We’ve added plenty of new functionality to our data enrichment feature – you can now enrich an ASN and an IPv6 address. We’ve also given Enterprise users the ability to drill down into IOFA Feed data with a dedicated space for curated IOFA Feeds, and an all-new ‘Feed Analytics’ screen.
New IOFA Feeds
A new IOFA Feeds page has been introduced under Data Marketplace.
The curated feeds contain intelligence on a range of specific threat actors, C2 infrastructure, threat campaigns and attack vectors.
You can also view detailed feed metrics including:
Geographic data
ASN count
Historical IOFA count
TLD and ASN distribution
Featured registrars and nameservers
Indicators of Future Attack (IOFA) Feeds page
ASN Enrichment Page
There is now a dedicated ASN Enrichment page which outputs ASN data similar to our existing domain and IP enrichment pages. Users can now access:
Basic ASN information
WHOIS RDAP data
ASN reputation data, including takedown reputation and graphical representations of 30-day scoring metrics
Active subnets, including each subnet’s range, size, density and the number of active IPs
The page also includes a graphical representation of ASN Takedown Reputation History and ASN Reputation History using 30-day scoring metrics.
ASN Enrichment page
IPv6 Enrichment Page
Users can now enrich an IPv6 address and view all of our available intelligence across 12 categories and sub-categories. Users are able to view:
Enrichment highlights, including risk and reputation scores
Basic information
DNS records
Associated ASN information, including reputation and takedown scores
Users can conveniently pivot to this page from anywhere within the platform where IPv6 addresses are displayed.
IPv6 Enrichment page
Additional resources
Visit the Silent Push Knowledge Base to view detailed guides and information regarding the platform and our latest releases.
Get in touch
Have any questions about the new release, or would you like to learn more about our Community and Enterprise Editions? Get in touch today and we’ll get back to you shortly.
We’re honored to have recently been granted the 2024 Cybersecurity Excellence Award in the Threat Intelligence category. The past two years have seen significant growth, not only of our platform, but also our team and subsequent expertise. We’d like to thank our users, partners, and investors who have supported us along our journey.
The Cybersecurity Excellence Awards recognize and celebrate companies, products, and professionals that demonstrate excellence, innovation, and leadership in information security.
“We congratulate Silent Push on being recognized as an award winner in the Threat Intelligence category of the 2024 Cybersecurity Excellence Awards,” said Holger Schulze, CEO of Cybersecurity Insiders and founder of the 600,000-member Information Security Community on LinkedIn, which organizes the 9th annual Cybersecurity Excellence Awards. “With over 600 entries across more than 300 categories, the awards are highly competitive. Silent Push’s achievement reflects outstanding commitment to the core principles of excellence, innovation, and leadership in cybersecurity.”
Since the beginning, our mission has remained the same: to help organizations move away from post-breach data and IOCs contained within most threat feeds and consoles, and operate more effectively with a set of security practices that place an emphasis on intelligence data that’s pre-evaluated and easy to ingest.
“Organizations are desperately trying to better detect and block emerging attacker activity prior to an attack launching. Timely, Accurate and Complete first-party data sets Silent Push apart from legacy threat intel providers, exposing Indicators of Future Attack (IOFA) that allow customers to act before a breach occurs.” – Ken Bagnall, Silent Push CEO
We can’t wait to see what the future holds for us and look forward to sharing new platform features and functions, continuing our efforts to detect threats before they’re weaponized.
We’re excited to announce that we have released both an inbound and outbound integration with ThreatConnect. The integration allows users of both platforms to perform 23 actions via a Playbook App across Silent Push enrichment, DNS, and threat intelligence data features.
About ThreatConnect
ThreatConnect is a cybersecurity platform which combines threat intelligence analysis with management, automation, orchestration, knowledge capture, and cyber risk quantification to help security teams operate more efficiently. Threat intelligence operations, also known as TI Ops, enables ThreatConnect customers to easily prioritize and take action on the most dangerous risks to their business.
About the integration
This integration is both inbound and outbound, meaning it can be accessed via a Playbook App on ThreatConnect or via Silent Push by ingesting a custom feed.
Via ThreatConnect
We have partnered with our colleagues at ThreatConnect to produce a Playbook App that provides ThreatConnect users access to Indicators of Future Attack: domain, IP and URL data that explains the relationship between billions of observable data points across the internet. Users are now able to access 23 available actions across several core components of the Silent Push platform, including risk and reputation scoring, PADNS lookup functions, and bulk data feeds. A full list of available actions can be viewed at the bottom of this post.
Via Silent Push
Users of the Silent Push platform can now ingest a feed of indicators from ThreatConnect by using the ‘Create feed from URL’ function and entering your authentication details.
How to get started
We’ve created a short Knowledge Base guide to show you how to install this integration via ThreatConnect or Silent Push. The document also includes a more thorough Installation and Configuration Guide provided by ThreatConnect.
CrushFTP has advised users to immediately upgrade to a secure version, even if they are operating a Demilitarized Zone (DMZ) in front of their CrushFTP instance.
Silent Push Threat Analysts used our first-party dataset to track all vulnerable CrushFTP instances, and populated two Bulk Data Feeds with domains and IPs that are hosting vulnerable instances of the popular file transfer service.
We’re also in the process of creating an Early Detection Feed, filled with infrastructure that is actively attempting to exploit CVE-2024-4040.
Tracking vulnerable CVE-2024-4040 web portals
Silent Push scans the clearnet and dark web every day and categorizes the data using SPQL – our custom free-form query language – and makes it available for our customers to locate associated infrastructure and web content.
Using the information we have on CVE-2024-4040, we executed a query that locates exploitable CrushFTP web interfaces exposed to the Internet, and clustered the returned domains and IPs together in two Bulk Data Feeds that our Enterprise customers can use to locate and analyze vulnerable infrastructure:
To help potential victims and the wider security community visualize the extent of the problem, we’ve created this map that displays the global distribution of vulnerable CrushFTP interfaces:
Global distribution of CrushFTP web interfaces
The majority of affected servers are located in the United States, Canada, and continental Europe, with the rest spread out fairly evenly across South America, Russia, Asia and Australia.
Mitigating the effects of CVE-2024-4040
As well as a raw data download, Enterprise users are able to export the Bulk Data Feeds as an API endpoint, containing all the domains and IP addresses of vulnerable CrushFTP instances.
Security teams can use this information to identify internal infrastructure that may be vulnerable, and inform any scoring systems they have in place that evaluate the risk level of external domains and IPs.
We’re also constructing an Early Detection Feed that tracks intrusion attempts in real time and logs the infrastructure involved for automatic blocking. We’ll be publishing further details on this in the coming days.
Register for Community Edition
Silent Push Community Edition is a free threat hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including Silent Push ‘Web Scanner’ and ‘Live Scan’.
Click here to sign-up for a free Community Edition account.
We recently added three core ad tech standards – ads.txt, app-ads.txt and sellers.json – to the data we collect on public websites, via our custom query language SPQL.
These files contain what’s known as an ad accountID: a unique identifier assigned to an advertising vendor that collects website visitor data.
Using this data, Silent Push analysts have discovered 18 UK public organizations that use a controversial Chinese adtech vendor – Yeahmobi – to serve ads on .gov domains.
Our research points to a Chinese ad vendor, linked to questionable practices, profiting from UK public sector organizations, and collecting unknown amounts of data from visitors to government websites.
Example of banner advertising seen on the “Public Health” page of https://lancashire.gov.uk/
How ad exchanges work
Before we delve into our research, let’s explore the concept of ad data sharing.
Ad bidding is a complex process. In a nutshell, on these sites user data is ingested via Google advertising endpoints. The visitor’s IP address (or partial IP address), user agent (i.e. device type) and browser details are then shared with ad exchange partners via server-side data sharing.
Ad platforms such as Yeahmobi – along with any intermediaries – get an opportunity to submit bids in an ad auction. The winner then serves ads to the visitors of the given website.
The winner also gets the opportunity to sync data through selected adtech partners, with further data being shared if a user clicks on the ad and visits the destination webpage.
Methodology
Silent Push scans every clearnet and darkweb URL and categorizes the data using SPQL – a free-form query language that can be used to locate matching infrastructure within our proprietary threat intelligence datasets.
Scanned data is grouped into 6 separate repositories, each known as a ‘data source’. The ‘webscan’ data source contains web data from the public IPv4 and IPv6 ranges.
We used a combination of 6 ‘webscan’ data types and an experimental API query to identify .gov sites that featured digital ads, using the following SPQL fields:
We looked into any .gov U.S. government domains with the ability to host programmatic ads, and found 4 domains with an ads.txt file that are potentially in violation of CISA rules:
mcdowellcountywv.gov/ads.txt
fortdeposital.gov/ads.txt
cohassetpolicema.gov/ads.txt
sports.celina-tx.gov/ads.txt
The first three domains list only one vendor in their ads.txt file – Google.
sports.celina-tx.gov has dozens of partners listed in its ads.txt file and doesn’t have ads on any public pages, but appears to be managed by a vendor called SportsEngine[.]com, based on details in the footer.
UK domains
Our scans identified 18 UK public sector organizations that are either actively running ads or have the capability to, featuring Yeahmobi in the ads.txt file:
| Organization name | URL | Ad Vendor Details |
| --- | --- | --- |
| Transport for London | https://tfl.gov[.]uk | Yeahmobi |
| Derbyshire Dales District Council | https://www.derbyshiredales.gov[.]uk | Yeahmobi |
| Walsall Council | https://go.walsall.gov[.]uk | Yeahmobi |
| Sheffield City Council | https://www.sheffield.gov[.]uk | Yeahmobi |
| Milton Keynes City Council | https://www.milton-keynes.gov[.]uk | Yeahmobi |
| Lancashire County Council | https://lancashire.gov[.]uk | Yeahmobi |
| London Borough of Redbridge | https://www.redbridge.gov[.]uk | Yeahmobi |
| Monmouthshire County Council | https://www.monmouthshire.gov[.]uk | Yeahmobi |
| Torbay Council | https://www.torbay.gov[.]uk | Yeahmobi |
| Wandsworth Council | https://wandsworth.gov[.]uk | Yeahmobi |
| East Hampshire District Council | https://www.easthants.gov[.]uk | Yeahmobi |
| Havering London Borough | https://havering.gov[.]uk | Yeahmobi |
| Newcastle City Council | https://newcastle.gov[.]uk | Yeahmobi |
| Tameside Metropolitan Borough | https://tameside.gov[.]uk | Yeahmobi |
| Cheltenham Borough Council | https://cheltenham.gov[.]uk | Yeahmobi |
| Havant Borough Council | https://havant.gov[.]uk | Yeahmobi |
| Met Office | https://www.metoffice.gov.uk | Yeahmobi |
| South Gloucestershire Council | https://southglos.gov.uk | Yeahmobi |
Example of banner advertising seen at the bottom of the homepage at https://lancashire.gov.uk/
All of these domains except one (tfl[.]gov.uk) are local council websites.
Whilst programmatic advertising is not prohibited on UK council websites, allowing a Chinese ad vendor with a questionable past to collect data on visitors to UK public sector websites is problematic for reasons that are self-evident.
CAN (CAN Digital Solutions) manages the ads.txt files of all of the UK domains listed above. Within these files are accountIDs that prove that Yeahmobi is authorised to serve ads on, and access visitor data from, the domain.
Silent Push has contacted CAN for an explanation, but is yet to receive a reply.
Example ads.txt file
https://www.derbyshiredales.gov.uk/ads.txt
MANAGERDOMAIN=can-digital.net
yeahmobi.com, 113772, RESELLER
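An ads.txt audit of the kind described above, as an added example that is not Silent Push’s own code or SPQL: it parses a publisher’s ads.txt, reads the MANAGERDOMAIN variable and reports whether a given vendor (here yeahmobi.com) holds an authorised seller record. The file content in SAMPLE_ADS_TXT is constructed, modelled on the example file shown above.

```python
"""Parse an ads.txt file and report which sellers it authorises.
Added example, not Silent Push code. SAMPLE_ADS_TXT is constructed,
modelled on the format in the post (MANAGERDOMAIN plus seller records)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_ADS_TXT = """\
# constructed sample of a publisher's /ads.txt
MANAGERDOMAIN=can-digital.net
google.com, pub-0000000000000000, DIRECT, f08c47fec0942fa0
yeahmobi.com, 113772, RESELLER
openx.com, 540000000, RESELLER, 6a698e2ec38604c6   # trailing comment

malformed line without commas
"""

@dataclass(frozen=True)
class SellerRecord:
    domain: str          # ad system domain, lower-cased
    account_id: str      # publisher account ID within that ad system
    relationship: str    # DIRECT or RESELLER, upper-cased
    cert_authority: str  # optional certification authority ID, else ""

def parse_ads_txt(text: str) -> Tuple[Dict[str, str], List[SellerRecord], List[str]]:
    """Return (variables, seller records, rejected lines) for ads.txt content.
    Handles '#' comments, KEY=value variables and 3- or 4-field seller records;
    anything else is reported as rejected rather than silently dropped."""
    variables: Dict[str, str] = {}
    records: List[SellerRecord] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().isalpha():    # variable line, e.g. MANAGERDOMAIN=
            variables[key.strip().upper()] = value.strip()
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) not in (3, 4) or not all(fields[:3]):
            rejected.append(raw)
            continue
        relationship = fields[2].upper()
        if relationship not in ("DIRECT", "RESELLER"):
            rejected.append(raw)
            continue
        cert = fields[3] if len(fields) == 4 else ""
        records.append(SellerRecord(fields[0].lower(), fields[1], relationship, cert))
    return variables, records, rejected

def find_vendor(records: List[SellerRecord], vendor_domain: str) -> List[SellerRecord]:
    """Records that authorise vendor_domain (or a subdomain of it) to sell."""
    needle = vendor_domain.lower()
    return [r for r in records if r.domain == needle or r.domain.endswith("." + needle)]

def audit(text: str, vendor_domain: str) -> dict:
    """Summarise who manages the file and whether vendor_domain is authorised."""
    variables, records, rejected = parse_ads_txt(text)
    hits = find_vendor(records, vendor_domain)
    return {
        "manager_domain": variables.get("MANAGERDOMAIN"),
        "seller_count": len(records),
        "vendor_authorised": bool(hits),
        "vendor_account_ids": sorted(r.account_id for r in hits),
        "rejected_lines": len(rejected),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_ADS_TXT, "yeahmobi.com"))
```

Pointing `audit()` at a fetched `/ads.txt` body lets a site owner confirm which intermediary manages the file and which sellers it actually authorises, including lines that silently fail to parse.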
Addendum
After this blog was published and distributed in the media, Mark Gardner, Director of CAN Digital Solutions, which provides ads.txt files to various .gov.uk websites, told tech news outlet The Register that references to Yeahmobi will be deleted, and had the following to say:
“We take these matters very seriously, and after looking into this in some detail with the team, we have never had any ad quality issues with Yeahmobi in the past, nor are we aware of any Chinese links, but as a precaution we are in the process of removing them from all our publisher ads.txt files until further notice.
“We have also reached out to the native advertising partner working with them to ask for more insight into these claims and are more than happy to provide their feedback when we have it.”
Register for Community Edition
Silent Push Community Edition is a free threat hunting and cyber defense tool used by security teams and researchers across the globe to proactively locate attacker infrastructure, and stop threats before they’re launched.
Community Edition also enables users to search for adtech-related data across the Silent Push web content database, using a custom query language (SPQL) and an intuitive console.
Community users can also use the Live Scan feature to get a real-time snapshot of clearnet and darkweb URLs, across 70+ data categories.
On April 12, Palo Alto Networks published an advisory on CVE-2024-3400 – a file creation vulnerability in the GlobalProtect feature of PAN-OS, the software that runs all Palo Alto Networks’ next-generation firewalls.
The vulnerability (with a severity score of 10) enables an unauthenticated attacker to execute arbitrary code, with root privileges, on PAN-OS firewalls.
In this blog we’ll explore how Silent Push Threat Analysts were able to pinpoint 2000+ PAN-OS firewalls open to exploit, identify Indicators of Future Attack (IOFA) targeting affected firewall instances, and cluster all associated CVE-2024-3400 data into three distinct threat feeds that highlight attacker infrastructure and vulnerable IP addresses.
Tracking vulnerable PAN-OS firewalls
Palo Alto Networks has confirmed that the vulnerability applies only to PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway or a GlobalProtect portal (or both).
Silent Push scans the global IPv4 range every day, and categorises the data using SPQL – a free-form query language our customers use to search for associated web content, HTML, SSL, and certificate data. Click here for a full list of searchable fields.
We used the above version information to construct a custom query that scans for exploitable PAN-OS instances exposed to the Internet, before collecting the domains and IPs together in two Bulk Data Feeds that Enterprise customers can use to improve their security posture:
“PAN-OS Vulnerable Domains”
“PAN-OS Vulnerable IPs”
At the time of writing, our PAN-OS Bulk Data Feeds contain over 2000 vulnerable PAN-OS instances exposed to the Internet.
PAN-OS Bulk Data Feeds
Tracking PAN-OS attacker infrastructure
Unit 42 – Palo Alto’s threat research team – has published guidance for all affected PAN-OS users on how to mitigate the threat of intrusion on affected devices.
To help minimize the global impact of CVE-2024-3400, Silent Push Threat Analysts have implemented an Early Detection Feed (“CVE Exploitation – PAN-OS”) containing the IP addresses of threat actors who are actively attempting to exploit vulnerable PAN-OS instances.
Scroll to the bottom of this blog for a sample of attacker IP addresses.
Note: An IP address is only placed in our PAN-OS feed if an attacker attempts to access the specific URL that triggers the vulnerability.
Feed tracking PAN-OS attacker IPs
Mitigation
Silent Push provides users with a bilateral view of infrastructure linked to CVE-2024-3400: both vulnerable firewall instances and the IPs involved in launching an attack.
Enterprise users can use the Silent Push API to ingest the PAN-OS attacker Early Detection Feed into their existing security stack, or download a list of all related CVE-2024-3400 IPs and domains from the Bulk Data Feeds mentioned above for further analysis.
Automated feed export
Enterprise users can also use the Silent Push console to quickly search across an enriched PAN-OS dataset using the ‘Threat Ranking’ screen, and correlate the data with other known threat activity to discover associated infrastructure.
Enriched threat data for PAN-OS attacker IP
Register for Community Edition
Silent Push Community Edition is a free threat hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types, including Silent Push ‘Web Scanner’ and ‘Live Scan’.
Click here to sign-up for a free Community Edition account.
We’re excited to announce that we’ll be attending RSA Conference in San Francisco this May.
For three decades, RSA Conference has been a leading influence in the global cybersecurity community, serving as a hub to discuss new insights, create meaningful relationships, and dive deeper into practical threat intelligence.
Our team will be hosting two nights of ‘Threat Intelligence on Tap’, a series of short sessions aimed at demonstrating how the Silent Push platform reveals adversary infrastructure, campaigns, and security problems by searching across the most timely, accurate and complete Proactive Threat Intelligence dataset. We’ll be covering topics such as:
Tracking Scattered Spider via favicon and HTML title reuse
Tracking SocGholish stage 1, 2, 3 payloads with fastflux techniques
Tracking Prolific Puma redirection domains via HTML ssdeepcontent hash
We’ll also be available throughout the conference to discuss our product and provide demos, so don’t hesitate to reach out and we’ll set up a time to meet.
Live Scan allows you to extract real-time data from a single URL on the clearnet or darkweb, across a range of categories, and view historical scan results for the specified URL.
You can use Live Scan datasets to perform additional DNS and hash-based pivots, map out attacker TTPs, pinpoint malicious infrastructure and gather intelligence on specific attack vectors and threat groups.
This blog will show you how to perform a Live Scan query, and how to work with the dataset to produce actionable intelligence.
‘Live Scan’ video tutorial
Before you read the blog, check out our tutorial video that covers the basics:
Scanning a URL
Live Scan is available as part of a Silent Push Community or Enterprise subscription. There are two ways to execute a URL scan:
Input any public or .onion URL into the search box on the home page, and click ‘Live Scan’
Navigate to ‘Explore Web Data > Live Scan’
Viewing ‘Live Scan’ results
Scan results, including a live screenshot of the URL, are populated below the search box:
The ‘Query Results’ section contains the following data, with a range of use cases across the board:
HTML data: Establish site functionality and identify common phishing indicators.
Live screenshot: Preview how the site appears to users.
Favicon data, including hash values: Track hash values to identify favicon spoofing or phishing attempts.
Redirect chain: Identify suspicious URL destinations and attack vectors across a full redirect chain.
Body data, including hash values: Detect similar page layouts across attacker infrastructure. Uncover phishing kits and forms attributed to specific threat actors.
Open directories: Pinpoint open directories and publicly exposed data.
SSL data: Verify the validity of SSL certificates, identify signs of an SSL stripping attack and assess the encryption strength of a domain.
Risk score of the domain and IP: View risk scores for the destination domain and hosting IP.
You can also use any of the hash values returned to detect similar infrastructure.
Read our Knowledge Base for a full list of fuzzy and exact match hash values used within the platform, including body similarity hashes, favicon md5 and Murmur3 hashes, and proprietary script, certificate and header hash values.
Viewing historical scan results
Live Scan gives you the ability to view historical scan results related to your chosen URL, allowing you to gather all the data that’s ever been collected for a single URL.
The feature automatically executes a Web Scanner query for your chosen URL, including the relevant data source.
You can use the Web Scanner UI to adjust query parameters and narrow your search to produce targeted datasets:
Historical scan results
Working with the raw data
You can view scanned data in raw format, and copy it to the clipboard to feed into your existing security stack, or share with your team:
‘Basic Raw Data’ view
View risk scores for a URL
Risk scores help you to make operational judgements based on the likelihood of a URL being involved in malicious activity.
Risk scores are displayed for the destination URL and the hosting IP, immediately above the screenshot in the ‘Query Results’ section:
We’re thrilled to be invited to the upcoming PIVOTcon Malaga 2024 conference coming up in May.
PIVOTcon is a unique opportunity for us to experience an event run by threat analysts for threat analysts, where attendees have the opportunity to go beyond what can be shared in public forums, blog posts and reports, strengthening connections between ourselves and other threat researchers from across Europe.
PIVOTcon takes a contemporary approach to industry events, with a focus on interpersonal connection and sharing of experiences, tradecrafts, successes and pitfalls. It is through these connections that we are able to dive deeper into emerging trends, common roadblocks within security teams, and discuss pioneering approaches to proactive cyber defense.
The three day conference will be packed with workshops and discussions focused on threat research and technical analysis, led by industry experts from diverse backgrounds including private sector researchers, government, law enforcement and military analysts, academics and investigative journalists.
We look forward to learning from new and old friends, and to sharing our own experiences in showcasing Indicators of Future Attack to enterprise organizations across the globe.