
Infrastructure Laundering: Silent Push Exposes Cloudy Behavior Around FUNNULL CDN Renting IPs from Big Tech

Key Findings

Silent Push is coining the term “Infrastructure Laundering” to describe a growing criminal practice our analysts have observed where threat actors operating “hosting companies” rent IP addresses from mainstream hosting providers and map them to their criminal client websites.

  • Our research team was surprised to find mainstream cloud providers, such as Amazon Web Services (AWS)* and Microsoft Azure, are often seen in large-scale use by threat actors. While providers are consistently banning specific IP addresses used by the FUNNULL content delivery network (CDN), the pace is unfortunately not fast enough to keep up with processes being used to acquire the IPs.
  • FUNNULL has rented over 1,200 IPs from Amazon, and nearly 200 IPs from Microsoft – nearly all have been taken down as of this writing, but new IPs are continually being acquired every few weeks.
  • There are indications of FUNNULL illicitly acquiring the IPs using stolen or fraudulent accounts. However, external visibility into this process is limited.
  • Silent Push’s research into the FUNNULL CDN’s activities has revealed a direct association with money laundering as a service hosted on shell websites, retail phishing schemes, and pig-butchering scams being kept online via infrastructure laundering.
  • Given that it’s easier for enterprises to defend against this type of network if the services of mainstream providers are made unavailable to those criminals, our team is left to wonder: If FUNNULL has been using the same illicit IP rental schemes and CNAME mapping tactics for years, activity which is clearly visible to us as cyber threat professionals, why are cloud providers still struggling to keep up? Are cloud providers not investigating deeply enough to find illicit IP rentals in real time?
  • This line of thinking led us to a few larger, and as of yet unresolved, questions around infrastructure laundering:
    • If a hosting account is banned for fraud and abuse concerns, are cloud providers not investigating what content was hosted there and looking for similar content elsewhere on their network?
    • How and why does an organization like FUNNULL keep renting one IP after another from mainstream providers, even if using illicit means to acquire those IPs, when they are mapping them to one of three CNAMEs?
    • How come thousands of IPs have been taken down historically, but the new ones stay mapped for days or weeks without actions?
    • How is it that cloud providers are unable to see or stop this in real time?

*Note: Amazon responded to our findings with a public statement, which we attached to the bottom of this report, along with our comments.

Executive Summary

Over the past few years, Silent Push Threat Analysts have been investigating and exposing threat actors whose crimes are not restricted to the internet but are very much a part of real-world criminal organizations. Our team is tracking this growing practice, which blurs the line between online and real-world crime and is now better known as “infrastructure laundering”: it leverages legitimate, mainstream hosting providers through intermediaries.

As we examine this particular brand of threat actor behavior, we must assess the scale of the technical infrastructure involved and critically examine the suppliers that are helping keep these organizations in business. The results have been surprising. Our analysts have discovered threat actors being enabled by mainstream cloud providers, including Amazon Web Services (AWS) and Microsoft Azure.

Both Amazon and Microsoft have essentially been fighting an uphill battle, clearly banning IPs being used by the FUNNULL CDN, yet new IPs are still showing up every few weeks. New details uncovered in the course of this reporting indicate that FUNNULL is likely using fraudulent or stolen accounts to acquire these IPs to map to their CNAMEs, and providers we have spoken to claim this wasn’t caught in real time due to visibility holes from the technical complexity of their DNS architecture.



Background

The concept of infrastructure laundering is relatively new in cybersecurity and cybercrime discussions and circles. However, the underlying idea—that intermediaries provide a layer of obfuscation for illicit activities—has been previously discussed in the contexts of “bulletproof hosting” and “cybercrime-as-a-service.” These services perform a similar function: offering cybercriminals a high level of anonymity and protection.

One core difference between infrastructure laundering and a bulletproof host (BPH) is that with infrastructure laundering, takedowns are expected. We’ve come to realize that the persistence of infrastructure laundering is due primarily to the aggressive efforts used to acquire fresh hosting accounts – essentially, the threat actors moving more rapidly than cloud hosts can react.

Taking obfuscation a step further, infrastructure laundering specifically highlights a distinct process wherein intermediaries (such as the FUNNULL CDN, outlined in our Triad Nexus blog) launder their infrastructure by hosting it within large, legitimate cloud platforms (such as AWS or Azure) in order to further mask its origins and criminal intent.

Infrastructure laundering also helps to keep the websites fast for global audiences by mapping the infrastructure to countless IPs located in different areas of the world—and having IPs in the U.S. is useful for a network like FUNNULL, which hosts scams targeting U.S. brands and consumers.

The similarity here to the term “money laundering” is not accidental. Whereas money laundering enables the proceeds of crimes to be used on the open market and appear to have come from a reputable source, infrastructure laundering legitimizes the sale of internet hosting services via CNAME mapping and other classical DNS techniques to map their mostly criminal client websites to IP addresses owned by credible, Western hosts, thus creating the illusion of legitimacy for unsuspecting visitors and defenders.

The criminals’ advantage when it comes to infrastructure laundering, over and above bulletproof hosting, is that the underlying hosting provider also hosts other, valid businesses on a large scale, so it is difficult for defenders to block traffic received from that cloud provider without also adversely blocking legitimate web traffic for their users. As opposed to when criminals are restricted to using bulletproof hosting services, their infrastructure can then be easily blocked without the risk of causing accidental service disruption to the defending companies’ business operations.


Exploring Infrastructure Laundering Practices 

Here’s how the concept of infrastructure laundering is evolving in discussions:

Bulletproof Hosting

The practice of bulletproof hosting is described as a service provided by an internet hosting operator that is resistant to takedown efforts and is usually located in jurisdictions with more lenient regulations and/or countries where law enforcement has fewer resources to monitor and control. Hosting service providers involved in BPH support all types of unwanted activities, including but not limited to the abuse of copyrighted materials, hosting of malware and botnet command and control (C2) servers, support for hate speech and misinformation, illegal gambling, pornography, and spam.

For years, bulletproof hosting providers have offered safe havens for cybercriminals by refusing or resisting takedown requests and allowing illicit activity to flourish. In traditional bulletproof hosting, the entire infrastructure is often controlled by a criminal enterprise or purpose-built for resilience against law enforcement while ever-so-coincidentally being located in countries with weak engagement with international law enforcement.

A key differentiator between BPH and infrastructure laundering is that legitimate hosts being abused to support infrastructure laundering can and do take actions to stop it. However, infrastructure laundering appears to rely on gaps between when a threat actor can use a new account to acquire another IP and the time it takes for a cloud provider to realize that IP is being used illicitly.

Layered Transactions Create Tracking Challenges

Services within the cybercrime-as-a-service (CaaS) ecosystem (such as ransomware as a service (RaaS) or phishing kits) often provide resources that criminals can lease or buy directly from other threat actors.

In infrastructure laundering, however, the key difference lies in a layered financial transaction where the primary cloud providers may not see a singular entity renting the IPs but instead have numerous “IP mules” who set up or acquire accounts and purchase IPs without transparency about who they are doing it for.

In fact, beyond shared payment methods, contact details, or other insights from internal tooling we are unaware of, the only way a cloud provider could know that FUNNULL was renting these IPs would be if they had tracked all three of the random domains FUNNULL uses for CNAME chains (funnull[.]vip, funnull01[.]vip, fn03[.]vip), and created a system to monitor newly-rented IPs being mapped to any of these CNAMEs.

Methods like this represent a unique tracking challenge, creating opportunities for threat actors to remain unseen but also allowing defenders to react in real time – provided they are aware of it.

Emerging Regulatory Concerns

Cybersecurity experts and regulators have only recently started to examine the financial and technical blind spots created by third-party intermediaries more closely. The idea that cloud hosting providers could be unwitting victims while also potentially missing opportunities to stop corporate threat actors from abusing these systems creates challenges that don’t have any easy answers.


Key Connections

Silent Push’s investigation into the FUNNULL CDN on our Triad Nexus blog revealed a large cluster of malicious infrastructure and its pivotal role in facilitating extensive cybercriminal activities, many of which are orchestrated by Chinese Triad groups. This aligns with the United Nations Office on Drugs and Crime (UNODC) 2024 Report that discusses Transnational Organized Crime, or “TOC,” and its findings on the convergence of cyber-enabled fraud, underground banking, and technological innovation in Southeast Asia.

In our FUNNULL research, Silent Push Threat Analysts discovered that this network of investment and retail scam websites, along with money laundering websites, is actually hosted on a combination of numerous Western IP addresses owned by prominent U.S. hosting companies and prominent Asian hosting providers. This blending of hosting between the U.S. and Asia is significant, as it could be an effort to host in locations that don’t regularly collaborate on cyber threats. The crime group also targets victims in both jurisdictions, so having hosting in those locations would improve the speed and potentially the perceived legitimacy of the websites.

Hosting Malicious Infrastructure

FUNNULL CDN has been identified as hosting over 200,000 unique hostnames, of which approximately 95% are generated through Domain Generation Algorithms (DGAs). These domains are linked to illicit activities such as investment scams and fake trading applications. Moreover, these activities are directly associated with money laundering as a service on shell gambling websites that abuse the trademarks of a dozen popular casino brands and which are available online today.

BWIN Confirms Fake FUNNULL Gambling Sites – Strengthens Money Laundering Accusations

One organization whose trademarks are being abused within the FUNNULL network is the online gambling portal Bwin. Our research into Bwin’s connection revealed that its association with FUNNULL is due to an abuse of its brand name—they have no actual relationship. Approximately a dozen other major online gambling brands’ trademarks are also being abused across tens of thousands of shell gambling websites.

One of the active Bwin spoofed sites hosted on a Microsoft IP address via FUNNULL CDN in December 2024 can be seen here:

[Figure: b69885[.]com, a fake site abusing the Bwin brand, is hosted on 20.2.234[.]182, located on Microsoft infrastructure (AS8075)]

Dozens of the Bwin-impersonated sites were hosted on Microsoft’s infrastructure:

[Figure: Silent Push Web Scanner results for Bwin-impersonating sites on FUNNULL hosted on Microsoft infrastructure, AS8075]

Chris Alfred, a spokesperson for Entain, Bwin’s parent company, told TechCrunch that Entain can confirm that the domain associated with FUNNULL is a fake website. Bwin does not own it and has nothing to do with it. The site owner appears to be infringing on the Bwin brand. Alfred has said they are taking action to resolve the issue and get the site removed.


Supply Chain Attacks

Earlier this year, FUNNULL’s acquisition of the popular JavaScript library polyfill[.]io led to a supply chain attack that impacted over 110,000 websites. This incident underscores the sophisticated methods these criminal networks employ to infiltrate legitimate systems, albeit sometimes for murky purposes.


[Infographic: the steps involved in the infrastructure laundering process]

Cybersecurity Concerns

The likely collaboration between entities like FUNNULL CDN and organized crime groups like the Chinese Triads exemplifies the complex and evolving nature of TOC in Southeast Asia. The fusion of technological innovation with traditional criminal activities necessitates comprehensive and coordinated efforts across international law enforcement and regulatory bodies to effectively address and mitigate these threats. 

A key roadblock to stopping these cyber criminals, however, is that this large crime infrastructure uses mainstream cloud providers like AWS and Azure as part of its underlying setup and continues to rent IPs, even with apparent efforts to stop them.

The node map below shows the main entities involved in providing FUNNULL CDN with the underlying hosting services it uses. This is a very active network, even if major cloud hosts are regularly banning IPs that are mapped into their infrastructure.

[Figure: node map of the main entities involved in providing underlying hosting services to FUNNULL CDN]

Mapping FUNNULL CDN Scams

At its peak in 2022, the investment scam infrastructure on FUNNULL CDN had thousands of active domains.

While more modest in 2024, this malicious cluster still had some active sites, including cmegrouphkpd[.]info, which has hosted a fake trading platform abusing CME Group’s brand and logo for the past two years. It only recently went offline after we published our Triad Nexus report on FUNNULL CDN.

[Screenshot: content previously hosted on cmegrouphkpd[.]info]

Having been live for over two years, the domain cmegrouphkpd[.]info also helped our team map CNAME record changes across the FUNNULL CDN.

The domain had a CNAME record pointing to *.funnull[.]vip between February and March 2022, changing to *.funnull01[.]vip between March 2022 and June 2024, and which has since then switched to *.fn03[.]vip.

[Figure: Silent Push Web Scanner results for CNAME records of cmegrouphkpd[.]info]

In the first CNAME hop, FUNNULL maps client domains to a CNAME record such as *.fn03[.]vip.

The second CNAME hop goes from the *.fn03[.]vip record to another CNAME at *.fnvip100[.]com.

The third CNAME hop starts at that second CNAME, fnvip100[.]com, which is then mapped to rented IP addresses.

[Screenshot: Silent Push Web Scanner Forward CNAME lookup for 6ce0a6db.u.fn03[.]vip]

By having CNAME chains within FUNNULL’s CDN infrastructure, every time a DNS client requests the domain/hostname of a FUNNULL customer, the DNS resolver follows the resolution chain and answers with the IP address of its “Point of Presence” (PoP) with the fastest response:

[Screenshot: Silent Push Web Scanner DNS Forward A lookup for 0e6de73d2.n.fnvip100[.]com]

As a result, these CNAME chains can be used to map FUNNULL’s entire customer infrastructure on its CDN and obtain the IP addresses for its entire Point of Presence network.

The three CNAME records that are needed to map rented IPs used within the FUNNULL CDN can be seen in the data flow map below, highlighted in a red box. If you conduct a forward A lookup on these CNAME records, you will get the list of rented IPs in the network.

  • fn301[.]vip
  • fnvip100[.]com
  • funnull100[.]com

[Figure: map of FUNNULL CNAME chains, with the three CNAME records needed to map rented IPs highlighted in a red box]
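The three-hop chain described above (client domain → *.fn03[.]vip → *.fnvip100[.]com → rented IP) is what a defender's resolver walks on every lookup, so the same walk can be turned into a detection: follow each CNAME hop, record it, and flag any chain that passes through a watchlisted apex. The following is an added example, not Silent Push code or tooling. It resolves against a small constructed record table instead of live DNS so that it runs offline; the hostnames in that table are the ones the report shows, but the exact chain shape, the benign and looping entries, and the two-label apex heuristic are assumptions for illustration.

```python
"""Follow a CNAME chain hop by hop and flag chains that pass through a
watchlisted CDN apex. Added example: the DNS records below are a constructed
stand-in for live resolution, not Silent Push data or tooling."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed mini-zone: name -> ("CNAME", target) or ("A", [ips]).
# The FUNNULL-related names and the final AWS IP appear in the report; the
# exact chain shape, the example.com chain and the loop are assumptions.
RECORDS: dict[str, tuple[str, object]] = {
    "cmegrouphkpd.info": ("CNAME", "6ce0a6db.u.fn03.vip"),
    "6ce0a6db.u.fn03.vip": ("CNAME", "0e6de73d2.n.fnvip100.com"),
    "0e6de73d2.n.fnvip100.com": ("A", ["43.198.25.172"]),
    "www.example.com": ("CNAME", "example.com"),   # constructed benign chain
    "example.com": ("A", ["192.0.2.10"]),
    "loop.test": ("CNAME", "loop2.test"),          # constructed loop for the guard
    "loop2.test": ("CNAME", "loop.test"),
}

# Apex domains the report names as FUNNULL's CNAME hops to rented IPs.
WATCHLIST = {"fn03.vip", "funnull.vip", "funnull01.vip", "fnvip100.com", "funnull100.com"}

MAX_HOPS = 8  # resolvers cap chain length; so do we, to break loops


@dataclass
class ChainResult:
    name: str
    hops: list[str] = field(default_factory=list)            # CNAME targets in order
    ips: list[str] = field(default_factory=list)             # final A answers
    watchlist_hits: list[str] = field(default_factory=list)  # hops under a watchlisted apex
    error: str | None = None


def _apex(name: str) -> str:
    # Last two labels; enough for the apexes in WATCHLIST (an assumption,
    # a real implementation would consult the Public Suffix List).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def follow_chain(name: str, records=RECORDS) -> ChainResult:
    """Walk CNAMEs from `name` until an A record, NXDOMAIN, loop or hop limit."""
    result = ChainResult(name=name)
    current = name.lower()
    seen = {current}
    for _ in range(MAX_HOPS):
        rr = records.get(current)
        if rr is None:
            result.error = f"NXDOMAIN at {current}"
            return result
        rtype, data = rr
        if rtype == "A":
            result.ips = list(data)
            return result
        target = str(data).lower()
        result.hops.append(target)
        if _apex(target) in WATCHLIST:
            result.watchlist_hits.append(target)
        if target in seen:
            result.error = f"CNAME loop at {target}"
            return result
        seen.add(target)
        current = target
    result.error = "chain exceeded MAX_HOPS"
    return result


def audit(names, records=RECORDS) -> dict[str, ChainResult]:
    """Resolve every name and return its chain result keyed by name."""
    return {n: follow_chain(n, records) for n in names}


if __name__ == "__main__":
    for n, r in audit(["cmegrouphkpd.info", "www.example.com", "loop.test"]).items():
        flag = "WATCHLIST" if r.watchlist_hits else "ok"
        print(f"{n:28} {flag:9} hops={r.hops} ips={r.ips} err={r.error}")
```

To use this against real traffic, replace `RECORDS` with a resolver call per hop (for example via dnspython) and feed it the hostnames seen in proxy or DNS logs; the watchlist hit, rather than the final IP, is the stable signal, because the rented IPs at the end of the chain change every few weeks while the apexes do not.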

Using this CNAME chain method of mapping both the hostnames and the IPs used in the FUNNULL CDN, Silent Push Threat Analysts identified over 200,000 unique hostnames being proxied through the FUNNULL network between late September and mid-October of 2024 – with more than 95% of the hostnames created with DGAs – and 1.5 million reverse CNAME record lookups have been collected since 2021.

Silent Push identified close to 500 of FUNNULL’s IPs being actively used by threat actors in live campaigns, and, as we expected, a large portion were located in Asian ASN ranges, such as AS152194 (China Telecom Global), AS45753 (NETSEC-HK Netsec Limited), and AS55933 (CLOUDIE-AS-AP Cloudie Limited).

Surprisingly, however, in December 2024, we discovered nearly 40% of the FUNNULL CDN’s IP addresses belonged to AS8075 (MICROSOFT) and AS16509 (AMAZON), two major U.S.-based cloud providers.

It’s important to appreciate that FUNNULL has rented over 1,200 IPs from Amazon, and nearly 200 IPs from Microsoft – and most of those IPs only last a few weeks at most before being taken down, some lasting only days. But there is a clear and consistent pattern – FUNNULL CDN wants to continue to acquire IPs from both Amazon and Microsoft and seems willing to use illicit methods to acquire them – and appears to be succeeding regularly in their efforts.

[Figure: Silent Push search results showing FUNNULL CDN infrastructure details with IP addresses from Amazon, Microsoft, and other sources]
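The pattern described above (IPs lasting days to a few weeks before takedown, new ones appearing continually, a large share sitting in AS8075 and AS16509) is easiest to see by diffing successive forward A lookups of the mapping CNAMEs rather than by reading any single snapshot. The following added example, not Silent Push tooling, shows that bookkeeping: which IPs were taken down, which are newly mapped, how long each stayed mapped, and what fraction of the set sits in Western cloud ASNs. The snapshots and dates are constructed; the AS8075 and AS16509 addresses are taken from the report's sample table, and the AS152194 addresses are placeholders from the RFC 5737 TEST-NET-3 range.

```python
"""Track the rented-IP set behind a CDN's mapping CNAMEs across snapshots:
takedowns, new acquisitions, dwell time and Western-cloud share. Added
example, not Silent Push tooling; snapshots are constructed (see comments)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observed:
    """One IP returned by a forward A lookup of a mapping CNAME, with its ASN."""
    ip: str
    asn: int


# Constructed snapshots. The AS8075/AS16509 addresses come from the report's
# sample table; the AS152194 addresses are TEST-NET-3 placeholders, not
# real observations. Dates are constructed.
SNAPSHOT_DAY1 = {
    Observed("20.197.231.47", 8075),
    Observed("20.255.59.117", 8075),
    Observed("18.162.61.241", 16509),
    Observed("18.163.117.178", 16509),
    Observed("203.0.113.5", 152194),
    Observed("203.0.113.6", 152194),
}
SNAPSHOT_DAY8 = {
    Observed("20.255.59.117", 8075),
    Observed("20.198.57.52", 8075),       # newly mapped since day 1
    Observed("18.163.117.178", 16509),
    Observed("43.198.139.94", 16509),     # newly mapped since day 1
    Observed("203.0.113.5", 152194),
    Observed("203.0.113.6", 152194),
}
HISTORY = [(date(2024, 12, 1), SNAPSHOT_DAY1), (date(2024, 12, 8), SNAPSHOT_DAY8)]

WESTERN_CLOUD = {8075: "MICROSOFT", 16509: "AMAZON"}


def diff_snapshots(previous, current):
    """Return (newly_mapped, taken_down) as lists of Observed sorted by IP."""
    prev = {o.ip: o for o in previous}
    cur = {o.ip: o for o in current}
    newly_mapped = sorted((cur[ip] for ip in cur.keys() - prev.keys()), key=lambda o: o.ip)
    taken_down = sorted((prev[ip] for ip in prev.keys() - cur.keys()), key=lambda o: o.ip)
    return newly_mapped, taken_down


def asn_share(snapshot):
    """Per-ASN counts and the fraction of the set hosted in WESTERN_CLOUD ASNs."""
    counts = Counter(o.asn for o in snapshot)
    western = sum(counts[asn] for asn in WESTERN_CLOUD)
    return counts, (western / len(snapshot) if snapshot else 0.0)


def dwell_times(history):
    """Map ip -> (asn, first_seen, last_seen) across date-ordered snapshots."""
    seen = {}
    for day, snapshot in history:
        for o in snapshot:
            if o.ip not in seen:
                seen[o.ip] = [o.asn, day, day]
            else:
                seen[o.ip][2] = day
    return {ip: tuple(v) for ip, v in seen.items()}


def long_lived(history, min_days):
    """IPs that stayed mapped for at least min_days between first and last sighting."""
    return sorted(
        ip for ip, (_asn, first, last) in dwell_times(history).items()
        if (last - first).days >= min_days
    )


if __name__ == "__main__":
    new, gone = diff_snapshots(SNAPSHOT_DAY1, SNAPSHOT_DAY8)
    for o in new:
        print(f"NEW       {o.ip:16} AS{o.asn} {WESTERN_CLOUD.get(o.asn, '')}")
    for o in gone:
        print(f"TAKEDOWN  {o.ip:16} AS{o.asn} {WESTERN_CLOUD.get(o.asn, '')}")
    counts, share = asn_share(SNAPSHOT_DAY8)
    print(f"per-ASN: {dict(counts)}  western-cloud share: {share:.0%}")
    print("mapped >= 7 days:", long_lived(HISTORY, 7))
```

Run daily, the `newly_mapped` list is the set a defender can block or report before the provider's own takedown lands, and `long_lived` surfaces the IPs that, as the report notes, stay mapped for weeks rather than days.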

Using Silent Push’s extensive PADNS data, we have confirmed that FUNNULL has been renting Microsoft’s IP space since at least 2021, with some of these rented IPs mapped to FUNNULL for significant periods of time.​

[Figure: Silent Push Web Scanner results showing FUNNULL renting Microsoft IP space since 2021]

Based on a snapshot from December, across 438 IPs in the FUNNULL CDN, the vast majority are hosted in Hong Kong, Japan, and Singapore.

20 IP addresses, however, are currently hosted in the U.S.

And on any given day, even with IP takedowns and new IP addresses being added to the network regularly, it appears that FUNNULL always has some IP space in the U.S. and is constantly working to acquire more.

[Figure: Silent Push IOFA geolocation map of FUNNULL CDN IP addresses]

Retail Scams Find a Home in Infrastructure Laundering 

Digging deeper into the FUNNULL CDN, our threat researchers found a campaign targeting dozens of major brands, with what appeared to be a focus on luxury fashion companies, with phishing pages hosted on the Triad Nexus FUNNULL CDN infrastructure. The phishing pages targeted multiple brands, including:

Aldo, Asada, Bonanza, Cartier, Chanel, Coach, eBay, Etsy, Gilt Groupe, Inditex, Lotte Mart, LVMH, Macy’s, Michael Kors, Neiman Marcus, OnBuy[.]com, Rakuten, Saks Fifth Avenue, Tiffany & Co., and Valentino.

An Entire CNAME Dedicated to Criminal Phishing and Investment Scam Websites

Our team discovered approximately 650 unique domains hosted on one specific FUNNULL CNAME record. This intrigued our team, as it indicated intentional segmentation broken down by each criminal client.

We soon realized that a chunk of these domains were investment scam websites such as coroexchange[.]com, seen here:

[Screenshot: content previously hosted on coroexchange[.]com]

Beyond the investment scam sites, the other websites hosted on this CNAME all appeared to be a new retail phishing campaign targeting major Western brands, with phishing login pages such as bonanza.jdfraa[.]com.

[Screenshot: content previously hosted on bonanza.jdfraa[.]com]

Our analysts also discovered another technical commonality between the phishing web pages – something that helped us find 80 separate retail phishing sites, all seemingly operated by the same threat actor. For operational security purposes, however, we’re only sharing that fingerprint with our enterprise clients and law enforcement officials to keep tabs on this network’s operations in the future.

Retail Phishing Hosted via Infrastructure Laundering on Amazon AWS and Microsoft Azure

[Figure: Silent Push search results for FUNNULL CDN infrastructure details in the retail phishing campaign]

The retail phishing domains hosted on FUNNULL were seen across 9 ASNs. From highest to lowest density, they included:

  • CTGSERVERLIMITED-AS-AP CTG Server Limited, HK (152194)
  • BCPL-SG BGPNET Global ASN SG (64050)
  • AMAZON-02 US (16509)
  • MICROSOFT-CORP-MSN-AS-BLOCK US (8075)
  • AMAZON-AES US (14618)
  • ALIBABA-CN-NET Alibaba US Technology Co. Ltd. CN (45102)
  • SKYCLOUD-NET Skycloud Computing Co. Ltd. TW (7483)

Sample of FUNNULL IP Addresses and CNAME Mapping Details

If you are using Silent Push to investigate FUNNULL, you can conduct a forward A lookup on the three CNAME records that FUNNULL maps to rented IP addresses. These searches are done via our “Explore Indicator DNS Data” tool, shown in the screenshot below:

[Screenshot: Forward A lookup of *funnull100[.]com using the Silent Push “Explore Indicator DNS Data” tool]

As mentioned extensively, it appears both Amazon and Microsoft are essentially “under attack” by FUNNULL due to efforts to use numerous accounts to acquire IP addresses. FUNNULL essentially has agents moving faster than both of the companies, but you can see the takedowns and any new IPs via the queries included above.

To facilitate ad hoc investigations for anyone who doesn’t have a Silent Push account, we’ve included a small sample in the table below of some recent IPs rented by the FUNNULL CDN, which were owned by Microsoft or Amazon.

Thanks to collaborative efforts with our research team, FUNNULL should be banned from all of these listed IPs by the time of publishing, and we would like to express our appreciation for the efforts of both Microsoft and Amazon for trying to stop this ongoing abuse of their networks.

  • AS8075 (MICROSOFT)
  • AS16509 (AMAZON)

ASN     IP Address
8075    20.197.231[.]47
8075    20.255.59[.]117
8075    20.198.57[.]52
8075    104.214.176[.]22
8075    20.189.72[.]50
8075    20.244.100[.]21
8075    4.242.33[.]86
8075    20.255.249[.]158
8075    23.102.230[.]2
8075    4.240.77[.]234
8075    52.231.111[.]19
8075    20.201.125[.]114
8075    20.244.107[.]99
8075    20.255.50[.]154
8075    4.186.60[.]206
8075    20.205.30[.]219
8075    20.255.50[.]152
8075    52.247.251[.]209
8075    98.70.33[.]48
8075    4.240.75[.]72
8075    20.205.24[.]187
8075    20.187.147[.]2
16509   18.162.61[.]241
16509   18.163.117[.]178
16509   43.198.139[.]94
16509   18.166.63[.]180
16509   43.199.45[.]50
16509   18.162.151[.]226
16509   18.163.62[.]136
16509   16.163.103[.]39
16509   43.198.71[.]66
16509   35.78.66[.]160
16509   18.162.126[.]85
16509   18.163.8[.]163
16509   35.78.207[.]138
16509   18.162.151[.]167
16509   18.163.105[.]72
16509   18.163.183[.]181
16509   13.201.230[.]164
16509   43.199.134[.]208
16509   15.220.86[.]254
16509   18.162.146[.]57
16509   43.199.135[.]180
16509   18.182.24[.]73
16509   18.166.74[.]138
16509   18.163.189[.]59
16509   18.183.220[.]150
16509   18.163.55[.]222
16509   18.162.155[.]216
16509   18.167.96[.]56
16509   18.167.84[.]151
16509   43.198.31[.]47
16509   18.167.167[.]242
16509   18.166.78[.]43
16509   18.163.102[.]152
16509   18.166.74[.]182
16509   18.163.5[.]170
16509   18.163.8[.]154
16509   13.245.28[.]4
16509   13.247.101[.]138
16509   18.163.190[.]206
16509   43.198.21[.]215
16509   18.167.120[.]251
16509   18.166.77[.]70
16509   18.163.187[.]139
16509   18.166.67[.]99
16509   43.198.74[.]22
16509   18.167.12[.]32
16509   13.250.46[.]202
16509   18.166.51[.]9
16509   18.162.125[.]133
16509   18.166.74[.]48
16509   18.162.148[.]112
16509   18.163.5[.]121
16509   43.198.137[.]209
16509   18.167.68[.]76
16509   43.198.137[.]11
16509   18.163.50[.]251
16509   18.163.190[.]57
16509   13.202.94[.]191
16509   43.198.23[.]224
16509   15.220.83[.]92
16509   18.167.96[.]97
16509   18.166.74[.]44
16509   18.162.55[.]167
16509   18.162.134[.]4
16509   18.163.185[.]209
16509   18.167.103[.]17
16509   43.207.138[.]181
16509   18.162.148[.]219
16509   18.179.5[.]144
16509   18.167.103[.]205
16509   52.66.216[.]105
16509   18.166.58[.]42
16509   18.163.101[.]77
16509   18.163.129[.]197
16509   43.199.148[.]179
16509   18.166.55[.]111
16509   18.163.111[.]84
16509   18.167.116[.]54
16509   18.183.150[.]32
16509   43.199.135[.]111
16509   43.199.147[.]105
16509   18.163.105[.]202
16509   54.250.15[.]187
16509   18.163.190[.]230
16509   43.198.137[.]198
16509   52.198.10[.]138
16509   43.198.76[.]0
16509   18.167.96[.]137
16509   54.249.86[.]54
16509   18.166.58[.]36
16509   18.166.54[.]42
16509   18.166.65[.]147
16509   43.206.105[.]218
16509   18.166.65[.]127
16509   43.199.148[.]15
16509   18.166.51[.]252
16509   18.166.67[.]208
16509   43.199.146[.]85
16509   43.207.190[.]7
16509   54.255.167[.]157
16509   43.198.73[.]27
16509   43.198.77[.]99
16509   43.206.222[.]92
16509   43.199.136[.]74
16509   43.198.78[.]80
16509   18.162.151[.]254
16509   18.163.127[.]237
16509   35.78.73[.]152
16509   3.113.19[.]235
16509   43.198.71[.]199
16509   43.198.72[.]209
16509   43.198.78[.]18
16509   18.163.105[.]140
16509   18.166.55[.]109
16509   18.163.50[.]113
16509   18.167.85[.]174
16509   18.163.190[.]4

Looking Ahead, Bigger Questions Loom

As we noted previously, it is much easier for enterprises to defend against this type of crime if the services of mainstream providers are made unavailable to large criminal networks like FUNNULL.

And, while we can appreciate the challenges that cloud hosts are facing from a network that is using illicit means to acquire IPs, we believe the CNAME chain mapping techniques used by FUNNULL shine a bright light on all the IPs they have secretly rented.

Several Questions Remain

  • If the network is so clearly visible to us as cyber threat professionals, then why are cloud providers not able to take action in near real-time?
  • Should a CNAME chain that resolves to illicitly rented IPs be an architecture that is effective at keeping websites online?
  • And finally, do cloud hosts have an obligation to conduct these types of investigations themselves so that networks like FUNNULL can’t host criminal schemes for years while the cloud hosts merely play whack-a-mole with IP rental takedowns?

Amazon’s Public Statement on the Matter

“Prior to receiving a draft of this report, AWS was already aware of the activity and were suspending the fraudulently-acquired accounts that we now know were linked to the activity described by the researcher. After we received a copy of the report, we continued our investigations and suspended additional accounts. All accounts known to be linked to the activity are suspended. We can confirm that there is no current risk from this activity, and no customer action is required.

The report claims that AWS in some way enables or at least turns a blind eye to this kind of activity, and profits from it. Those claims are false. The actor involved in this activity uses fraudulent methods to temporarily acquire infrastructure, for which it never actually pays. Thus, AWS incurs damages as a result of the abusive activity.

The report promotes a new ‘infrastructure laundering’ concept, but the concept doesn’t involve laundering, a process in which something illicit or “dirty” becomes legitimate or “clean.” By using that phrase, the report insinuates that AWS is the intermediary to make the abusive activity appear legitimate and thereby harder to detect or block. That’s incorrect. Detecting the abuse of and/or blocking public IP addresses of cloud infrastructure is no more difficult than with any other public IP addresses.

When AWS’s automated or manual systems detect potential abuse, or when we receive reports of potential abuse, we act quickly to investigate and take action to stop any prohibited activity. In the event anyone suspects that AWS resources are being used for abusive activity, we encourage them to report it to AWS Trust & Safety using the report abuse form at https://support.aws.amazon.com/#/contacts/report-abuse

In this case, the authors of the report never notified AWS of the findings of their research via our easy-to-find security and abuse reporting channels. Instead, AWS first learned of their research from a journalist to whom the researchers had provided a draft. AWS had to contact the researchers proactively to obtain a draft of the report before publication.”

— End Public Statement —

Silent Push appreciates Amazon’s willingness to engage in constructive discourse on this matter. Our platform and data provide us with an excellent vantage point from which to track and monitor this type of activity at scale, as we have done for the last few years. In terms of AWS infrastructure utilized by FUNNULL, we have been tracking this threat’s use of Amazon IPs for nearly two years – during which Amazon has certainly put effort into identifying and taking down the instances their teams have uncovered.

We want to recognize that effort and share that we understand the difficulties inherent to mapping CNAME connections at this kind of scale. Particularly when new examples show up all the time, such as http[:]//43[.]198[.]25[.]172, which is actively hosted on AWS, displays the FUNNULL error page (as of this writing), and is mapped to the fn03.vip CNAME. We know it can be challenging for security teams to keep pace with the rapid emergence of new threats, but appreciate everyone’s efforts to stay informed on how criminals are attempting to obscure their activity by hiding among legitimately hosted cloud traffic.

Silent Push shines in this area, and we look forward to working with AWS on this matter in the future — from sharing our expertise in tracking criminal actors engaged in infrastructure laundering with defenders to illuminating these threats with public discussion.


Continuing to Track Infrastructure Laundering

Our team continues to track infrastructure laundering in all of its ever-evolving forms. We will report our findings to the security community as we identify new developments and other threat actors taking advantage of the practice.

We will also continue to share our research on threats we discover with law enforcement. If you happen to have any tips about threat actors participating in infrastructure laundering or engaging in other types of crime obfuscation activities, our team would love to hear from you.

Mitigation

Silent Push believes all domains associated with infrastructure laundering present some level of risk.

Our analysts construct Silent Push IOFA™ Feeds that provide a growing list of Indicators of Future Attack™ data focused on scams supported by this technique.

Silent Push Indicators of Future Attack™ (IOFA™) Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA™ Feed data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.


Register for Community Edition

Silent Push Community Edition is a free threat-hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types.

Click here to sign up for a free account.

ClouDNS Hostnames Discovered Accidentally Pointing to a Prolific Puma IP Address

Key Findings

Silent Push Threat Analysts recently discovered two hostnames, api2.cloudns[.]net and web2.cloudns[.]net, belonging to ClouDNS, that pointed to an IP address managed by threat actor Prolific Puma.

ClouDNS is a DNS hosting provider based in Bulgaria that appears to work with numerous enterprise organizations, including Hostway, KIA, Der Spiegel, Houston Community College, and more. When we contacted them, ClouDNS quickly updated the DNS records for the affected hostnames.

While we were not able to detect malicious activity around this discovery, we want to make our community aware of the risks a record like this creates:

  • A legitimate hostname that resolves to attacker-controlled infrastructure inherits the reputation of its parent domain, so traffic to it can pass reputation-based security products.
  • It can be used to target the organization directly: links on a familiar-looking domain are far more likely to be trusted by employees and users.
  • Because browsers scope cookies by domain, a hijacked subdomain can set or receive cookies shared with the parent domain, which is especially dangerous where that domain fronts an authentication provider; it is also an ideal place to host a sophisticated phishing kit.
  • Control of the subdomain is enough to pass domain-validation checks, so the attacker can obtain a valid SSL/TLS certificate for it and serve their content over HTTPS.

Mitigation

We encourage organizations to regularly check their DNS settings for hostnames pointing to IP addresses they don’t control or might not be using. Silent Push makes this process simple, enabling users to easily check DNS settings of interest by using our free Silent Push Community Edition account.
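As an added illustration (not Silent Push’s tooling or code), the script below shows what such a check looks like when run against a zone export: it follows each hostname’s CNAME chain to its terminal A record and flags names that resolve to address space outside the ranges the organization controls, that resolve to nothing (the classic dangling record), or that loop. The zone, the owned ranges and every hostname in it are constructed for the example. One caveat a practitioner would want: the owned-range list has to reflect what is currently allocated to you, because a cloud IP you once leased and released will otherwise still look like yours.

```python
"""Flag DNS hostnames whose records resolve to address space the organisation
does not control, following CNAME chains to their terminal A record.

The zone data below is constructed for this example; in practice it would come
from a zone file export or from live resolution of the hostnames of interest.
"""
import ipaddress

# Address space the organisation actually operates (constructed example ranges).
OWNED_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:10::/48")]

# Constructed zone: name -> (record type, value). All hostnames are hypothetical.
ZONE = {
    "www.example.test":   ("A",     "198.51.100.10"),
    "api2.example.test":  ("A",     "203.0.113.77"),          # points outside owned space
    "web2.example.test":  ("CNAME", "edge.example.test"),
    "edge.example.test":  ("CNAME", "cdn.provider.test"),
    "cdn.provider.test":  ("A",     "192.0.2.44"),            # third-party terminal A record
    "loop.example.test":  ("CNAME", "loop2.example.test"),
    "loop2.example.test": ("CNAME", "loop.example.test"),     # CNAME loop
    "old.example.test":   ("CNAME", "gone.provider.test"),    # target has no record at all
}

MAX_CHAIN = 8  # guard against runaway CNAME chains


def resolve_chain(name, zone=ZONE):
    """Follow CNAMEs from `name`; return (chain, terminal_ip_or_None, reason)."""
    chain = [name]
    cur = name
    for _ in range(MAX_CHAIN):
        rec = zone.get(cur)
        if rec is None:
            return chain, None, "NXDOMAIN"      # dangling: target no longer exists
        rtype, value = rec
        if rtype == "A":
            return chain, value, "ok"
        if rtype == "CNAME":
            if value in chain:
                return chain + [value], None, "cname-loop"
            chain.append(value)
            cur = value
            continue
        return chain, None, f"unsupported-{rtype}"
    return chain, None, "chain-too-long"


def is_owned(ip, owned=OWNED_RANGES):
    """True if `ip` falls inside one of the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in owned)


def audit(hostnames, zone=ZONE, owned=OWNED_RANGES):
    """Return {hostname: finding} for every host that needs review."""
    findings = {}
    for host in hostnames:
        chain, ip, reason = resolve_chain(host, zone)
        if ip is None:
            findings[host] = {"status": reason, "chain": chain}
        elif not is_owned(ip, owned):
            findings[host] = {"status": "external-ip", "chain": chain, "ip": ip}
    return findings


if __name__ == "__main__":
    my_hosts = sorted(h for h in ZONE if h.endswith(".example.test"))
    for host, finding in audit(my_hosts).items():
        print(host, finding)
```

Run it on a real zone by replacing `ZONE` with the exported records and `OWNED_RANGES` with your current allocations; anything reported as `external-ip` that is not a deliberate third-party service (CDN, SaaS) is a candidate for the kind of takeover described above.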

While the nature of this public-facing blog is to make our community aware of vulnerabilities associated with forgotten domains, Silent Push believes all domains associated with Prolific Puma offer some level of risk.

Our analysts have constructed a Silent Push IOFA™ Feed that provides a list of Prolific Puma Indicators of Future Attack™ (IOFA™). Silent Push threat researchers continuously track over a thousand active domains for Prolific Puma as we observe and monitor changes to this actor’s infrastructure. New discoveries, campaigns, and TTP changes will be immediately reflected in our feeds.

For operational security reasons, we are unable to publicly share the exact details of how we are tracking Prolific Puma infrastructure.

Silent Push IOFA™ Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA™ Feed data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.


Register for Silent Push Community Edition

Silent Push Community Edition offers free access to our threat-hunting and cyber defense platform, featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including both the Silent Push Web Scanner and Live Scan.

Infographic showing the steps involved in using the Silent Push free Community Edition

How Silent Push Tracks Threat Actors

Watch our presentation at mWISE 2024 to learn more about how we track threat actors like Prolific Puma.


Get a Demo of Silent Push Preemptive Threat Intelligence

Silent Push is the first and only provider to reveal unique threat patterns of all attacker infrastructure existing on the clear net and dark web.

We go beyond Indicators of Compromise (IOCs) and expose IOFA™ through our proprietary behavioral threat modeling. This allows security teams to reveal attacker campaigns before they even start – neutralizing threats and preventing damage.

Request a demo today to see how your team can block threats before they become problematic.

Dark Web Scanning with Silent Push Community Edition

In this blog, we’ll demonstrate how you can use Silent Push Community Edition to scan across the dark web using 50+ unique parameters, and obtain timestamped intelligence that reveals Tor infrastructure linked to activity on the public web.

Sign-up to Silent Push Community Edition.

Silent Push Community Edition is a free threat hunting and cyber defense tool featuring a range of advanced queries and lookups – built on a powerful first-party database of enriched DNS data – that allows users to locate known and hidden threat infrastructure on the public web and dark web.

What is the dark web?

The dark web is a hidden corner of the internet that is not accessible through standard browsers and search engines.

Dark websites reside on the deep web, which refers to all online content that is not indexed by search engines, such as private databases, online banking sites, and password-protected content.

Domains on the dark web are commonly referred to as “onion” sites, after the “.onion” top-level domain used by websites on the Tor network, the anonymity network (reached through the Tor Browser) that serves the vast majority of hidden websites.

Other dark web top-level domains do exist – such as .i2p on the Invisible Internet Project Network – but for the purposes of this blog, we’re going to focus on the Tor network.

Dark web anonymity

Onion sites are Tor “hidden services” (now called onion services): the .onion address is derived from the service’s own public key, and clients locate the service through Tor’s distributed hidden-service directory and reach it over an encrypted, multi-hop circuit, instead of the standard DNS resolution used to navigate the public web.

This routing scheme provides a high level of anonymity for both operators and visitors, making the dark web a digital haven for cybercriminals involved in all manner of threat activity, including the sale of confidential company data obtained during a security breach, typically as part of a ransomware attack.

Dark web marketplaces

Stolen data is offered for sale on illegal dark web marketplaces in exchange for cryptocurrency, alongside drugs, counterfeit goods, access to illegal software, and other illicit services; the infamous Silk Road, shut down by the FBI in 2013, is the best-known example.

Dark web scanning and threat hunting

Due to the sheer volume of illegal activity it hosts, the dark web can be reliably called a “target rich environment”, but its architecture makes it incredibly difficult for law enforcement and security teams to proactively locate threat infrastructure on the Tor network as they would do on the public internet, and investigate Advanced Persistent Threat (APT) groups that take advantage of the dark web’s secretive and decentralized nature.

Scanning vs. Monitoring

Cybersecurity tools that monitor .onion sites for stolen data and authentication details are relatively commonplace, even within small scale IT support operations, but these utilities are limited to passive searches that don’t allow security teams to hunt for specific elements of dark web infrastructure linked to a set of identifiable Tactics, Techniques and Procedures.

Dark web scanning in Silent Push Community Edition

Dark web scanning in Silent Push is the process of proactively locating (rather than passively monitoring) Tor sites linked to threat activity that targets an organisation, brand, or supply chain. It allows teams to make attributable links between .onion sites and associated clear web activity, aiding in the public identification of criminal behaviour.

Silent Push dark web scanning parameters

Silent Push Community Edition contains a dedicated dark web scanning utility that breaks .onion sites down into 50+ categories (including HTML body data, the favicon used, a real-time snapshot, and a range of JavaScript parameters). These mirror the parameters we use to collect data on standard public websites, so both datasets can be searched across within the same tool, Silent Push Web Scanner.

Silent Push dark web scanner UI

This allows teams to create a behavioral fingerprint of attacker activity that can be used to search across historic and real-time clear web and Tor website datasets for matching content, using a single query, to facilitate the public unmasking of dark web threat activity.

Combined public and dark web scan

Let’s take a look at a few examples…

Dark web scanning example: Favicon unmasking

Here’s a .onion site selling illegal access to PayPal and eBay accounts.

First, we executed a Live Scan to gather a real-time screenshot, and capture additional on-page data to use in a pivot:

Dark web Live Scan

Once we’d established a dataset, we executed a Web Scanner query that cross-referenced the MD5 hash of the dark web favicon with our public web dataset, to find matching results, including an IP address linked to an Apache server:

Based on the distinctiveness of the hash – and the absence of any other IPs associated with this particular favicon – it’s possible that the public IP hosts the hidden Tor service in question.

We’ve used this Tor site and favicon as an example, but any piece of on-page data can be utilized.

Dark web scanning example: JavaScript unmasking

Unique JavaScript hashes are another effective pivot point.

Our aggregation engine generates a searchable hash value for each JavaScript file referenced on a dark web or public web page, allowing teams to systematically search both datasets simultaneously for JavaScript elements shared by Tor sites and standard websites.

In this example, we’ve located a .onion site that references a JavaScript file with a unique hash (the “body_analysis.js_sha256” field), and executed a query that locates a public web site containing the exact same JavaScript code:
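The favicon pivot above and the JavaScript pivot here are the same operation on different artifacts: hash the artifact, look the hash up in the public-web dataset, and treat a match as a candidate link. The Python below, an added example that is not Silent Push’s query engine or code, does this over two constructed scan datasets (one onion record, several public hosts) and also handles the caveat the favicon example depends on: an artifact that appears on many public hosts (a stock web-server favicon, a popular JavaScript library) is dropped as non-distinctive rather than reported as a match. All hosts, addresses, hashes and artifact bytes are constructed.

```python
"""Pivot from a .onion site's on-page artifacts (favicon MD5, JavaScript SHA-256)
to public-web hosts serving identical content, ignoring artifacts too common to
be distinctive.

All scan records below are constructed for this example; the hashes are computed
from constructed byte strings, not taken from any real site.
"""
import hashlib
from collections import defaultdict


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed page artifacts (stand-ins for real favicon/JS bytes).
CUSTOM_FAVICON = b"\x00\x00\x01\x00 custom market icon"
STOCK_FAVICON = b"\x00\x00\x01\x00 stock web-server icon"   # the kind every default install serves
MARKET_JS = b"function checkout(){/* constructed, site-specific */}"
LIBRARY_JS = b"/* constructed stand-in for a widely deployed JS library */"


def scan_record(host, favicon, js_files, scanned_at):
    """One scan result in the shape this example uses: hashes only, no raw content."""
    return {"host": host, "favicon_md5": md5_hex(favicon),
            "js_sha256": {sha256_hex(j) for j in js_files}, "scanned_at": scanned_at}


# Hypothetical onion address; public hosts use documentation IP ranges.
ONION_SCAN = scan_record("examplemarket.onion", CUSTOM_FAVICON, [MARKET_JS, LIBRARY_JS], "2024-12-10T14:02Z")
CLEARNET_SCANS = [
    scan_record("192.0.2.10",   CUSTOM_FAVICON, [MARKET_JS, LIBRARY_JS], "2024-12-10T09:10Z"),
    scan_record("198.51.100.5", STOCK_FAVICON,  [LIBRARY_JS],            "2024-12-10T09:11Z"),
    scan_record("198.51.100.6", STOCK_FAVICON,  [LIBRARY_JS],            "2024-12-10T09:12Z"),
    scan_record("203.0.113.9",  STOCK_FAVICON,  [LIBRARY_JS],            "2024-12-10T09:13Z"),
    scan_record("203.0.113.10", STOCK_FAVICON,  [],                      "2024-12-10T09:14Z"),
]


def build_index(records):
    """Map (field, hash) -> set of hosts serving that artifact."""
    index = defaultdict(set)
    for r in records:
        index[("favicon_md5", r["favicon_md5"])].add(r["host"])
        for h in r["js_sha256"]:
            index[("js_sha256", h)].add(r["host"])
    return index


def artifacts_of(record):
    """Artifact keys of one scan: favicon first, then JS hashes in stable order."""
    return [("favicon_md5", record["favicon_md5"])] + \
           [("js_sha256", h) for h in sorted(record["js_sha256"])]


def pivot(onion, clear_index, max_prevalence=3):
    """Return (hits, ignored). `hits` maps each public host to the artifacts it
    shares with the onion site; `ignored` lists artifacts seen on more than
    `max_prevalence` public hosts, dropped because a stock favicon or a popular
    library would 'link' the onion site to every site that uses it."""
    hits = defaultdict(list)
    ignored = []
    for art in artifacts_of(onion):
        hosts = clear_index.get(art, set())
        if not hosts:
            continue
        if len(hosts) > max_prevalence:
            ignored.append(art)
            continue
        for host in hosts:
            hits[host].append(art)
    return dict(hits), ignored


def rank_candidates(onion, clear_records, max_prevalence=3):
    """Public hosts ordered by how many distinctive artifacts they share."""
    hits, _ = pivot(onion, build_index(clear_records), max_prevalence)
    return sorted(((host, len(arts)) for host, arts in hits.items()),
                  key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    hits, ignored = pivot(ONION_SCAN, build_index(CLEARNET_SCANS))
    for host, arts in hits.items():
        print(host, "shares", len(arts), "distinctive artifact(s) with the onion site")
    print("ignored as non-distinctive:", len(ignored))
    print(rank_candidates(ONION_SCAN, CLEARNET_SCANS))
```

The `max_prevalence` threshold is the knob that expresses “distinctiveness of the hash”: raise it and the widely deployed library starts producing matches on every host that loads it, which is exactly the false-positive class the favicon example had to rule out by hand.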

Dark web JavaScript scan

Historic dark web scanning at scale

Silent Push Community Edition dark web scanning provides timestamped result sets for all the .onion sites we collect data on, so that security teams can evaluate attacker behaviour over time and analyze how threat infrastructure is being modified to avoid detection.

Here’s an example that includes multiple snapshots of a .onion site taken on the same day:

Timestamped results

Dark web scanning results sets can also be amended to include or exclude any number of specified data categories, to drill down into hidden infrastructure for identifiable content and make tangible links with public domains.

Fields can also be searched independently of other categories, for quicker access to critical intelligence.

Available data categories


Araneida Scanner: Silent Push Discovers Cracked Acunetix Web App & API Scanner

Key Findings

  • Silent Push Threat Analysts have discovered that the Araneida Scanner – which appears to be based in part on a cracked version of Acunetix, a popular web app vulnerability testing tool – is being used by threat actors for illegal purposes.
  • Beyond Araneida, our threat analysts found another cracked tool, with a login panel in Mandarin, that is likely also abusing a cracked version of Acunetix software for launching reconnaissance for future attacks.
  • Our investigation was prompted by one of our partners sharing information on a reconnaissance effort made against them.
  • Update 12.19.24: After Silent Push analysts shared our research with Brian Krebs of Krebs on Security, he published a report that connects the owner of Araneida to a software developer living in Ankara, Turkey. Read more at “Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm”.


Executive Summary

Silent Push Threat Analysts have discovered that the Araneida Scanner, which appears to be based in part on a cracked version of Acunetix, a popular web app vulnerability testing tool, is being used for illegal purposes, including conducting offensive reconnaissance on potential target sites, scraping user data, and finding vulnerabilities for exploitation.

Araneida was recently used in a reconnaissance effort against one of our partners, which is what initially prompted our investigation.

Additional investigation has indicated that third parties are promoting Araneida on platforms such as Telegram and selling hundreds of thousands of stolen credential sets.

The Telegram channel provides guidance on using the tool for malicious purposes. Some threat actors using the Araneida scanner boast of taking over thousands of websites, using funds obtained from malicious activities to buy luxury cars, and reveling in wreaking chaos on tech websites.

Silent Push Enterprise users have access to two dedicated IOFA Feeds containing all the true positive domains and IP addresses we have gathered during our research.

For operational security reasons, we are unable to share the exact specifics of each query and pivots utilized. Silent Push Enterprise customers have access to a dedicated Araneida Scanner TLP: Amber report, which contains the relevant data types and pivot points we used to track the infrastructure referenced in this blog.


Sign Up for a Free Silent Push Community Account

Register for our free Community Edition to use all of the tools and queries mentioned in this blog.


Background

Silent Push Threat Analysts received intelligence from a partner organization that identified an aggressive scanning effort on their website using an IP address previously associated with a FIN7 campaign. However, we didn’t have full confidence that FIN7 controlled the IP address at the time of the scanning. The IP address featured specific metadata, “Araneida Customer Panel,” which we quickly confirmed was a key to uncovering more unique IP addresses hosting this service.

Our team discovered that a scanning tool called “Araneida – WebApp Scanner” is being publicly sold and used by threat actors to conduct offensive reconnaissance on potential target websites, scrape user data, and find vulnerabilities for exploitation.

We also discovered another cracked tool, owned by an entity whose login page and HTML title are in Mandarin. Silent Push Threat Analysts haven’t found a public sales process for this product yet, but the same Chinese-language panel has been hosted on 20 unique IP addresses, indicating some diversity in deployments.

Both appear to be based on cracked, unauthorized versions of Acunetix, a popular web app vulnerability testing tool.

Araneida was recently used in a reconnaissance effort against one of our partners, which initiated our current investigation. Both Araneida and the Chinese language panel using this cracked enterprise software could be used for reconnaissance prior to launching sophisticated offensive attacks.

Our team has executed granular content scans in the Silent Push Web Scanner to locate and traverse Indicators Of Future Attacks (IOFAs) related to the cracked Acunetix control panel infrastructure.

Araneida admins are also actively marketing the tool’s criminal capabilities on Telegram and selling hundreds of thousands of credential sets stolen through Araneida.

Both threat actors are using legacy Acunetix SSL certificates on active control panels, which provides a solid pivot for finding some of this infrastructure, particularly from the Chinese threat actors.

The Araneida Scanner has a unique setup that is important for defenders to understand in order to detect and block:

  • After acquiring the Araneida Scanner, a user is given the client as a Windows executable (.exe) file. ​
  • The user installs the executable file, logs into the Araneida client, and is directed to follow specific steps to set up the scanner.
  • ​Araneida is a noisy scanner. If the tool is being used against any of your hosts, you will see requests attempting to connect to various endpoints and making requests to random URLs associated with specific CMS/products:

Araneida Scanner requests attempting to connect to various endpoints
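What “noisy” looks like in a web server’s access log, and one way to flag it, as an added example that is not Silent Push’s detection logic and not captured Araneida traffic: the log lines, the list of product-specific paths and the thresholds are all constructed for this example. The detector groups requests by client, slides a time window over them, and reports a client when the window holds many requests, a high share of 404s, and several probes for paths belonging to CMS/products the site does not run.

```python
"""Flag clients behaving like a noisy web-application scanner in an access log:
many distinct paths, a high 404 ratio, and probes for paths tied to CMS/products
the site does not run, all from one client in a short window.

The log lines, the probe-path list and the thresholds are constructed for this
example; they are not captured Araneida traffic or a fingerprint of it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined/common log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed: product-specific paths this site does not serve. A real list is
# derived from what you deploy versus what scanners commonly probe for.
FOREIGN_PRODUCT_PATHS = ("/wp-login.php", "/wp-content/", "/administrator/",
                         "/xmlrpc.php", "/phpmyadmin/", "/.env")

# Constructed sample log: one scanning client, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2024:14:02:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162
203.0.113.7 - - [10/Dec/2024:14:02:01 +0000] "GET /administrator/index.php HTTP/1.1" 404 162
203.0.113.7 - - [10/Dec/2024:14:02:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162
203.0.113.7 - - [10/Dec/2024:14:02:02 +0000] "GET /.env HTTP/1.1" 404 162
203.0.113.7 - - [10/Dec/2024:14:02:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Dec/2024:14:02:03 +0000] "GET /a7f3k2/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Dec/2024:14:02:04 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Dec/2024:14:02:04 +0000] "GET /wp-content/plugins/ HTTP/1.1" 404 162
198.51.100.20 - - [10/Dec/2024:14:02:05 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.20 - - [10/Dec/2024:14:02:09 +0000] "GET /about HTTP/1.1" 200 3310
198.51.100.20 - - [10/Dec/2024:14:02:30 +0000] "GET /contact HTTP/1.1" 200 2810
198.51.100.20 - - [10/Dec/2024:14:03:10 +0000] "GET /favicon.ico HTTP/1.1" 404 162
"""


def parse(log_text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
                   "path": m["path"], "status": int(m["status"])}


def detect_scanners(log_text, window=timedelta(seconds=60), min_requests=8,
                    min_404_ratio=0.5, min_foreign_hits=3):
    """Return {ip: evidence} for clients whose requests in some sliding window
    meet every threshold. The thresholds are tuning knobs for your own traffic."""
    by_ip = defaultdict(list)
    for r in parse(log_text):
        by_ip[r["ip"]].append(r)
    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(reqs)):
            while reqs[end]["ts"] - reqs[start]["ts"] > window:
                start += 1                      # slide the window forward
            win = reqs[start:end + 1]
            if len(win) < min_requests:
                continue
            n404 = sum(r["status"] == 404 for r in win)
            foreign = {r["path"] for r in win if r["path"].startswith(FOREIGN_PRODUCT_PATHS)}
            if n404 / len(win) >= min_404_ratio and len(foreign) >= min_foreign_hits:
                findings[ip] = {"requests": len(win),
                                "distinct_paths": len({r["path"] for r in win}),
                                "not_found_ratio": round(n404 / len(win), 3),
                                "foreign_product_paths": sorted(foreign)}
                break                           # one finding per client is enough
    return findings


if __name__ == "__main__":
    for ip, evidence in detect_scanners(SAMPLE_LOG).items():
        print(ip, evidence)
```

Tune `min_requests` and `window` to the site: a busy API client can produce many requests per minute, but it will not produce a 404 ratio near 1 or probes for a CMS you do not run, which is why all three conditions have to hold together.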


Initial Intelligence: Suspicious Website Scanning

Based on the intelligence shared with us by a partner regarding the aggressive scanning effort, our team began researching an IP address that had hosted content and specific metadata.

We quickly confirmed the data and that additional websites were using this unique Araneida hosting service. Further investigation of these websites revealed they shared proprietary information associated with Acunetix.

Silent Push research found the websites in question shared information with Acunetix

The utility used to scan our partner’s network featured the name “Araneida” but also used information from Acunetix, suggesting the presence of cracked software.

After making this assumption, our team contacted the Invicti team, which owns the Acunetix product, and they quickly confirmed our suspicions.

The Invicti team confirmed that a cracked version of Acunetix was being sold. They also confirmed that there were no impacts on their clients—the integrity of data at Invicti was never at risk, and this is an isolated incident.

We appreciated the Invicti team’s quick and transparent confirmation and the additional details they provided.

First Public Mentions of Araneida & Acunetix in 2023

Several threat intelligence vendors and researchers discussed Araneida publicly on June 5, 2023, with FalconFeeds[.]io apparently being the first to share details:

Screenshot of FalconFeeds first to share details of Araneida Scanner
x[.]com/FalconFeedsio/status/1665690661377691649

On the same day, Chris Duggan of TLP R3D Intelligence was the first to connect Araneida to Acunetix:

Chris Duggan of TLP R3D was first to connect Araneida with Acunetix
x[.]com/TLP_R3D/status/1665777020767293447

Duggan was also the first to flag the domain that is still selling the Araneida Scanner: araneida[.]co

Duggan was also first to flag the domain still selling Araneida Scanner
x[.]com/TLP_R3D/status/1665778273639448580

Investigating Araneida

Our team was able to determine that the Araneida Scanner is still being sold in 2024 via araneida[.]co, which was a domain created in February 2023:

Silent Push Total View screen highlighting site still selling Araneida Scanner

Araneida acquisition screen

Inside the scanner product, this is what the client looks like after login:

Example screen of client login to Araneida Scanner

This is a brief video showing the features in the Araneida Scanner:

The video clip above highlights features in the Araneida scanning product

Between September 2023 and March 2024, 36 unique IP addresses hosted a page referencing the “Araneida Customer Panel.” The fact that we hadn’t seen any results since March 2024 indicated that the network operators changed their deployment behaviors.

During the course of our research, we realized there was a second threat actor beyond Araneida likely using a cracked version of Acunetix.

Araneida Telegram Channel

The Araneida Telegram channel, t[.]me/araneida_official, has nearly 500 members.

The Telegram channel provides guidance on how to use the tool for malicious purposes and boasts of having “taken over more than 30K websites in 6 months,” with operators using the funds obtained to buy “a Porsche from the dumps he sold,” and claims that “Tech websites, especially french ones aren’t happy because of Araneida :)”

Telegram channel stating fun facts about Araneida Scanner
t[.]me/araneida_official

In July 2024, the Telegram channel admins also promoted a Selenium-based “Netflix Checker” tool, which scrapes cookies, payment information, and personal details from Netflix accounts:

Telegram example of Araneida Scanner Netflix scraper promo
t[.]me/araneida_official Netflix scraper promo

The Telegram channel operators also sell email and password dumps that are likely acquired using their tool, such as the example (below) with hundreds of thousands of login credentials obtained from a UK website:

Telegram example of Araneida credential sale
t[.]me/araneida_official credential sale

Chinese Portals Likely Using a Cracked Acunetix Scanner

Continuing our research soon led us to a set of hosts presenting the same legacy Acunetix SSL certificate but with a login page in Mandarin.

The first results for this legacy Acunetix SSL on a page with Mandarin language appeared in 2023, and many of the websites are still live, hosting a login portal (as of December 2024):

The page translated into English:

Araneida translated page offers two files available for download

On these login pages, two files are available for download: one appears to be a “plugin” labeled “UkeyService_pre”, and the other is labeled “Customer End” and is a .exe file called “FlkVPN”.

These hosts present a self-signed SSL certificate whose issuer field names Acunetix and which was created three years ago (2021); it differs from the certificates used on legitimate Acunetix corporate infrastructure:

Hosts feature a self-signed SSL certificate issued by Acunetix in 2021


Other Threat Actors Abusing Acunetix

Several instances of threat actors misusing Acunetix have been reported since at least 2020.

In November 2020, a joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) reported that an Iranian advanced persistent threat (APT) actor was using an Acunetix vulnerability scanner to target U.S. state and election websites to obtain voter registration data.

In March 2024, Lumen reported that the Faceless proxy service had one IP address being used as a relay to communicate with “Moon and/or Faceless C2s” and that it had an Acunetix web vulnerability scanner service running on two ports.

More recently, in May 2024, Natto Thoughts highlighted the use of Acunetix in the offensive reconnaissance efforts of APT41, the Chinese state-linked threat group. Natto Thoughts cited a U.S. Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) report, which lists Acunetix first among the “well-known security tools” used by APT41:

“APT41 also uses well-known security tools, such as Acunetix, Nmap, JexBoss, Sqlmap, a customized version of Cobalt Strike, and fofa[.]su, which is roughly a Chinese equivalent of the popular website Shodan.

To conduct reconnaissance, they are known to use the previously-mentioned Acunetix and Nmap, as well as Sqlmap, OneForAll, subdomain3, subDomainsBrute, and Sublist3r. They frequently use spear-phishing as an infection vector, but are also heavily reliant on SQL injections to initially penetrate a target organization.”

The Chinese organizations using a cracked version of Acunetix could be associated with APT41 but we currently have no additional details connecting the efforts.


Continuing to Track Cracked Acunetix / Araneida Scanner

Silent Push threat researchers will continue to observe and monitor changes to this actor’s infrastructure. New discoveries and TTP changes will be immediately reflected in our feeds.

We’ve also published a TLP: Amber report for Enterprise users that contains links to the specific queries we’ve used to identify and traverse the cracked Acunetix Scanner infrastructure—including proprietary queries and specific analysis that we have omitted from this blog.

Mitigation

Silent Push believes all cracked Acunetix Scanner hosts offer some level of risk.

Our analysts have constructed a Silent Push IOFA Feed that provides a list of Araneida Scanner Indicator of Future Attack domains focused on their scams, along with an IOFA Feed containing suspect Araneida Scanner IP addresses.

Silent Push IOFA Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA Feed data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.


Register for Community Edition

Silent Push Community Edition is a free threat-hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including Silent Push Web Scanner and Live Scan.

Click here to sign up for a free account.


Sample Indicators of Future Attacks (IOFAs)

  • 157.254.237[.]94
  • 163.5.169[.]250
  • 163.5.169[.]45
  • 163.5.210[.]49
  • 163.5.32[.]179
  • 163.5.32[.]202
  • 163.5.32[.]203
  • 163.5.32[.]204
  • 163.5.32[.]72
  • 205.234.181[.]204
  • 23.26.77[.]145

Machina Records Partnership with Silent Push

Machina Record Partners with Silent Push Offering a Preemptive Cyber Defense Solution to Stop Attacks and Prevent Damage

Attacker Behaviors are Identified Before They Strike Through Indicators of Future Attacks (IOFA) Data from Silent Push.

Tokyo, Japan, Dec 17, 2024. Machina Record Co. Ltd., a cyber threat intelligence consultancy, announced its partnership with Silent Push to offer early global threat detection services to its customers to block attacks and reduce the risk of reputational loss. 

Threat actors continue to advance their strategies leveraging GenAI to quickly form an attack. Without preemptive cyber defense, companies are exposed and vulnerable to hidden adversary infrastructure. Silent Push provides a complete view of emerging threat infrastructure in real-time, revealing cyber-attackers and malicious intent all within a single platform. 

Yusuke Gunji Machina Record CEO, stated, “Silent Push shares in our mission to make the world a safer and more secure society. Together we can enable our customers to stabilize and protect their organization by stopping attackers before they strike. Effective cyber intelligence goes beyond collecting and analyzing large amounts of information from the Internet. The unique approach from Silent Push is delivered with precision and speed to help you stay ahead of adversaries.”  

“Too often legacy solutions just rely on Indicators of Compromise (IOC) with limited visibility and missing data. We go beyond IOCs and expose Indicators of Future Attacks through our proprietary behavioral threat modeling, allowing security teams to identify detailed and unique patterns that reveal attacker campaigns before they even start—neutralizing threats and avoiding damage,” said Ken Bagnall, Silent Push CEO. “We welcome this partnership with Machina Record in Japan to help organizations quickly pinpoint malicious actors and disrupt their plans,” added Bagnall.

Machina Record encourages its customers to experience the power and effectiveness of the Silent Push platform through the free community edition. Learn more here. 

About Machina Record

Machina Record is a cyber threat intelligence consultancy. Its leading data aggregation platform collects and organizes vast amounts of publicly available data from across the internet, providing organizations with a comprehensive view of individuals, entities, and online activity. Machina Record partners with emerging and innovative partners to provide the most impactful solutions across the globe. For more information, visit www.MachinaRecord.com.


Ready to dive deeper into the world of preemptive threat intelligence? Begin your journey with the Silent Push free Community Edition today.