- Company
Silent Push Inc. ©2025
Silent Push announces participation in the Microsoft Copilot for Security Partner Ecosystem
Image: Microsoft, 2024
We’re thrilled to announce our inclusion in the Microsoft Copilot for Security Partner Ecosystem.
The selection of Silent Push was based on our proven experience with Microsoft Security technologies, willingness to explore and provide feedback on cutting edge functionality, and close working relationship with Microsoft.
About Microsoft Copilot
Copilot for Security is the industry’s first generative AI solution that will help security and IT professionals catch what others miss, move faster, and strengthen team expertise. Copilot is informed by large-scale data and threat intelligence, including more than 78 trillion security signals processed by Microsoft each day, and coupled with large language models to deliver tailored insights and guide next steps. Copilot allows organizations to protect using the speed and scale of AI, and transform their security operations.
A note from Silent Push
Ken Bagnall, CEO of Silent Push, said: “Organizations are desperately trying to detect and block emerging attacker activity prior to an attack launching.
“Combining the power of our platform to expose Indicators of Future Attack (IOFA), with the ability to act through Copilot AI, allows customers to predict and block emerging threats before damage occurs.
Timely, accurate and complete first-party data is what sets Silent Push apart from legacy threat intel providers, and consuming data this via Copilot AI gives customers increased trust, accuracy, and speed, in detecting emerging threats”, Ken Bagnall said.
We’re working with Microsoft Product Teams to help shape Copilot for Security product development in several ways, including validation and refinement of new and upcoming scenarios, providing feedback on product development and operations to be incorporated into future product releases, and validation and feedback of APIs to assist with Copilot for Security extensibility.
A note from Microsoft
Vasu Jakkal, Corporate Vice President of Microsoft Security, said: “In the context of security, AI’s impact is likely to be profound, tilting the scales in favor of defenders and empowering organizations to defend at machine speed.
“At Microsoft, we are privileged to have a leading role in advancing AI innovation, and we are so grateful to our incredible ecosystem of partners, whose mission-driven work is critical to helping customers secure their organizations and confidently bring the many benefits of AI into their environments”, Vasu Jakkal said.
Silent Push uses content similarity scanning to map out Telegram phishing campaign targeting Eastern Europe and Central Asia
CyberHUB-AM, an Armenian cyber security organization supporting regional NGO’s and journalists, recently published research about a Telegram phishing campaign conducted throughout 2023 and 2024.
Silent Push Threat Analysts have used this information to identify and monitor phishing infrastructure targeting Armenian and Uzbekistani Telegram users, including live phishing domains and portal spoofing infrastructure.
Delivery Method
The attack chain begins with an Armenian Telegram message asking the user to cast a vote for the sender in a contest they claim to be participating in, and asking them to follow a link.
The link appears to resolve to the non-existent URL daxcearm[.]wve (there is no .wve top-level domain), but actually uses the cutt[.]ly URL shortener to send the user to a final malicious URL – https://dolbaebshesp[.]in/.
The final URL hosts a Telegram phishing page in the Uzbek language. 2023 phishing kits previously reported on by CyberHUB-AM used Armenian.
This recent campaign could indicate a unique threat actor, or an updated campaign using the wrong language on the landing page. Although it is unclear why a message in Armenian would link to an Uzbek phishing page, these kinds of mistakes are fairly commonplace in regional cybercrime.
Tracking the Telegram phishing pages
Threat actors deploy their infrastructure to a set of definable (and searchable) parameters.
Our analysts were able to isolate the phishing infrastructure involved in the campaign using proprietary fingerprinting that maps out malicious domains, using a combination of content similarity checks, and the Silent Push Live Scan feature.
Using these methods, we discovered 26 phishing domains, three of which are still live at the point of investigation: uzgolos[.]shop, uzvvots[.]shop, and vote-uzbekistan48[.]top.
