The Good, the Bad and the Ugly in Cybersecurity – Week 44

The Good | Global Alliance Looks to Curb Illicit Crypto Funds

This week Washington DC played host to the third annual International Counter-Ransomware Initiative summit, and delegates from 40 countries are pledging their support to prevent the payment of ransom demands to cybercriminals.

The news comes on the back of record numbers of ransomware attacks in September, with 514 incidents worldwide. Every month of 2023 has so far seen an increase in attacks compared to the same month last year, with the U.S. bearing the brunt of the surge, accounting for half of all ransomware incidents globally. New actors such as LostTrust and RansomedVC have significantly contributed to the 153% year-on-year increase.

In response, a U.S.-led global initiative will seek to block cybercriminals from being paid and to seize illicit funds. Countries will share information on crypto wallets being used for ransomware payments, and AI will be deployed to analyze blockchain transactions to identify criminal proceeds. Information will be shared across partner countries on two information sharing platforms, one set up by Lithuania and another jointly by Israel and the UAE.

Deputy National Security Adviser Anne Neuberger said that the problem of ransomware will only continue to grow until governments take action to stop the flow of money. Ransomware gangs work across national borders and the widespread use of cryptocurrency has fuelled the explosion in cybercrime. The most effective way to address the problem is to remove the ability for criminals to receive funds.

The Bad | SolarWinds Allegedly Defrauded Investors

Bad news for investors in Texas-based software outfit SolarWinds and for its CISO, Timothy G. Brown: news broke this week that the SEC is charging both with fraud and internal control failures relating to cybersecurity vulnerabilities and risks.

SolarWinds was, of course, a primary target in the massive 2020 SUNBURST supply chain attack. The SEC alleges that for at least two years prior to that, SolarWinds knew of specific vulnerabilities and risks that were inconsistent with its public statements to investors. According to the complaint, SolarWinds knew that its remote access set-up was insecure and that an internal report said a threat actor could “do whatever without us detecting it until it’s too late”. Presentations by Brown in 2018 and 2019 stated that the company’s “current state of security leaves us in a very vulnerable state”, according to the SEC’s 68 page complaint.

In addition, subsequent to the cyber attack on SolarWinds, Brown allegedly wrote that “our backends are not that resilient”. Other company documents are said to have stated that “the volume of security issues being identified over the last month” have “outstripped the capacity of Engineering teams to resolve”.

The SEC says that Brown and SolarWinds ignored repeated warnings about cyber risks and failed to address them, instead engaging in “a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

SolarWinds and Brown both deny the allegations, claiming that the company “maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since”.

The Ugly | Vendor Leaks PII of Identity Management Firm’s Employees

There is more troubling news concerning Okta this week as the company revealed that almost 5000 current and former employees had sensitive personal information exposed as a result of a third-party vendor breach.

According to Okta’s data breach notification, a data security incident at Rightway Healthcare, which managed healthcare provision for Okta employees between 2018 and 2020, led to the leak of personal information including names, SSNs and health or medical insurance plan numbers.

Rightway informed Okta last month that an unauthorized actor had gained access to the data likely in September 2023. At the present time, there is believed to be no evidence of the data being used against individuals, but the company has offered 2 years of free credit monitoring and fraud detection services to affected employees.

The breach notification comes in the wake of several cybersecurity incidents for Okta over the last two years. Just last month the company reported that a threat actor had gained access to files uploaded by some Okta customers, with a downstream impact on clients such as 1Password, BeyondTrust and Cloudflare, among others. Last year, hacking gang Lapsus$ gained access to confidential information and source code belonging to the company.

Due to its market position providing identity management services to thousands of organizations, Okta is a hugely attractive target for cybercriminals. In a statement today, the company apologized to its customers and said it is “deeply committed to providing up-to-date information” about cyber security incidents.

Welcoming Our New President & Chief Revenue Officer | Q&A with Michael Cremen 

Today, we are thrilled to welcome Michael Cremen to SentinelOne as our President and Chief Revenue Officer. Michael is an accomplished international executive with extensive GTM experience in scaling software and SaaS companies. He will be responsible for the planning, development and global execution of our GTM strategy as we continue to evolve our business and deliver industry-leading growth.

Michael joins us from Elastic, a data search, observability and security company, where he was responsible for the global sales organization and field operations. Prior to joining Elastic, Michael was the Chief Revenue Officer at Cohesity and also served at Veritas Technologies and Hitachi, Ltd. in executive leadership roles.

We sat down with Michael to learn more about his decision to join SentinelOne and get his early thoughts on our rapidly growing business, industry-leading tech, stellar customer portfolio and award-winning culture.

Why SentinelOne?

When I consider joining an organization, I look at five key factors, and SentinelOne scored off the charts in each of these categories:

  • Product/Market fit
  • Long-term Vision of the CEO
  • Continuous Innovation and R&D
  • Market Reputation and Partnerships
  • People and Culture

SentinelOne is a company of firsts, driven by a unique vision and amazing technology. We were first to incorporate generative AI into cybersecurity, and we continue to bring innovations to market that help our customers see the future and secure it today. We are the global leader in AI security. This kind of innovation is the foundation of our market reputation, and that’s an early source of pride for me.

We were recently named the Best AI-Based CyberSecurity Solution Provider by the CyberSecurity Breakthrough Awards. And we are a top choice among customers, with 96 percent of end users who participated in the latest Gartner Peer Insights Customer Choice for Endpoint Protection Platforms report saying they would recommend us.

We are growing at a rapid pace, faster than any other public security company, and we are committed to scaling our business to support this growth. All of this was very compelling to me. But what really sealed the deal was the culture. During my interview process, I asked those I met what they loved most about SentinelOne, and the answer was the same – the People. I needed to be a part of that.

What are your first impressions of our Business and our Sentinels?

For me, it’s a perfect fit! Our Business is progressive and proactive. We are constantly evolving to better protect our customers against the evolving threat landscape. And our Sentinels are second-to-none when it comes to customer focus, relentlessness, diligence and dedication to our mission.

What do you see happening in the market?

We are seeing a proliferation of cyber incidents, new software vulnerabilities and an uptick in the use of AI-based attack methods – all of which have exposed the shortcomings of many cybersecurity vendors.

The opportunity in the cloud security market is enormous, and it’s constantly evolving. There’s a massive data explosion, and no one is better prepared to harness and secure enterprise data than SentinelOne. The value of one comprehensive platform allows for consolidation of products and improved business continuity. And the future is bright – AI is foundational for SentinelOne, and as the leader in this space, we will continue to define the future of cybersecurity.

What opportunity do you see in the cloud security market?

In the cloud security market, we see a significant opportunity. While it’s currently fragmented, our strong presence in workload security positions us as a clear leader. What excites me is our product roadmap, which will continue to differentiate our platform and cloud solutions from the standalone CSPM solutions we see today. Our platform-centric approach will offer a unique solution to cloud security, reducing complexity, increasing protection and reducing risk. Customers and partners can expect us to deliver mature, innovative, and complete cloud security solutions, setting a new industry standard and leading the way in this vital cybersecurity arena.

What can our customers and partners expect of you?

They can expect visibility and engagement from me – around the world and across the industry. Everything I do as a GTM leader has a partner-centric approach. I will operate as their champion within SentinelOne and with our partners. I will make investments across each aspect of our GTM business and strengthen alignment with our Product and Engineering teams. Finally, I will ask for and look forward to constant feedback so that I can ensure our teams are supporting our customers and partners in the most optimal way possible.

What is your vision for the future of SentinelOne under your leadership?

My vision is to solidify SentinelOne as the undisputed leader in AI-driven cybersecurity. I want us to continue expanding our global reach, empowering organizations of all sizes to protect their organizations from endpoint to cloud with confidence. We’ll achieve this through strategic partnerships, cutting-edge technology, and a relentless commitment to customer success.

So, State-Sponsored Attackers Are Targeting Your Mobile Device. Now What?

Earlier this week, Apple notified a number of individuals that their iPhones had apparently been targeted by state-sponsored attackers. Around a dozen iPhone users, including journalists and politicians in India’s opposition parties, are said to have received the alerts. Apple began warning its users that they might be targeted by sophisticated nation-state hackers in 2021, after the discovery that Pegasus spyware was being widely used by governments and other entities to compromise mobile devices. Since then, individuals in over 150 countries have been notified of potential nation-state hacks against their Apple devices.

Receiving an alert, however, leaves users with little to no indication of how they are being targeted or by whom. The wording of the alert even suggests it might be a mistake, raising questions about how alarmed users should be and what they ought to do. In this post, we explain how threat notifications work, discuss the security threat to mobile devices, and offer guidelines for concerned users.

What Are Apple Threat Notifications?

In the wake of rising incidents of spyware attacks from private sector greyware vendors such as the now-sanctioned NSO, developers of Pegasus, Positive Technologies, Candiru and the Computer Security Initiative Consultancy, Apple began sending alerts to users whenever it discovers activity “consistent with a state-sponsored attack”.

The alerts contain only generic information about such attacks and give no indication of precisely what Apple found, nor who might be behind the attack. Recipients are warned that attackers may be able to remotely access the device’s camera, microphone, data and applications such as messaging software. Somewhat confusingly, Apple’s alert also tells users that this could be a false alarm, but that the recipient should “take this warning seriously”.

ALERT: State-sponsored attackers may be targeting your iPhone

The alerts are sent via email and iMessage to the email addresses and phone numbers associated with the targeted Apple ID. Apple also displays a banner notification on the user’s Apple ID login page.

Source: Apple

Who Is Behind the Attacks?

While there is plenty of speculation about who might be behind the activity Apple has warned users about this week, the information provided to users means it is impossible to attribute specific state-sponsored attackers to a batch of threat notifications.

Apple says its alerts are based on “threat intelligence signals” that may be imperfect and incomplete, and the company says it withholds making those details public “as that may help state-sponsored attackers adapt their behavior to evade detection in the future”.

However, there are a number of well-known private sector offensive actors (PSOAs) that specialize in developing and selling mobile device exploits to governments and other “security” agencies. PSOAs may be contracted by nation-states to help them avoid attribution, or they may provide “software as a service” that nation-state actors deploy in their campaigns.

The most commonly observed PSOA in this space is NSO and its Pegasus software, recently used in a zero-click iPhone zero-day to compromise the mobile device of a Washington DC-based civil society organization. Following this recent attack, Apple has in recent weeks issued three separate security updates for iOS to patch a number of bugs it says may have been “actively exploited in the wild”.

What Are the Threats to Mobile Devices?

Although mobile malware is most widely associated with spyware for surveillance and data theft, it can be and has been used for a broader range of sinister purposes. There are known cases where it has been employed to fabricate evidence of a crime, a disturbing trend that has gained prominence in the digital age. Attackers have deployed malware to plant false data or tamper with existing records, creating a virtual trail of incriminating information against unsuspecting victims.

Such deceptive tactics can be used to frame individuals or organizations for illicit activities, thereby tarnishing their reputation or even leading to legal consequences. One example of an attacker who repeatedly and consistently planted evidence is the ModifiedElephant APT, which we reported on early last year.

What Should You Do If You Receive an Apple Threat Notification?

Threat actors evolve quickly, and as long as they are able to avoid attribution and repercussions of their actions, we can expect their activity to recur. For those who receive a threat notification, or who operate in high-profile political, religious, business, or civil society communities, the following recommendations can help:

  1. Enable auto updates for your devices, including iPhones, Macs, and Windows PCs.
  2. Ensure multi-factor authentication is enabled on iCloud accounts, and all email accounts you own. We strongly recommend hardware-based tokens and not text-message (SMS) codes.
  3. Turn on iOS Lockdown Mode.
  4. Enable Advanced Data Protection for iCloud.
  5. Remove all unnecessary apps from your devices, and perform a Safety Check.
  6. Reboot / Force Restart mobile devices at least once a day.
  7. Backup your mobile device at least once per week.
  8. If applicable, avoid iOS jailbreaking. In general, jailbreaking increases the risk to your device.
  9. For work devices, request your organization to provide a trusted mobile security solution.

And What About Android Devices?

Although threat notifications are an Apple-only service, users may possess other kinds of mobile and computing devices. Android devices, for example, can be hardened with the following measures:

  1. Enable automatic updates.
  2. Never install apps from a third-party app store.
  3. Understand the risks of rooting a device. Like jailbreaking, this generally introduces more security weaknesses.
  4. Consider enabling Android Lockdown Mode. Unlike iOS Lockdown Mode, the Android version disables all forms of biometric authentication to prevent non-consensual phone access.
  5. Enable device encryption.
  6. If your organization uses Android for Work, consider using a work profile to separate work and leisure activity and requesting a trusted mobile security solution.
  7. Consider a reputable Android security solution for non-work devices.

Personal computers, whether Windows, Mac or Linux, should also be protected by trusted security software. Note that OS vendor supplied security software is also regularly targeted by threat actors looking for exploitable bugs. Both Windows and macOS have received multiple patches this year alone for vulnerabilities “actively exploited in the wild”.

Conclusion

In a world where state-sponsored attackers are increasingly targeting mobile devices, vigilance is essential. The recent widespread notifications from Apple serve as a stark reminder that no one is immune to such threats. As we’ve discussed, the potential for mobile devices to be weaponized against individuals and organizations is not limited to surveillance; it extends to the disturbing use of malware to fabricate evidence of crimes.

In this rapidly evolving landscape, it’s crucial to take proactive steps to protect your digital life. Enabling automatic updates, implementing multi-factor authentication, and regularly backing up your devices are some fundamental measures.

While different devices have their unique security considerations, the overarching principle remains the same: prioritize your digital security and be prepared for evolving threats. As threat actors continue to adapt and evade attribution, these precautions become our best defense against their relentless activities.


Russian Reshipping Service ‘SWAT USA Drop’ Exposed

The login page for the criminal reshipping service SWAT USA Drop.

One of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. Here’s a closer look at the Russia-based SWAT USA Drop Service, which currently employs more than 1,200 people across the United States who are knowingly or unwittingly involved in reshipping expensive consumer goods purchased with stolen credit cards.

Among the most common ways that thieves extract cash from stolen credit card accounts is through purchasing pricey consumer goods online and reselling them on the black market. Most online retailers grew wise to these scams years ago and stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia.

But such restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe to receive stolen goods and relay them to crooks living in the embargoed areas.

Services like SWAT are known as “Drops for stuff” on cybercrime forums. The “drops” are people who have responded to work-at-home package reshipping jobs advertised on craigslist.com and job search sites. Most reshipping scams promise employees a monthly salary and even cash bonuses. In reality, the crooks in charge almost always stop communicating with drops just before the first payday, usually about a month after the drop ships their first package.

The packages arrive with prepaid shipping labels that are paid for with stolen credit card numbers, or with hijacked online accounts at FedEx and the US Postal Service. Drops are responsible for inspecting and verifying the contents of shipments, attaching the correct shipping label to each package, and sending them off via the appropriate shipping company.

SWAT takes a percentage cut (up to 50 percent) where “stuffers” — thieves armed with stolen credit card numbers — pay a portion of each product’s retail value to SWAT as the reshipping fee. The stuffers use stolen cards to purchase high-value products from merchants and have the merchants ship the items to the drops’ address. Once the drops receive and successfully reship the stolen packages, the stuffers then sell the products on the local black market.

The SWAT drop service has been around in various names and under different ownership for almost a decade. But in early October 2023, SWAT’s current co-owner — a Russian-speaking individual who uses the handle “Fearlless” — took to his favorite cybercrime forum to lodge a formal complaint against the owner of a competing reshipping service, alleging his rival had hacked SWAT and was trying to poach his stuffers and reshippers by emailing them directly.

Milwaukee-based security firm Hold Security shared recent screenshots of a working SWAT stuffer’s user panel, and those images show that SWAT currently lists more than 1,200 drops in the United States that are available for stuffers to rent. The contact information for Kareem, a young man from Maryland, was listed as an active drop. Contacted by KrebsOnSecurity, Kareem agreed to speak on condition that his full name not be used in this story.

A SWAT panel for stuffers/customers. This page lists the rules of the service, which do not reimburse stuffers for “acts of god,” i.e. authorities seizing stolen goods or arresting the drop.

Kareem said he’d been hired via an online job board to reship packages on behalf of a company calling itself CTSI, and that he’s been receiving and reshipping iPads and Apple watches for several weeks now. Kareem was less than thrilled to learn he would probably not be getting his salary on the promised payday, which was coming up in a few days.

Kareem said he was instructed to create an account at a website called portal-ctsi[.]com, where each day he was expected to log in and check for new messages about pending shipments. Anyone can sign up at this website as a potential reshipping mule, although doing so requires applicants to share a great deal of personal and financial information, as well as copies of an ID or passport matching the supplied name.

A SWAT panel for stuffers/customers, listing hundreds of drops in the United States by their status. “Going to die” are those who are about to be let go without promised payment, or who have quit on their own.

On a suspicion that the login page for portal-ctsi[.]com might be a custom coding job, KrebsOnSecurity selected “view source” from the homepage to expose the site’s HTML code. Grabbing a snippet of that code (e.g., “smarty/default/jui/js/jquery-ui-1.9.2.min.js”) and searching on it at publicwww.com reveals more than four dozen other websites running the same login panel. And all of those appear to be geared toward either stuffers or drops.

In fact, more than half of the domains that use this same login panel actually include the word “stuffer” in the login URL, according to publicwww. Each of the domains below that end in “/user/login.php” are sites for active and prospective drops, and each corresponds to a unique fake company that is responsible for managing its own stable of drops:

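The “view source” pivot described above can be automated: extract the static-asset paths each login page loads and find every host that shares a distinctive one. The following is an added example, not code from KrebsOnSecurity or Hold Security; the HTML samples are constructed and embedded inline so it runs offline, and only the `smarty/default/jui/js/jquery-ui-1.9.2.min.js` path and the `portal-ctsi[.]com` hostname come from the article (the `.invalid` hostnames are placeholders).

```python
"""Cluster login panels by the static-asset paths they load."""
from collections import defaultdict
from html.parser import HTMLParser

# Path taken from the article's pivot; all other sample data below is constructed.
PIVOT = "smarty/default/jui/js/jquery-ui-1.9.2.min.js"


def normalize(url):
    """Strip scheme, host, query and fragment so the same relative path matches across hosts."""
    url = url.split("?", 1)[0].split("#", 1)[0]
    if "://" in url:
        rest = url.split("://", 1)[1]
        url = rest.split("/", 1)[1] if "/" in rest else ""
    return url.lstrip("/")


class AssetExtractor(HTMLParser):
    """Collect normalized src/href values of <script> and <link> tags."""

    def __init__(self):
        super().__init__()
        self.assets = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.assets.add(normalize(attrs["src"]))
        elif tag == "link" and attrs.get("href"):
            self.assets.add(normalize(attrs["href"]))


def extract_assets(html):
    """Return the set of asset paths referenced by one page's HTML."""
    parser = AssetExtractor()
    parser.feed(html)
    return parser.assets


def cluster_by_asset(pages, pivot):
    """Hostnames whose HTML loads the exact pivot path (the publicwww-style search)."""
    return sorted(host for host, html in pages.items() if pivot in extract_assets(html))


def shared_fingerprints(pages, min_sites=2):
    """Map every asset path to the hosts loading it, keeping paths shared by >= min_sites hosts.
    Running this over a crawl surfaces pivots you did not already know about."""
    index = defaultdict(set)
    for host, html in pages.items():
        for asset in extract_assets(html):
            index[asset].add(host)
    return {a: sorted(h) for a, h in index.items() if len(h) >= min_sites}


# Constructed HTML samples standing in for fetched pages (keys are defanged hostnames).
SAMPLE_PAGES = {
    "portal-ctsi[.]com": (
        '<html><head><link rel="stylesheet" href="/smarty/default/css/login.css">'
        '<script src="/smarty/default/jui/js/jquery-ui-1.9.2.min.js?v=3"></script></head>'
        '<body><form action="/user/login.php"></form></body></html>'
    ),
    "drops-panel[.]invalid": (
        '<script src="smarty/default/jui/js/jquery-ui-1.9.2.min.js"></script>'
        '<script src="/smarty/default/js/app.js"></script>'
    ),
    "stuffer-panel[.]invalid": (
        '<script src="https://stuffer-panel.invalid/smarty/default/jui/js/jquery-ui-1.9.2.min.js">'
        '</script><script src="/smarty/default/js/app.js"></script>'
    ),
    # Loads the same jQuery UI build from a CDN: a different path, so it is not clustered.
    "unrelated-shop[.]invalid": '<script src="https://cdn.invalid/jquery-ui-1.9.2.min.js"></script>',
}

if __name__ == "__main__":
    print("hosts loading the pivot:", cluster_by_asset(SAMPLE_PAGES, PIVOT))
    for asset, hosts in shared_fingerprints(SAMPLE_PAGES).items():
        print(f"{asset}: {hosts}")
```

Matching on the full relative path rather than the library filename is what keeps a generic jQuery UI include from dragging unrelated sites into the cluster.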

Why so many websites? In practice, all drops are cut loose within approximately 30 days of their first shipment — just before the promised paycheck is due. Because of this constant churn, each stuff shop operator must be constantly recruiting new drops. Also, with this distributed setup, even if one reshipping operation gets shut down (or exposed online), the rest can keep on pumping out dozens of packages a day.

A 2015 academic study (PDF) on criminal reshipping services found the average financial hit from a reshipping scheme per cardholder was $1,156.93. That study looked into the financial operations of several reshipping schemes, and estimated that approximately 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year.

It’s not hard to see how reshipping can be a profitable enterprise for card crooks. For example, a stuffer buys a stolen payment card off the black market for $10, and uses that card to purchase more than $1,100 worth of goods. After the reshipping service takes its cut (~$550), and the stuffer pays for his reshipping label (~$100), the stuffer receives the stolen goods and sells them on the black market in Russia for $1,400. He has just turned a $10 investment into more than $700. Rinse, wash, and repeat.

The breach at SWAT exposed not only the nicknames and contact information for all of its stuffers and drops, but also the group’s monthly earnings and payouts. SWAT apparently kept its books in a publicly accessible Google Sheets document, and that document reveals Fearlless and his business partner each routinely made more than $100,000 every month operating their various reshipping businesses.

The exposed SWAT financial records show this crime group has tens of thousands of dollars worth of expenses each month, including payments for the following recurring costs:

- advertising the service on crime forums and via spam;
- people hired to re-route packages, usually by voice over the phone;
- third-party services that sell hacked/stolen USPS/FedEx labels;
- “drops test” services, contractors who will test the honesty of drops by sending them fake jewelry;
- “documents,” e.g. sending drops to physically pick up legal documents for new phony front companies.

The spreadsheet also included the cryptocurrency account numbers that were to be credited each month with SWAT’s earnings. Unsurprisingly, a review of the blockchain activity tied to the bitcoin addresses listed in that document shows that many of them have a deep association with cybercrime, including ransomware activity and transactions at darknet sites that peddle stolen credit cards and residential proxy services.

The information leaked from SWAT also has exposed the real-life identity and financial dealings of its principal owner — Fearlless, a.k.a. “SwatVerified.” We’ll hear more about Fearlless in Part II of this story. Stay tuned.

.US Harbors Prolific Malicious Link Shortening Service

The top-level domain for the United States — .US — is home to thousands of newly-registered domains tied to a malicious link shortening service that facilitates malware and phishing scams, new research suggests. The findings come close on the heels of a report that identified .US domains as among the most prevalent in phishing attacks over the past year.

Researchers at Infoblox say they’ve been tracking what appears to be a three-year-old link shortening service that is catering to phishers and malware purveyors. Infoblox found the domains involved are typically three to seven characters long, and hosted on bulletproof hosting providers that charge a premium to ignore any abuse or legal complaints. The short domains don’t host any content themselves, but are used to obfuscate the real address of landing pages that try to phish users or install malware.

A graphic describing the operations of a malicious link shortening service that Infoblox has dubbed “Prolific Puma.”

Infoblox says it’s unclear how the phishing and malware landing pages tied to this service are being initially promoted, although they suspect it is mainly through scams targeting people on their phones via SMS. A new report says the company mapped the contours of this link shortening service thanks in part to pseudo-random patterns in the short domains, which all appear on the surface to be a meaningless jumble of letters and numbers.

“This came to our attention because we have systems that detect registrations that use domain name generation algorithms,” said Renee Burton, head of threat intelligence at Infoblox. “We have not found any legitimate content served through their shorteners.”

Infoblox determined that until May 2023, domains ending in .info accounted for the bulk of new registrations tied to the malicious link shortening service, which Infoblox has dubbed “Prolific Puma.” Since then, they found that whoever is responsible for running the service has used .US for approximately 55 percent of the total domains created, with several dozen new malicious .US domains registered daily.

.US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce. But Uncle Sam has long outsourced the management of .US to various private companies, which have gradually allowed the United States’ top-level domain to devolve into a cesspool of phishing activity.

Or so concludes The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. As far back as 2018, Interisle found .US domains were the worst in the world for spam, botnets (attack infrastructure for DDoS etc.) and illicit or harmful content.

Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and identified approximately 30,000 .US phishing domains. Interisle found significant numbers of .US domains were registered to attack some of the United States’ most prominent companies, including Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target. Others were used to impersonate or attack U.S. government agencies.

Under NTIA regulations, domain registrars processing .US domain registrations must take certain steps (PDF) to verify that those customers actually reside in the United States, or else own organizations based in the U.S. However, if one registers a .US domain through GoDaddy — the largest domain registrar and the current administrator of the .US contract — the way one “proves” their U.S. nexus is simply by choosing from one of three pre-selected affirmative responses.

In an age when most domain registrars are automatically redacting customer information from publicly accessible registration records to avoid running afoul of European privacy laws, .US has remained something of an outlier because its charter specifies that all registration records be made public. However, Infoblox said it found more than 2,000 malicious link shortener domains ending in .US registered since October 2023 through NameSilo that have somehow subverted the transparency requirements for the usTLD and converted to private registrations.

“Through our own experience with NameSilo, it is not possible to select private registration for domains in the usTLD through their interface,” Infoblox wrote. “And yet, it was done. Of the total domains with private records, over 99% were registered with NameSilo. At this time, we are not able to explain this behavior.”

NameSilo CEO Kristaps Ronka said the company actively responds to reports about abusive domains, but that it hasn’t seen any abuse reports related to Infoblox’s findings.

“We take down hundreds to thousands of domains, lots of them proactively to combat abuse,” Ronka said. “Our current abuse rate on abuseIQ for example is currently at 0%. AbuseIQ receives reports from countless sources and we are yet to see these ‘Puma’ abuse reports.”

Experts who track domains associated with malware and phishing say even phony information supplied at registration is useful in identifying potentially malicious or phishous domains before they can be used for abuse.

For example, when it was registered through NameSilo in July 2023, the domain 1ox[.]us — like thousands of others — listed its registrant as “Leila Puma” at a street address in Poland, and the email address blackpumaoct33@ukr.net. But according to DomainTools.com, on Oct. 1, 2023 those records were redacted and hidden by NameSilo.

Infoblox notes that the username portion of the email address appears to be a reference to the song October 33 by the Black Pumas, an Austin, Texas-based psychedelic soul band. The Black Pumas aren’t exactly a household name, but they did recently have a popular YouTube video that featured a cover of the Kinks song “Strangers,” which included an emotional visual narrative about Ukrainians seeking refuge from the Russian invasion, titled “Ukraine Strangers.” Also, Leila Puma’s email address is at a Ukrainian email provider.

DomainTools shows that hundreds of other malicious domains tied to Prolific Puma previously were registered through NameCheap to a “Josef Bakhovsky” at a different street address in Poland. According to ancestry.com, the anglicized version of this surname — Bakovski — is the traditional name for someone from Bakowce, which is now known as Bakivtsi and is in Ukraine.

This possible Polish and/or Ukrainian connection may or may not tell us something about the “who” behind this link shortening service, but those details are useful for identifying and grouping these malicious short domains. However, even this meager visibility into .US registration data is now under threat.
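The two detection angles in this story, Infoblox’s flagging of short pseudo-random registrations and the DomainTools-style pivot on shared registrant data, can be combined into one triage pass over registration records. This is an added example, not Infoblox’s or DomainTools’ code: the scoring thresholds are the author’s own heuristics, and the records are constructed for the example, with only 1ox[.]us, the “Leila Puma” name, the ukr.net address and the registrar names taken from the article (the `.invalid` emails and the other domains are placeholders).

```python
"""Flag Prolific-Puma-style registrations and pivot on registrant identity."""
from collections import defaultdict

VOWELS = set("aeiou")


def looks_pseudo_random(label):
    """Heuristic for labels that read as a jumble of letters and digits.
    Mixed letters+digits, or a nearly vowel-free label, counts as pseudo-random;
    short real words (e.g. "civic") keep their vowels and have no digits."""
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    return (has_digit and has_alpha) or vowel_ratio < 0.2


def score_registration(rec):
    """Return the list of signals one registration record triggers."""
    domain = rec["domain"].replace("[.]", ".")  # accept defanged input
    label, _, tld = domain.rpartition(".")
    reasons = []
    if 3 <= len(label) <= 7:           # article: labels are three to seven characters
        reasons.append("short-label")
    if looks_pseudo_random(label):
        reasons.append("pseudo-random")
    if tld == "us":                     # article: ~55% of new registrations since May 2023
        reasons.append("ustld")
        if rec.get("private"):          # usTLD charter requires public records
            reasons.append("private-us-record")
    return reasons


def flag_registrations(records):
    """Keep records whose label looks generated and that carry at least one more signal."""
    flagged = {}
    for rec in records:
        reasons = score_registration(rec)
        if "pseudo-random" in reasons and len(reasons) >= 2:
            flagged[rec["domain"]] = reasons
    return flagged


def pivot_by_registrant(records):
    """Group domains by registrant email: one reused identity exposes the whole batch,
    even when the identity itself is fake."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["registrant_email"]].append(rec["domain"])
    return {email: sorted(domains) for email, domains in groups.items() if len(domains) > 1}


# Constructed registration records; see the lead-in for which values come from the article.
SAMPLE_RECORDS = [
    {"domain": "1ox[.]us", "registrar": "NameSilo", "registrant_name": "Leila Puma",
     "registrant_email": "blackpumaoct33@ukr.net", "private": True},
    {"domain": "k7qz[.]us", "registrar": "NameSilo", "registrant_name": "Leila Puma",
     "registrant_email": "blackpumaoct33@ukr.net", "private": True},
    {"domain": "xv2m[.]info", "registrar": "NameCheap", "registrant_name": "Josef Bakhovsky",
     "registrant_email": "jb@example.invalid", "private": False},
    {"domain": "q9wr[.]info", "registrar": "NameCheap", "registrant_name": "Josef Bakhovsky",
     "registrant_email": "jb@example.invalid", "private": False},
    {"domain": "civic[.]us", "registrar": "GoDaddy", "registrant_name": "Example Civic Group",
     "registrant_email": "hostmaster@civic.invalid", "private": False},
    {"domain": "mybakery[.]us", "registrar": "GoDaddy", "registrant_name": "Example Bakery",
     "registrant_email": "owner@bakery.invalid", "private": False},
]

if __name__ == "__main__":
    for domain, reasons in flag_registrations(SAMPLE_RECORDS).items():
        print(f"{domain}: {', '.join(reasons)}")
    for email, domains in pivot_by_registrant(SAMPLE_RECORDS).items():
        print(f"{email} -> {domains}")
```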

The NTIA recently published a proposal that would allow registrars to redact all registrant data from WHOIS registration records for .US domains. A broad array of industry groups have filed comments opposing the proposed changes, saying they threaten to remove the last vestiges of accountability for a top-level domain that is already overrun with cybercrime activity.

Infoblox’s Burton says Prolific Puma is remarkable because they’ve been able to facilitate malicious activities for years while going largely unnoticed by the security industry.

“This exposes how persistent the criminal economy can be at a supply chain level,” Burton said. “We’re always looking at the end malware or phishing page, but what we’re finding here is that there’s this middle layer of DNS threat actors persisting for years without notice.”

Infoblox’s full report on Prolific Puma is here.