Senator accuses sloppy domain registrars of aiding Russian disinfo campaigns

Also, Change Healthcare sets a record, cybercrime cop suspect indicted, a new Mallox decryptor, and more

The Register

in brief Senate intelligence committee chair Mark Warner (D-VA) is demanding to know why, in the wake of the bust-up of a massive online Russian disinformation operation, the names of six US-based domain registrars seem to keep popping up as, at best, negligent facilitators of election meddling. 

Warner sent letters to NameCheap, GoDaddy, Cloudflare, Newfold Digital, NameSilo, and Verisign last week following the Biden administration's seizure of 32 domains used to spread pro-Russian propaganda, many masquerading as well-known Western news outlets. 

The seizures are part of a long-running Russian disinformation campaign known as "Doppelgänger," which makes use of a huge network of fake news sites, phony social media mouthpieces, and other tricks to fool gullible Americans into supporting Putin's agenda. The campaign was highlighted by Meta in 2023, in a report that also fed into Warner's reasoning.

The DOJ's report on seizing those 32 domains last month included indicators that the six aforementioned domain registrars had sold domains to Doppelgänger operators, Warner noted, adding that the Meta report highlighted multiple ways in which the domain registration industry has enabled this behavior. These include withholding registration information from good-faith researchers, ignoring inaccuracies in registration information, failing to act on domain names that are clear squatting attempts, and the like.

Warner said that information in the domain seizure affidavit suggested that Russian disinformation agents were using well-known techniques that, "against the backdrop of extensive open source literature on Doppelgänger's practices, should have alerted [the companies] to abuse of [their] services." 

This problem isn't new, either: Warner said abuse of domain name registration services is ongoing and "the industry's inattention to abuse has been well-documented for years, enabling malicious activity … all possible because of malicious actors using your services." 

And then the gloves came off.

"Given the continued lapses of your industry to address these abuses, I believe Congress may need to evaluate legislative remedies," Warner threatened. "In the interim, your compan[ies] must take immediate steps to address the continued abuse of your services for foreign covert influence."

None of the registrars Warner identified responded to requests for comment, except GoDaddy, which told us that it has invested significant resources to address online abuse, among other boilerplate statements companies typically issue after such allegations. 


Critical vulnerabilities of the week: A ScienceLogic CVE

You may recall that last month RackSpace monitoring tools were taken offline after being hit by a zero-day that The Register learned was in ScienceLogic SL1 software, but we didn't have many details at the time, or a CVE. Now we do, but the matter is still mysterious. 

CVE-2024-9537, with a CVSS score of 9.3, was issued for the vulnerability, but the explanation doesn't lend much to our understanding. 

"ScienceLogic SL1 is affected by an unspecified vulnerability involving an unspecified third-party component," NIST noted in its description of the vulnerability. 

Patches are available, and remediations were issued for older versions of SL1, so get patching before you become the next victim.


It's official: Change Healthcare is the largest-ever healthcare data breach

Although the attack happened in February, until now we had no idea how many people were affected by the ransomware attack and data breach. Now we know: Somewhere in the neighborhood of 100 million people were caught up in the incident, nearly a third of the US population. 

That makes the Change incident the largest healthcare data breach in US history.

We knew it was going to be bad when in April, Change's parent company UnitedHealth said it was worried the breach could involve records on "a substantial proportion of people in America," but sheesh: In a nation of around 346 million people, 100 million records being stolen is a lot. 

The contents of the breach are damning too, with full names, email addresses, dates of birth, phone numbers, and other PII stolen alongside health information, banking data, claims records, and the like.

New, nastier Qilin variant emerges

Speaking of ransomware threats targeting the healthcare industry, the group behind the attack on NHS systems in the UK over the summer is back with a new version of its eponymous ransomware. 

The new Qilin.B variant, says ransomware defense company Halcyon, was recently spotted in the wild with enhanced encryption capabilities and an extra layer of defense on its keys to prevent decryption by anyone but a paying victim. 

Halcyon noted that Qilin.B now supports AES-256-CTR for systems with AES-NI capabilities, while still retaining ChaCha20 for other victims, and also now uses RSA-4096 with OAEP padding, "making file decryption without the attacker's private key or captured seed values impossible." 

Of course, the same defense evasion, backup disruption, process termination and other tricks the older version of Qilin had are all still there, making this one nasty piece of work. As we noted in our earlier coverage of Qilin's activities, the allegedly Russian group relied on zero-day vulnerabilities to break into NHS systems, a common technique. 

In other words, consider this your weekly reminder to patch your systems.

Maalox for Mallox: Decryptor now available for early variants

An encryption flaw in the Mallox ransomware variant, also known as Fargo, has allowed Avast researchers to develop a free decryptor with a catch: It'll only work for victims hit before March 2024. 

In a blog post from Avast parent company Gen Digital, researchers said that they found the cryptographic flaw in a version of Mallox circulating between January 2023 and February 2024, so anyone hit by the ransomware between those dates should be able to decrypt their data using the tool.

64-bit and 32-bit versions are available in the blog post linked above. This is Avast's second decryption tool for the Mallox family.

"The Mallox ransomware was previously called TargetCompany ransomware, which Avast released a decryptor for in January of 2022," the company said. "Since then, the cryptographic schema has been evolving [but] the authors made new mistakes."

Hopefully they made others so more decryptors will follow.

Genesis Market probe leads to indictment of cybercriminal cop suspect

The feds continue to pore over info recovered from stolen data souk Genesis Market after shutting it down last year, and their continued digging has led to the indictment of an allegedly crooked cop.

Terrance Michael Ciszek, a detective with the Buffalo Police Department, was indicted last week for reportedly buying nearly 200 sets of stolen credentials between March and July 2020, and then lying to the FBI about it when they investigated the matter. During the same period, he was also allegedly active on UniCC, a dark web site used to swap stolen credit card data. 

Ciszek even made the genius move of recording a video telling other cybercriminals "how he anonymized his identity on the internet while purchasing stolen credit cards" while praising UniCC's offerings. Anyone who took his advice, presumably delivered using the "DrMonster" pseudonym the FBI accused him of operating under, ought to reconsider its effectiveness. 

Buffalo Police Department told The Register that Ciszek was suspended without pay.

Ciszek reportedly denied purchasing stolen credentials when questioned by the FBI, instead trying to shift blame to his nephew - sounds like an all-around great guy. ®