![Screenshot of vote-uzbekistan48[.]top using the Silent Push 'Live Scan' screenshot feature.](https://www.silentpush.com/wp-content/uploads/image-20240423-120846.png)
We confirmed the domains were actively phishing for Telegram login codes by accessing the URL in a browser, entering a phone number linked to a Telegram account, after which a code was sent to that account:
Though the three live URLs, and other domain names in the campaign, suggest that Uzbekistan is the geographic region that’s being targeted, we also discovered older URLs from August and September 2023 that can be reasonably linked to the same campaign.
These domain names, including tajikistan-vote[.]site, arm-vote[.]space, and ukr-vote[.]site, and the likely related http://uz-golos[.]shop/, suggest active targeting of other countries too.
Here’s a list of the domains involved:
- amnezisep[.]org
- animraov[.]cc
- beriishovoz[.]space
- berishovoz[.]pw
- dismashep[.]in
- dolbaebshesp[.]in
- dubproduction[.]org
- hilupfoxs[.]ru
- ihavdick[.]lol
- losntinster[.]lol
- mudkoskonkine[.]in
- osding-mosting[.]in
- ovber[.]pro
- ovoz-berish[.]co
- ovozberishuz[.]space
- ovoziberish[.]lol
- rahmatgolos[.]cc
- sudoko-inline[.]org
- tables-mite[.]info
- uzbek1voits3[.]lol
- uzbgolos[.]co
- uzgolos[.]shop
- uzsimkarta[.]space
- uzvvots[.]shop
- vinorozoavos[.]in
- vote-uzbekistan48[.]top
Telegram phishing mitigation with Silent Push
The domains that are currently live have been added to a threat feed that is available to Silent Push Enterprise users – Phishing – Telegram Phishing Targeting Eastern Europe and Central Asia.
New domains that match the signature will be automatically added to the feed.
Register for Community Edition
Silent Push Community Edition is a free threat hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including Silent Push ‘Web Scanner’ and ‘Live Scan’ that we used to track the phishing campaign in this blog.
Click here to sign-up for a free Community Edition account.
How to use Silent Push to enrich an ASN with contextual threat intelligence data
Data enrichment allows security teams to pinpoint the origin, function and risk level of a domain, IP address, or Autonomous System (AS).
ASN enrichment returns multiple categories and sub-categories that provide significantly greater context than standard DNS lookups and queries are able to achieve.
In this blog, we’ll explore the concept of ASN enrichment via Silent Push. We’ll take you through how to enrich an ASN using the Silent Push console, what data is returned, our risk scoring methodology and how to turn enriched ASN data into actionable intelligence.
What are Autonomous Systems?
Just like a post office manages the mail it receives and delivers, Autonomous Systems manage a specified set of IP addresses, using a routing policy that dictates how traffic moves to and from their IP space to enable the efficient exchange of information across the globe.
In a hierarchical sense, Autonomous Systems identify entire networks, while subnets are divisions within those networks, managed by the AS itself.
Autonomous System Numbers
An Autonomous System Number (ASN) is a unique numerical identifier (e.g. 5483), displayed as a 16 or 32 bit number, that allows networks to communicate with each other, and ensure that data packets are routed correctly.
Like a digital license plate, ASNs can be used by security analysts to attribute malicious activity to certain actors, or map relationships across an attack chain (i.e., between organizations, hosting providers and service providers).
What role do Autonomous Systems play in CTI?
ASN analysis features prominently throughout a range of threat hunting and cyber defense workflows.
Security teams search across ASN data to join the dots across the global IP space in a variety of ways, from establishing a geographical picture of where threats may be originating from, to behavioral analysis, internal scoring methodologies and general risk-based countermeasures.
These use cases, however, are not without their challanges. Analysts are faced with the obstacle of incomplete AS datasets that only provide a basic level of information, without the requisite categorization of risk levels, subnets and interval-based analysis that shine a light on malicious activity in amongst an ocean of irrelevant and distracting data.
