
Senator says domain registration companies help spread Russian disinfo. • The Register

In short Senate Intelligence Committee Chairman Mark Warner (D-VA) wants to know why, in the wake of the takedown of a massive Russian disinformation operation, the names of six US-based domain registrars keep surfacing. Dear negligent enablers of election interference...

Warner sent letters to Namecheap, GoDaddy, Cloudflare, Newfold Digital, NameSilo and Verisign last week after the Biden administration seized 32 domains used to spread pro-Russian propaganda, many of which masquerade as well-known Western news media.

The whole thing is part of a long-running Russian disinformation campaign known as “Doppelgänger,” which uses a vast network of fake news sites, fake social media mouthpieces and other tricks to dupe gullible Americans into supporting Putin’s agenda. The campaign was exposed by Meta in 2023, and Meta’s report also figured in Warner’s reasoning.

The DOJ’s report on the seizure of those 32 domains last month included indicators that the six domain registrars named above had sold domains to Doppelgänger operators, Warner noted, adding that the Meta report highlighted multiple ways in which the domain registration industry enabled bad behavior. These include withholding registrant information from good-faith researchers, ignoring inaccuracies in registration data, failing to act on domain names that are obvious impersonation attempts, and the like.
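One of the registrar-side checks Warner and the Meta report describe, acting on domain names that obviously imitate known news brands, is cheap to automate. The script below is an added example for this article, not code from Warner’s office, Meta, or any registrar: it folds digit and Cyrillic look-alike characters, compares each label of a newly registered domain against a constructed watchlist of brand names using edit distance, and flags the near matches. The watchlist, the confusables table and the sample registrations (all under the reserved `.test` TLD) are constructed for the example.

```python
import unicodedata

# Constructed watchlist: bare brand labels a registrar or defender wants to protect.
WATCHLIST = ["bbc", "reuters", "theregister", "washingtonpost"]

# Constructed, deliberately small confusables table: digits and Cyrillic letters
# that render like Latin letters. A production check would use the full
# Unicode confusables data.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
}


def to_unicode(domain):
    """Decode punycode (xn--) labels so IDN look-alikes are compared as text."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA: compare as given


def normalize_label(label):
    """Lower-case, fold confusables, strip accents/marks and hyphens."""
    s = "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return s.replace("rn", "m").replace("vv", "w").replace("-", "")


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


WATCHLIST_NORM = {brand: normalize_label(brand) for brand in WATCHLIST}


def flag_domain(domain):
    """Return the sorted list of watch-listed brands this domain imitates.

    The first label is compared whole and token-by-token (split on '-').
    Short brands only match exactly, so 'bbq' does not trip on 'bbc';
    longer brands tolerate one or two edits.
    """
    label = to_unicode(domain.lower()).split(".")[0]
    tokens = {label, *label.split("-")}
    hits = set()
    for tok in tokens:
        norm = normalize_label(tok)
        if not norm:
            continue
        for brand, bnorm in WATCHLIST_NORM.items():
            max_dist = 0 if len(bnorm) < 6 else 1 if len(bnorm) < 10 else 2
            if bnorm in norm or levenshtein(norm, bnorm) <= max_dist:
                hits.add(brand)
    return sorted(hits)


def screen(domains):
    """Map each suspicious registration to the brands it resembles."""
    result = {}
    for d in domains:
        brands = flag_domain(d)
        if brands:
            result[d] = brands
    return result


# Constructed sample registrations, including one with a Cyrillic 'е' (U+0435).
SAMPLE_REGISTRATIONS = [
    "reuters-news.test",
    "r\u0435uters.test",
    "theregistor.test",
    "the-regi5ter.test",
    "wash1ngtonpost-breaking.test",
    "bbq.test",
    "example.test",
]

if __name__ == "__main__":
    for domain, brands in screen(SAMPLE_REGISTRATIONS).items():
        print(f"{domain!r} resembles {brands}")
```

The heuristic is deliberately strict for short brands and loose for long ones, which keeps false positives manageable; a registrar would exempt the brand owner’s own accounts and route hits to manual review rather than auto-reject.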

Warner said information in the affidavit about the domain seizure suggested that Russian disinformation agents were using known techniques that, “against the backdrop of extensive open source literature on Doppelgänger’s practices, should have alerted (the companies) to the misuse of (their) services.”

This problem isn’t new either: Warner said that abuse of domain name registration services is ongoing and that “the industry’s inattention to abuse has been well documented for years, allowing malicious activity… all made possible because malicious actors use your services.”

And then the gloves came off.

“Given your industry’s continued failure to address these abuses, I believe Congress may need to evaluate legislative solutions,” Warner threatened. “In the meantime, your companies must take immediate steps to address the continued misuse of your services for foreign covert influence.”

None of the registrars identified by Warner responded to requests for comment, except GoDaddy, which told us it has invested significant resources to address online abuse, in addition to other standard statements companies typically issue in the wake of such allegations.

Critical Vulnerabilities of the Week: A ScienceLogic CVE

You may remember that last month Rackspace’s monitoring tools were taken offline after a zero-day that, The Register learned, had been found in ScienceLogic SL1 software, but we didn’t have many details or a CVE at the time. Now we do, but the case remains mysterious.

CVE-2024-9537, with a CVSS score of 9.3, was issued for the vulnerability, but its description does not add much to our understanding.

“ScienceLogic SL1 is affected by an unspecified vulnerability involving an unspecified third-party component,” NIST noted in its description of the vulnerability.

Patches are available and fixes have been released for older versions of SL1, so be sure to patch before you become the next victim.

It’s official: Change Healthcare is the largest data breach ever in healthcare

Even though it happened in February, we still had no idea how many people were affected by the ransomware attack and data breach. Now we know: somewhere close to 100 million people, almost a third of the US population, were caught up in the incident.

That makes the Change incident the largest healthcare data breach in US history.

We knew things were going to be bad when Change’s parent company UnitedHealth said in April that there was concern the breach could involve data from “a substantial portion of the people in America,” but sheesh: in a country of about 346 million people, stealing 100 million people’s data is a lot.

The contents of the breach are also damaging: full names, email addresses, dates of birth, phone numbers and other PII were stolen, along with health information, banking details, claims data and the like.

A new, meaner Qilin variant is created

Speaking of ransomware threats targeting the healthcare sector, Qilin, the group behind the attack on NHS systems in Great Britain this summer, is back with a new version of the ransomware of the same name.

The new Qilin.B variant, says ransomware defense company Halcyon, was recently spotted in the wild with improved encryption capabilities and an extra layer of protection on the keys to prevent decryption by anyone other than a paying victim.

Halcyon noted that Qilin.B now supports AES-256-CTR on AES-NI-capable systems, while still retaining ChaCha20 for other victims, and now also uses RSA-4096 encryption with OAEP padding, “making file decryption impossible without the attacker’s private key or captured seed values.”

Of course, the same defense evasion, backup disruption, process termination, and other tricks that the older version of Qilin had are all still present, making this a nasty piece of work. As we noted in our previous coverage of Qilin’s activities, the supposedly Russian group relied on zero-day vulnerabilities to break into NHS systems, a common technique.

In other words, consider this your weekly reminder to patch your systems.

Maalox for Mallox: Decryptor now available for early variants

A coding flaw in the Mallox ransomware variant, also known as Fargo, has allowed Avast researchers to develop a free decryptor, with one catch: it only works for victims hit before March 2024.

In a blog post from Avast parent company Gen Digital, researchers said they found the cryptographic flaw in a version of Mallox circulating between January 2023 and February 2024, so anyone affected by the ransomware between those dates should be able to decrypt their data using the tool.

64-bit and 32-bit versions are available in the blog post linked above. This is Avast’s second decryption tool for the Mallox family.

“The Mallox ransomware was previously called TargetCompany ransomware, for which Avast released a decryptor in January 2022,” the company said. “Since then, the cryptographic scheme has evolved (but) the authors have made new mistakes.”

Hopefully they have created others so more decryptors will follow.

Investigation into Genesis Market leads to charges against suspected cybercriminal

The FBI continues to comb through the stolen data it recovered from Genesis Market when it shut the marketplace down last year, and its continued digging has produced an indictment against an allegedly corrupt cop.

Terrance Michael Ciszek, a detective with the Buffalo Police Department, was indicted last week for allegedly purchasing nearly 200 sets of stolen credentials between March and July 2020 and then lying about it to the FBI when they investigated the case. During the same period, he is also said to have been active on UniCC, a dark website used to exchange stolen credit card information.

Ciszek even made the genius move of recording a video telling other cybercriminals “how he anonymized his identity on the Internet while buying stolen credit cards,” while praising UniCC’s offering. Anyone who took his advice, presumably given under the pseudonym “DrMonster” under which the FBI accused him of operating, should reconsider its effectiveness.

The Buffalo police told The Register that Ciszek has been suspended without pay.

Ciszek reportedly denied purchasing stolen credentials when questioned by the FBI, instead trying to pin the blame on his cousin – sounds like a great guy. ®