
How to use Silent Push to enrich an ASN with contextual threat intelligence data

Data enrichment allows security teams to pinpoint the origin, function and risk level of a domain, IP address, or Autonomous System (AS).

ASN enrichment returns multiple categories and sub-categories that provide significantly greater context than standard DNS lookups and queries are able to achieve.

In this blog, we’ll explore the concept of ASN enrichment via Silent Push. We’ll take you through how to enrich an ASN using the Silent Push console, what data is returned, our risk scoring methodology and how to turn enriched ASN data into actionable intelligence.

What are Autonomous Systems?

Just like a post office manages the mail it receives and delivers, Autonomous Systems manage a specified set of IP addresses, using a routing policy that dictates how traffic moves to and from their IP space to enable the efficient exchange of information across the globe.

In a hierarchical sense, Autonomous Systems identify entire networks, while subnets are divisions within those networks, managed by the AS itself.

Autonomous System Numbers

An Autonomous System Number (ASN) is a unique numerical identifier (e.g. 5483), displayed as a 16- or 32-bit number, that allows networks to communicate with each other and ensures that data packets are routed correctly.

Like a digital license plate, ASNs can be used by security analysts to attribute malicious activity to certain actors, or map relationships across an attack chain (i.e., between organizations, hosting providers and service providers). 

What role do Autonomous Systems play in CTI?

ASN analysis features prominently throughout a range of threat hunting and cyber defense workflows.

Security teams search across ASN data to join the dots across the global IP space in a variety of ways, from establishing a geographical picture of where threats may be originating from, to behavioral analysis, internal scoring methodologies and general risk-based countermeasures.

These use cases, however, are not without their challenges. Analysts are faced with the obstacle of incomplete AS datasets that only provide a basic level of information, without the requisite categorization of risk levels, subnets and interval-based analysis that shines a light on malicious activity amongst an ocean of irrelevant and distracting data.

Data independence

What if a security analyst was able to enrich ASN data to provide all of this information in one place, from ASN reputation scoring to the parameters of each subnet address associated with an AS?

Silent Push achieves this by using our own first-party intelligence data that’s collected, clustered, scored and delivered without third-party intervention.

This allows us to add an infinite amount of context to each ASN that we encounter, drill down into actionable data, and provide this information alongside other key observables via an integrated console, saving valuable time and resources for frontline security teams and researchers across a range of CTI workflows.

Accessing ASN Enrichment in Silent Push

There are two ways to enrich an ASN in Silent Push:

If you do NOT know the ASN

Enrich a domain or IP address and pivot into enrichment from the returned ASN.

If you DO know the ASN

Enter the ASN directly into the search bar, and click ‘Enrich’.

ASN enrichment categories

1. Highlights

ASN Enrichment Highlights are shown at the top of the ASN Enrichment page.

These are a group of scores and numerical values that act as reliable indicators of an ASN’s risk level.

ASN enrichment Highlights include:

2. ASN Information

The ASN Information category does exactly what it says on the tin. It gives a basic overview of the enriched ASN, including its unique identifier number, size, provider name, density, maximum density, active IPs and active subnets.

3. WHOIS RDAP data

The WHOIS RDAP category returns administrative data pulled from WHOIS and RDAP registration lookups in one centralized location, presented alongside other key data types.

4. ASN Takedown reputation

ASN takedowns play a critical role in protecting the digital assets of an organization.

The ASN Takedown Reputation category details how efficiently malicious domains are being removed on the ASN.

ASN Allocation Age indicates the age of the ASN in days, and the ASN Allocation Date indicates precisely when the Internet Assigned Numbers Authority (IANA) allocated the ASN.

The ASN Takedown Reputation Score is a Silent Push invention that measures the ability and willingness of a network’s service provider to take action to mitigate cyber threats associated with the network.

The score is calculated using a combination of attributes, including the service provider’s history of responding to abuse reports, and the time it takes to mitigate malicious activity associated with their network.

  • A high takedown reputation score indicates that the network provider is more likely to take swift action in mitigating malicious activity associated with their network.
  • A low takedown reputation score indicates the network provider is less likely to be responsive or effective at mitigating known threat activity.

5. ASN reputation

The ASN Reputation indicates the trustworthiness and legitimacy of the IPs associated with a particular ASN. It’s calculated as the ratio of blacklisted IPs to the total number of IPs that have been observed as active within the ASN in the last 30 days.

  • A high score suggests that an ASN has a large number of blacklisted IP addresses associated with its network.
  • A low score indicates the ASN has a minimal number of blacklisted IP addresses associated with its network, and that the ASN is likely trustworthy.

6. Active Subnets

This category highlights all active subnets associated with the ASN.

It details the size of the subnet, active IPs on the subnet, active density, max density and density standard deviation. This helps security teams map out the scope of an ASN’s subnets, and monitor for suspicious activity.

7. Graphical data

The ASN Takedown Reputation History and ASN Reputation History graphs provide a visual timeline that maps out the risk level associated with a specific ASN over a set period of time, providing further context for teams looking to assess the risk level associated with a given ASN.
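As an added example (not Silent Push’s own code), the Python below works through the scoring ideas described in the ASN Reputation and Active Subnets categories above: the 30-day window of active IPs, the blacklisted-to-active ratio, and per-subnet density with its standard deviation. The observation records, the subnet allocations and the 0-100 scaling are constructed assumptions made for the illustration.

```python
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
from statistics import pstdev

# Constructed observations: (ip, asn, last_seen as ISO date, blacklisted).
# ASNs and prefixes are documentation/private ranges, not real networks.
OBSERVATIONS = [
    ("203.0.113.10",  64496, "2024-05-01", False),
    ("203.0.113.11",  64496, "2024-05-02", True),
    ("203.0.113.12",  64496, "2024-05-02", True),
    ("203.0.113.12",  64496, "2024-05-09", True),   # same IP observed twice
    ("203.0.113.200", 64496, "2024-01-03", True),   # outside the 30-day window
    ("198.51.100.7",  64496, "2024-05-08", False),
    ("198.51.100.8",  64496, "2024-05-08", False),
    ("192.0.2.5",     64497, "2024-05-05", False),
]

# Constructed subnet allocations per ASN
SUBNETS = {
    64496: ["203.0.113.0/24", "198.51.100.0/28"],
    64497: ["192.0.2.0/24"],
}

WINDOW_DAYS = 30


def active_ips(asn, as_of, observations=OBSERVATIONS):
    """Return {ip: blacklisted} for IPs seen on `asn` in the 30 days up to `as_of`.

    Repeated sightings collapse to one IP; an IP counts as blacklisted if any
    in-window observation flagged it.
    """
    end = date.fromisoformat(as_of)
    cutoff = end - timedelta(days=WINDOW_DAYS)
    seen = {}
    for ip, obs_asn, last_seen, blacklisted in observations:
        day = date.fromisoformat(last_seen)
        if obs_asn != asn or day < cutoff or day > end:
            continue
        seen[ip] = seen.get(ip, False) or blacklisted
    return seen


def asn_reputation(asn, as_of, observations=OBSERVATIONS):
    """Blacklisted-to-active ratio scaled to 0-100 (the scaling is an assumption).

    Higher means a larger share of blacklisted IPs, as the blog describes.
    An ASN with nothing active in the window scores 0 instead of dividing by zero.
    """
    ips = active_ips(asn, as_of, observations)
    if not ips:
        return 0
    return round(100 * sum(ips.values()) / len(ips))


def subnet_stats(asn, as_of, observations=OBSERVATIONS, subnets=SUBNETS):
    """Size, active IP count and density (active / size) for each subnet of an ASN."""
    ips = [ip_address(ip) for ip in active_ips(asn, as_of, observations)]
    rows = []
    for cidr in subnets.get(asn, []):
        net = ip_network(cidr)
        active = sum(1 for ip in ips if ip in net)
        rows.append({"subnet": cidr, "size": net.num_addresses,
                     "active_ips": active, "density": active / net.num_addresses})
    return rows


def density_stddev(rows):
    """Population standard deviation of the subnet densities (0.0 if fewer than two)."""
    if len(rows) < 2:
        return 0.0
    return pstdev([r["density"] for r in rows])


if __name__ == "__main__":
    as_of = "2024-05-10"
    print("AS64496 reputation:", asn_reputation(64496, as_of))   # 40
    rows = subnet_stats(64496, as_of)
    for row in rows:
        print(row)
    print("density std dev:", density_stddev(rows))
```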

Register for Community Edition

ASN Enrichment is available as part of Silent Push Community Edition – a free threat hunting and cyber defense tool used by security teams, threat analysts, and researchers that features 90+ data enrichment categories that you can use to track and monitor attacker activity across the global IPv4 space.

Click the button below to sign up for a free account.


Release 4.2

Release 4.2 is now live!

We’ve added plenty of new functionality to our data enrichment feature – you can now enrich an ASN and an IPv6 address. We’ve also provided Enterprise users the ability to drill-down into IOFA Feed data with a dedicated space for curated IOFA Feeds, and an all-new ‘Feed Analytics’ screen.

New IOFA Feeds

A new IOFA Feeds page has been introduced under Data Marketplace.

The curated feeds contain intelligence on a range of specific threat actors, C2 infrastructure, threat campaigns and attack vectors.

You can also view detailed feed metrics including:

  1. Geographic data
  2. ASN count
  3. Historical IOFA count
  4. TLD and ASN distribution
  5. Featured registrars and nameservers

Indicators of Future Attack (IOFA) Feeds page

ASN Enrichment Page

There is now a dedicated ASN Enrichment page which outputs ASN data similar to our existing domain and IP enrichment pages. Users can now access:

  1. Basic ASN information
  2. WHOIS RDAP data
  3. ASN reputation data, including takedown reputation and graphical representations of 30-day scoring metrics
  4. Active subnets, including each subnet’s range, size, density and the number of active IPs

The page also includes a graphical representation of ASN Takedown Reputation History and ASN Reputation History using 30-day scoring metrics. 

ASN Enrichment page

IPv6 Enrichment Page

Users can now enrich an IPv6 address and view all of our available intelligence across 12 categories and sub-categories. Users are able to view:

  1. Enrichment highlights, including risk and reputation scores
  2. Basic information
  3. DNS records
  4. Associated ASN information, including reputation and takedown scores

Users can conveniently pivot to this page from anywhere within the platform where IPv6 addresses are displayed.

IPv6 Enrichment page

Additional resources

Visit the Silent Push Knowledge Base to view detailed guides and information regarding the platform and our latest releases.

Get in touch

Have any questions about the new release, or would you like to learn more about our Community and Enterprise Editions? Get in touch today and we’ll get back to you shortly.


Silent Push wins 2024 Cybersecurity Excellence Award in Threat Intelligence category

We’re honored to have recently been granted the 2024 Cybersecurity Excellence Award in the Threat Intelligence category. The past two years have seen significant growth, not only of our platform, but also our team and subsequent expertise. We’d like to thank our users, partners, and investors who have supported us along our journey.

The Cybersecurity Excellence Awards recognize and celebrate companies, products, and professionals that demonstrate excellence, innovation, and leadership in information security. 

“We congratulate Silent Push on being recognized as an award winner in the Threat Intelligence category of the 2024 Cybersecurity Excellence Awards,” said Holger Schulze, CEO of Cybersecurity Insiders and founder of the 600,000-member Information Security Community on LinkedIn, which organizes the 9th annual Cybersecurity Excellence Awards. “With over 600 entries across more than 300 categories, the awards are highly competitive. Silent Push’s achievement reflects outstanding commitment to the core principles of excellence, innovation, and leadership in cybersecurity.”

Since the beginning, our mission has remained the same: to help organizations move away from post-breach data and IOCs contained within most threat feeds and consoles, and operate more effectively with a set of security practices that place an emphasis on intelligence data that’s pre-evaluated and easy to ingest.

“Organizations are desperately trying to better detect and block emerging attacker activity prior to an attack launching. Timely, Accurate and Complete first-party data sets Silent Push apart from legacy threat intel providers, exposing Indicators of Future Attack (IOFA) that allow customers to act before a breach occurs.” – Ken Bagnall, Silent Push CEO

We can’t wait to see what the future holds for us and look forward to sharing new platform features and functions, continuing our efforts to detect threats before they’re weaponized.


Silent Push teams up with ThreatConnect to deliver powerful inbound and outbound integration

We’re excited to announce that we have released both an inbound and outbound integration with ThreatConnect. The integration allows users of both platforms to perform 23 actions via a Playbook App across Silent Push enrichment, DNS, and threat intelligence data features.

About ThreatConnect

ThreatConnect is a cybersecurity platform which combines threat intelligence analysis with management, automation, orchestration, knowledge capture, and cyber risk quantification to help security teams operate more efficiently. Threat intelligence operations, also known as TI Ops, enables ThreatConnect customers to easily prioritize and take action on the most dangerous risks to their business.

About the integration

This integration is both inbound and outbound, meaning it can be accessed via a Playbook App on ThreatConnect or via Silent Push by ingesting a custom feed.

Via ThreatConnect

We have partnered with our colleagues at ThreatConnect to produce a Playbook App that provides ThreatConnect users access to Indicators of Future Attack: domain, IP and URL data that explains the relationship between billions of observable data points across the internet. Users are now able to access 23 available actions across several core components of the Silent Push platform, including risk and reputation scoring, PADNS lookup functions, and bulk data feeds. A full list of available actions can be viewed at the bottom of this post.

Via Silent Push

Users of the Silent Push platform can now ingest a feed of indicators from ThreatConnect by using the ‘Create feed from URL’ function and entering your authentication details.

How to get started

We’ve created a short Knowledge Base guide to show you how to install this integration via ThreatConnect or Silent Push. The document also includes a more thorough Installation and Configuration Guide provided by ThreatConnect.

Available actions include: 

  1. Domain Enrichment 
  2. Domain Search 
  3. Domain Typosquatting Search 
  4. Forward PADNS Lookup 
  5. Get ASN Reputation 
  6. Get ASN Reputation History 
  7. Get ASN Takedown Reputation 
  8. Get ASN Takedown Reputation History 
  9. Get Bulk Domain Information 
  10. Get Bulk Domain Risk Score 
  11. Get Bulk IPv4 History Information 
  12. Get Bulk IPv4 Information 
  13. Get Bulk IPv4 Risk Score 
  14. Get Cousin Domains 
  15. Get Nameserver Reputation 
  16. Get Nameserver Reputation History 
  17. Get Sibling Domains 
  18. Get Subnet Reputation 
  19. Get Subnet Reputation History 
  20. IPv4 Enrichment 
  21. Multicondition PADNS Lookup 
  22. Reverse PADNS Lookup 
  23. Advanced Request 

Silent Push maps 5000+ domains and IPs affected by CrushFTP zero day exploit (CVE-2024-4040).

Executive Summary

On April 19th, CrushFTP released a public security advisory (since categorized as CVE-2024-4040, with a severity score of 9.8) that warned users about a zero-day bug in all versions prior to 10.7.1 and 11.1.0.

The exploit allows unauthenticated attackers to escape a user’s Virtual File System (VFS) via the WebInterface port, obtain administrative access, and execute remote code on the server.

CrushFTP has advised users to immediately upgrade to a secure version, even if they are operating a Demilitarized Zone (DMZ) in front of their CrushFTP instance.

Silent Push Threat Analysts used our first-party dataset to track all vulnerable CrushFTP instances, and populate two Bulk Data Feeds with domains and IPs that are hosting vulnerable instances of the popular file transfer service.

We’re also in the process of creating an Early Detection Feed, filled with infrastructure that is actively attempting to exploit CVE-2024-4040.

Tracking vulnerable CVE-2024-4040 web portals

Silent Push scans the clearnet and dark web every day and categorizes the data using SPQL – our custom free-form query language – and makes it available for our customers to locate associated infrastructure and web content.

Using the information we have on CVE-2024-4040, we executed a query that locates exploitable CrushFTP web interfaces exposed to the Internet, and clustered the returned domains and IPs together in two Bulk Data Feeds that our Enterprise customers can use to locate and analyze vulnerable infrastructure:

  • CrushFTP Vulnerable Domains
  • CrushFTP Vulnerable IPs
Silent Push CrushFTP Bulk Data Feeds

Geographic spread of vulnerable servers

SPQL allows users to analyze DNS datasets across 90+ individual categories.

To help potential victims and the wider security community visualize the extent of the problem, we’ve created this map that displays the global distribution of vulnerable CrushFTP interfaces:

The majority of affected servers are located in the United States, Canada, and continental Europe, with the rest spread out fairly evenly across South America, Russia, Asia and Australia.

Mitigating the effects of CVE-2024-4040

As well as a raw data download, Enterprise users are able to export the Bulk Data Feeds as an API endpoint, containing all the domains and IP addresses of vulnerable CrushFTP instances.

Security teams can use this information to identify internal infrastructure that may be vulnerable, and inform any scoring systems they have in place that evaluate the risk level of external domains and IPs.

We’re also constructing an Early Detection Feed that’s tracking intrusion attempts in real time, and logging the infrastructure involved for automatic blocking. We’ll be publishing further details on this in the coming days.

Register for Community Edition

Silent Push Community Edition is a free threat hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including Silent Push ‘Web Scanner’ and ‘Live Scan’.

Click here to sign up for a free Community Edition account.


Silent Push discovers UK.gov websites sending user data to controversial Chinese adtech vendor

We recently added three core ad tech standards – ads.txt, app-ads.txt and sellers.json – to the data we collect on public websites, via our custom query language SPQL.

These files contain what’s known as ad accountIDs – a unique identifier assigned to an advertising vendor that collects website visitor data.

Using this data, Silent Push analysts have discovered 18 UK public organizations that use a controversial Chinese adtech vendor – Yeahmobi – to serve ads on .gov domains.

Yeahmobi have previously had their SDK blacklisted as “malicious” by Google, following an investigation into ad fraud and attribution abuse.

Our research points to a Chinese ad vendor, linked to questionable practices, profiting from UK public sector organizations, and collecting unknown amounts of data from visitors to government websites.

Example of banner advertising seen on the “Public Health” page of https://lancashire.gov.uk/

How ad exchanges work

Before we delve into our research, let’s explore the concept of ad data sharing.

Ad bidding is a complex process. In a nutshell, user data on these sites is ingested via Google advertising endpoints. The visitor’s IP address (or partial IP address), user agent (i.e. device type) and browser details are then shared with ad exchange partners via server-side data sharing.

Data is shared with ad accountIDs listed in the ads.txt file unless the publisher opts-out of the process, which is rare.

Ad auctions

Ad platforms such as Yeahmobi – along with any intermediaries – get an opportunity to submit bids in an ad auction. The winner then serves ads to the visitors of the given website.

The winner also gets the opportunity to sync data through selected adtech partners, with further data being shared if a user clicks on the ad and visits the destination webpage.

Methodology

Silent Push scans every clearnet and darkweb URL and categorizes the data using SPQL – a free-form query language that can be used to locate matching infrastructure within our proprietary threat intelligence datasets.

Scanned data is grouped into 6 separate repositories, each known as a ‘data source’. The ‘webscan’ data source contains web data from the public IPv4 and IPv6 ranges.

We used a combination of 6 ‘webscan’ data types and an experimental API query to identify .gov sites that featured digital ads, using the following SPQL fields:

Field name | Description | Type
adtech.ads_txt | Domain has /ads.txt | Boolean
adtech.ads_txt_sha256 | sha256 hash of /ads.txt | String
adtech.app_ads_txt | Domain has /app-ads.txt | Boolean
adtech.app-ads_txt_sha256 | sha256 hash of /app-ads.txt | String
adtech.sellers_json | Domain has /sellers.json | Boolean
adtech.sellers_json_sha256 | sha256 of /sellers.json | String

Affected .gov websites

U.S. domains

In the United States, adtech rules are clear cut. The Cybersecurity and Infrastructure Security Agency (CISA) – via the Registry Team – specifically prohibits .gov websites being used for any commercial purposes that benefit private individuals or entities, including online advertising.

We looked into any .gov U.S. government domains with the ability to host programmatic ads, and found 4 domains with an ads.txt file that are potentially in violation of CISA rules:

  • mcdowellcountywv.gov/ads.txt
  • fortdeposital.gov/ads.txt
  • cohassetpolicema.gov/ads.txt
  • sports.celina-tx.gov/ads.txt

The first three domains list only one vendor in their ads.txt file – Google.

sports.celina-tx.gov has dozens of partners listed in its ads.txt file and doesn’t show ads on any public pages, but appears to be managed by a vendor called SportsEngine[.]com, based on details in the footer.

UK domains

Our scans identified 18 UK public sector organizations that are either actively running ads or have the capability to, featuring Yeahmobi in the ads.txt file:

Organization name | URL | Ad Vendor Details
Transport for London | https://tfl.gov[.]uk | Yeahmobi
Derbyshire Dales District Council | https://www.derbyshiredales.gov[.]uk | Yeahmobi
Walsall Council | https://go.walsall.gov[.]uk | Yeahmobi
Sheffield City Council | https://www.sheffield.gov[.]uk | Yeahmobi
Milton Keynes City Council | https://www.milton-keynes.gov[.]uk | Yeahmobi
Lancashire County Council | https://lancashire.gov[.]uk | Yeahmobi
London Borough of Redbridge | https://www.redbridge.gov[.]uk | Yeahmobi
Monmouthshire County Council | https://www.monmouthshire.gov[.]uk | Yeahmobi
Torbay Council | https://www.torbay.gov[.]uk | Yeahmobi
Wandsworth Council | https://wandsworth.gov[.]uk | Yeahmobi
East Hampshire District Council | https://www.easthants.gov[.]uk | Yeahmobi
Havering London Borough | https://havering.gov[.]uk | Yeahmobi
Newcastle City Council | https://newcastle.gov[.]uk | Yeahmobi
Tameside Metropolitan Borough | https://tameside.gov[.]uk | Yeahmobi
Cheltenham Borough Council | https://cheltenham.gov[.]uk | Yeahmobi
Havant Borough Council | https://havant.gov[.]uk | Yeahmobi
Met Office | https://www.metoffice.gov.uk | Yeahmobi
South Gloucestershire Council | https://southglos.gov.uk | Yeahmobi

Example of banner advertising seen at the bottom of the homepage @ https://lancashire.gov.uk/

All of these domains except one (tfl[.]gov.uk) are local council websites.

Whilst programmatic advertising is not prohibited on UK council websites, allowing a Chinese ad vendor with a questionable past to collect data on visitors to UK public sector websites is problematic for reasons that are self-evident.

Council Advertising Network (CAN) involvement

The Council Advertising Network (CAN) is a UK organization that “generates income for local authorities across the UK by running digital premium and programmatic advertising on council websites”.

CAN manages the ads.txt files of all of the UK domains listed above. Within these files are accountIDs that prove that Yeahmobi is authorised to serve ads, and access visitor data from the domain.

Silent Push has contacted CAN for an explanation, but is yet to receive a reply.

Example ads.txt file (https://www.derbyshiredales.gov.uk/ads.txt):

  MANAGERDOMAIN=can-digital.net
  yeahmobi.com, 113772, RESELLER
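An added example, not Silent Push’s SPQL implementation: a small Python parser for ads.txt that reads the MANAGERDOMAIN variable and the seller records, reports which watched vendors a site authorises, and hashes the file in the same way the adtech.ads_txt_sha256 field above does. The sample file is constructed around the two lines quoted above; the Google record and its account and certification IDs are placeholders.

```python
"""Parse ads.txt (IAB Tech Lab format) and audit which vendors it authorises.

Each seller line is "domain, accountID, relationship[, certAuthorityID]";
"KEY=value" lines are variables such as MANAGERDOMAIN or CONTACT.
"""
import hashlib

# Constructed sample modelled on the derbyshiredales.gov.uk extract above.
# The google.com account and cert IDs are placeholders, not real values.
SAMPLE_ADS_TXT = """\
# Managed file - constructed sample
MANAGERDOMAIN=can-digital.net
CONTACT=ads@example.invalid
google.com, pub-0000000000000000, DIRECT, cert0000  # inline comment
yeahmobi.com, 113772, RESELLER
Yeahmobi.com , 113772 , RESELLER
badline-without-commas
"""

RELATIONSHIPS = {"DIRECT", "RESELLER"}


def parse_ads_txt(text):
    """Return (variables, records, errors) from ads.txt content.

    variables: {"MANAGERDOMAIN": "can-digital.net", ...}
    records:   dicts with domain (lower-cased), account_id, relationship, cert_id;
               duplicates are kept so callers can see repeated authorisations
    errors:    raw lines that match neither the variable nor the seller form
    """
    variables, records, errors = {}, [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if "=" in line and "," not in line:
            key, _, value = line.partition("=")
            variables[key.strip().upper()] = value.strip()
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or fields[2].upper() not in RELATIONSHIPS:
            errors.append(raw)
            continue
        records.append({
            "domain": fields[0].lower(),
            "account_id": fields[1],
            "relationship": fields[2].upper(),
            "cert_id": fields[3] if len(fields) > 3 else None,
        })
    return variables, records, errors


def vendors_authorised(text, watch_domains):
    """Map each watched vendor domain to the set of (account_id, relationship)
    pairs that authorise it; answers "does this site authorise Yeahmobi?"."""
    _, records, _ = parse_ads_txt(text)
    watched = {d.lower() for d in watch_domains}
    hits = {}
    for r in records:
        if r["domain"] in watched:
            hits.setdefault(r["domain"], set()).add((r["account_id"], r["relationship"]))
    return hits


def ads_txt_sha256(text):
    """sha256 of the raw file, the kind of value held in adtech.ads_txt_sha256;
    a changed hash is the cheapest signal that a managed ads.txt was edited."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    variables, records, errors = parse_ads_txt(SAMPLE_ADS_TXT)
    print("managed by:", variables.get("MANAGERDOMAIN"))
    print("yeahmobi:", vendors_authorised(SAMPLE_ADS_TXT, ["yeahmobi.com"]))
    print("unparseable:", errors)
    print("sha256:", ads_txt_sha256(SAMPLE_ADS_TXT))
```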

Addendum

After this blog was published and distributed in the media, Mark Gardner, Director of CAN Digital Solutions, which provides ads.txt files to various .gov.uk websites, told tech news outlet The Register that references to Yeahmobi will be deleted, and had the following to say:

“We take these matters very seriously, and after looking into this in some detail with the team, we have never had any ad quality issues with Yeahmobi in the past, nor are we aware of any Chinese links, but as a precaution we are in the process of removing them from all our publisher ads.txt files until further notice.

“We have also reached out to the native advertising partner working with them to ask for more insight into these claims and are more than happy to provide their feedback when we have it.”

Register for Community Edition

Silent Push Community Edition is a free threat hunting and cyber defense tool used by security teams and researchers across the globe to proactively locate attacker infrastructure, and stop threats before they’re launched.

Community Edition also enables users to search for adtech-related data across the Silent Push web content database, using a custom query language (SPQL) and an intuitive console.

Community users can also use the Live Scan feature to get a real-time snapshot of clearnet and darkweb URLs, across 70+ data categories.


Silent Push maps 2000+ vulnerable IPs linked to GlobalProtect CVE-2024-3400. Active attacker IOFAs caught in PAN-OS honeypot.

Executive summary

On April 12, Palo Alto Networks published an advisory on CVE-2024-3400 – a file creation vulnerability in the GlobalProtect feature of PAN-OS, the software that runs all Palo Alto Networks’ next-generation firewalls.

The vulnerability (with a severity score of 10) enables an unauthenticated attacker to execute arbitrary code, with root privileges, on PAN-OS firewalls.

In this blog we’ll explore how Silent Push Threat Analysts were able to pinpoint 2000+ PAN-OS firewalls open to exploit, identify Indicators of Future Attack (IOFA) targeting affected firewall instances, and cluster all associated CVE-2024-3400 data into three distinct threat feeds that highlight attacker infrastructure and vulnerable IP addresses.

Tracking vulnerable PAN-OS firewalls

Palo Alto Networks have confirmed that the vulnerability is only applicable to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway, or GlobalProtect portal (or both).

Versions | Affected | Unaffected
PAN-OS 11.1 | < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3 | >= 11.1.0-h3, >= 11.1.1-h1, >= 11.1.2-h3
PAN-OS 11.0 | < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1 | >= 11.0.0-h3, >= 11.0.1-h4, >= 11.0.2-h4, >= 11.0.3-h10, >= 11.0.4-h1
PAN-OS 10.2 | < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1 | >= 10.2.0-h3, >= 10.2.1-h2, >= 10.2.2-h5, >= 10.2.3-h13, >= 10.2.4-h16, >= 10.2.5-h6, >= 10.2.6-h3, >= 10.2.7-h8, >= 10.2.8-h3, >= 10.2.9-h1
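As an added example (not Palo Alto Networks’ or Silent Push’s code), the Python below encodes the version table above so a defender can check their own firewall inventory against it. The hostnames and versions in the sample inventory are constructed, and the GlobalProtect flag is an assumed inventory attribute.

```python
"""Decide whether a PAN-OS version string falls in the CVE-2024-3400 affected
ranges from the table above. Unknown release trains and unparseable strings
are deliberately reported as 'unknown' rather than treated as safe."""
import re

# First fixed hotfix per x.y.z release, taken from the table above: the same
# x.y.z with a lower hotfix number (or no hotfix at all) is affected.
FIXED_HOTFIX = {
    (11, 1, 0): 3, (11, 1, 1): 1, (11, 1, 2): 3,
    (11, 0, 0): 3, (11, 0, 1): 4, (11, 0, 2): 4, (11, 0, 3): 10, (11, 0, 4): 1,
    (10, 2, 0): 3, (10, 2, 1): 2, (10, 2, 2): 5, (10, 2, 3): 13, (10, 2, 4): 16,
    (10, 2, 5): 6, (10, 2, 6): 3, (10, 2, 7): 8, (10, 2, 8): 3, (10, 2, 9): 1,
}
VULNERABLE_TRAINS = {(11, 1), (11, 0), (10, 2)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """'10.2.3-h12' -> ((10, 2, 3), 12); '10.2.3' -> ((10, 2, 3), 0); None if malformed."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch)), int(hotfix or 0)


def cve_2024_3400_status(version, globalprotect_enabled=True):
    """Return 'affected', 'fixed', 'not_applicable' or 'unknown'.

    Only the 10.2, 11.0 and 11.1 trains with a GlobalProtect gateway or portal
    are in scope per the summary above. A patch release newer than any row in
    the table is reported as 'unknown' so it gets a human look instead of a pass.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    base, hotfix = parsed
    if base[:2] not in VULNERABLE_TRAINS or not globalprotect_enabled:
        return "not_applicable"
    fixed_at = FIXED_HOTFIX.get(base)
    if fixed_at is None:
        return "unknown"
    return "affected" if hotfix < fixed_at else "fixed"


def triage(inventory):
    """Run the check over a {hostname: (version, globalprotect_enabled)} inventory."""
    return {host: cve_2024_3400_status(v, gp) for host, (v, gp) in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; the hostnames and versions are not real devices
    SAMPLE = {
        "fw-edge-1": ("10.2.3-h12", True),   # below h13 -> affected
        "fw-edge-2": ("10.2.3-h13", True),   # first fixed hotfix
        "fw-lab":    ("11.1.2", True),       # no hotfix -> affected
        "fw-dc":     ("11.0.4-h1", False),   # GlobalProtect not enabled
        "fw-old":    ("10.1.9-h3", True),    # train not in the table
        "fw-new":    ("11.1.3", True),       # newer than the table
    }
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```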

Silent Push scans the global IPv4 range every day, and categorises the data using SPQL – a free-form query language our customers use to search for associated web content, HTML, SSL, and certificate data. Click here for a full list of searchable fields.

We used the above version information to construct a custom query that scans for exploitable PAN-OS instances exposed to the Internet, before collecting the domains and IPs together in two Bulk Data Feeds that Enterprise customers can use to improve their security posture:

  • “PAN-OS Vulnerable Domains”
  • “PAN-OS Vulnerable IPs”

As of writing, our PAN-OS Bulk Data Feeds contain over 2000 vulnerable PAN-OS instances exposed to the Internet.

PAN-OS Bulk Data Feeds

Tracking PAN-OS attacker infrastructure

Unit 42 – Palo Alto’s threat research team – has published guidance for all affected PAN-OS users on how to mitigate the threat of intrusion on affected devices.

To help minimize the global impact of CVE-2024-3400, Silent Push Threat Analysts have implemented an Early Detection Feed (“CVE Exploitation – PAN-OS”) containing the IP addresses of threat actors who are actively attempting to exploit vulnerable PAN-OS instances.

Scroll to the bottom of this blog for a sample of attacker IP addresses.

Note: An IP address is only placed in our PAN-OS feed if an attacker attempts to access the specific URL that triggers the vulnerability.

Feed tracking PAN-OS attacker IPs

Mitigation

Silent Push provides users with a bilateral view of infrastructure linked to CVE-2024-3400 – both vulnerable firewall instances, and the IPs involved in launching an attack.

Enterprise users are able to use the Silent Push API to ingest the PAN-OS attacker Early Detection Feed into their existing security stack, or download a list of all related CVE-2024-3400 IPs and domains from the Bulk Data Feeds mentioned above for further analysis.

Automated feed export

Enterprise users can also use the Silent Push console to quickly search across an enriched PAN-OS dataset using the ‘Threat Ranking’ screen, and correlate the data with other known threat activity to discover associated infrastructure.

Enriched threat data for PAN-OS attacker IP

Register for Community Edition

Silent Push Community Edition is a free threat hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including Silent Push ‘Web Scanner’ and ‘Live Scan’.

Click here to sign up for a free Community Edition account.

IOFA Sample



Upcoming: RSA San Francisco 2024

We’re excited to announce that we’ll be attending RSA Conference in San Francisco this May.

For three decades, RSA Conference has been a leading influence in the global cybersecurity community, serving as a hub to discuss new insights, create meaningful relationships, and dive deeper into practical threat intelligence.

Our team will be hosting two nights of ‘Threat Intelligence on Tap’, a series of short sessions aimed at demonstrating how the Silent Push platform reveals adversary infrastructure, campaigns, and security problems by searching across the most timely, accurate and complete Proactive Threat Intelligence dataset. We’ll be covering topics such as:

  • Tracking Scattered Spider via favicon & html title reuse
  • Tracking SocGholish stage 1, 2, 3 payloads with fastflux techniques
  • Tracking Prolific Puma redirection domains via HTML ssdeep content hash

We’ll also be available throughout the conference to discuss our product and provide demos, so don’t hesitate to reach out and we’ll set up a time to meet.

Learn more about RSA Conference 2024 here.


Extracting real-time URL data with Silent Push 'Live Scan'

Live Scan allows you to extract real-time data from a single URL on the clearnet or darkweb, across a range of categories, and view historical scan results for the specified URL.

You can use Live Scan datasets to perform additional DNS and hash-based pivots, map out attacker TTPs, pinpoint malicious infrastructure and gather intelligence on specific attack vectors and threat groups. 

This blog will show you how to perform a Live Scan query, and how to work with the dataset to produce actionable intelligence.

‘Live Scan’ video tutorial

Before you read the blog, check out our tutorial video that covers the basics:

Scanning a URL

Live Scan is available as part of a Silent Push Community or Enterprise subscription. There are two ways to execute a URL scan:

  1. Input any public or .onion URL into the search box on the home page, and click ‘Live Scan’
  2. Navigate to ‘Explore Web Data > Live Scan’

Viewing ‘Live Scan’ results

Scan results, including a live screenshot of the URL, are populated below the search box:

The ‘Query Results’ section contains the following data, with a range of use cases across the board:

  • HTML data: Establish site functionality and identify common phishing indicators.
  • Live screenshot: Preview how the site appears to users.
  • Favicon data, including hash values: Track hash values to identify favicon spoofing or phishing attempts.
  • Redirect chain: Identify suspicious URL destinations and attack vectors across a full redirect chain.
  • Body data, including hash values: Detect similar page layouts across attacker infrastructure. Uncover phishing kits and forms attributed to specific threat actors.
  • Open directories: Pinpoint open directories and publicly exposed data.
  • SSL data: Verify the validity of SSL certificates, identify signs of an SSL stripping attack and assess the encryption strength of a domain.
  • Risk score of the domain and IP: View risk scores for the destination domain and hosting IP.

Pivoting across ‘Live Scan’ data

The ability to one-click pivot on domains and IPs returned in a set of Live Scan results allows you to fast-track your intelligence gathering operation and traverse attacker infrastructure more quickly and efficiently than running separate queries.

From the results screen, you can enrich any domain or IP highlighted in blue, and perform additional DNS queries using the passive DNS lookup function:

‘Live Scan’ pivot function

Hash-based pivots

You can also use any of the hash values returned to detect similar infrastructure.

Read our Knowledge Base for a full list of fuzzy and exact match hash values used within the platform, including body similarity hashes, favicon md5 and Murmur3 hashes, and proprietary script, certificate and header hash values.

Viewing historical scan results

Live Scan gives you the ability to view historical scan results related to your chosen URL, allowing you to gather all the data that’s ever been collected for a single URL.

The feature automatically executes a Web Scanner query for your chosen URL, including the relevant data source.

You can use the Web Scanner UI to adjust query parameters and narrow your search to produce targeted datasets:

Historical scan results

Working with the raw data

You can view scanned data in raw format, and copy it to the clipboard to feed into your existing security stack, or share with your team:

‘Basic Raw Data’ view

View risk scores for a URL

Risk scores help you to make operational judgements based on the likelihood of a URL being involved in malicious activity.

Risk scores are displayed for the destination URL and the hosting IP, immediately above the screenshot in the ‘Query Results’ section:

‘Live Scan’ risk scores

Establish a redirect chain

On the left-hand side of the ‘Query Results’ section, you can view the full redirect chain involved in resolving a URL to help identify attacker infrastructure.

The redirect chain shows the origin URL through to the final URL displayed in the screenshot, where a redirect exists:

‘Live Scan’ redirect chain

Register for Community Edition

Live Scan is available in both the Community and Enterprise editions of the Silent Push platform.

If you’d like to try out this feature and leverage our first-party database, sign up for the free Community edition using the link below.