Data independence
What if a security analyst was able to enrich ASN data to provide all of this this information one place, from ASN reputation scoring to the parameters of each subnet address associated with an AS?
Silent Push achieves this by using our own first-party intelligence data that’s collected, clustered, scored and delivered without third-party intervention.
This allows us to add an infinite amount of context to each ASN that we encounter, drill down into actionable data, and provide this information alongside other key observables via an integrated console, saving valuable time and resources for frontline security teams and researchers across a range of CTI workflows.
Accessing ASN Enrichment in Silent Push
There are two ways to enrich an ASN in Silent Push:
If you do NOT know the ASN
Enrich a domain or IP address and pivot into enrichment from the returned ASN.
If you DO know the ASN
Enter the ASN directly into the search bar, and click Enrich
ASN enrichment categories
1. Highlights
ASN Enrichment Highlights are shown at the top of the ASN Enrichment page.
These are a group of scores and numerical values that act as reliable indicators of an ASN’s risk level.
ASN enrichment Highlights include:
- ASN Reputation
- ASN Takedown Reputation
- Active IPs
- Active Subnets
- AS Name
- Average Density
2. ASN Information
The ASN Information category does does exactly what it says on the tin. It gives a basic overview of the enriched ASN, including its unique identifier number, size, provider name, density, maximum density, active IPs and active subnets.
2. WHOIS RDAP data
The WHOIS RDAP category returns administrative data pulled from WHOIS and RDAP registration lookups in one centralized location, presented alongside other key data types.
3. ASN Takedown reputation
ASN takedowns play a critical role in protecting the digital assets of an organization.
The ASN Takedown Reputation category details how efficiently malicious domains are being removed on the ASN.
ASN Allocation Age indicates the age of the ASN number in days, and the ASN Allocation Date indicates precisely when the Internet Assigned Numbers Authority (IANA) allocated the ASN.
The ASN Takedown Reputation Score is a Silent Push invention that measures the ability and willingness of a network’s service provider to take action to mitigate cyber threats associated with the network.
The score is calculated using a combination of attributes, including the service provider’s history of responding to abuse reports, and the time it takes to mitigate malicious activity associated with their network.
- A high takedown reputation score indicates that network provider is more likely to take swift action in mitigating malicious activity associated with their network
- A low takedown reputation score indicates the network provider is less likely to be responsive or effective at mitigating known threat activity.
4. ASN reputation
The ASN Reputation indicates the trustworthiness and legitimacy of the IPs associated a particular ASN. It’s calculated using the ratio of blacklisted IPs, taken from from the total number of IPs that have been observed as being active within an ASN, in the last 30 days.
- A high score suggests that an ASN has a large amount of blacklisted IP addresses associated with its network.
- A low score indicates the ASN has is a minimal amount of blacklisted IP addresses associated with its network, and that the ASN is likely trustworthy.
5. Active Subnets
This category highlights all active subnets associated with the ASN.
It details the size of the subnet, active IPs on the subnet, active density, max density and density standard deviation. This helps security teams map out the scope of an ASN’s subnets, and monitor for suspicious activity.
6. Graphical data
The ASN Takedown Reputation History and ASN Reputation History graphs provide a visual timeline that maps out the risk level associated with a specific ASN over a set period of time, providing further context for teams looking to asses the risk level associated with a given ASN.
Register for Community Edition
ASN Enrichment is available as part of Silent Push Community Edition – a free threat hunting and cyber defense tool used by security teams, threat analysts, and researchers that features 90+ data enrichment categories that you can use to track and monitor attacker activity across the global IPv4 space.
Click the button below to sign-up for a free account.
Release 4.2
Release 4.2 is now live!
We’ve added plenty of new functionality to our data enrichment feature – you can now enrich an ASN and an IPv6 address. We’ve also provided Enterprise users the ability to drill-down into IOFA Feed data with a dedicated space for curated IOFA Feeds, and an all-new ‘Feed Analytics’ screen.
New IOFA Feeds
A new IOFA Feeds page has been introduced under Data Marketplace.
