall we see the number of mentions has tripled in comparison to last year, and 2021 is still not over so we are likely to see this number increase by the end of the year.

The number of mentions of DDoS attacks on the dark web from January 2020 to late August 2021

We cover multiple sites across the dark web and chatting applications that are dedicated to discussions around cyber attacks and trading of methods of attack.

That’s it for this round of cyber updates. We’ll return next time with the latest cyber news and insights from our Cyber team. If you have any questions, comments or anything interesting you’d like to share with us, don’t forget to send us an email to: cyber@webhose.io.

Until next time, 

Team Webhose