[BreachExchange] WHO, Gates Foundation Credentials Dumped Online: Report

Destry Winant destry at riskbasedsecurity.com
Fri Apr 24 10:10:06 EDT 2020


About 25,000 email addresses and passwords that are apparently for
staff at the World Health Organization, the Gates Foundation, the U.S.
National Institutes of Health and other organizations have been dumped
online, according to the Washington Post.

Credentials that appear to be for the U.S. Centers for Disease Control
and Prevention, the World Bank and the Wuhan Institute of Virology in
China were also dumped, the Post reports. The list was first spotted
online by the SITE Intelligence Group, which says it tracks the
activities of terrorists and extremists. The organization then shared
the information with the Post.

This list of credentials, which was circulated online starting earlier
this week, is being used by extremists to hack into the accounts and
harass those working at the organizations, says Rita Katz, SITE's
executive director. The organization has been tracking the activities
of these groups in chatrooms and online venues, she told the Post.

It's not clear where the list came from, how it was compiled, or who
posted it online. But Vice reports that it was able to verify that
some of the email addresses and passwords worked. The credentials
could have been obtained via previous data breaches or leaks,
according to Vice.

Katz told the Post that some far-right groups have been targeting
organizations working on a vaccine and other healthcare initiatives
related to COVID-19.

Rita Katz @Rita_Katz

1) BREAKING: Prominent Neo-Nazi group disseminating allegedly
"hacked" emails from @gatesfoundation & @WHO, two partner orgs at
front of #coronavirus fight. Data posted first to chan board & pasting
site. @siteintelgroup/@SITE_CYBER currently investigating. [THREAD]

10:00 AM - Apr 21, 2020

The list of email addresses and passwords appears to have been first
posted on 4chan, an anonymous online forum that is popular with some
far-right groups. From there, the list moved to text-storing site
Pastebin as well as Twitter and a far-right channel on the messaging
app Telegram, according to the Post.

Only Some Credentials Valid

In a statement provided to Information Security Media Group, the World
Health Organization says that of the approximately 2,700 WHO email
addresses being circulated online, 457 were valid and active. "As a
precaution, passwords have now been reset for the 457 users whose
email addresses were exposed," according to the statement.

Robert Potter, a cybersecurity researcher who is CEO of the Australian
company Internet 2.0, wrote on Twitter that he was also able to
confirm the authenticity of some of the WHO email addresses, and that
hackers appeared to have dumped the credentials to encourage others to
conduct a larger breach of the organization.

Kent Liu @_mrkent
Apr 21, 2020
Replying to @rpotter_9

When did you verify those passwords worked? Do you believe hackers got
any new info since covid outbreak?

Robert Potter @rpotter_9

The attackers dumped the passwords to encourage a breach not because
they themselves caused one. This is the cyber equivalent of chumming
the water.

6:48 AM - Apr 22, 2020

A Gates Foundation spokesperson tells ISMG: "We are monitoring the
situation in line with our data security practices. We don't currently
have an indication of a data breach at the foundation."

A spokesperson for the National Institutes of Health declined to
comment on the report. The CDC and World Bank could not be immediately
reached for comment.


Update (April 23, 2020): Cybersecurity reporters Nicole Perlroth of
the New York Times and Steve Ragan said they found that a significant
number of the dumped credentials are old and were harvested from
previous data breaches.

Nicole Perlroth @nicoleperlroth

For those asking how you date/vet dumps: Most time consuming is
matching dumped credentials with the dates orgs put password
requirements in place, which dated them back years. Also @SteveD3 and
I ran them through haveibeenpwned which showed signif. overlap with
older breaches.
https://twitter.com/nicoleperlroth/status/1252819365772197894

Nicole Perlroth @nicoleperlroth

I spent the vast majority of my day confirming the dumped usernames
and passwords from WHO, Gates Foundation and NIH are from old, dated
breaches of other companies. Someone went through all this trouble to
pull their credentials off dumps from other hacks (1/3)

5:31 PM - Apr 22, 2020
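The vetting and response steps described above (scoping a dump to your own domains, finding which exposed accounts are real and active so they can be reset, and checking the passwords against older breach corpora such as haveibeenpwned) as an added Python example; this is not code from the article or from any of the people quoted, and the dump, directory export and breach table are all constructed here. The Pwned Passwords range lookup is simulated offline with the same prefix/suffix shape the real endpoint uses, so only a five-character hash prefix would ever leave the machine.

```python
import hashlib
import re

# Constructed sample dump in the common "email:password" format (not real data).
SAMPLE_DUMP = """\
alice@example.org:Winter2017!
bob@example.org:password123
carol@example.org:Tr0ub4dor&3
dave@other.example:letmein
this line is not a credential
"""
# Constructed directory export of active mailboxes (in practice, pulled from the IdP)
# and a constructed stand-in for the Pwned Passwords corpus: password -> breach count.
ACTIVE_ACCOUNTS = {"alice@example.org", "carol@example.org"}
ORG_DOMAINS = {"example.org"}
KNOWN_BREACHED = {"password123": 126927, "letmein": 220000}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def offline_range_lookup(prefix):
    """Simulates GET /range/<prefix>: returns 'SUFFIX:COUNT' lines for every known
    hash sharing the 5-hex-char prefix, so the server never sees a full hash."""
    hits = [(sha1_hex(pw), n) for pw, n in KNOWN_BREACHED.items()]
    return "\n".join(f"{h[5:]}:{n}" for h, n in hits if h[:5] == prefix)

def parse_dump(text):
    """Return (email, password) pairs; lines that are not credentials are skipped."""
    matches = (re.match(r"^([^:\s@]+@[^:\s@]+):(.+)$", ln) for ln in text.splitlines())
    return [(m.group(1).lower(), m.group(2)) for m in matches if m]

def breach_count(password, range_lookup=offline_range_lookup):
    """k-anonymity check: send only the hash prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for entry in range_lookup(prefix).splitlines():
        sfx, _, count = entry.partition(":")
        if sfx == suffix:
            return int(count)
    return 0

def triage(dump_text, active=ACTIVE_ACCOUNTS, domains=ORG_DOMAINS):
    """Scope the dump to our domains, queue resets for active accounts, and
    flag passwords already present in older breach corpora."""
    in_scope = [(e, p) for e, p in parse_dump(dump_text) if e.rsplit("@", 1)[1] in domains]
    reset_queue = sorted({e for e, _ in in_scope if e in active})
    seen_before = sorted({e for e, p in in_scope if breach_count(p) > 0})
    return {"in_scope": len(in_scope), "reset": reset_queue, "seen_before": seen_before}
```

Accounts in `reset` get a forced password reset regardless of whether the password was correct, as WHO did for its 457 active addresses; a high `seen_before` share is the signal the reporters used to conclude a dump was recycled from older breaches rather than a fresh compromise.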