The curated feeds contain intelligence on a range of specific threat actors, C2 infrastructure, threat campaigns and attack vectors.
You can also view detailed feed metrics including:
- Geographic data
- ASN count
- Historical IOFA count
- TLD and ASN distribution
- Featured registrars and nameservers
ASN Enrichment Page
There is now a dedicated ASN Enrichment page which outputs ASN data similar to our existing domain and IP enrichment pages. Users can now access:
- Basic ASN information
- WHOIS RDAP data
- ASN reputation data, including takedown reputation and graphical representations of 30-day scoring metrics
- Active subnets, including each subnet’s range, size, density and the number of active IPs
The page also includes a graphical representation of ASN Takedown Reputation History and ASN Reputation History using 30-day scoring metrics.
IPv6 Enrichment Page
Users can now enrich an IPv6 address and view all of our available intelligence across 12 categories and sub-categories. Users are able to view:
- Enrichment highlights, including risk and reputation scores
- Basic information
- DNS records
- Associated ASN information, including reputation and takedown scores
Users can conveniently pivot to this page from anywhere within the platform where IPv6 addresses are displayed.
Additional resources
Visit the Silent Push Knowledge Base to view detailed guides and information regarding the platform and our latest releases.
Get in touch
Have any questions about the new release, or would like to learn more about our Community and Enterprise Editions? Get in touch today and we’ll get back to you shortly.
Silent Push wins 2024 Cybersecurity Excellence Award in Threat Intelligence category
We’re honored to have recently been granted the 2024 Cybersecurity Excellence Award in the Threat Intelligence category. The past two years have seen significant growth, not only of our platform, but also our team and subsequent expertise. We’d like to thank our users, partners, and investors who have supported us along our journey.
The Cybersecurity Excellence Awards recognize and celebrate companies, products, and professionals that demonstrate excellence, innovation, and leadership in information security.
“We congratulate Silent Push on being recognized as an award winner in the Threat Intelligence category of the 2024 Cybersecurity Excellence Awards,” said Holger Schulze, CEO of Cybersecurity Insiders and founder of the 600,000-member Information Security Community on LinkedIn, which organizes the 9th annual Cybersecurity Excellence Awards. “With over 600 entries across more than 300 categories, the awards are highly competitive. Silent Push’s achievement reflects outstanding commitment to the core principles of excellence, innovation, and leadership in cybersecurity.”
Since the beginning, our mission has remained the same: to help organizations move away from post-breach data and IOCs contained within most threat feeds and consoles, and operate more effectively with a set of security practices that place an emphasis on intelligence data that’s pre-evaluated and easy to ingest.
“Organizations are desperately trying to better detect and block emerging attacker activity prior to an attack launching. Timely, Accurate and Complete first-party data sets Silent Push apart from legacy threat intel providers, exposing Indicators of Future Attack (IOFA) that allow customers to act before a breach occurs.” – Ken Bagnall, Silent Push CEO
We can’t wait to see what the future holds for us and look forward to sharing new platform features and functions, continuing our efforts to detect threats before they’re weaponized.
Silent Push teams up with ThreatConnect to deliver powerful inbound and outbound integration
We’re excited to announce that we have released both an inbound and outbound integration with ThreatConnect. The integration allows users of both platforms to perform 23 actions via a Playbook App across Silent Push enrichment, DNS, and threat intelligence data features.
About ThreatConnect
ThreatConnect is a cybersecurity platform which combines threat intelligence analysis with management, automation, orchestration, knowledge capture, and cyber risk quantification to help security teams operate more efficiently. Threat intelligence operations, also known as TI Ops, enables ThreatConnect customers to easily prioritize and take action on the most dangerous risks to their business.
About the integration
This integration is both inbound and outbound, meaning it can be accessed via a Playbook App on ThreatConnect or via Silent Push by ingesting a custom feed.
