
The senator claims that domain registration companies help spread disinformation in Russia • Registry

In brief: Senate Intelligence Committee Chairman Mark Warner (D-VA) is demanding an explanation as to why, in the wake of the exposure of a massive Russian internet disinformation operation, six U.S. domain registrars keep turning up as, at best, negligent facilitators of election interference.

Warner sent letters to NameCheap, GoDaddy, Cloudflare, NewFold Digital, NameSilo and Verisign last week, following the Biden administration’s decision to seize 32 domains used to spread pro-Russian propaganda, many of which impersonated well-known Western news outlets.

The seizures are part of a long-running Russian disinformation campaign known as “Doppelgänger,” which uses a vast network of fake news sites, fake social media personas and other tricks to deceive gullible Americans into supporting Putin’s agenda. Meta exposed the operation in 2023 in a report that also informed Warner’s reasoning.

Warner noted that the Justice Department’s report on the seizure of these 32 domains last month included indicators that the six registrars mentioned above had sold domains to Doppelgänger operators, adding that Meta’s report highlighted the many ways in which the domain registration industry has enabled bad behavior. These include withholding registration information from bona fide researchers, ignoring inaccuracies in registration data, neglecting domain names that are clearly squatting attempts, and the like.

Warner said the information contained in the domain seizure announcement suggested that Russian disinformation agents were using well-known techniques that “in the context of the extensive open source literature on Doppelgänger practices should have alerted (companies) to the abuse of (their) services.”

This problem isn’t new either: Warner said that abuse of domain name registration services is ongoing and that “the industry’s inattention to abuse has been well documented for years, allowing malicious activity… and all of this is made possible by malicious actors using your services.”

And then the gloves came off.

“Given your industry’s continued failure to address these abuses, I believe Congress may need to evaluate legislative remedies,” Warner threatened. “In the meantime, your company(s) must take immediate steps to address the continued misuse of your services to obtain covert foreign influence.”

None of the registrars named by Warner responded to requests for comment, except for GoDaddy, which told us it has invested significant resources in fighting online abuse, as well as other standard statements companies typically issue after such allegations.

Critical vulnerabilities of the week: ScienceLogic gets a CVE

You may recall that last month Rackspace’s monitoring tools were taken offline after, as The Register learned, a zero-day was found in ScienceLogic SL1, but we didn’t have much detail or a CVE at the time. Now we do, although the matter still remains mysterious.

CVE-2024-9537, with a CVSS rating of 9.3, has been assigned to this vulnerability, but the description doesn’t tell us much.

“ScienceLogic SL1 is affected by an unspecified vulnerability involving an unspecified third-party component,” NIST noted in its description of the vulnerability.

Patches are available and fixes have been released for older versions of SL1, so install the patch before you become the next victim.

It’s official: Change Healthcare is the largest healthcare data breach in history

Even though it happened in February, we still had no idea how many people were affected by the ransomware attack and data breach – but now we know: somewhere around 100 million people were affected by this incident, almost one-third of the US population.

This makes the Change incident the largest healthcare data breach in US history.

We knew it was going to be bad when Change’s parent company, UnitedHealth, said in April that there was concern the breach might affect data relating to “a significant portion of people in America,” but still: in a country of about 346 million people, having 100 million records stolen is a lot.

The contents of the breach are also damning, because they include full names, email addresses, dates of birth, phone numbers and other personally identifiable information stolen along with health information, banking details, claims records and the like.

A new, nastier variant of Qilin appears

Speaking of ransomware threats targeting the healthcare industry, the group behind the attack on NHS systems in the UK this summer has returned with a new version of its eponymous ransomware.

The new Qilin.B variant, claims Halcyon, an anti-ransomware company, has recently been spotted in the wild with improved encryption capabilities and an additional layer of key protection to prevent decryption by anyone other than a paying victim.

Halcyon noted that Qilin.B now supports AES-256-CTR for systems with AES-NI capabilities while retaining ChaCha20 for other victims, and also now uses RSA-4096 with OAEP padding, “making file decryption without the private key or an intercepted seed value impossible.”

Of course, the same methods of evading defenses, disrupting backups, terminating processes, and other tricks that the older version of Qilin used are still present, which makes it a nasty piece of work. As we’ve seen in previous coverage of Qilin’s activities, the Russian group is alleged to have exploited zero-day vulnerabilities to breach NHS systems, a common technique.

In other words, think of it as a weekly reminder to patch your systems.

Maalox for Mallox: Decryptor is now available for early variants

A cryptographic flaw in a variant of the Mallox ransomware, also known as Fargo, has allowed Avast researchers to develop a free decryption tool, with one catch: it only works for victims hit before March 2024.

In a blog post from Avast’s parent company, Gen Digital, researchers said that they discovered a cryptographic vulnerability in a version of Mallox circulating between January 2023 and February 2024, so anyone hit by the ransomware during this period should be able to decrypt their data using the tool.

64-bit and 32-bit versions are available in the blog post linked above. This is Avast’s second decryption tool for the Mallox family.

“Mallox ransomware was previously called TargetCompany ransomware, for which Avast released a decryption tool in January 2022,” the company said. “Since then, the cryptographic scheme has evolved (but) the authors have made new mistakes.”

Here’s hoping they have made others, so more decryptors will appear.

The Genesis Market investigation leads to an indictment against a police officer suspected of cybercrime

The feds continue to sift through information recovered from the Genesis Market stolen-credential bazaar after shutting it down last year, and their digging has led to the indictment of an allegedly crooked police officer.

Terrance Michael Ciszek, a detective with the Buffalo Police Department, was indicted last week for allegedly purchasing nearly 200 sets of stolen credentials between March and July 2020 and then lying to the FBI about it during its investigation. During the same period, he was also allegedly active on UniCC, a dark web site used to trade stolen credit card information.

Ciszek even made the brilliant move of recording a video in which he tells other cybercriminals “how he anonymized his identity online while purchasing stolen credit cards,” while praising UniCC’s wares. Anyone who took his advice, probably given under the pseudonym “DrMonster” that the FBI accuses him of operating, should reconsider its effectiveness.

Buffalo police told The Register that Ciszek has been suspended without pay.

Ciszek reportedly denied purchasing the stolen credentials when questioned by the FBI and instead tried to shift the blame to his nephew – he seems like a really great guy. ®