CrmX phishing screenshot

Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and PayPal domains.

Our Threat Intelligence Team was on the lookout for PayPal typosquatting domains when one particular domain (paypalsec[.]us) led them to a far larger discovery: an entire network of threat activity masquerading as numerous global brands and infecting machines with a malicious file disguised as a remote monitoring tool, WinDesk.Client.exe.

The initial discovery

We found the domain (registered through NameSilo on 2022-08-18) using the Silent Push Live Unsanctioned Assets query – an A record search by qanswer, netmask and various other network parameters.

The domain carried some text and images that mimicked PayPal's actual website, but most of the content was populated with unrelated placeholders, which suggested the site had been built from a multi-purpose template rather than coded from scratch.

Fake website
PayPal’s actual website

Threat actors aren't in the business of coding individual websites for hundreds of malicious domains, and often rely on shared page builders (phishing kits) to put together sites that target different brands from one template.

The ‘Cancel Now’ button on this particular domain prompted the download of an executable, WinDesk.Client.exe, which we analyse further below.

The delivery method

Once we'd confirmed the domain was malicious, we analysed WHOIS, IP and passive DNS (PADNS) data to find out what other activity it was linked to, which led us to another domain serving the same PayPal phishing page: help01[.]us (also registered through NameSilo on 2022-08-18).

We repeated the process for the IP address associated with help01[.]us and discovered 30 other domains hosting similar phishing pages, impersonating big-name brands such as Amazon, Microsoft, Geek Squad and PayPal, using the same basic technique with some subtle differences (see the IoC list at the bottom of this article).

Instead of a ‘Cancel Now’ button, these websites featured an ‘Enter Code’ field.

After a few attempts, we entered a code that was accepted as valid, which started the download of WinDesk.Client.exe.

Fake Amazon page
Fake GeekSquad page

Analysing the trojan

WinDesk.Client.exe actively tries to avoid running in a sandbox, using a combination of anti-debugging checks and sleep timers, but our Threat Analysts were able to run it in a test environment to ascertain what the file actually does and, more importantly, where it sends information.

Once run, WinDesk.Client.exe launches dfsvc.exe, the Windows ClickOnce deployment service, beneath which two further executables are spawned:

dfsvc.exe
    ScreenConnect.WindowsClient.exe
    screenconnect.clientservice.exe

In its legitimate guise, ScreenConnect.WindowsClient.exe belongs to the ScreenConnect platform (now known as ConnectWise Control), a widely-used remote access tool for customers of ConnectWise. Because it is a legitimate, signed remote-access client, its presence alone is not an indicator; what matters is how it arrived on the machine and which relay server it connects to.

Process tree (Credit – app.any.run)

ScreenConnect.WindowsClient.exe does have the potential to record keystrokes, but it's the final drop, screenconnect.clientservice.exe, that reveals the most.

The service attempts to establish a connection with 104.168.5[.]29, the address that firsto[.]cc resolves to.

We weren't able to ascertain precisely what data the client process is attempting to send, but the security implications are clear: the victim's machine is now enrolled with a ScreenConnect relay that the attacker controls, giving them remote access to it.
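The process chain and network behaviour described above translate directly into a hunt. The following is an added example, not Silent Push or ConnectWise code: it walks a constructed, Sysmon-style process/network event list (field names are our own) and flags any ScreenConnect component that connects to a relay host the organisation does not operate, reporting whether the chain went through dfsvc.exe and whether a non-ScreenConnect ancestor ran from a user profile directory, as WinDesk.Client.exe did here.

```python
"""Hunt for ScreenConnect clients deployed the way this sample deploys them
(user-profile dropper -> dfsvc.exe ClickOnce -> ScreenConnect client) that
phone home to a relay the organisation does not operate.

Added example, not Silent Push or ConnectWise code. EVENTS is a constructed,
Sysmon-style process/network log; the field names are our own."""
import ntpath

# Image names of the ScreenConnect client components named in the article.
SC_IMAGES = {"screenconnect.windowsclient.exe", "screenconnect.clientservice.exe"}


def _base(path: str) -> str:
    # ntpath parses Windows paths correctly even when this runs on Linux/macOS.
    return ntpath.basename(path).lower()


def ancestry(pid: int, procs: dict) -> list:
    """Walk parent links from pid to the root; returns process records, child first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def find_rogue_screenconnect(events: list, approved_relays: set) -> list:
    """One finding per outbound connection made by a ScreenConnect component
    to a host that is not an approved relay for this organisation."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    approved = {h.lower() for h in approved_relays}
    findings = []
    for e in events:
        if e["type"] != "network":
            continue
        proc = procs.get(e["pid"])
        if proc is None or _base(proc["image"]) not in SC_IMAGES:
            continue
        if e["dest_host"].lower() in approved:
            continue  # the organisation's own ConnectWise instance
        chain = ancestry(e["pid"], procs)
        names = [_base(p["image"]) for p in chain]
        findings.append({
            "pid": e["pid"],
            "dest_host": e["dest_host"],
            "dest_ip": e["dest_ip"],
            "chain": names,
            # ClickOnce deployment service in the ancestry, as in the sample
            "clickonce_launched": "dfsvc.exe" in names,
            # a non-ScreenConnect ancestor running from a user profile directory
            # (the downloaded WinDesk.Client.exe in this case)
            "dropper_in_user_profile": any(
                "\\users\\" in p["image"].lower() and _base(p["image"]) not in SC_IMAGES
                for p in chain
            ),
        })
    return findings


# Constructed sample telemetry (not real logs); host and IP taken from the article's IoCs.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Users\victim\Downloads\WinDesk.Client.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Users\victim\AppData\Local\Apps\2.0\ScreenConnect.WindowsClient.exe"},
    {"type": "process", "pid": 500, "ppid": 300, "image": r"C:\Users\victim\AppData\Local\Apps\2.0\ScreenConnect.ClientService.exe"},
    {"type": "network", "pid": 500, "dest_host": "firsto.cc", "dest_ip": "104.168.5.29", "dest_port": 443},
    # The organisation's own, approved ScreenConnect client installed as a service: not flagged
    {"type": "process", "pid": 600, "ppid": 1, "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"type": "network", "pid": 600, "dest_host": "support.corp.example", "dest_ip": "203.0.113.20", "dest_port": 443},
]

if __name__ == "__main__":
    for f in find_rogue_screenconnect(EVENTS, {"support.corp.example"}):
        print(f"{f['dest_host']} ({f['dest_ip']}) <- {' <- '.join(f['chain'])}")
```

The allow-list of approved relays is the important design choice: ScreenConnect is legitimate software, so the rule keys on destination rather than on the binary, and the process ancestry is attached as context for the analyst rather than used as the sole trigger.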

Links to Norton and GeekSupport scams

A passive DNS replication check shows that the server is linked to another IP, 198.23.212[.]167, which is connected to phishing sites actively impersonating brands such as Norton and GeekSupport:

  • firsto[.]top
  • firsto[.]cc
  • mslxt[.]xyz
  • ncareback[.]xyz
  • backup02[.]xyz
  • gkscare[.]com
  • geeksupportcare[.]com
  • xpchelps[.]us
  • support2norton[.]us
  • xpchelp[.]us

Network communication from screenconnect.clientservice.exe

The attack chain most likely begins with an email. Threat actors gain the victim's trust, usually over a follow-up telephone conversation, before talking them into entering the code that prompts the download.

A few weeks ago, Geek Squad customers fell victim to a scam featuring a fake website that asked them to call a phone number to cancel a fake subscription. Norton customers experienced the same basic scam in June.

It's reasonable to assume that the version of WinDesk.Client.exe we analysed, and the infrastructure it reports to, was an integral part of both scams.

Further investigation uncovered over 350 domains hosted across 42 IP addresses over the last month, impersonating not just Norton and Geek Squad but big names such as Amazon and McAfee (see the IoC list at the bottom of this article).

The majority of these domains had three things in common:

  • They were registered through NameSilo;
  • They used *.dnsowl.com nameservers;
  • They were hosted on low-density IP addresses (a handful of domains per address) in AS30823 (COLOCROSSING).
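The three shared traits above are a usable fingerprint for pivoting from one known-bad domain to its siblings. The following is an added example, not Silent Push code: it matches WHOIS/passive-DNS style records against the registrar, nameserver suffix and hosting ASN described above and then groups the matches by IP, discarding shared-hosting addresses that carry many domains. The records are constructed; the two campaign domains come from this post, and everything else uses reserved example names and RFC 5737 documentation addresses.

```python
"""Pivot from one malicious domain to its siblings using the three
infrastructure traits shared by most of this campaign's domains: registrar,
nameserver provider and hosting ASN, keeping only low-density IPs.

Added example, not Silent Push code. SAMPLE is constructed: the two campaign
domains are from the article, the rest use reserved names and documentation IPs."""
from collections import Counter, defaultdict
from dataclasses import dataclass

REGISTRAR_SUBSTR = "namesilo"   # matches "NameSilo, LLC" as WHOIS reports it
NS_SUFFIX = ".dnsowl.com"       # NameSilo's default nameservers
HOSTING_ASN = 30823             # AS30823, COLOCROSSING


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrar: str
    nameservers: tuple
    ip: str
    asn: int


def matches_fingerprint(rec: DomainRecord) -> bool:
    """All three traits must match; any one alone is far too common to pivot on."""
    ns_ok = any(ns.lower().rstrip(".").endswith(NS_SUFFIX) for ns in rec.nameservers)
    return REGISTRAR_SUBSTR in rec.registrar.lower() and ns_ok and rec.asn == HOSTING_ASN


def ip_density(records) -> Counter:
    """Distinct domains observed per IP address."""
    return Counter(ip for ip, _domain in {(r.ip, r.domain) for r in records})


def cluster(records, max_density: int = 5) -> dict:
    """Group fingerprint matches by IP, dropping shared-hosting addresses that
    carry more than max_density domains (the campaign used low-density IPs)."""
    density = ip_density(records)
    groups = defaultdict(list)
    for rec in records:
        if matches_fingerprint(rec) and density[rec.ip] <= max_density:
            groups[rec.ip].append(rec.domain)
    return {ip: sorted(set(doms)) for ip, doms in groups.items()}


NS = ("ns1.dnsowl.com", "ns2.dnsowl.com")
SAMPLE = [
    # two campaign domains on one low-density ColoCrossing address
    DomainRecord("paypalsec.us", "NameSilo, LLC", NS, "192.0.2.10", HOSTING_ASN),
    DomainRecord("help01.us", "NameSilo, LLC", NS, "192.0.2.10", HOSTING_ASN),
    # right registrar and NS but hosted in another ASN: not part of the cluster
    DomainRecord("shop.example", "NameSilo, LLC", NS, "198.51.100.7", 13335),
    # right ASN, different registrar and NS: also excluded
    DomainRecord("cdn.example", "Example Registrar", ("ns1.dns.example",), "192.0.2.20", HOSTING_ASN),
] + [
    # a shared-hosting IP carrying many matching domains: excluded by density
    DomainRecord(f"site{i}.example", "NameSilo, LLC", NS, "203.0.113.50", HOSTING_ASN)
    for i in range(6)
]

if __name__ == "__main__":
    for ip, doms in cluster(SAMPLE).items():
        print(ip, doms)
```

Raise `max_density` when you are prepared to review more noise; the default of five reflects the "low-density" observation above rather than any universal threshold.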

Thankfully, this particular group of threat actors spent too much time playing fast and loose with legitimate brands and failed to secure their own infrastructure, leading us to some interesting discoveries.

The front end operation

We've already blogged about open directories: they're the ultimate quick win for anyone looking to get into a restricted file system without having to worry about phishing, social engineering or payloads.

Using the Silent Push Open Directory search, we quickly discovered an open index on 192.227.173[.]35 that contained a single compressed file, desk.zip.

The archive contained a directory of website assets, including images, components and, crucially, a database with username and password tables for the control panel of the phishing page builder used to construct the malicious websites we'd already uncovered.

Phishing website builder

Beyond different variations of the phishing page and the domains used to download the malware (which we'd already uncovered), we didn't find anything further on the front end of the control panels. It was nonetheless an interesting insight into how threat actors assemble an operation like this, and it gave us a significant amount of intel to pass on to our customers.


Indicators of Compromise

This list will not be updated after the initial blog post. For live tracking of malicious infrastructure subscribe to our enterprise service. Sign up for a trial.

Payload download domains

win01[.]xyz

win02[.]xyz

win03[.]xyz

win04[.]xyz

IP addresses

45.153.242[.]179

107.172.73[.]169

23.94.159[.]191

107.172.75[.]132

192.3.122[.]191

192.3.13[.]36

192.3.122[.]146

107.173.229[.]163

107.173.143[.]41

192.227.173[.]35

192.3.247[.]180

107.173.229[.]143

192.210.149[.]241

107.174.138[.]194

172.245.27[.]14

23.95.34[.]123

198.46.132[.]181

198.12.89[.]38

192.3.239[.]7

198.12.89[.]4

198.12.89[.]36

104.168.33[.]58

23.94.174[.]165

107.172.13[.]160

172.245.27[.]38

172.245.119[.]64

104.168.32[.]32

198.23.213[.]50

192.227.173[.]103

45.147.231[.]233

23.95.85[.]185

104.168.33[.]61

107.173.143[.]27

198.23.207[.]31

23.95.85[.]181

198.12.84[.]71

198.23.145[.]147

192.3.22[.]14

198.12.107[.]216

192.3.141[.]133

192.210.219[.]54

198.23.174[.]109

198.23.212[.]164

198.23.212[.]193

104.168.5[.]29

Phishing domains

firsto[.]top

firsto[.]cc

mslxt[.]xyz

ncareback[.]xyz

backup02[.]xyz

gkscare[.]com

geeksupportcare[.]com

xpchelps[.]us

support2norton[.]us

xpchelp[.]us

1001[.]to

247bestbuy[.]cc

247bestbuy[.]info

247gscare[.]info

247help[.]live

247support[.]cc

247support[.]live

247supportme[.]live

247supportme[.]us

9115[.]to

91158[.]to

9190[.]us

9199[.]us

9220[.]us

acare[.]cc

acareme[.]cc

acaresupport[.]us

ahelp[.]care

ahelps[.]us

amaznhelp[.]us

amazonserver[.]us

amjhelp[.]cc

amzcare[.]cc

amzcare[.]info

amzcare[.]uk

amzhelp[.]cc

amzhelp[.]live

amzhelp[.]uk

amzhelps[.]us

amzndesk[.]info

amzndesk[.]us

amznsupport[.]me

amzsupport[.]cc

amzsupport[.]top

amzsupports[.]us

appsdesk[.]us

asecures[.]top

ask4support[.]cc

ask4support[.]us

asupport[.]care

asupport[.]me

asupport[.]services

asupports[.]cc

asupports[.]info

asupports[.]live

asupports[.]us

azhelpdesk[.]us

bankingcare[.]us

bbbrefund[.]live

bbbrefund[.]us

bbhelp[.]live

bbhelp[.]us

bcare[.]cc

bcares[.]us

bestbuyhelp[.]us

bhelp[.]cc

bhelp[.]info

billingform[.]info

billingsdept[.]us

billingteam[.]cc

billingteam[.]info

billingteam[.]online

billingteams[.]us

bsupport[.]live

bsupports[.]live

bteam[.]live

buggu[.]info

cancel1[.]us

cancel2[.]us

cancel3[.]cc

cancel786[.]us

cancelforms[.]live

cancell[.]cc

cancell[.]us

cancellationsupport[.]live

cancellationsupport[.]us

cancellationsupprts[.]live

cancelnow[.]live

cancels[.]services

cancels[.]support

carehelp[.]us

cform[.]live

cform[.]online

chelp[.]care

chelp[.]cc

cscare[.]live

cscare[.]us

csupport[.]cc

cxsupport[.]cc

cxsupports[.]us

dcare[.]live

deskcare[.]live

deskcareme[.]cc

deskcares[.]cc

deskcares[.]online

deskhelps[.]cc

desksupports[.]cc

desksupports[.]live

desksupports[.]net

desksupports[.]us

dsupport[.]info

dsupport[.]live

esupport[.]cc

fcare[.]cc

fcare[.]live

fhelp[.]cc

fhelps[.]live

formlive[.]cc

formlive[.]info

forms911[.]us

formslive[.]cc

formslive[.]info

formslive[.]online

fsupport[.]cc

fsupport[.]info

fsupport[.]live

fsupport[.]online

fsupports[.]live

gcare[.]cc

gcare[.]live

gcares[.]us

gchelps[.]live

gchelps[.]us

geekcancel[.]us

geekcare[.]cc

geekhelp[.]us

geekhelps[.]us

geekrefund[.]live

geekrefund[.]online

geeksqad[.]cc

getforms[.]live

getforms[.]us

gethelpdesks[.]live

gethelpsupport[.]us

getset[.]cc

getset[.]info

ghelp[.]cc

ghelp[.]info

grefund[.]live

grefund[.]us

gscare[.]info

gscare[.]live

gscare[.]us

gsrefund[.]us

gssquads[.]us

gsupport[.]live

help01[.]us

help4support[.]live

helpcares[.]support

helpcares[.]us

helpcenter[.]top

helpcenters[.]cc

helpcenters[.]live

helpdeskme[.]live

helpdeskme[.]us

helpdesksupport[.]live

helpline247[.]cc

helpline247[.]live

helpline247[.]us

helplive[.]cc

helplive[.]us

helplives[.]cc

helplives[.]us

helpme159[.]live

helpnortn[.]us

helpnorton[.]us

helpnsupport[.]us

helpsupports[.]live

helpsupports[.]us

helptechme[.]info

helptechme[.]live

helptechme[.]us

hservice[.]cc

hsupport[.]live

hsupports[.]live

ihelp[.]care

isupport[.]info

isupport247[.]cc

isupport247[.]us

isupports[.]live

itcares[.]info

itcares[.]live

itcares[.]us

itdesk[.]cc

itdesks[.]cc

itdesks[.]live

itdesks[.]online

itdesks[.]us

jcare[.]us

jsupport[.]us

khelp[.]live

ksupport[.]live

liveforms[.]us

login08[.]info

login08[.]top

mcare[.]live

mcfee247[.]cc

mcfee247[.]live

mcfhelp[.]us

mcfsupport[.]cc

mcfsupport[.]cloud

mcfsupport[.]live

mcfsupport[.]online

mcfsupport[.]us

mhelp[.]cc

mnsupport[.]info

mnsupports[.]live

mnsupports[.]us

mscare[.]me

mscare[.]online

mscares[.]cc

mscares[.]info

mscares[.]live

mscares[.]us

mshelp[.]cc

mshelp[.]me

mshelp[.]us

mshelpcare[.]cc

mshelpcare[.]info

mshelpcare[.]live

mshelpcare[.]us

mshelps[.]info

mshelps[.]live

mshelps[.]us

msjkp[.]top

msjkp[.]xyz

mskf[.]life

msn365[.]live

mssupport[.]cc

mssupports[.]live

mssupports[.]us

mstool[.]cc

mstool[.]info

mstool[.]live

msupport[.]cc

msupport[.]live

msupport[.]tech

msupports[.]info

msupports[.]live

msupports[.]online

msupports[.]us

myhelpcare[.]top

myhelpcares[.]info

myhelpcares[.]live

myhelpcares[.]us

myhelpdesk[.]cc

myhelpdeskme[.]us

myrefunds[.]live

mywebsecure[.]cc

mywebsecure[.]live

mywebsecure[.]us

ncares[.]online

nhelp[.]cc

nhelpcare[.]cc

nhelpcare[.]us

nllcancel[.]us

nortan[.]online

nortan360[.]us

nortancxs[.]us

nortanpro360[.]us

nortn[.]us

norton247[.]us

nortonpro[.]live

nortonpro[.]us

nrtsupport[.]online

nrtsupport[.]us

nsupport[.]cc

nsupport360[.]cc

nsupport360[.]us

nsupportme[.]us

ntcare[.]cc

ntcare[.]info

ntcare[.]live

ntcare[.]us

ntcares[.]live

onlinesupport[.]top

osupport[.]us

paycare[.]cc

paypalcare[.]cc

paypalcare[.]us

paypalhelp[.]cc

paypalhelp[.]live

paypalsec[.]us

paysupports[.]cc

paysupports[.]info

pcare[.]live

pchelps[.]cc

pchelps[.]live

pchelps[.]vip

pcservers[.]us

pcsupport[.]cc

phelp[.]info

primesupports[.]live

prsupport[.]cc

prsupport[.]live

pserver[.]cc

pserver[.]live

pserver[.]us

psupport[.]live

qhelp[.]cc

qhelp[.]live

qhelps[.]info

qhelps[.]live

qhelps[.]us

qsupport[.]live

refundassists[.]us

refundform[.]info

refundforms[.]us

refundhelp[.]us

refundscare[.]us

refundsnow[.]us

refundteam[.]us

rfundcare[.]cc

rfundcare[.]live

rfundcare[.]us

rhelp[.]live

securesupport[.]live

service247[.]us

support247[.]live

support99[.]cc

support99[.]live

support99[.]us

supportcancel[.]info

supportcancel[.]live

supportcancels[.]us

supportcare[.]cc

supportcares[.]cc

supportcares[.]live

supportcares[.]us

supportclients[.]cc

supportclients[.]top

supportcx[.]info

supportdesks[.]live

supportdesks[.]us

supporthelp[.]info

supportlive[.]cc

supportme11[.]live

supportme247[.]live

supportme247[.]us

supportpay[.]live

supports[.]win

supports[.]work

supports247[.]us

supports24x7[.]us

supportshelp[.]cc

supportslive[.]us

supportsx[.]info

supportsx[.]live

supportteams[.]live

supportus[.]us

supportusa[.]cc

suvfix[.]cc

suvfix[.]info

techamerica[.]live

techcare[.]live

techcares[.]cc

techcares[.]live

techhelps[.]live

techhelps[.]support

techhelps[.]win

techhelpsme[.]cc

techhelpsme[.]live

techhelpsme[.]online

techhelpsme[.]us

test01[.]cloud

testapp101[.]xyz

tservers[.]live

tservers[.]top

tsupport[.]cc

uscybersquad[.]live

vfix[.]info

vsupport[.]cc

waso[.]cc

waso[.]info

windesk[.]live

windowsupport[.]cc

windowsupport[.]info

winsupport[.]live

wnsupport[.]us

wservice[.]live

wsupport[.]cc

wsupport[.]us

ysupport[.]us

zsupport[.]cc

zsupport[.]info

zsupport[.]live


IPFS - What is it, and should you block it on your corporate network?

What is IPFS?

Created in May 2014 and released a year later, the InterPlanetary File System (IPFS) is a protocol for storing and sharing files over the Internet that replaces the traditional client-server model with a global peer-to-peer (P2P) network, using distributed hash tables (DHTs) to locate and deliver content.

All that's needed to retrieve data through a public gateway is the gateway's hostname and the file's content identifier (CID):

        https://<gateway>/ipfs/<CID>

Sound familiar? It should do. IPFS architecture is closely related to that other darling of the decentralised web, BitTorrent. The similarities are plain: both are decentralised, both operate over P2P networks and both are content-addressed. There are, however, a few subtle but important differences.

IPFS vs. Bittorrent

First of all, IPFS has the potential to change the way the world accesses and ‘remembers’ the Internet. The protocol can host entire websites, not just distribute files as torrenting does, and founder Juan Benet has voiced his intent to create a fully-archived ‘permanent web’ that the Wayback Machine can only dream of.

There's also the ‘trust’ element. IPFS doesn't need you to download a torrent file that may or may not point to the right data. All that's required is the CID, and because the CID is itself a cryptographic hash of the content, the client can verify that what it receives is exactly what it asked for.

There are lots of other technical factors to consider, from the way IPFS de-duplicates identical content to how it copes with nodes and peers dropping offline, but the long and short of it is that despite BitTorrent being around for over two decades, and still commanding a significant portion of global upload traffic (as high as 10%), IPFS is proving hugely popular with tech firms and organisations that require decentralised storage (for files or apps).

IPFS vs. centralised storage

Before you think about ditching your trusty file server, it's important to note that IPFS isn't an out-of-the-box replacement for a standard secure corporate file system, any more than torrenting is an alternative for accessing company HR records. It takes time, energy, resources and a fair bit of savvy to recreate the practicalities of a client-server environment on IPFS, and quite frankly, the client technology doesn't seem to be there yet.

IPFS, as a protocol, is used for three main reasons:

  1. to download publicly available files – large or small, common and rare (although lesser-used files have a tendency not to survive within a global namespace);
  2. blockchain storage;
  3. as a storage method for decentralised apps (dApps) on the Ethereum blockchain.

What are the security implications of using IPFS?

First of all, IPFS doesn't require an open door onto your server architecture or workstations. Various third-party services provide dedicated IPFS gateways and domains, separate from your standard public DNS infrastructure, that exist solely to distribute data via IPFS. However, as we'll go on to discuss, these services aren't without their problems.

You also don't need to worry about the data behind an address being swapped for something malicious after you've started interacting with it. IPFS is content-addressed: the CID is a cryptographic hash of the content, so if any byte of the data changes, the address changes with it. The flip side is that this says nothing about whether the content was malicious to begin with, and mutable pointers such as IPNS names or DNSLink records can be repointed at new content at any time.

Organisations should, however, be on their guard. As with any emerging protocol, threat actors have begun to abuse IPFS to host and distribute malicious content, with the potential to wreak havoc on corporate IT systems.

Two cybersecurity researchers from the University of Piraeus, Constantinos Patsakis and Fran Casino, have uncovered numerous ways in which IPFS can be used to host malicious files, or even to run entire botnets, with little realistic prospect of detection, and describe how such methods transfer to other distributed storage systems.

Unfortunately, using IPFS for nefarious purposes is nothing new. Back in 2018, threat actors abused Cloudflare's public IPFS gateway to serve phishing pages in much the same way they had previously abused Azure Blob Storage: the victim saw a valid TLS certificate and padlock on a trusted domain and was fooled into handing over information.

IPFS phishing

It may not be time to hit the panic button just yet, but the warning signs are starting to emerge. IPFS is actively being described by prominent threat intelligence brands as a ‘hotbed’ for phishing attacks, across the entire Internet, not just limited to filesharing within a global namespace.

Services from Google Weblight (an official Google service that speeds up Android browsing) to cloud storage platforms such as Filebase, NFT repositories and the aforementioned Microsoft platforms have all been abused in IPFS-specific phishing campaigns that trick unsuspecting users into handing over information, using the tried-and-tested techniques of URL redirection and reputation masking (a trusted gateway domain fronting attacker-controlled content).
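Because any public gateway can serve any CID, a phishing page blocked on one gateway hostname simply reappears behind another, which is the reputation masking described above. Defenders therefore do better to key decisions on the CID itself. The following is an added example, not Silent Push code: it extracts the CID from both path-style (`https://<gateway>/ipfs/<CID>`) and subdomain-style (`<CID>.ipfs.<gateway>`) gateway URLs and converts CIDv0 (`Qm...`) into the CIDv1 base32 form that subdomain gateways use, so that the two forms of the same content compare equal. The sample CID is the well-known go-ipfs readme directory; the gateway hostnames other than ipfs.io are placeholders.

```python
"""Normalise IPFS gateway URLs to the content identifier (CID) behind them so a
phishing page can be blocked by what it is rather than by which public gateway
a particular lure routes through.

Added example, not Silent Push code. SAMPLE_CID_V0 is the go-ipfs readme
directory CID; gateway hostnames other than ipfs.io are placeholders."""
import base64
import re
from urllib.parse import urlparse

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_CIDV0 = re.compile(rf"^Qm[{_B58}]{{44}}$")   # base58btc-encoded sha2-256 multihash
_CIDV1_B32 = re.compile(r"^b[a-z2-7]{8,}$")   # multibase base32lower, as subdomain gateways use


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + _B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def _looks_like_cid(token: str) -> bool:
    return bool(_CIDV0.match(token) or _CIDV1_B32.match(token.lower()))


def to_cidv1_base32(cid: str) -> str:
    """Canonical form: CIDv1, dag-pb codec, base32lower. A CIDv0 is re-wrapped as
    <version 0x01><codec 0x70><multihash>; subdomain gateways do exactly this
    because DNS labels are case-insensitive and base58 is not."""
    if _CIDV0.match(cid):
        mh = b58decode(cid)
        if len(mh) != 34 or mh[:2] != b"\x12\x20":
            raise ValueError("CIDv0 must wrap a sha2-256 multihash")
        return "b" + base64.b32encode(b"\x01\x70" + mh).decode("ascii").lower().rstrip("=")
    if _CIDV1_B32.match(cid.lower()):
        return cid.lower()
    raise ValueError(f"unsupported CID form: {cid}")


def extract_cid(url: str) -> str:
    """CID from a subdomain gateway URL (<cid>.ipfs.<host>) or a path gateway
    URL (https://<host>/ipfs/<cid>/...). Returns "" when neither form applies."""
    p = urlparse(url)
    labels = (p.hostname or "").split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and _looks_like_cid(labels[0]):
        return labels[0]
    parts = [s for s in p.path.split("/") if s]
    if len(parts) >= 2 and parts[0] == "ipfs" and _looks_like_cid(parts[1]):
        return parts[1]
    return ""


def normalize_ipfs_url(url: str):
    """Canonical CID for an IPFS gateway URL, or None for non-IPFS or malformed URLs."""
    cid = extract_cid(url)
    if not cid:
        return None
    try:
        return to_cidv1_base32(cid)
    except ValueError:
        return None


def is_blocked(url: str, blocked_cids: set) -> bool:
    cid = normalize_ipfs_url(url)
    return cid is not None and cid in blocked_cids


SAMPLE_CID_V0 = "QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG"

if __name__ == "__main__":
    path_form = f"https://ipfs.io/ipfs/{SAMPLE_CID_V0}/readme"
    sub_form = f"https://{to_cidv1_base32(SAMPLE_CID_V0)}.ipfs.gateway.example/readme"
    blocked = {normalize_ipfs_url(path_form)}
    # Same content, different gateway and CID version: still blocked.
    print(is_blocked(sub_form, blocked))
```

The conversion only covers the overwhelmingly common dag-pb/sha2-256 case; CIDs using other codecs or hash functions arrive already in CIDv1 form and pass through unchanged. IPNS paths (`/ipns/<name>`) are deliberately not handled, since they are mutable pointers rather than content hashes.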

Should I disable IPFS on my corporate network?

As with any emerging technology, it was more or less inevitable that threat levels were going to rise in direct proportion with its uptake. IPFS is experiencing a surge in popularity related to its efficacy when working with blockchain technology or decentralised file storage methodologies.

Whilst this can be interpreted as a democratisation of file distribution technology that puts even more flexibility, choice and usability in the hands of standard users, it also means that threat actors, ever on the hunt for low-hanging fruit, have a new technological landscape to explore and more attack vectors to develop. This, coupled with the fact that the tech is still in its infancy next to established P2P methods and client-server configurations, means that we're still getting to grips with IPFS, both as a concept and as an operational reality.

CISOs and CTOs need to make an informed decision on whether or not their organisation absolutely needs to exploit the benefits of IPFS, whilst taking on its associated risks as an emerging technology. Follow Silent Push and other trusted industry voices. Educate yourself on how IPFS is evolving, both in practical terms, and as a security risk.

What companies should definitely avoid is adoption for adoption’s sake. It’s easy to get caught up in the limitless wonderland of decentralised file storage, dApps and blockchain technology, but the question remains – is unsafe commercial traffic worth the cool factor? The answer is a resounding no.

How can Silent Push assist you in using IPFS?

We’re currently updating our app so that IPFS gateways are flagged and published in our customers’ threat intel feeds – just like we do with Tor exit nodes and other gateway infrastructure.

It's not up to us to make a judgement on whether or not IPFS is suitable for your organization, but we're committed to providing our customers with as much information as possible, gathered from our daily IPv4 and IPv6 scans of the entire Internet, so that they can make an informed choice on how their networks operate.

For more information on IPFS and the Silent Push app, book a demo today.




Early Analysis of the Twilio phishing attack

What happened?

On August 4th, threat actors gained illicit access to customer information on the Twilio platform – a global UCaaS service with nearly 8,000 employees – following an SMS-based social engineering attack that fooled staff into providing login credentials, through a malicious access portal.

The attack vector was simple: employees received a text message asking them to renew their company credentials via what at first glance appeared to be a legitimate URL:

Original SMS message

Staff members followed the link, believing it to be genuine, and entered their credentials, which enabled the threat actors to harvest numerous sets of authentication details and gain access to restricted customer records.

Twilio's response was admirable: they immediately consulted with similarly affected firms, cell carriers and the security community to mitigate further damage. The threat actors nonetheless resumed their assault, sending messages over alternate carriers and moving their fake login portals to different hosting providers.

Linked phishing pages

Analysis of the attack

In any phishing attack, supplemental domain analysis is the key to both unlocking the attack vector, and protecting against further intrusions originating from the same IoC.

We analysed the DNS information of twilio-sso[.]com, and identified a subdomain of orderlyfashions[.]com, hosted on the same IP address as the original IoC.

The subdomain hosts a customised login page for Dolibarr, an open source ERP and CRM platform:

Malicious Dolibarr login page

Upon further analysis, we uncovered several phishing domains targeting Twilio, all of which redirected to the same Dolibarr login page.

It is possible that the threat actors were using a communal login portal, reached by redirection from multiple domains, as a central administration panel. The Dolibarr login could simply be a skin hiding their phishing control panel, or they may have exploited a vulnerability in Dolibarr to take over the hosting infrastructure and launch the campaign from there. A number of things lead us to believe the former is the more likely scenario.

Wherever we found the login page, once we'd analysed the IP addresses used to host it, we found even more SSO phishing pages.

Here are a few domains that we uncovered by following an IP chain that originated with the Dolibarr panel:

It didn't stop there. Once we'd set about mapping the threat actors' DNS infrastructure, we discovered numerous other websites with the same portal attached to them:

Domain – mail.getfoodz[.]com
Domain – lefmakeup[.]xyz

-sso and -okta domains targeting other companies

Threat actors cast their nets far and wide. Social engineering is a numbers game – the more users they can get in front of, the more chance they have of harvesting authentication data.

This particular threat actor also created phishing domains targeting other companies: Accenture, Microsoft, ManpowerGroup, Sykes, Telus, TTEC, iQor and Rogers Communications.

After we’d consolidated our results, a pattern started to emerge – all of the above organisations provide some sort of communication service (UCaaS, VOIP, messaging etc.) and most of them facilitate a service that allows companies to communicate with their customer base, and vice versa.

This particular group of threat actors evidently believes that SSO login portals are less likely to be questioned than other forms of cloud-based authentication, and for good reason: information is a commodity, and SSO credentials command top dollar.
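The domains in this campaign follow a small set of naming patterns (`<brand>-sso`, `<brand>-okta`, `<brand>-duo`, `<brand>-help`, `<brand>.okta.com-<word>.<tld>`, `<brand>.okta<word>.com`, plus one-character misspellings such as twiiio), which makes them easy to screen for in a feed of newly observed domains. The following is an added example, not Silent Push code: it flags such look-alikes for one brand while letting the brand's own hosts and its genuine Okta tenant through. The feed is constructed, and the allow-lists of own and identity-provider domains are assumptions you would tailor per company; the registrable-domain logic is deliberately naive (last two labels) and should use a public-suffix list in production.

```python
"""Screen newly observed domains for the IdP-impersonation patterns seen in this
campaign. Added example, not Silent Push code; FEED is constructed and the
allow-lists are assumptions to tailor per company."""
import re

# Identity-provider / support tokens that, next to a brand token, signal an SSO lure.
IDP_TOKENS = ("sso", "okta", "duo", "help")


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    # Naive: last two labels. Use a public-suffix list in production (co.uk etc.).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def _is_idp_token(token: str) -> bool:
    # exact match for short tokens ("sso", "duo"); prefix match for longer ones
    # so that "oktaportals" and "helpdesk" still count
    return any(token == k or (len(k) >= 4 and token.startswith(k)) for k in IDP_TOKENS)


def lookalike_reasons(domain: str, brand: str, own_domains: set, idp_domains: set) -> list:
    """Why `domain` looks like an SSO lure for `brand`; empty list if it does not."""
    d = domain.lower().rstrip(".")
    if registrable(d) in own_domains or registrable(d) in idp_domains:
        return []  # sso.<brand>.com and <brand>.okta.com are the legitimate forms
    tokens = [t for t in re.split(r"[.-]", d) if t]
    reasons = []
    for t in tokens:
        if t == brand:
            reasons.append(f"brand token '{t}'")
        elif len(brand) >= 5 and levenshtein(t, brand) == 1:
            reasons.append(f"near-miss brand token '{t}'")
    if not reasons:
        return []
    idp = [t for t in tokens if _is_idp_token(t)]
    if not idp:
        return []
    reasons.append("identity-provider token(s) " + ", ".join(f"'{t}'" for t in idp))
    return reasons


def find_lookalikes(feed, brand: str, own_domains=("twilio.com",), idp_domains=("okta.com",)) -> dict:
    """Map each flagged domain in `feed` to the reasons it was flagged."""
    hits = {}
    for d in feed:
        reasons = lookalike_reasons(d, brand.lower(), set(own_domains), set(idp_domains))
        if reasons:
            hits[d] = reasons
    return hits


# Constructed feed: campaign-style lures modelled on the IoC list, plus benign look-alikes.
FEED = [
    "twilio-sso.com", "twiiio-okta.com", "twilio.okta.com-helpdesk.id",
    "twilio.oktaportals.com", "twilio.okta-teams.com",
    "twilio.okta.com",         # genuine Okta tenant pattern: allowed
    "sso.twilio.com",          # the company's own host: allowed
    "twilight-sso.com",        # shares letters but is not within one edit: not flagged
    "twilio-careers.example",  # brand token but no IdP token: not flagged
]

if __name__ == "__main__":
    for dom, why in find_lookalikes(FEED, "twilio").items():
        print(dom, "->", "; ".join(why))
```

Requiring both a brand token and an identity-provider token keeps the false-positive rate workable on a raw new-domain feed; either condition alone would match thousands of unrelated registrations a day.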

Some of the malicious -sso and -okta domains we discovered were hosted on infrastructure also used by the ACTINIUM group within the same time frame – threat actors that the Ukrainian Government have publicly linked to the Russian Federal Security Service.

Time overlap of the campaign with the ACTINIUM group on the same infrastructure.

With the right security tools and search methodologies in place, threat sources aren't particularly difficult to uncover. As an example, sykes-sso[.]com is hosted on 155.138.240[.]251, the same IP that hosts several subdomains of lotorgas[.]ru, a well-known part of ACTINIUM's DNS infrastructure.

lotorgas[.]ru – part of the ACTINIUM threat feed

Twilio was just one of many targeted organizations. There are numerous mini-campaigns here targeting different types of organization, and each category of target gives the attacker potential access to many other organizations. For example, one set of targets is Business Process Outsourcing companies like Arise; another is transactional email companies like SendGrid and Mailchimp.

We reveal some of the IOCs associated with these campaigns below. We are still tracking more of this infrastructure in different categories of targeted organization. For a comprehensive live feed, subscribe to the service.

How Silent Push helps companies prevent phishing attacks

Silent Push's proprietary scanning software maps out the Internet's entire IPv4 infrastructure every day, all 4,294,967,296 addresses, allowing us to provide an up-to-date assessment of risk levels and malicious activity at any given time. We also re-resolve all DNS every day and derive behavioural attributes from the changes.

We have the most complete view of the entire internet every day and its changes.

Public DNS infrastructure gives you your first insight into all manner of attack vectors – not just SMS phishing and SSO spoofing.

Organizations need to monitor the larger extended attack surface for infrastructure targeting them and take up-front blocking action on it to prevent attackers finding ways in.

Our platform features a detection-focused analytics engine that provides organizations with a top-down view of changes to their infrastructure, any domains of interest and critical DNS variables, including NS records and ASN changes, that keeps them one step ahead of threat actors and ensures they don't end up on the wrong end of a global news report.

We will provide you with daily threats that are targeting your organization.


Reference information

URLS with a compromised Dolibarr control panel

orderlyfashions[.]com

mail.getfoodz[.]com

lefmakeup[.]xyz

*.orderlyfashions[.]com

*.getfoodz[.]com

*.lefmakeup[.]xyz

Phishing domains related to the same control panel

twilio.okta-access[.]com

twilio.okta-teams[.]com

twilio.okta.com-helpdesk[.]id

twilio.okta.com-oauth2[.]id

twilio.okta.com-portal[.]id

twilio.okta.com-workspace[.]id

twilio.okta.com.globalchange[.]id

twilio.okta.com.online-procedure[.]id

twilio.okta.com.system-revamp[.]id

twilio.okta.system-revamp[.]id

twilio.oktaportals[.]com

twilio.oktaservice[.]com

twilio.oktasignin[.]com

twilio.oktaworkspace[.]com

www.twilio.okta.com-update[.]online

www.twilio.okta.com.globalchange[.]id

www.twilio.okta.com.online-procedure[.]id

www.twilio.okta.com.system-revamp[.]id

www.twilio.okta.system-revamp[.]id

Phishing domains targeting other companies

accenture-sso[.]com

arise-okta[.]com

att-sso[.]com

bandwith-okta[.]com

coin-base-okta[.]com

concentrix-sso[.]com

iqor-duo[.]com

iqor-duo[.]net

iqor-sso[.]net

mailchimp-help[.]com

manpowergroup-sso[.]com

microsoft-sso[.]net

rogers-sso[.]com

rogers-help[.]net

sitel-sso[.]com

sykes-sso[.]com

t-mobile-okta[.]net

t-mobile-okta[.]org

t-mobile-sso[.]net

teleperformance-sso[.]com

telus-sso[.]com

tmo-sso[.]com

transcom-sso[.]com

ttec-sso[.]com

twiiio-okta[.]com

twiiio-sso[.]com

Linked IP addresses

143.198.156[.]234

146.190.42[.]89

146.190.44[.]66

147.182.201[.]149

149.248.62[.]54

155.138.240[.]251

161.35.119[.]80

164.92.122[.]3

167.172.131[.]89

167.99.221[.]10

45.32.212[.]77

45.32.66[.]165

45.63.39[.]151

45.76.80[.]199

66.42.91[.]138

66.42.90[.]140

185.173.37[.]140

77.232.40[.]101

185.244.181[.]186

64.52.80[.]26

45.61.136[.]168

185.173.38[.]46



It’s time to close the door on open directories

Search through indexed directories and files from open directories to help protect your organization.

Most people have listened to an elderly relative extolling the virtues of the ‘good old days’, including a semi-smug description of their front door being left open in the summer – usually justified by the fact that they didn’t have anything worth stealing.

Open directories are just that – an open door onto your fileserver which, unlike an average 1950s living room, contains information that is extremely valuable, for a variety of reasons.

In the world of global commerce, data is a highly lucrative and sought-after commodity. By using open directories, threat actors are able to seize vast amounts of commercially sensitive information in a matter of seconds, and they’re gone before you even know they were there.

Let’s take a look at the global problem of open directories, what the consequences are, and how you can find them using the Silent Push Open Directory Finder.

An example of an open directory- the full file structure of the server is browsable by anyone on the internet.

What are open directories?

Open directories are directory listings on an Internet-connected webserver that anyone can browse, with no authentication method or external access rule applied to them.

There's no software-based trickery involved. Open directories can be found using a simple Google search (an ‘index of’ query tailored to the category of data you're after). Once a threat actor has identified an open directory, they're free to browse through the organization's file structure without circumventing RBAC or permissions-based security measures, because none apply.

Whilst it is undoubtedly immoral to access and/or download sensitive information that isn’t meant for prying eyes, the act of browsing through an open directory is a legal gray area. There’s no global consensus on how such scenarios should be legislated against, and sentiments vary from jurisdiction to jurisdiction.

How damaging can they be to your organization?

Very. Extremely. Catastrophically, in fact.

Malicious activity on open directories is rarely detected, because the requests look like ordinary web traffic. The first you'll hear of it is either a phone call from a law enforcement or regulatory agency, an email from a hacker demanding money to keep quiet, or a very annoyed customer wondering why their data has been passed around the Internet for the last few years.

Then there’s the compliance and liability aspect. Cyber insurance policies don’t cover the commercial or operational consequences of an open directory exploit, so unless you have the working capital to deal with the fall-out, it could lead to untold reputational and financial damage and land you in pretty hot regulatory water.

Last, and by no means least, is the data itself. Take a moment to think about the data held on your organization’s webservers and fileservers, and what would happen if you exposed it to the world through an open directory.

By working with firms to improve their threat resilience, we’ve seen sensitive data held in open directories that would make a privacy protection lawyer spontaneously combust:

  • Full environment files.
  • Commercial application configs.
  • Cryptowallet logins.
  • VPN installers.
  • .xls and .docx files containing PII and GDPR/HIPAA-regulated data.



Once you start investigating open directories on the behalf of large organizations, the horror stories come thick and fast. We recently came across a fairly sizable prison in the USA that left the door open to tens of thousands of electronic prisoner and staff records, including legal information, social security numbers and conviction details.

How do you prevent them?

Like other forms of threat protection (such as stopping subdomain takeovers), securing your organization’s data by preventing open directories is done through a combination of vigilance and good housekeeping.

Anyone who’s ever browsed the Internet has, somewhere along the line, received the dreaded error 403 Forbidden or 404 File Not Found, instead of a web page. As an organization looking to protect its data, these errors are your friends, not your enemies – this is what users are faced with when a server has been configured to block access to directory content.

Methods vary from platform to platform (from simple login controls to modifying your .htaccess files and ensuring that IIS is configured correctly), but if you host ANY kind of sensitive data on a webserver, you need to make sure that it’s configured so that external and unauthenticated users aren’t able to view directory data.
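A simple way to audit your own hosts for this misconfiguration is to fetch each URL and look for the tell-tale markup of an auto-generated index page. The following is an added example, not part of the original article and not the Silent Push Open Directory Finder; the server signatures it keys on (Apache and nginx "Index of /", IIS "[To Parent Directory]") are well known, and the three sample response bodies are constructed rather than captured from any real server.

```python
# Added example: detect directory-listing pages in HTTP responses from hosts you administer.
import re
import urllib.request
from html.parser import HTMLParser
from typing import Dict, List

# Markup the common servers emit on an auto-generated index page.
# Apache: "<title>Index of /path</title>"; nginx autoindex: "<h1>Index of /path</h1>";
# IIS directory browsing: "[To Parent Directory]" link.
LISTING_SIGNATURES = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
)


class _LinkCollector(HTMLParser):
    """Collect href targets so a listing can be reported together with what it exposes."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def looks_like_directory_listing(body: str) -> bool:
    return any(sig.search(body) for sig in LISTING_SIGNATURES)


def exposed_entries(body: str) -> List[str]:
    """Entries linked from a listing, minus Apache sort links ('?C=N;O=D') and the parent link."""
    parser = _LinkCollector()
    parser.feed(body)
    return [h for h in parser.hrefs if not h.startswith("?") and h not in ("../", "/")]


def check_url(url: str, timeout: float = 5.0) -> Dict:
    """Network check against one of your own URLs; reports whether it serves a listing."""
    req = urllib.request.Request(url, headers={"User-Agent": "opendir-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read(512 * 1024).decode("utf-8", errors="replace")
        status = resp.status
    listing = status == 200 and looks_like_directory_listing(body)
    return {"url": url, "status": status, "listing": listing,
            "entries": exposed_entries(body) if listing else []}


# Constructed sample responses (not captured from any real server).
APACHE_SAMPLE = """<html><head><title>Index of /backups</title></head><body>
<h1>Index of /backups</h1><pre><a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href=".env">.env</a>
<a href="customers.xlsx">customers.xlsx</a></pre></body></html>"""

IIS_SAMPLE = """<html><head><title>files.example.test - /uploads/</title></head>
<body><H1>files.example.test - /uploads/</H1><hr><pre>
<A HREF="/">[To Parent Directory]</A><br><br>
<A HREF="/uploads/vpn-installer.msi">vpn-installer.msi</A></pre></body></html>"""

DENIED_SAMPLE = "<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1></body></html>"

if __name__ == "__main__":
    for label, body in (("apache", APACHE_SAMPLE), ("iis", IIS_SAMPLE), ("denied", DENIED_SAMPLE)):
        hit = looks_like_directory_listing(body)
        print(label, "listing" if hit else "no listing", exposed_entries(body) if hit else [])
```

The fix on the server side is the setting the article alludes to: on Apache, `Options -Indexes` in the vhost or `.htaccess`; on nginx, leaving `autoindex` off (its default); on IIS, leaving Directory Browsing disabled. After the change, `check_url` should report the 403 the article describes rather than a listing.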

Silent Push Open Directory Finder

Find open directories exposed on your infrastructure or search for your name across all open directories

The Silent Push Open Directory Finder searches the global IPv4 range (all 4,294,967,296 addresses) for open directories, to a granular set of parameters that can be configured to your organization’s unique requirements.

Our cloud-based platform provides search and filter options (with RE2 regex support) on all known open directories, including variables such as range, partial match and time window. Results can either be output in full, or to a file for further interrogation.

If you’re a large, multi-site, multi-jurisdictional organization with an extensive online presence, you’ll be presented with a realtime list of open directories within the specified range.

Enterprise-level threat monitoring (including open directory detection) doesn’t need to be resource hungry. With the right tools, it is quite literally as easy as clicking a few buttons, in order to shore up your commercial data and close the aforementioned door onto your network that leads to something considerably more valuable than your grandmother’s collection of faux-porcelain dogs.


Introducing the Silent Push plug-in for Splunk Enterprise Security

Now in Splunkbase version 2 of our add-on with enrichment for Splunk Enterprise

Log analyzers such as Splunk play a key role in enterprise-level cybersecurity operations by collecting large amounts of data across multiple threat environments, but deciding what to do with reams of traffic logs from different geographic locations can often be a daunting task.

The Silent Push plugin for Splunk Enterprise allows organizations to leverage the data collection and analysis capabilities of both platforms, and correlate information to produce actionable insights that vastly improve threat awareness, and general WAN security.

Let’s delve a little deeper into the front-end functionality, and take a look at how both platforms interact with one another.

Core functionality

Before you install the plug-in from Splunkbase, you’re going to need four things to get you started:

●      An active Splunk Enterprise instance.

●      Your Splunk Enterprise admin credentials.

●      Your Splunkbase credentials.

●      A Silent Push account, and an API key.

So, what does the plug-in actually do? On a basic level, the plug-in analyzes data received by Splunk based on a group of parameters defined in Silent Push – also known as “filter profiles” – which is then stored within Splunk in a series of parameter-specific data dumps known as “indexes”.

The plug-in contextualizes suspect data as an “observable” (otherwise known as an IoC, or “indicator of compromise”), and aggregates a threat score based upon individual parameters within the observable. 

Once the data has been collected, users are able to perform adaptive responses that trigger further actions within Splunk Enterprise, providing an end-to-end threat detection and management service.

Users are able to automatically correlate data between Splunk and Silent Push in the form of “notables”, that can be visually displayed in custom dashboards from within Splunk Enterprise.

Data enrichment and enhanced threat scoring

Enrich your alerts in Splunk Enterprise Security with Silent Push Risk Scores

When dealing with large amounts of data, visualization is key. Plug-in users are able to create custom search objects that query indexes for observables based on data reputation, severity, threat urgency and geographic location – all gathered from Silent Push.

Once Silent Push has provided additional context, and the data has been refined to a set of variables, users are able to mine indexes and perform two key actions (alongside standard actions such as NS lookups and ping), courtesy of the plug-in:

  1. Enriching – Risk objects are subject to granular analysis by Silent Push, which outputs all manner of enriched data not previously displayed by Splunk Enterprise. This is where the plug-in comes into its own and goes over and above what is expected of an industry-standard log analyzer.
  2. Scoring – The plug-in re-scores the risk object via a tailored algorithm. In order to prevent unnecessary actions, this only occurs when an object’s risk score is lower than the proposed Silent Push risk score.

Data enrichment is a key part of Silent Push’s offering, and contains a whole host of additional data, including granular ASN analysis, threat rankings, reputational data, subnet info and a lot more. Once the data has been enriched and scored, it’s passed through to an index within Splunk for further analysis, and for the user to do with it as they please.

Sticking with the trend of integration, data enrichment and scoring can be performed from within Splunk Enterprise’s Incident Review dashboard – a central hub for IM-related activities – and can either be carried out manually, or scheduled as a recurring task.

Key benefits

The Silent Push plug-in satisfies a pressing need for enterprise organizations to harness the power of multiple detection and analysis platforms to enhance their WAN security operation, without any added subscription costs or costly manual interventions.

In the global threat detection sphere, context is king. Physical and logical resources are at an all-time high, and it’s simply not enough for threat analysts to be provided with vast amounts of data without the facility to drill down into specific variables that enable organizations to tailor their cybersecurity operation to unique threat environments.

Take a closer look

To find out more about the Silent Push Splunk Enterprise plug-in, visit the info page on Splunkbase or take an in-depth look at its functionality in the accompanying knowledge base article.


“We need to talk about subdomain takeovers…”

Everything is linked, even if you’ve forgotten you linked them

Walk into most cybersecurity seminars, product demonstrations or corporate training sessions and you’d be forgiven for thinking that antimalware platforms are the savior of humanity.

LAN-based Security-as-a-Service is undoubtedly here to stay, but the most clear and present danger to corporate IT infrastructures across the globe can’t be solely combated with virus definitions, or all-singing-all-dancing gateway devices. If irreparable financial and reputational damage is the potential problem, the most pressing solution lies in the most unassuming of places – your public DNS records.

What are sub-domain takeovers?

On a basic level, subdomain takeovers occur when hackers gain unfettered access to one or more subdomains within an organization’s DNS records.

In technical terms, it’s usually a CNAME record (although NS, A records and even mail records are vulnerable) that’s no longer pointing to a valid source, and it can happen to anyone. A few years ago, researchers discovered no less than 670 Microsoft subdomains that were wide open to an attack.

Subdomain takeovers feature a number of different attack vectors that are usually a heady mix of opportunism and good old-fashioned bad housekeeping. Let’s take a look at two common intrusion methods.

Expired subdomains

When organizations allow a subdomain to expire, but forget to remove the DNS record associated with it in their main domain, what was once a legitimate subdomain prefix is now up for grabs to anyone who wants it, along with a ready-made backdoor onto an organization’s public DNS platform.

A domain taken over by us for safe keeping

Non-existent services

Even if you have your DNS records in relatively good order, you’re still not safe. If one of your subdomains is directed at an external service that has either been moved elsewhere, or removed entirely, a threat actor is able to establish a presence on said service with the invalid subdomain – also called a “dangling DNS attack” – and with a little CNAME magic, it’s theirs.

The trouble with cookies…

The consequences of a subdomain takeover are many and varied – from XSS attacks to email spoofing – but the one that organizations need to be most wary of is compromised session cookies, and again, it comes down to a lackadaisical approach to DNS security.

If your organization shares browser cookies across some or all of your subdomains, and one of those subdomains is hijacked, you run the risk not only of allowing a threat actor to utilize hashed credentials stored in the cookie and authenticate themselves as a user, but of exposing your company-wide SSO service, and everything that it provides access to.
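The mechanism behind that risk is the cookie’s Domain attribute. The following added example (not code from the original article) implements the domain-matching rule from RFC 6265 section 5.1.3 and the host-only rule from section 5.3 to show which hosts a browser would send a cookie to; the hostnames, cookie values and the “hijacked” old-cdn subdomain are constructed for the scenario.

```python
# Added example: how a cookie's Domain attribute decides which subdomains receive it.
from typing import Dict, List


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the request host equals the cookie domain or is a subdomain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def parse_set_cookie(header: str, setting_host: str) -> Dict:
    """Minimal Set-Cookie parser. Without a Domain attribute the cookie is host-only (sent back
    only to the host that set it); with Domain=example.test it goes to every subdomain too."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": setting_host.lower(),
              "host_only": True, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and val:
            val = val.strip().lower().lstrip(".")
            # RFC 6265 5.3 step 6: a Domain that does not cover the setting host is rejected.
            if not domain_matches(setting_host, val):
                raise ValueError(f"Domain={val} does not cover {setting_host}; cookie rejected")
            cookie["domain"], cookie["host_only"] = val, False
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def cookie_is_sent(cookie: Dict, request_host: str, https: bool = True) -> bool:
    """Would a browser attach this cookie to a request for request_host?"""
    if cookie["secure"] and not https:
        return False
    if cookie["host_only"]:
        return request_host.lower().rstrip(".") == cookie["domain"]
    return domain_matches(request_host, cookie["domain"])


def hosts_receiving(cookie: Dict, hosts: List[str]) -> List[str]:
    return [h for h in hosts if cookie_is_sent(cookie, h)]


# Constructed scenario: login.example.test issues an SSO cookie two ways. old-cdn.example.test is
# the subdomain whose dangling CNAME an attacker has claimed; the last host is attacker-owned.
HOSTS = ["login.example.test", "app.example.test", "old-cdn.example.test",
         "example.test", "example.test.attacker-owned.test"]
BROAD = parse_set_cookie("sso=tok123; Domain=example.test; Secure; HttpOnly", "login.example.test")
NARROW = parse_set_cookie("sso=tok123; Secure; HttpOnly", "login.example.test")

if __name__ == "__main__":
    print("Domain=example.test cookie reaches:", hosts_receiving(BROAD, HOSTS))
    print("host-only cookie reaches:          ", hosts_receiving(NARROW, HOSTS))
```

The broad cookie reaches the hijacked old-cdn host (a lookalike domain outside example.test does not match, because matching is on whole labels), whereas the host-only cookie never leaves login.example.test. Scoping session cookies to the issuing host, and keeping SSO tokens off shared-domain cookies, is the mitigation that makes a hijacked subdomain far less valuable.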

A modern problem

As with most cybersecurity threats, the risk posed by subdomain takeovers is directly proportional to how difficult they are to detect and combat, and it grows exponentially with the size of the organization and the number of subdomains it operates.

The explosion of SaaS-based commerce and cloud service platforms over the last decade has given rise to innumerable third-party platforms that require some form of DNS validation. This phenomenon – coupled with aggressive marketing tactics that often require companies to register numerous subdomains to validate landing pages and individual products and services – means that low-hanging DNS records, and the session cookies and hashed credentials they provide access to, are becoming more and more of a commodity for threat actors around the world.

It’s not just an issue with how modern domains are structured. Well-established security countermeasures are ill-equipped to deal with the kind of DNS oversights that lead to domain takeovers. PKI certificates – whilst always advisable on any network – aren’t much use with compromised cookies, and no amount of endpoint protection will prevent a threat actor from accessing your public DNS records, should they have the means to do so.

Common countermeasures

Fortunately though, it’s not all doom and gloom. There are a number of ways that organizations can operate with a secure set of DNS records and simultaneously improve WAN security across the board, including close management of specific risk factors such as wildcard certs, which provide a threat actor with blanket access to any domain associated with them.

First and foremost, organizations need to treat their DNS records with the TLC that they deserve, and recognize that corporate cybersecurity doesn’t begin and end with endpoint security. CTOs and CISOs need to keep a firm grip on every last subdomain, and maintain an understanding of what services are being used and whether they’re still in use – e.g. when formulating workflows for decommissioning services, be sure to add a line entry that specifies a CNAME removal.

As well as internal governance, it pays to be skeptical. If your organization is thinking about using an external service that incorporates DNS functionality and subdomain registrations, don’t be afraid to ask their onboarding team about how they specifically protect against subdomain takeovers. If they’re good, they’ll be able to tell you about common countermeasures such as linked TXT entries, or banning re-registrations. If they seem unsure about what you’re asking, alarm bells should be ringing. 

Looking ahead

Last year witnessed a 20% increase in apex and subdomain takeovers. Threat actors are constantly on the lookout for the next big thing, and they may just have found it. Data from our own threat protection platform has identified almost 3 million global DNS entries that are ripe for the picking as dangling records – 2.7 million CNAMEs and over 300,000 NS records. There are also 3.9 million MX records dangling, but these are less likely to be taken over.

The problem isn’t limited to small-time SaaS/PaaS/IaaS platforms with a laid-back approach to DNS security. This is an issue that affects the world’s largest cloud service providers – the very same providers who are supposed to operate with the most sophisticated threat models the industry has to offer. Our own data shows 70 expired services on Microsoft Azure’s content delivery network (azureedge.net) with an attached domain, that run the risk of being hijacked, and nearly 80 of the same across the global GitHub platform.

In the same way that law enforcement authorities need to focus more on the individuals that provide criminals with access to ransomware platforms, rather than the criminals themselves, the security community needs to evangelize less about malware as an existential cyber threat, and shout from the rooftops about subdomain takeovers and cookie hijacking as the next major development in enterprise-level threat protection.


Fake Trading Apps

Fake trading apps are on the rise, and spreading to a wider global victim base than ever before.

In crypto scams alone, in 2021, the figure was over $7 billion. Let’s take a look at some common tactics, and tell-tale signs that’ll help you spot the fraud.

Fake trading app scams involve both mainstream regulated platforms, and new, unregulated crypto exchange start-ups.

Let’s take a look at a standard real-world example: a malicious app download from attacker-controlled infrastructure.

Fake trading platform pretending to be the legitimate platform Epoch Financial

Outline

Silent Push has uncovered a threat actor operating via several websites, Android and iOS applications with counterfeit versions of trading platforms on the traditional stock market, and across a variety of crypto exchanges.

Bespoke fake trading platforms mimic well-known financial organizations – including the Australian Securities Exchange (ASX), Coinbase, CoinSmart, eToro and Nasdaq – and lure unsuspecting victims into trusting their services, only to steal their investments.

This particular group has scammed and stolen money from countless individuals worldwide. We’ve conducted a large investigation, collecting hundreds of Indicators of Compromise (IoCs), as well as reports from victims which allowed us to map their infrastructure and put together a pattern of events that revealed a common set of attack vectors.

Image 1 – Example of a spoofed Nasdaq application download page

Threat actor profile and history

Although we’re unable to pinpoint a date when this threat group began its activity, we can confirm that several active items of malicious infrastructure were deployed in early 2021.

We also have access to reports which describe several occurrences with similar characteristics to this group, around that time period.

Given that these victims were located in Asian countries, and that we found a small number of websites written in Asian languages, we can only assume that this threat actor is located in Asia.

After analyzing their current infrastructure, American and European organizations appear to be at the highest risk.

Chinese version of a fake trading platform spoofing a well-known brand

Platform design

A visual pattern is evident across the majority of the websites we investigated.

Despite having different branding, the pages are structured in the same way: there is an initial website similar to the one displayed below, which is used as a landing page to attract potential victims.

From this website, visitors are able to navigate to one of the following two pages:

– the app download page, similar to the one displayed in Image 1;
– the website login page, where users can register and log in to an account.

We believe that this is a web alternative to the app, which allows the users to transact funds and analyze fake stock indexes, as is visible in Image 3.

This fits the Crime-as-a-Service model, with the fraudulent platform being distributed by different affiliate providers.

Image 3 – Example fake trading app content

Victims’ reports

We found many complaints concerning this malicious agent surfacing on the internet. As expected, the majority of them were written by scammed individuals, but some came from people who want to take this organization down.

Initial interactions with the threat actors vary due to a possible affiliate scheme. We have seen varying reports, from romance scams (hence Sophos referring to this as CryptoRom) to forum recommendations.

Whatever the initial introduction and resulting conversation, the victim eventually puts money into the fake account.

Unfortunately, once the victim tries to withdraw the money, they find themselves logged out of their account and unable to log in, while the threat actors keep their funds and plan the next target.

We found similar messages on various websites as well as announcements from some fintechs reporting this robbery scheme.

Messages concerning the scam on the Forexpeacearmy website

Installation process

The primary target is mobile devices.

The threat actors encourage users to download a mobile app or a web app, with download links for both iOS and Android.

It appears that the attackers exploit two main ways to get around the Apple approvals process:

  1. The first one is done by creating a configuration profile, which is a .mobileconfig file that can be easily shared.
  2. The second one is through TestFlight, a tool created by Apple that allows developers to test their applications and provide beta versions of new apps without facing the severe verification protocols found on the App Store. TestFlight apps allow public downloads for up to 10,000 accounts.

When it comes to Android users, an .apk file with a tailored name matching the specific website gets downloaded.

Careful analysis reveals information obfuscated using a combination of StringFog, Base64 and an XOR operation to encrypt suspicious data.
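To illustrate what an analyst undoes when unpacking that layering, here is an added example (not the post’s code and not the malware’s): a repeating-key XOR followed by Base64, which is the scheme StringFog-style obfuscators apply at build time, together with a scanner that pulls quoted Base64-looking literals out of decompiled code and keeps the ones that decode to readable text. The key “k3y”, the smali-like excerpt and the placeholder class name are all constructed; the post does not give the real sample’s key or the exact order of its layers.

```python
# Added example: reversing repeating-key XOR + Base64 string obfuscation in decompiled code.
import base64
import binascii
import re
from typing import List, Tuple


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one routine both hides and reveals."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plain: str, key: str) -> str:
    """Plain text -> XOR with key -> Base64: the order an obfuscator applies at build time."""
    return base64.b64encode(xor_with_key(plain.encode("utf-8"), key.encode("utf-8"))).decode("ascii")


def reveal(token: str, key: str) -> str:
    """Inverse of obfuscate: Base64-decode, then XOR with the same key."""
    raw = base64.b64decode(token, validate=True)
    return xor_with_key(raw, key.encode("utf-8")).decode("utf-8", errors="replace")


_B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{8,}={0,2})"')


def _printable(s: str) -> bool:
    return bool(s) and all(32 <= ord(c) < 127 for c in s)


def reveal_all(decompiled: str, key: str) -> List[Tuple[str, str]]:
    """Find quoted Base64-looking literals and keep those that decode to readable ASCII."""
    found = []
    for token in _B64_LITERAL.findall(decompiled):
        try:
            plain = reveal(token, key)
        except (binascii.Error, ValueError):
            continue          # not valid Base64 (e.g. an ordinary identifier in quotes)
        if _printable(plain):
            found.append((token, plain))
    return found


KEY = "k3y"   # constructed key; a real sample's key is recovered from its decoder routine

# Constructed smali-like excerpt. The literals are generated here with obfuscate() so the
# example is self-contained; Lcom/example/Fog is a placeholder, not the real decoder class.
SAMPLE_SOURCE = (
    f'const-string v0, "{obfuscate("https://a.example.test/apk/app.apk", KEY)}"\n'
    'invoke-static {v0}, Lcom/example/Fog;->decrypt(Ljava/lang/String;)Ljava/lang/String;\n'
    f'const-string v1, "{obfuscate("api_key=CONSTRUCTED-PLACEHOLDER", KEY)}"\n'
    'invoke-static {v1}, Lcom/example/Fog;->decrypt(Ljava/lang/String;)Ljava/lang/String;\n'
)


def recovered_strings() -> List[str]:
    return [plain for _, plain in reveal_all(SAMPLE_SOURCE, KEY)]


if __name__ == "__main__":
    for token, plain in reveal_all(SAMPLE_SOURCE, KEY):
        print(f"{token} -> {plain}")
```

In practice the key is read out of the decompiled decoder (it is compiled into the APK), after which `reveal_all` over the smali or decompiled Java recovers download URLs and other strings the app hides from static scanners.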

Using Silent Push to combat malicious infrastructure

Taking everything into account, we are confident that this threat actor will continue to develop and distribute trading platforms, in order to exploit and steal funds.

The methods of delivery will vary, as expected with an affiliate program. We recommend blocking access to the underlying app download infrastructure and utilizing proactive threat intelligence to pinpoint malicious domains and DNS infrastructure.

With that in mind, we’ve collated an extensive list of IoCs, available for paid Silent Push customers.

Paid users have access to pre-built customizable queries that allow them to identify malicious infrastructure before it becomes a problem, as well as access to granular WHOIS, server and DNS information, and curated risk scores.


Another fake Coinbase site

IOCs of Fake Trading Apps

Subdomains

d.appk12036[.]xyz

d.appk56295[.]xyz

d.appkoi65y[.]xyz

d.appl8965[.]xyz

d.appl9035[.]xyz

d.appr6552[.]xyz

d.atfxwqe[.]xyz

d.avatradewqd[.]xyz

d.bbexsbcv[.]xyz

d.bitcudbf[.]xyz

h5.amcoinbhd[.]buzz

h5.ascifgm[.]top

h5.asxnvds[.]cc

h5.biupsdfe[.]cc

h5.blyg367[.]top

h5.bqsbkomh[.]net

h5.bsxkiso[.]cc

h5.cnfalwk[.]top

h5.coinbasekp[.]buzz

h5.coindealmip[.]cc

h5.dbag-prot[.]com

h5.dbagde[.]cc

h5.dcgbyre[.]shop

h5.dcgtbh[.]com

h5.eurexvky[.]cc

h5.fegeh42415[.]top

www.hifly01569[.]top

www.hifly22787[.]top

www.hifly22878[.]top

www.hifly27702[.]top

www.hifly38283[.]top

www.hifly56982[.]top

www.hifly76862[.]top

www.hifly85086[.]top

www.hiflyk47344[.]top

www.hiflyk87327[.]top

Android apk file download URLs:

hxxps://a.digitalsurgeno[.]top/apk/digitalsurge[.]apk

hxxps://a.edgecryptoge[.]top/apk/edgecrypto[.]apk

hxxps://a.etorodes[.]buzz/apk/etoro[.]apk

hxxps://a.exnessge[.]top/apk/exness[.]apk

hxxps://a.ftxano[.]top/apk/ftx[.]apk

hxxps://a.jubinok[.]top/apk/jubi[.]apk

hxxps://a.masteryptge[.]top/apk/masterypto[.]apk

hxxps://a.okcoinge[.]top/apk/opkcoin[.]apk

hxxps://a.olymptradeno[.]top/apk/olymptrade[.]apk

hxxps://a.opkcoinno[.]top/apk/opkcoin[.]apk

hxxps://a.parvestano[.]top/apk/parvesta[.]apk

hxxps://a.timexdes[.]buzz/apk/timex[.]apk

hxxps://a.tycoonsege[.]top/apk/tycoonse[.]apk

Apple Configuration profile download URLs:

hxxps://www.bfefe96b[.]top/files/ios-config/olymptrade[.]mobileconfig

hxxps://www.gniyfe35f[.]xyz/files/ios-config/opkcoinabc[.]mobileconfig

hxxps://www.grgrnt55y[.]top/files/ios-config/parvesta[.]mobileconfig

hxxps://www.hifly69972[.]xyz/files/ios-config/timex[.]mobileconfig

hxxps://www.hiflyf14255[.]top/files/ios-config/tycoonse[.]mobileconfig

hxxps://www.hiflyg41344[.]top/files/ios-config/exness[.]mobileconfig

hxxps://www.hiflyg66779[.]xyz/files/ios-config/etoro123[.]mobileconfig

hxxps://www.hutyfr688[.]top/files/ios-config/okcoin1[.]mobileconfig

hxxps://www.kod89h5[.]top/files/ios-config/ftx[.]mobileconfig

hxxps://www.lkqv215[.]xyz/files/ios-config/masterypto[.]mobileconfig

hxxps://www.niyfe35f[.]xyz/files/ios-config/opkcoinabc[.]mobileconfig

hxxps://www.pade00bg[.]top/files/ios-config/digitalsurge[.]mobileconfig

hxxps://www.pkofe675[.]top/files/ios-config/jubi[.]mobileconfig

hxxps://www.tvao183[.]xyz/files/ios-config/edgecrypto123[.]mobileconfig
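The post recommends blocking access to the download infrastructure. As an added example (not Silent Push tooling), the block below refangs a defanged list like the one above, extracts the hostnames, and writes them out as a DNS Response Policy Zone so a resolver answers NXDOMAIN for each host and everything beneath it. The sample input is a handful of lines copied from the list above; the zone origin is an assumption of mine.

```python
# Added example: defanged IoC list -> DNS RPZ blocklist.
import re
from typing import List, Optional
from urllib.parse import urlsplit

_DEFANG = (("hxxps://", "https://"), ("hxxp://", "http://"),
           ("[.]", "."), ("(.)", "."), ("[:]", ":"))


def refang(text: str) -> str:
    for broken, fixed in _DEFANG:
        text = text.replace(broken, fixed)
    return text


_HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")


def hostname_of(indicator: str) -> Optional[str]:
    """Hostname from a defanged URL or bare domain; None for headings and other non-indicators."""
    text = refang(indicator.strip()).lower()
    host = urlsplit(text).hostname if "://" in text else text
    return host if host and _HOST_RE.match(host) else None


def parse_ioc_block(text: str) -> List[str]:
    hosts = {h for h in (hostname_of(line) for line in text.splitlines()) if h}
    return sorted(hosts)


def rpz_zone(hosts: List[str], origin: str = "blocked.rpz.local.") -> str:
    """RPZ records: 'CNAME .' is the RPZ action that returns NXDOMAIN for the name."""
    lines = [f"$ORIGIN {origin}"]
    for host in hosts:
        lines.append(f"{host} CNAME .")
        lines.append(f"*.{host} CNAME .")   # and anything beneath it
    return "\n".join(lines)


# Lines copied from the IoC list above (headings included to show they are skipped).
SAMPLE_IOC_TEXT = """Subdomains

d.appk12036[.]xyz

h5.asxnvds[.]cc

Android apk file download URLs:

hxxps://a.etorodes[.]buzz/apk/etoro[.]apk

Apple Configuration profile download URLs:

hxxps://www.kod89h5[.]top/files/ios-config/ftx[.]mobileconfig
"""

if __name__ == "__main__":
    print(rpz_zone(parse_ioc_block(SAMPLE_IOC_TEXT)))
```

Blocking the exact hostnames catches the download URLs listed; collapsing them to registrable apex domains (which would also catch new subdomains on the same registrations) needs the Public Suffix List and is left out here.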

If you have been affected by the Counterfeit Trading scams please share the details with us so we can keep trying to get them taken down as we find them. Contact us via [email protected].



Subdomain Takeovers and 1.1 million “dangling” risks

Subdomain takeover proof of concept by Silent Push on an Azureedge.net target.

There have been an incredible number of very large scale data breaches lately that seemed to have unexplained entry points. Combining social engineering with “token” collection or stealing seems to be a more efficient way to gain access to customers who are heavy users of cloud based applications.

Let me begin with the simplest explanation of a subdomain takeover. Your organization owns a domain; let’s say, for example, it is israwords.com.

One day someone sets up a service using a third party. It could be anything: a WordPress site, a CDN, Heroku, GitHub. The thing is, it needs you to point a subdomain at the service so it appears to be under your domain. In this case it is the Microsoft CDN, which uses customername.azureedge.net.

So for this example the company put in place a CNAME record:

2010.israwords.com. 800 IN CNAME 2010israwords.azureedge.net.

So far so good. The organization is using this service from Microsoft Azure, and any traffic for 2010.israwords.com is directed to the Content Delivery Network provided by Azure. However, at some point the organization changes provider or gives up on the service. At some point Microsoft will deem 2010israwords to be an unused subdomain in azureedge.net, and someone else can use it. So we did this as a proof of concept.

Target dangling domain on Azure

Then, we looked up the original subdomain to see if it had worked.

Full subdomain takeover.

We would like to emphasize that we did not really take over anything for this to happen. We didn’t need to. The dangling CNAME just points at something we control. However, what are the potential consequences of that?

Potential Damage

We have found 1.1 million CNAMEs that are potentially vulnerable to a takeover.

We didn’t want to take the proof of concept any further than that, but the possibilities are large. A number of them are called out by HackerOne here: https://www.hackerone.com/application-security/guide-subdomain-takeovers

  • Loss of control over the content of the subdomain – The party controlling the endpoint could post any content they wanted there. This could be insulting to the original domain owner, or malicious.
  • Session cookie harvesting and OAuth tokens – Now a valuable resource and one of the main vectors in modern hacking and access brokerage, cookies and OAuth tokens are worth money immediately on hacker forums and can quickly escalate the access that they provide.
  • Phishing campaigns – One of the main concerns resulting from subdomain takeovers is phishing campaigns targeting your staff or customers. Your staff will be very vulnerable to campaigns appearing to be on your own domain, and at high risk of entering valid credentials in any forms. The reputational damage would be very large if customers are targeted, as they will take some convincing that your network wasn’t breached when they entered their details on a site that appears to be on your domain.
  • Further risks – Malicious sites might be used to escalate into other classic attacks such as XSS, CSRF, CORS bypass, and more.

How Can I Protect My Organization From Sub-Domain Takeover?

Fortunately, this is an easy answer.

We provide a free lookup tool in our Community Edition. From our Explore page, choose Query Builder.

Then, from the bottom left in our Experimental section, choose “PADNS search dangling records”.

Enter your domain, wildcards are accepted. If you wish you can also enter the target service. For example, if you are concerned about having a dangling domain pointed at some Azure service you can enter

This will give you the results you need. In the example below, I have just entered the target. This could be used by security researchers to look for soft targets.

We have achieved this by marking all CNAME records where the target has no destination as a dangling record. We do the same for Name Servers.
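The same rule (a CNAME or NS whose target has no destination is dangling) can be applied to your own zone export, which is the check the earlier post asks CTOs and CISOs to run when decommissioning services. The block below is an added example, not Silent Push’s implementation: it follows CNAME chains inside the supplied records, then asks a resolver whether the final target still exists. The zone records and the set of “still resolving” names are constructed; the first record mirrors the post’s CNAME-to-CDN pattern with a made-up provider name rather than a real azureedge.net host.

```python
# Added example: find dangling CNAME and NS records in a zone export.
import socket
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str, str]   # (owner, rtype, target) as exported from your zone


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def live_resolves(name: str) -> bool:
    """Production check: does the target resolve to any address? NXDOMAIN/no data -> False."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(records: List[Record], resolves: Callable[[str], bool],
                  max_hops: int = 8) -> List[Dict[str, str]]:
    """Walk CNAME chains inside `records`, then ask `resolves` about the final target.
    A CNAME or NS whose final target does not resolve is reported as dangling."""
    cname_map = {_norm(o): _norm(t) for o, rt, t in records if rt.upper() == "CNAME"}
    findings = []
    for owner, rtype, target in records:
        rtype = rtype.upper()
        if rtype not in ("CNAME", "NS"):
            continue                       # MX and others are out of scope here
        final, hops = _norm(target), 0
        while final in cname_map and hops < max_hops:   # follow intra-zone aliases
            final, hops = cname_map[final], hops + 1
        if not resolves(final):
            findings.append({"owner": owner, "type": rtype,
                             "target": target, "final_target": final})
    return findings


# Constructed zone export (the real case in the post pointed at a *.azureedge.net name).
ZONE: List[Record] = [
    ("2010.example.test.", "CNAME", "2010example.cdn-provider.test."),
    ("www.example.test.", "CNAME", "edge.example.test."),
    ("edge.example.test.", "CNAME", "cdn-live.provider.test."),
    ("shop.example.test.", "CNAME", "shop-old.provider.test."),
    ("example.test.", "NS", "ns1.dnshost.test."),
    ("blog.example.test.", "NS", "ns-old.defunct-host.test."),
    ("mail.example.test.", "MX", "mail.provider.test."),
]
# Constructed resolver: only these names "exist"; everything else behaves like NXDOMAIN.
STILL_RESOLVING = {"cdn-live.provider.test", "ns1.dnshost.test", "mail.provider.test"}


def audit_sample() -> List[str]:
    return [f["owner"] for f in find_dangling(ZONE, lambda n: n in STILL_RESOLVING)]


if __name__ == "__main__":
    for f in find_dangling(ZONE, lambda n: n in STILL_RESOLVING):
        print(f"{f['type']:5} {f['owner']} -> {f['target']} (no destination)")
    # Against real DNS, pass the live resolver instead: find_dangling(ZONE, live_resolves)
```

A target that still resolves is not automatically safe: as the proof of concept above shows, a provider may release a name that someone else can then claim, so resolution is the first filter and provider-specific checks come next. Anything this reports should simply be deleted from the zone, which is the “Next Steps” advice below.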

https://youtube.com/watch?v=Hd_LUgUcLJ4%3Fwmode%3Dopaque%26enablejsapi%3D1

Next Steps

Now you need to delete all of these dangling DNS entries so they no longer leave you exposed.

Access

You can apply for access to the community edition of our service here



Two men arrested for impersonating DHS employees. Let’s unravel some infrastructure.

Research by Silent Push research team

On Wednesday two men were arrested who are alleged to have been impersonating federal agents. Five witnesses have given evidence that the men pretended to work for several agencies, the Department of Homeland Security being one of them.

According to the affidavit, that initially sounds bad, but not on the very high end of what bad could be.

At this point one may mistakenly think these guys were just trying to sound sophisticated, or that this was a “Walter Mitty” type of episode that got out of hand. However, the allegations quickly escalate into very concerning territory.

“Specifically, TAHERZADEH has provided members of the United States Secret Service (USSS) and an employee of DHS with, among other things, rent-free apartments (with a total yearly rent of over $40,000 per apartment), iPhones, surveillance systems, a drone, a flat screen television, a case for storing an assault rifle, a generator, and law enforcement paraphernalia. TAHERZADEH also offered these individuals use of, what TAHERZADEH represented to be “official government vehicles.” In addition, TAHERZADEH offered to purchase a $2,000 assault rifle for a United Secret Service Agent assigned to the First Lady’s protective detail. As of April 4, 2022, as a result of this conduct, four members of the Secret Service were placed on administrative leave pending further investigation.”

A harsh job interview

Then they are alleged to have actually tried to recruit someone to work for them under the guise of being deputized by the DHS. According to the affidavit, “As part of the “recruitment process” TAHERZADEH and ALI required that the “applicant” be shot with an Airsoft rifle to evaluate their pain tolerance and reaction. Subsequent to being shot, the applicant was informed that their hiring was in process. The applicant was also assigned to conduct research on an individual that provided support to the Department of Defense and intelligence community.”

This ongoing charade only got uncovered when a United States Postal Inspector was investigating an assault at the apartment complex where the suspects lived. They were witnesses to the assault, but their questioning made the inspector suspicious, and the inspector called in the FBI.

The Set Up

So what were they doing? Looking into the affidavit they were using an email address with the domain name ussp[.]us. Let’s use this as a starting point and map out their infrastructure and timings.

They have a corporate LinkedIn page set up for this company.

And a Crunchbase profile.

Their registered address is 949 1ST St SE APT 509 Washington, DC, 20003-4737 United States. Their website is no longer fully functional, but we can still see the URLs that were hosted there using archive.org.

Examples of the URLs on the ussp[.]us website
Example of one of the web pages of ussp[.]us
Instagram Page of USSP

Front

The court documents suggest they were providing apartments rent-free to a number of people in the apartment building who have now been suspended from their public service jobs. The implication is that the suspects were taking advantage of these people for nefarious purposes such as espionage. If we look at their infrastructure, is there anything we can tell?

Whois Records

We found a number of domains for this group. The first being ussp[.]us, but also a number of others on the same custom name servers “a1.ussp.us” and “a2.ussp.us”.

For this primary domain the admin is listed as “INFORMATION SYSTEMS”.



If we check out the other domains on these name servers.

Let’s get a better look
The same organization had quite a few ‘special police’ themed domains on the go since 2020. The costs of this are beginning to mount up.

What are special police officers?

https://mpdc.dc.gov/service/security-snapshot-updates-security-personnel

This is perhaps the more interesting question about this story. The companies that these suspects had set up were branded as if they provide security contracting as special police officers for the District of Columbia. These appear to be a special type of private security contractor who are licensed to make arrests within the area they cover. We don’t know if the people in question were licensed or not, but all of the domains they were operating are around that theme. Is this a case of delusional security guards pretending they were something “cooler”, or is this something more nefarious, as some people are suggesting?

Prior Behavior

The suspects in this case seem to have an ongoing track record of irresponsible behavior and would not seem to be ideal candidates for any real undercover work or espionage activity, but we’ll see what gets revealed in court.

https://www.dailymail.co.uk/news/article-10696133/How-fake-DHS-agents-spent-18-MONTHS-trying-infiltrate-Secret-Service-Jill-Bidens-detail.html?s=09

Why these Subdomains?

One question that would be good to have the answer to is why certain subdomains exist for this organization. People are assuming the company is a complete front, but what if it had contracts, and what were they for?

www.downloads.ussp./us

TXT Records

We can tell from their TXT records that they had a LogMeIn account as well as Google Search Console and Office 365 for the main domain ussp./us.

uspolice./us also had a verification TXT record for Microsoft, so this may also have been one of their email domains.

Certificates

The main domain had several certificates, including cPanel-issued ones (two records shown below):

        "date": 20220330,
        "domain": "ussp.us",
        "domains": [
          "a1.ussp.us",
          "cpanel.a1.ussp.us",
          "cpcalendars.a1.ussp.us",
          "cpcontacts.a1.ussp.us",
          "mail.a1.ussp.us",
          "webmail.a1.ussp.us",
          "whm.a1.ussp.us",
          "www.a1.ussp.us"
        ],
        "host": "a1.ussp.us",
        "issuer": "cPanel, Inc. Certification Authority",
        "not_after": "2022-06-28T23:59:59",
        "not_before": "2022-03-30T00:00:00",

          "cPanel, Inc. Certification Authority",
          "COMODO RSA Certification Authority"
        ],
        "date": 20211208,
        "domain": "ussp.us",
        "domains": [
          "cpanel.east.ussp.us",
          "cpcalendars.east.ussp.us",
          "cpcontacts.east.ussp.us",
          "east.ussp.us",
          "mail.east.ussp.us",
          "webmail.east.ussp.us",
          "whm.east.ussp.us",
          "www.east.ussp.us"
        ],
        "host": "cpanel.east.ussp.us",
        "issuer": "cPanel, Inc. Certification Authority",
        "not_after": "2022-03-08T23:59:59",
        "not_before": "2021-12-08T00:00:00",
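As an added example (not Silent Push code), here is how to reduce certificate records like the ones above to the underlying server hosts and the window each host was covered by a certificate, which is what makes the move from "east" to "a1" visible. The records are constructed to mirror the two fragments shown, and the list of cPanel service prefixes is an assumption about cPanel's default service hostnames.

```python
from collections import defaultdict
from datetime import datetime

# cPanel issues one certificate per server that also covers these service
# names; stripping them collapses the SAN list to the real server hostname.
# (Assumed cPanel defaults, not taken from the records themselves.)
CPANEL_SERVICE_PREFIXES = ("cpanel.", "cpcalendars.", "cpcontacts.", "mail.",
                           "webmail.", "whm.", "webdisk.", "www.")

# Constructed records modelled on the two fragments shown above (same field names).
RECORDS = [
    {"date": 20220330, "domain": "ussp.us", "host": "a1.ussp.us",
     "issuer": "cPanel, Inc. Certification Authority",
     "not_before": "2022-03-30T00:00:00", "not_after": "2022-06-28T23:59:59",
     "domains": ["a1.ussp.us", "cpanel.a1.ussp.us", "cpcalendars.a1.ussp.us",
                 "cpcontacts.a1.ussp.us", "mail.a1.ussp.us", "webmail.a1.ussp.us",
                 "whm.a1.ussp.us", "www.a1.ussp.us"]},
    {"date": 20211208, "domain": "ussp.us", "host": "cpanel.east.ussp.us",
     "issuer": "cPanel, Inc. Certification Authority",
     "not_before": "2021-12-08T00:00:00", "not_after": "2022-03-08T23:59:59",
     "domains": ["cpanel.east.ussp.us", "cpcalendars.east.ussp.us",
                 "cpcontacts.east.ussp.us", "east.ussp.us", "mail.east.ussp.us",
                 "webmail.east.ussp.us", "whm.east.ussp.us", "www.east.ussp.us"]},
]

def base_host(name, prefixes=CPANEL_SERVICE_PREFIXES):
    """'cpcontacts.east.ussp.us' -> 'east.ussp.us' (prefixes may stack)."""
    for prefix in prefixes:
        if name.startswith(prefix):
            return base_host(name[len(prefix):], prefixes)
    return name

def host_timeline(records):
    """Map each underlying host to (earliest not_before, latest not_after)."""
    windows = defaultdict(list)
    for rec in records:
        window = (datetime.fromisoformat(rec["not_before"]),
                  datetime.fromisoformat(rec["not_after"]))
        for san in rec["domains"]:
            windows[base_host(san)].append(window)
    return {host: (min(w[0] for w in ws), max(w[1] for w in ws))
            for host, ws in windows.items()}

def first_seen_order(records):
    """Hosts ordered by first certificate issuance: shows how the infrastructure moved."""
    timeline = host_timeline(records)
    return sorted(timeline, key=lambda host: timeline[host][0])

if __name__ == "__main__":
    for host, (start, end) in host_timeline(RECORDS).items():
        print(f"{host}: {start.date()} -> {end.date()}")
```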

Observed infrastructure list (IoC would be an inappropriate term), all sourced from the Silent Push platform:



Lapsus$ Group - an emerging dark net threat actor leveraging insider threats - or was it?

Research by the Silent Push Labs team.

Introduction:

Lapsus$ Group is an extortion group that gained public recognition in the last few weeks due to its attacks on NVIDIA and Samsung, where they stole and leaked critical information from the companies.


Previously they had conducted:

– a ransomware attack on the Ministry of Health of Brazil back in December 2021;
– DNS spoofing attacks on Portuguese-speaking companies such as Localiza, Submarino and Americanas during January and February 2022;
– cyber attacks in which they stole confidential information from a Portuguese media and information company (Impresa) and from a Brazilian TV and telecommunications company (Claro and Embratel).

This latter type of attack, where critical data is accessed and stolen without being encrypted or deleted, is the group’s most common procedure, and it is the reason why, to date, this threat actor does not fall under the category of a ransomware group.


Nevertheless, this threat actor is responsible for leaking important data and confidential information that compromises services and companies.

lapsus-group[.]com as of December 2021:
lapsus-group[.]com as of January 2022:

Methods

But how exactly does this threat actor infiltrate into its target systems?


The group’s initial step appears to be to collect authentic credentials, either by conducting phishing attacks or by advertising on the internet that they are looking to buy verified passwords from employees. However, recent updates suggest they may have had access through the customers’ OKTA accounts. More on the updated timeline below.

Lapsus recruit insiders

In this way, they can access IT infrastructure with minimal detection, sometimes remaining in the system for weeks.
After either stealing enough data or being discovered, the group’s next step is to actively advertise their actions on their public Telegram channel or by leaving a note on the compromised websites.
Finally, the story unfolds as predicted: the gang threatens the victim to either make contact or see the critical information leaked.

Often, some bitcoin payment is demanded, but the requests vary. This backs up the hypothesis that this threat actor is not sponsored or politically motivated but purely looking for money and recognition.

We have reasons to believe that the attacks from this extortion group will continue and become more frequent, possibly targeting international companies and infrastructures.

For that reason, we’ll continuously monitor the activity of this threat actor, collecting information and Indicators of Compromise which will be available to the Silent Push customers under the tag ‘lapsus$’.

Confirmed Lapsus$ attacks

Ministry of Health of Brazil

On December 10th 2021, the threat actor conducted a ransomware attack on the websites of the Ministry of Health of Brazil, blocking access to COVID-19 vaccination certificates and other vital information of the public healthcare system.
A message written in Portuguese was left on the compromised websites, in which the group claimed to have stolen and erased 50 TB of data.
Contact details were also provided for negotiating the restoration of the stolen information.

Correios

Lapsus$ announcement of attack on Correios

On December 23rd 2021, the website of the post office company Correios was taken down.
The group immediately used their Telegram channel to take responsibility for the attack.
Unlike the attack on the Ministry of Health of Brazil, no message was left on the compromised website and there is no evidence that any data was accessed or stolen.

Claro and Embratel Telecommunications

Lapsus$ announcing they have hacked Claro

On December 30th 2021, the group posted a message on their Telegram claiming to have accessed Claro’s IT infrastructure and stolen almost 10000 TB of confidential data.
A previous post on their channel shows that the group was looking to buy the access credentials of a Claro employee. This suggests it is possible that they were in the system for a brief period, since many users reported issues in the weeks prior to the attack.
With access to the cloud IT infrastructure, and apparently undetected, the group claims to have collected sensitive data including customer information, legal documents, emails, source code, confidential court orders and wiretap recordings, and requested a monetary payment in order to stop the leakage of the information obtained.

Impresa

On January 2nd, a cyber attack conducted by this gang took down several websites of Impresa, a Portuguese media and information company, for a few days.
Additionally, the group accessed the Twitter and email accounts of Expresso, which they used to send tweets and emails sharing their Telegram account.
On the compromised websites, the group left their signature message, claiming to have gained access to the company’s AWS servers and requesting a monetary payment in order to stop the leakage of the information obtained.
It is believed that the group obtained valid credentials via a phishing campaign.

Big claims by Lapsus$

Localiza

On January 11th, Lapsus$ performed a DNS spoofing attack on Localiza, a Brazilian car rental company, redirecting their website to an adult content site.

Submarino and Americanas

More announcements from Lapsus$

NVIDIA

On March 1st 2022, NVIDIA confirmed they had suffered a cyber attack in which employee credentials and confidential data had been stolen from their systems.
Shortly after this, the group posted a message on their Telegram claiming responsibility and demanding a response from NVIDIA, threatening to expose the data they had collected.
It appears that negotiations either did not occur or the outcome was not what the gang expected, since they ended up leaking 20GB of the data they had stolen, which contained information about components of the NVIDIA GPU driver, namely Falcon and LHR.

In another message, the gang claimed that NVIDIA was able to connect to their virtual machine and encrypt the information. This claim has not been confirmed by NVIDIA.

Unfortunately, the group declared that they had made copies of the stolen information and keep threatening to release all the sensitive data obtained if their demands are not met. One of these demands, recently made public by the gang, concerns the NVIDIA LHR limitations.
The group is asking the company to remove all LHR limitations, which would benefit Bitcoin mining.

Samsung

On March 4th, the group leaked 190 GB of Samsung confidential data including:
– source code for every Trusted Applet installed in Samsung devices’ TrustZone;
– algorithms for all biometric unlock operations;
– bootloader source code for all recent Samsung devices;
– Samsung activation server source code;
– Samsung Accounts full source code;
– among other highly sensitive data, what they claim to be source code from Qualcomm.
It is unclear whether Samsung was contacted by the group before the leak or whether any attempted extortion occurred. The company has already confirmed the breach.

Suspected Lapsus$ attacks: Vodafone Portugal, Mercado Livre and Ubisoft

Recently the group created a poll on their Telegram channel where they requested their followers to choose the content of the next data leak.


One of the companies on this list was Impresa, which the group had attacked in January, requesting money in order to stop the leakage of the information obtained.
At the time, there was no evidence that the requested amount was paid, but this recent publication suggests it was not.

Is this the official claim that Lapsus$ did attack Vodafone Portugal?

On the other hand, the group never confirmed their responsibility for the cyber attacks on Vodafone Portugal and MercadoLibre at the time of the events.
Is this publication an admission of their actions?
Moreover, a recent publication on their Telegram suggests that they could be behind the recent cyber attack on Ubisoft.

LG Data Dump

In a last-minute rush of data dumps on 22nd March 2022, Lapsus$ suddenly released a lot of information, beginning with this dump of LG data from an alleged breach, and claimed to hold infrastructure information from LG’s Confluence that would be released soon. However, this was almost lost compared to what was to come.

Bing, Bing Maps and Cortana

This had been hinted at in previous days, but the Telegram message was deleted. So at this point everyone is wondering how this group is getting access to all of these big brands. The previous posts looking for insiders make it look like that could be the weakness across all of these organizations. However, what happens next changes the picture.

OKTA

One of the most widely used tools across the security industry is OKTA. It completely changes the access management capabilities of a large organization: instead of managing each user’s access to each corporate application separately, it is all done through OKTA. The user logs in to OKTA and from there just has to click on the application tile. This significantly reduces the password management risks from each individual user, among many other benefits. But what if OKTA becomes the entry point for the attacker? Well, that appears to be what happens next.
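When the identity provider is the entry point, the control a defender has is the provider’s own audit trail. The following is an added example (not Silent Push’s code and not from OKTA): detection logic over constructed Okta System Log records that flags support impersonation sessions into a tenant that no user had recently granted. The field layout follows the System Log schema as I know it, and the impersonation event-type names are assumed to match Okta’s naming.

```python
from datetime import datetime, timedelta

# Constructed Okta System Log records (not real tenant data). Layout assumed:
# the end user appears as actor on the grant, and as a User target on the
# initiate raised by the support engineer's session.
SAMPLE_LOG = [
    {"published": "2022-01-21T10:05:40.000Z", "eventType": "user.session.impersonation.grant",
     "actor": {"alternateId": "alice@example.invalid"}, "client": {"ipAddress": "203.0.113.7"}},
    {"published": "2022-01-21T10:06:02.000Z", "eventType": "user.session.impersonation.initiate",
     "actor": {"alternateId": "support@vendor.invalid"}, "client": {"ipAddress": "198.51.100.9"},
     "target": [{"type": "User", "alternateId": "alice@example.invalid"}]},
    {"published": "2022-01-21T11:30:00.000Z", "eventType": "user.session.impersonation.initiate",
     "actor": {"alternateId": "support@vendor.invalid"}, "client": {"ipAddress": "198.51.100.9"},
     "target": [{"type": "User", "alternateId": "bob@example.invalid"}]},
    {"published": "2022-01-23T09:00:00.000Z", "eventType": "user.session.impersonation.initiate",
     "actor": {"alternateId": "support@vendor.invalid"}, "client": {"ipAddress": "198.51.100.9"},
     "target": [{"type": "User", "alternateId": "alice@example.invalid"}]},
]

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def target_user(event):
    """alternateId of the impersonated user, or None if the event has no User target."""
    for target in event.get("target", []):
        if target.get("type") == "User":
            return target.get("alternateId")
    return None

def unapproved_impersonations(events, max_gap=timedelta(hours=24)):
    """Flag every impersonation.initiate whose target user did not grant support
    access (impersonation.grant) within max_gap before it. Such a session is
    someone acting as one of your users without that user's recent approval."""
    latest_grant = {}          # user -> time of their most recent grant
    findings = []
    for event in sorted(events, key=lambda e: e["published"]):
        ts = parse_ts(event["published"])
        if event["eventType"] == "user.session.impersonation.grant":
            latest_grant[event["actor"]["alternateId"]] = ts
        elif event["eventType"] == "user.session.impersonation.initiate":
            user = target_user(event)
            granted = latest_grant.get(user)
            if granted is None or ts - granted > max_gap:
                findings.append({"time": event["published"], "target": user,
                                 "actor": event["actor"]["alternateId"],
                                 "ip": event["client"]["ipAddress"]})
    return findings

if __name__ == "__main__":
    for finding in unapproved_impersonations(SAMPLE_LOG):
        print(finding)
```

On the sample data the session into alice’s account at 10:06 is matched by her grant a few seconds earlier, while the sessions into bob’s account (never granted) and the one into alice’s account two days later (grant expired) are reported.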

This is followed by many images backing up their claims including the user names of OKTA employees who appear to be Software Engineers in OKTA.

The date of these screenshots is visible as 21st January 2022.

The next claim is strange: Lapsus$ take pains to point out that they haven’t accessed any databases belonging to OKTA; they are just targeting its customers.

And that is the timeline so far. We’ll continue to update this if there are any more developments. This appears to be a young and inexperienced group who are struggling to actually receive any payments for all of this extortion work. We don’t know how they obtained this access to a superuser (if there is such a thing) account in OKTA and it may never be revealed. It definitely reinforces the message that security is always about people. This group has gained a lot of notoriety and a following on social media, which may be an important factor for them. I imagine the lives of people working in the organizations that have been victims have been badly affected, particularly the employees mentioned in the images that were released.

Lapsus$ history:

It is difficult to pinpoint a date when this threat actor began its activity.
There is a clear increase in the severity and frequency of their attacks since December 2021.
Prior to that date, a few English-language posts can be found on web forums about what appears to be their first attack as a group.
In this attack, which took place in June 2021, the group claimed to have stolen the source code of FIFA 21 from Electronic Arts.
The company acknowledged the event but did not fulfill the group’s requests, and the source code ended up being leaked on the dark web.

Doxbin link to Lapsus$

For the next few months there were some minor attacks that could be traced back to the group, but these are irrelevant in comparison to their current spike of malicious activity.
The group also changed their communication channels, withdrawing from web forums and Twitter to use Telegram exclusively.
Although they speak both Brazilian Portuguese and English, little is known about the members of the gang.
Recently, a dox was leaked claiming that the head of this group was a 16-year-old boy who lives in the United Kingdom and has severe autism. He is known on the dark web as SigmA (most recent), wh1te, Breachbase or Alexander Pavlov (also an alias).

This came to light after some disputes that took place when SigmA bought the website doxbin.com and tried to sell it back to the previous owner afterwards. It appears that negotiations didn’t go as planned and he ended up being exposed as the Lapsus$ chief on the website he once owned.

By using the PADNS features in the Silent Push app, we found some information that could back up this hypothesis: during the period that SigmA supposedly owned doxbin.com, the website was hosted on the same subnet as the main Lapsus$ website at the time.
Another thing that supports this claim is the set of messages posted by the group on their Telegram, where they deny that SigmA was arrested and share his new Telegram account.

SilentPush IoC research:

Using the PADNS feature in the Silent Push app, we found domains that fit the *lapsus*group*.* pattern and the IP addresses that hosted them.
Their registrar is unavailable and they use *.cloudflare.com nameservers.

IoC:

lapsus-group[.]com

lapsusgroup[.]tk

185.56.83[.]40

185.56.83[.]150