Via ThreatConnect
We have partnered with our colleagues at ThreatConnect to produce a Playbook App that provides ThreatConnect users access to Indicators of Future Attack: domain, IP and URL data that explains the relationship between billions of observable data points across the internet. Users are now able to access 23 available actions across several core components of the Silent Push platform, including risk and reputation scoring, PADNS lookup functions, and bulk data feeds. A full list of available actions can be viewed at the bottom of this post.
Via Silent Push
Users of the Silent Push platform can now ingest a feed of indicators from ThreatConnect, by using the ‘Create feed from URL‘ function and entering in your authentication details.
How to get started
We’ve created a short Knowledge Base guide to show you how to install this integration via ThreatConnect or Silent Push. The document also includes a more thorough Installation and Configuration Guide provided by ThreatConnect.
Available actions include:
- Domain Enrichment
- Domain Search
- Domain Typosquatting Search
- Forward PADNS Lookup
- Get ASN Reputation
- Get ASN Reputation History
- Get ASN Takedown Reputation
- Get ASN Takedown Reputation History
- Get Bulk Domain Information
- Get Bulk Domain Risk Score
- Get Bulk IPv4 History Information
- Get Bulk IPv4 Information
- Get Bulk IPv4 Risk Score
- Get Cousin Domains
- Get Nameserver Reputation
- Get Nameserver Reputation History
- Get Sibling Domains
- Get Subnet Reputation
- Get Subnet Reputation History
- IPv4 Enrichment
- Multicondition PADNS Lookup
- Reverse PADNS Lookup
- Advanced Request
Silent Push maps 5000+ domains and IPs affected by CrushFTP zero day exploit (CVE-2024-4040).
Executive Summary
On April 19th, CrushFTP released a public security advisory (since categorized as CVE-2024-4040, with a severity score of 9.8) that warned users about a zero-day bug in all versions prior to 10.7.1 and 11.1.0.
The exploit allows unauthenticated attackers to escape a user’s Virtual File System (VFS) via the WebInterface port, obtain administrative access, and execute remote code on the server.
CrushFTP has advised users to immediately upgrade to a secure version, even if they are operating a Demilitarized Zone (DMZ) in front of their CrushFTP instance.
Silent Push Threat Analysts used our first-party dataset to track all vulnerable Crush FTP instances, and populate two Bulk Data Feeds with domains and IPs that are hosting vulnerable instances of the popular file transfer service.
We’re also in the process of creating an Early Detection Feed, filled with infrastructure that is actively attempting to exploit CVE-2024-4040.
Tracking vulnerable CVE-2024-4040 web portals
Silent Push scans the clearnet and dark web every day and categorizes the data using SPQL – our custom free-form query language – and makes it available for our customers to locate associated infrastructure and web content.
Using the information we have on CVE-2024-4040, we executed a query that locates exploitable CrushFTP web interfaces exposed to the Internet, and clustered the returned domains and IPs together in two Bulk Data Feeds that our Enterprise customers can use to locate and analyze vulnerable infrastructure:
- CrushFTP Vulnerable Domains
- CrushFTP Vulnerable IPs
Geographic spread of vulnerable servers
SPQL allows users to analyze DNS datasets across 90+ individual categories.
To help potential victims and the wider security community visualize the extent of the problem, we’ve created this map that displays the global distribution of vulnerable CrushFTP interfaces:
The majority of affected servers are located in the United States, Canada, and continental Europe, with the rest spread out fairly evenly across South America, Russia, Asia and Australia.
Mitigating the effects of CVE-2024-4040
As well as a raw data download, Enterprise users are able to export the Bulk Data Feeds as an API endpoint, containing all the domains and IP addresses of vulnerable CrushFTP instances.
Security teams can use this information to identify internal infrastructure that may be vulnerable, and inform any scoring systems they have in place that evaluate the risk level of external domains and IPs.
We’re also constructing an Early Detection Feed that’s tracking intrusion attempts in realtime, and logging the infrastructure involved for automatic blocking. We’ll be publishing further details on this in the coming days.
