A massive cybercrime URL shortening service known as "Prolific Puma" has been uncovered by security researchers at Infoblox. The service has been used to deliver phishing attacks, scams, and malware for at least four years, and has registered thousands of domains in the U.S. top-level domain (usTLD) to facilitate its activities.
Prolific Puma works by shortening malicious URLs into shorter, more memorable links that are easier to click on. These shortened links are then distributed via email, social media, and other channels to unsuspecting victims. When a victim clicks on a shortened link, they are redirected to the malicious website.
Security researchers were able to track Prolific Puma's activity by analyzing DNS data. DNS is a system that translates domain names into IP addresses, which are the numerical addresses of websites and other devices on the internet. By analyzing DNS data, researchers were able to identify the thousands of domains that Prolific Puma was using to deliver its malicious links.
Prolific Puma's use of the usTLD is particularly noteworthy. The usTLD is one of the most trusted TLDs in the world, and many people do not suspect that a link with a usTLD domain could be malicious. This makes Prolific Puma's shortened links particularly effective at deceiving victims.
The discovery of Prolific Puma is a reminder of the importance of being vigilant when clicking on links, even if they come from seemingly trusted sources. It is also a reminder that cybercriminals are constantly developing new and sophisticated ways to attack their victims.
Here are some tips for staying safe from Prolific Puma and other malicious URL shortening services:
The security researchers who discovered Prolific Puma have contacted the United States Computer Emergency Readiness Team (US-CERT) and the Department of Homeland Security (DHS) about the service. Both agencies are working to take down Prolific Puma's infrastructure and prevent it from being used to launch further attacks.
Prolific Puma is not the first malicious URL-shortening service to be discovered. In recent years, there have been a number of other high-profile cases of cybercriminals using URL shortening services to deliver malware and phishing attacks.
The discovery of Prolific Puma is a reminder that URL shortening services can be abused for malicious purposes. Users should be cautious when clicking on shortened links, and should take steps to protect themselves from malware and phishing attacks.
Despite the fact that a patch has been available for three weeks, ransomware hackers are exploiting a vulnerability that allows attackers to bypass multifactor authentication and access enterprise networks using Citrix hardware.
CVE-2023-4966, which exists in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway, has been actively exploited since August. The vulnerability has a severity rating of 9.4 out of a possible 10, which is quite high for a simple information-disclosure fault.
According to some estimates, 20,000 smartphones have already been compromised. The reason for this is that the information released may contain session tokens, which are assigned by the hardware to devices that have previously successfully provided credentials, including those delivering MFA
Attacks have just lately increased, forcing security researcher Kevin Beaumont to write on Saturday, "This vulnerability is now under mass exploitation." He went on to describe the situation as follows: "From talking to multiple organizations, they are seeing widespread exploitation."
He stated that as of Saturday, he has discovered an estimated 20,000 instances of compromised Citrix machines with stolen session tokens. He stated that his estimate was based on establishing a honeypot of servers disguised as susceptible Netscaler devices to track opportunistic Internet attacks. Beaumont then compared the results to other data sources, such as Netflow and the Shodan search engine.
Meanwhile, GreyNoise, a security firm that also uses honeypots, was reporting CVE-2023-4966 attacks coming from 135 IP addresses. This is a 27-fold rise from the five IPs discovered by GreyNoise five days earlier.
According to the most recent data from security firm Shadowserver, there were approximately 5,500 unpatched machines. Beaumont has admitted that the amount contradicts his previous estimate of 20,000 affected devices. It's unclear what was causing the disparity.
The vulnerability is reasonably simple to exploit for experienced users. A simple reverse-engineering of the Citrix patch reveals the vulnerable methods, and it's not difficult to develop code that exploits them from there. A number of proof-of-concept exploits are available online, making attacks considerably easier.
Atlassian has confirmed that malicious actors are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134, designed to install web shells with no fix available at this time.