Register for Community Edition
Silent Push Community Edition is a free threat hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including Silent Push ‘Web Scanner’ and ‘Live Scan’.
Click here to sign-up for a free Community Edition account.
Silent Push discovers UK.gov websites sending user data to controversial Chinese adtech vendor
We recently added three core ad tech standards – ads.txt, app-ads.txt and sellers.json – to the data we collect on public websites, via our custom query language SPQL.
These files contain what’s known as ad accountIDs – a unique identifier assigned to an advertising vendor that collects website visitor data.
Using this data, Silent Push analysts have discovered 18 UK public organizations that use a controversial Chinese adtech vendor – Yeahmobi – to serve ads on .gov domains.
Yeahmobi have previously had their SDK blacklisted as “malicious” by Google, following an investigation into ad fraud and attribution abuse.
Our research points to a Chinese ad vendor, linked to questionable practices, profiting from UK public sector organizations, and collecting unknown amounts of data from visitors to government websites.
How ad exchanges works
Before we delve into our research, let’s explore the concept of ad data sharing.
Ad bidding is a complex process. In a nutshell, on these sites user data is ingested via Google advertising endpoints. The visitors’ IP address (or partial IP address), user agent device (i.e. device type), and browser details then are shared with ad exchange partners via server-side data sharing.
Data is shared with ad accountIDs listed in the ads.txt file unless the publisher opts-out of the process, which is rare.
Ad auctions
Ad platforms such as Yeahmobi – along with any intermediaries – get an opportunity to submit bids in an ad auction. The winner then serves ads to the visitors of the given website.
The winner also gets the opportunity to sync data through selected adtech partners, with further data being shared if a user clicks on the ad and visits the destination webpage.
Methodology
Silent Push scans every clearnet and darkweb URL and categorizes the data using SPQL – a free-form query language that can be used to locate matching infrastructure within our proprietary threat intelligence datasets.
Scanned data is grouped into 6 separate repositories, known as a ‘data source’. The ‘webscan’ data source contains web data from the public IPv4 and IPv6 ranges.
We used a combination of 6 ‘webscan’ data types and an experimental API query to identify .gov sites that featured digital ads, using the following SPQL fields:
| Field name | Description | Type |
| adtech.ads_txt | Domain has /ads.txt | Boolean |
| adtech.ads_txt_sha256 | sha256 hash of /ads.txt | String |
| adtech.app_ads_txt | Domain has /app-ads.txt | Boolean |
| adtech.app-ads_txt_sha256 | sha256 hash of /app-ads.txt | String |
| adtech.sellers_json | Domain has /sellers.json | Boolean |
| adtech.sellers_json_sha256 | sha256 of /sellers.json | String |
Affected .gov websites
U.S. domains
In the United States, adtech rules are clear cut. The Cybersecurity Infrastructure and Security Agency (CISA) – via the Registry Team – specifically prohibits .gov websites being used for any commercial purposes that benefits private individuals or entities, including online advertising.
We looked into any .gov U.S. government domains with the ability to host programmatic ads, and found 4 domains with an ads.txt file that are potentially be in violation of CISA rules:
- mcdowellcountywv.gov/ads.txt
- fortdeposital.gov/ads.txt
- cohassetpolicema.gov/ads.txt
- sports.celina-tx.gov/ads.txt
The first three domains list only one vendor in their ads.txt file – Google.
sports.celina-tx.gov has dozens of partners listed in their ads.txt file, doesn’t have ads on any public pages but appears to be managed by a vendor called SportsEngine[.]com, based on details in the footer.
UK domains
Our scans identified 18 UK public sector organizations that are either actively running ads or have the capability to, featuring Yeahmobi in the ads.txt file:
| Organization name | URL | Ad Vendor Details |
| Transport for London | https://tfl.gov[.]uk | Yeahmobi |
| Derbyshire Dales District Council | https://www.derbyshiredales.gov[.]uk | Yeahmobi |
| Walsall Council | https://go.walsall.gov[.]uk | Yeahmobi |
| Sheffield City Council | https://www.sheffield.gov[.]uk | Yeahmobi |
| Milton Keynes City Council | https://www.milton-keynes.gov[.]uk | Yeahmobi |
| Lancashire County Council | https://lancashire.gov[.]uk | Yeahmobi |
| London Borough of Redbridge | https://www.redbridge.gov[.]uk | Yeahmobi |
| Monmouthshire County Council | https://www.monmouthshire.gov[.]uk | Yeahmobi |
| Torbay Council | https://www.torbay.gov[.]uk | Yeahmobi |
| Wandsworth Council | https://wandsworth.gov[.]uk | Yeahmobi |
| East Hampshire District Council | https://www.easthants.gov[.]uk | Yeahmobi |
| Havering London Borough | https://havering.gov[.]uk | Yeahmobi |
| Newcastle City Council | https://newcastle.gov[.]uk | Yeahmobi |
| Tameside Metropolitan Borough | https://tameside.gov[.]uk | Yeahmobi |
| Cheltenham Borough Council | https://cheltenham.gov[.]uk | Yeahmobi |
| Havant Borough Council | https://havant.gov[.]uk | Yeahmobi |
| Met Office | https://www.metoffice.gov.uk | Yeahmobi |
| South Gloucestershire Council | https://southglos.gov.uk | Yeahmobi |
All of these domains except one (tfl[.]gov.uk) are local council websites.
Whilst programmatic advertising is not prohibited on UK council websites, allowing a Chinese ad vendor with a questionable past to collect data on visitors to UK public sector websites is problematic for reasons that are self evident.
Council Advertising Network (CAN) involvement
The Council Advertising Network (CAN) is a UK organization that “generates income for local authorities across the UK by running digital premium and programmatic advertising on council websites”.
CAN manages the ads.txt files of all of the UK domains listed above. Within these files are accountIDs that prove that Yeahmobi is authorised to serve ads, and access visitor data from the domain.
Silent Push has contacted CAN for an explanation, but is yet to receive a reply.
Example ads.txt file
- https://www.derbyshiredales.gov.uk/ads.txt
- MANAGERDOMAIN=can-digital.net
- yeahmobi.com, 113772, RESELLER
Addendum
After this blog was published and distributed in the media, Mark Gardner, Director of CAN Digital Solutions, which provides ads.txt files to various .gov.uk websites, told tech news outlet The Register that references to Yeahmobi will be deleted, and had the following to say:
“We take these matters very seriously, and after looking into this in some detail with the team, we have never had any ad quality issues with Yeahmobi in the past, nor are we aware of any Chinese links, but as a precaution we are in the process of removing them from all our publisher ads.txt files until further notice.
“We have also reached out to the native advertising partner working with them to ask for more insight into these claims and are more than happy to provide their feedback when we have it.”
Register for Community Edition
Silent Push Community Edition is a free threat hunting and cyber defense tool used by security teams and researchers across the globe to proactively locate attacker infrastructure, and stop threats before they’re launched.
Community Edition also enables users to search for adtech-related data across the Silent Push web content database, using a custom query language (SPQL) and an intuitive console.
Community users can also use the Live Scan feature to get a realtime snapshot of clearnet and darkweb URLs, across 70+ data categories.
Silent Push maps 2000+ vulnerable IPs linked to GlobalProtect CVE-2024-3400. Active attacker IOFAs caught in PAN-OS honeypot.
Executive summary
On April 12, Palo Alto Networks published an advisory on CVE 2024-3400 – a file creation vulnerability in the GlobalProtect feature of PAN-OS, the software that runs all Palo Alto Networks’ next-generation firewalls.
The vulnerability (with a severity score of 10) enables an unauthenticated attacker to execute arbitrary code, with root privileges, on PAN-OS firewalls.
In this blog we’ll explore how Silent Push Threat Analysts were able to pinpoint 2000+ PAN-OS firewalls open to exploit, identify Indicators of Future Attack (IOFA) targeting affected firewall instances, and cluster all associated CVE-2024-3400 data into three distinct threat feeds that highlight attacker infrastructure and vulnerable IP addresses.
Tracking vulnerable PAN-OS firewalls
Palo Alto Networks have confirmed that the vulnerability is only applicable to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway, or GlobalProtect portal (or both).
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 11.1 | < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3 | >= 11.1.0-h3, >= 11.1.1-h1, >= 11.1.2-h3 |
| PAN-OS 11.0 | < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1 | >= 11.0.0-h3, >= 11.0.1-h4, >= 11.0.2-h4, >= 11.0.3-h10, >= 11.0.4-h1 |
| PAN-OS 10.2 | < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1 | >= 10.2.0-h3, >= 10.2.1-h2, >= 10.2.2-h5, >= 10.2.3-h13, >= 10.2.4-h16, >= 10.2.5-h6, >= 10.2.6-h3, >= 10.2.7-h8, >= 10.2.8-h3, >= 10.2.9-h1 |
Silent Push scans the global IPv4 range every day, and categorises the data using SPQL – a free-form query language our customers use to search for associated web content, HTML, SSL, and certificate data. Click here for a full list of searchable fields.
We used the above version information to construct a custom query that scans for exploitable PAN-OS instances exposed to the Internet, before collecting the domains and IPs together in two Bulk Data Feeds that Enterprise customers can use to improve their security posture:
- “PAN-OS Vulnerable Domains”
- “PAN-OS Vulnerable IPs”
As of writing our PAN-OS Bulk Data Feeds contain over 2000 vulnerable PAN-OS instances exposed to the Internet.
Tracking PAN-OS attacker infrastructure
Unit 42 – Palo Alto’s threat research team – has published guidance for all affected PAN-OS users on how to mitigate the threat of intrusion on affected devices.
To help minimize the global impact of CVE-2024-3400, Silent Push Threat Analysts have implemented an Early Detection Feed (“CVE Exploitation – PAN-OS”) containing the IP addresses of threat actors who are actively attempting to exploit vulnerable PAN-OS instances.
Scroll to the bottom of this blog for a sample of attacker IP addresses.
Note: An IP address is only placed in our PAN-OS feed if an attacker attempts to access the specific URL that triggers the vulnerability.
Mitigation
Silent Push provides users with bilateral view of infrastructure linked to CVE 2024-3400 – both vulnerable firewall instances, and the IPs involved in launching an attack.
Enterprise users are able to use the Silent Push API to ingest the PAN-OS attacker Early Detection Feed into their existing security stack, or download a list of all related CVE-2024-3400 IPs and domains from the Bulk Data Feeds mentioned for further analysis.
Enterprise users can also use the Silent Push console to quickly search across an enriched PAN-OS dataset using the ‘Threat Ranking’ screen, and correlate the data with other known threat activity to discover associated infrastructure.
Register for Community Edition
Silent Push Community Edition is a free threat hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including Silent Push ‘Web Scanner’ and ‘Live Scan’.
Click here to sign-up for a free Community Edition account.
IOFA Sample
117.136.111[.]85
107.155.55[.]118
154.90.49[.]108
107.155.55[.]111
187.130.181[.]29
18.143.129[.]154
104.28.157[.]195
104.28.160[.]182
121.28.181[.]90
146.190.114[.]191
165.227.44[.]48
128.199.45[.]40
68.183.227[.]9
202.103.95[.]217
106.104.162[.]35
35.234.3[.]5
8.222.152[.]55
8.208.112[.]87
103.29.68[.]12
103.29.68[.]126
172.233.56[.]195
212.64.28[.]57
193.43.104[.]199
176.97.73[.]198
38.180.29[.]229
165.154.205[.]202
23.94.158[.]73
221.216.117[.]106
172.245.240[.]166
111.204.180[.]253