
Posts on Security, Cloud, DevOps, Citrix, VMware and others. Words and views are my own and do not reflect on my companies views. Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.
The latest episode of the Transatlantic Cable podcast kicks off with news that hackers are paying to gain access to hotel booking[.]com portals. The hack is apparently so lucrative, they’re now advertising for access on the dark web. Additionally, the team discuss new content restriction laws being discussed in the U.K., with news that photo ID may be required to access certain sites.
Additionally, this week the team sat down with Vidit Gujrathi, Chess grandmaster and Maher Yamout, Lead Security Researcher at Kaspersky to talk about Chess, cyber-security and how the two are more connected than you might think.
Ransomware attacks have become a significant and pervasive threat in the ever-evolving realm of cybersecurity. Among the various iterations of ransomware, one trend that has gained prominence is Ransomware-as-a-Service (RaaS). This alarming development has transformed the cybercrime landscape, enabling individuals with limited technical expertise to carry out devastating attacks.
Traditionally, ransomware refers to a type of malware that encrypts the victim's files, effectively blocking access to data and applications until a ransom is paid to the attacker. However, more contemporary attackers often employ an additional strategy. The bad actors create copies of the compromised data and leverage the threat of publishing sensitive information online unless their demands for ransom are met. This dual approach adds an extra layer of complexity and potential harm to the victims.
RaaS is the latest business model in the world of ransomware. Similar to other "as-a-service" offerings, inexperienced hackers can now take advantage of on-demand tools for malicious activities. Instead of creating and deploying their own ransomware, they are given the option to pay a fee, select a target, and launch an attack using specialized tools provided by a service provider.
This model significantly reduces the time and cost required to execute a ransomware attack, especially when identifying new targets. In fact, a recent survey revealed that the average timeframe between a ransomware attacker breaching a network and encrypting files has dropped below 24 hours for the first time.
The RaaS model also fosters economies of scale, as service providers are motivated to develop new strains that can bypass security defenses. Broja Rodriguez, Threat Hunting Team Lead at Outpost24, highlights that having multiple customers actually aids ransomware creators in marketing their tools.
"[The customers] propagate a specifically named ransomware across numerous machines, creating a sense of urgency for victims to pay. When victims research the ransomware and find multiple reports about it, they are more inclined to comply with the ransom demands. It's akin to a branding strategy in the criminal world."
The customer base also means the ransomware creators can get more detailed feedback about which techniques work best in different scenarios. They get real-time intelligence on how well cybersecurity tools are adapting to new strains, and where vulnerabilities remain unplugged.
Despite its illicit nature, RaaS operates similarly to legitimate businesses. Customers, commonly referred to as "affiliates," have various payment options, including flat fees, subscriptions, or a percentage of the revenue. In some cases, providers even offer to manage the ransom collection process, typically utilizing untraceable cryptocurrencies, effectively serving as payment processors.
It's also a highly competitive market, with user feedback on "dark web" forums. As Broja Rodriguez explains, customers aren't loyal, and the competition drives up quality (which is bad news for victims). If a service disappoints:
"[Customers] won't hesitate to give a try to another RaaS group. Having multiple affiliations broadens their options and enhances their chances of profiting from their cybercriminal activities. Being that all the affiliates are searching for the best group, competitiveness between RaaS groups can increase. A small failure of your malware not executing on a victim can make you lose affiliates, and they will move to other groups with more name recognition or, at least, to those where their malware executes."
There are numerous recommendations for defending against ransomware that emphasize the importance of business continuity. These include maintaining reliable backups and implementing effective disaster recovery plans to minimize the impact of a successful attack. While these measures are undoubtedly valuable, it is crucial to note that they do not directly address the risk of data exposure.
To effectively mitigate ransomware attacks, it is crucial to proactively identify and address security vulnerabilities. Leveraging penetration testing and red teaming methodologies can significantly enhance your defense. For a continuous and comprehensive approach, especially for dynamic attack surfaces like web applications, partnering with a pen testing as a service (PTaaS) provider is highly recommended. Outpost24's PTaaS offers real-time insights, continuous monitoring, and expert validation, ensuring the security of your web applications at scale.
Information is a critical asset in the fight against ransomware, and Cyber Threat Intelligence plays a pivotal role. Outpost24's Threat Compass offers a modular approach, enabling the detection and analysis of threats tailored to your organization's infrastructure. With access to up-to-date threat intelligence and actionable context, your security team can respond swiftly and effectively, bolstering your defenses against ransomware attacks.
Ransomware attacks have grown increasingly sophisticated, resulting in more powerful, targeted, and agile threats. To effectively defend against this evolving menace, it is crucial to utilize targeted tools fueled by the latest intelligence. Contact Outpost24 to assist you in taking the necessary steps to safeguard your organization's security.
Dec 08, 2023 | Newsroom | Endpoint Security / Malware
Unauthorized websites distributing trojanized versions of cracked software have been found to infect Apple macOS users with a new Trojan-Proxy malware.
"Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods," Kaspersky security researcher Sergey Puzan said.
The Russian cybersecurity firm said it found evidence indicating that the malware is a cross-platform threat, owing to artifacts unearthed for Windows and Android that piggybacked on pirated tools.
The macOS variants propagate under the guise of legitimate multimedia, image editing, data recovery, and productivity tools. This suggests that users searching for pirated software are the targets of the campaign.
Unlike their genuine, unaltered counterparts, which are offered as disk image (.DMG) files, the rogue versions are delivered in the form of .PKG installers, which come equipped with a post-install script that activates the malicious behavior post installation.
"As an installer often requests administrator permissions to function, the script run by the installer process inherits those," Puzan noted.
The end goal of the campaign is to launch the Trojan-Proxy, which masks itself as the WindowServer process on macOS to evade detection. WindowServer is a core system process responsible for window management and rendering the graphical user interface (GUI) of applications.
Upon start, it attempts to obtain the IP address of the command-and-control (C2) server to connect to via DNS-over-HTTPS (DoH) by encrypting the DNS requests and responses using the HTTPS protocol.
Trojan-Proxy subsequently establishes contact with the C2 server and awaits further instructions, including processing incoming messages to parse the IP address to connect to, the protocol to use, and the message to send, signaling its ability to act as a proxy via TCP or UDP to redirect traffic through the infected host.
Kaspersky said it found samples of the malware uploaded to the VirusTotal scanning engine as early as April 28, 2023. To mitigate such threats, users are recommended to avoid downloading software from untrusted sources.
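As an added example (not from Kaspersky's report or the original article), the following Python check flags processes that use the WindowServer name from outside Apple's system tree, which is the masquerade described above. It assumes the genuine binary runs from under /System/Library/ and that the input has the shape of `ps -axo pid=,user=,comm=` output on macOS; the sample lines and paths are constructed.

```python
import posixpath
from dataclasses import dataclass

# Assumption (not stated in the article): the genuine WindowServer binary
# runs from Apple's read-only system tree.
TRUSTED_PREFIX = "/System/Library/"
PROTECTED_NAME = "windowserver"

# Constructed sample in the shape of `ps -axo pid=,user=,comm=` on macOS.
SAMPLE_PS = """\
  142 _windowserver /System/Library/PrivateFrameworks/SkyLight.framework/Resources/WindowServer
  611 root /Users/Shared/example dir/WindowServer
  702 alice /Applications/Safari.app/Contents/MacOS/Safari
  733 root /private/tmp/../tmp/windowserver
  801 root /System/Library/../../Users/Shared/WindowServer
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    path: str


def parse_ps(text):
    """Yield (pid, user, path) tuples; the path may contain spaces."""
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2].strip()


def find_masquerades(text):
    """Return processes named WindowServer that run outside the trusted tree."""
    findings = []
    for pid, user, raw_path in parse_ps(text):
        # Collapse "../" so a path cannot merely start with the trusted prefix.
        path = posixpath.normpath(raw_path)
        # The default macOS file system is case-insensitive, so compare folded.
        if posixpath.basename(path).casefold() != PROTECTED_NAME:
            continue
        if path.startswith(TRUSTED_PREFIX):
            continue
        findings.append(Finding(pid, user, path))
    return findings


if __name__ == "__main__":
    for f in find_masquerades(SAMPLE_PS):
        print(f"pid={f.pid} user={f.user} path={f.path}")
```

A hit is a lead for triage (check the binary's code signature and how it was installed), not proof of infection.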
Dec 08, 2023 | Newsroom | Vulnerability / Website Security
WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites.
"A remote code execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations," WordPress said.
According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class that was introduced in version 6.4 to improve HTML parsing in the block editor.
A threat actor with the ability to exploit a PHP object injection vulnerability present in any other plugin or theme could chain the two issues to execute arbitrary code and seize control of the targeted site.
"If a POP [property-oriented programming] chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code," Wordfence noted previously in September 2023.
In a similar advisory released by Patchstack, the company said an exploitation chain has been made available on GitHub as of November 17 and added to the PHP Generic Gadget Chains (PHPGGC) project. It's recommended that users manually check their sites to ensure that they are updated to the latest version.
"If you are a developer and any of your projects contain function calls to the unserialize function, we highly recommend you swap this with something else, such as JSON encoding/decoding using the json_encode and json_decode PHP functions," Patchstack CTO Dave Jong said.
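One way to carry out both recommendations above on a site's files, as an added example that is not code from WordPress, Wordfence or Patchstack: it reads the core version from `wp-includes/version.php` and lists plain `unserialize(` calls under `wp-content`. The affected range (6.4 up to, but not including, 6.4.2) is taken from the article; the sample tree, the `example-plugin` and `example-theme` names, and the single-line `allowed_classes` heuristic are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"](\d+(?:\.\d+)*)""")
# Plain unserialize( calls only: not maybe_unserialize(, ->unserialize(,
# ::unserialize( or a "function unserialize(" definition.
CALL_RE = re.compile(r"(?<![\w>:$])(?<!function\s)unserialize\s*\(")
FIRST_AFFECTED = (6, 4, 0)  # WP_HTML_Token was introduced in 6.4 (article)
FIRST_FIXED = (6, 4, 2)     # release carrying the patch (article)


def core_version(site_root):
    """Return the core version as a 3-tuple, or None if it cannot be read."""
    version_file = Path(site_root) / "wp-includes" / "version.php"
    try:
        match = VERSION_RE.search(version_file.read_text(errors="replace"))
    except OSError:
        return None
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def core_status(version):
    """Classify a core version against the range the article describes."""
    if version is None:
        return "unknown"
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        return "affected"
    return "not affected"


def find_unserialize_calls(site_root):
    """Return (relative path, line number, passes allowed_classes) tuples."""
    findings = []
    for php in sorted((Path(site_root) / "wp-content").rglob("*.php")):
        lines = php.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            code = line.strip()
            if code.startswith(("//", "#", "*", "/*")):
                continue  # skip comment lines
            if CALL_RE.search(code):
                # Heuristic: only sees the option when it is on the same line.
                restricted = "allowed_classes" in code
                rel = php.relative_to(site_root).as_posix()
                findings.append((rel, lineno, restricted))
    return findings


def build_sample_site(root):
    """Write a small constructed WordPress-like tree for the demonstration."""
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '6.4.1';\n",
        "wp-content/plugins/example-plugin/import.php": (
            "<?php\n"
            "// unserialize() of request data happens below\n"
            "$prefs = unserialize($_COOKIE['prefs']);\n"
            "$cache = unserialize($blob, ['allowed_classes' => false]);\n"
            "$row = maybe_unserialize($value);\n"
            "$obj->unserialize($payload);\n"
        ),
        "wp-content/themes/example-theme/functions.php": (
            "<?php\n$opts = json_decode($raw, true);\n"
        ),
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        version = core_version(tmp)
        print("core:", version, core_status(version))
        for path, lineno, restricted in find_unserialize_calls(tmp):
            flag = "yes" if restricted else "no"
            print(f"{path}:{lineno} allowed_classes={flag}")
```

Each reported call site is a place to review whether the input can be attacker-controlled and whether JSON would do the job instead.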
Dec 08, 2023 | The Hacker News | Cryptocurrency / Cyber Crime
The Russian founder of the now-defunct Bitzlato cryptocurrency exchange has pleaded guilty, nearly 11 months after he was arrested in Miami earlier this year.
Anatoly Legkodymov (aka Anatolii Legkodymov, Gandalf, and Tolik), according to the U.S. Justice Department, admitted to operating an unlicensed money-transmitting business that enabled other criminal actors to launder their illicit proceeds. He faces up to five years in prison.
"Legkodymov operated a cryptocurrency exchange that was open for business to money launderers and other criminals," said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department's Criminal Division.
"He profited from catering to criminals, and now he must pay the price. Transacting in cryptocurrency does not put you beyond the reach of the law."
Bitzlato, which served as a safe haven for fraudsters and ransomware crews such as Conti, is estimated to have received $2.5 billion in cryptocurrency between 2019 and 2023, more than half of which originated from illegal and risky sources.
Prior to its takedown by law enforcement, the Hong Kong-registered exchange also drew attention for its lax know-your-customer (KYC) procedures and marketed itself as a platform that required only minimal identifying information from its users. Some of its users are believed to have registered accounts using stolen identity documents.
The Justice Department also singled out the Hydra darknet marketplace as Bitzlato's largest counterparty in cryptocurrency transactions, with the former's users exchanging no less than $700 million worth of digital assets with the exchange.
Hydra was the world's largest and longest-running dark web marketplace for narcotics, stolen financial information, fraudulent identification documents, and money laundering services. It was dismantled by German and U.S. authorities in April 2022.
"Legkodymov's guilty plea today confirms that he was well aware that Bitzlato, his cryptocurrency exchange, was being used like an open turnstile by criminals eager to take advantage of his lax controls over illicit money transactions," said U.S. Attorney Breon Peace for the Eastern District of New York.
Netgate® announces the release of pfSense® Plus software version 23.09.1 and pfSense® CE software version 2.7.2. These upgrades address potential ZFS file system corruption issues as well as other security bugs and issues.
These releases have changes related to three ZFS file system issues, two of which could lead to data corruption. The first is related to block cloning, a ZFS feature that is not currently enabled in pfSense software. The second, as detailed in this FreeBSD Errata Notice, is related to reporting holes in sparse files, which is difficult to trigger given typical usage on a system loaded with pfSense software. However, given other data corruption problems reported in the same area in the past, we have included a change to address the issue. This fix may result in a small increase in storage space used. These releases also correct a third ZFS issue that can cause high CPU usage. Details for this issue are available in this FreeBSD Errata Notice.
In addition to these fixes for ZFS, these releases also:
Detailed Release Notes are available for pfSense Plus version 23.09.1 and pfSense CE version 2.7.2.
Netgate has a detailed Upgrade Guide available in the pfSense documentation to help explain the process. Below are the high-level steps to perform the upgrade.
Upgrades from an earlier version of pfSense Plus software or pfSense CE software are usually made through the web user interface. It’s always recommended to save a backup of the pfSense configuration prior to any major change such as an upgrade. You can find Backup and Recovery instructions in the pfSense Documentation.
These pfSense software releases have been tested and are ready for use. Should any issues arise, please post to our Forum, or (for pfSense Plus software) please contact Netgate Technical Assistance Center (TAC) for paid support.
When you purchase Netgate hardware, TAC, or AWS/Azure cloud instances, you directly sustain the engineering teams responsible for maintaining high quality pfSense software.
Our efforts are made possible by the support of our customers and the community, and for that we express our sincere gratitude and appreciation.
Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian state-sponsored actor we track as Star Blizzard (formerly SEABORGIUM, also known as COLDRIVER and Callisto Group). Star Blizzard has improved their detection evasion capabilities since 2022 while remaining focused on email credential theft against the same targets. Star Blizzard, whose activities we assess to have historically supported both espionage and cyber influence objectives, continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests. Microsoft continues to refine and deploy protections against Star Blizzard’s evolving spear-phishing tactics.
Microsoft is grateful for the collaboration on investigating Star Blizzard compromises with the international cybersecurity community, including our partners at the UK National Cyber Security Centre, the US National Security Agency Cybersecurity Collaboration Center, and the US Federal Bureau of Investigation.
This blog provides updated technical information about Star Blizzard tactics, techniques, and procedures (TTPs), building on our 2022 blog as the actor continues to refine their tradecraft to evade detection. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.
Based on our analysis of the actor’s TTPs since our previous blog in 2022, Star Blizzard has evolved to focus on improving its detection evasion capabilities. Microsoft has identified five new Star Blizzard evasive techniques:
Beginning in April 2023, we observed Star Blizzard gradually move away from using hCaptcha servers as the sole initial filter to prevent automatic scanning of their Evilginx server infrastructure. Redirection was still performed by an actor-controlled server, now first executing JavaScript code (titled “Collect and Send User Data”) before redirecting the browsing session to the Evilginx server.
Shortly after, in May 2023, the threat actor was observed refining the JavaScript code, resulting in an updated version (titled “Docs”), which is still in use today.
This capability collects various information from the browser performing the browsing session to the redirector server.
The code contains three main functions:
Following the POST request, the redirector server assesses the data collected from the browser and decides whether to allow continued browser redirection.
When a good verdict is reached, the browser receives a response from the redirection server, redirecting to the next stage of the chain, which is either an hCaptcha for the user to solve, or direct to the Evilginx server.
A bad verdict results in the receipt of an HTTP error response and no further redirection.
We have observed Star Blizzard using two different services, HubSpot and MailerLite. The actor uses these services to create an email campaign, which provides them with a dedicated subdomain on the service that is then used to create URLs. These URLs act as the entry point to a redirection chain ending at actor-controlled Evilginx server infrastructure. The services can also provide the user with a dedicated email address per configured email campaign, which the threat actor has been seen to use as the “From” address in their campaigns.
Most Star Blizzard HubSpot email campaigns have targeted multiple academic institutions, think tanks, and other research organizations using a common theme, aimed at obtaining their credentials for a US grants management portal. We assess that this use-case of the HubSpot mailing platform was to allow the threat actor to track large numbers of identical messages sent to multiple recipients. Note the “Reply-to” address in these emails, which the HubSpot platform requires to be an actual in-use account. All the sender accounts in the following examples are dedicated threat actor-controlled accounts.
Other HubSpot campaigns have been observed using the campaign URL embedded in an attached PDF lure or directly in the email body to perform redirection to actor-controlled Evilginx server infrastructure configured for email account credential theft. We assess that in these cases, the HubSpot platform was used to remove the need for including actor-controlled domain infrastructure in the spear-phishing emails and better evade detection based on indicators of compromise (IOC).
Star Blizzard’s use of the MailerLite platform is similar to the second HubSpot tactic described above, with the observed campaign URL redirecting to actor-controlled infrastructure purposed for email credential theft.
In December 2022, we began to observe Star Blizzard first using a domain name service (DNS) provider that also acts as a reverse proxy server to resolve actor-registered domain infrastructure. As of May 2023, most Star Blizzard registered domains associated with their redirector servers use a DNS provider to obscure the resolving IP addresses allocated to their dedicated VPS infrastructure.
We have yet to observe Star Blizzard utilizing a DNS provider to resolve domains used on Evilginx servers.
Star Blizzard has been observed sending password-protected PDF lures in an attempt to evade email security processes implemented by defenders. The threat actor usually sends the password to open the file to the targeted user in the same or a subsequent email message.
In addition to password-protecting the PDF lures themselves, the actor has been observed hosting PDF lures at a cloud storage service and sharing a password-protected link to the file in a message sent to the intended victim. While Star Blizzard frequently uses cloud storage services from all major providers (including Microsoft OneDrive), Proton Drive is predominantly chosen for this purpose.
Microsoft suspends Star Blizzard operational accounts discovered using our platform for their spear-phishing activities.
Following the detailed public reporting by Recorded Future (August 2023) on detection opportunities for Star Blizzard domain registrations, we have observed the threat actor making significant changes in their chosen domain naming syntax.
Prior to the public reporting, Star Blizzard utilized a limited wordlist for their DGA. Subsequently, Microsoft has observed that the threat actor has upgraded their domain-generating mechanism to include a more randomized list of words.
Despite the increased randomization, Microsoft has identified detection opportunities based on the following constant patterns in Star Blizzard domain registration behavior:
A list of recent domain names registered by Star Blizzard can be found at the end of this report.
Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts.
Star Blizzard continues to utilize the publicly available Evilginx framework to achieve their objective, with spear-phishing via email remaining the initial access vector. Target redirection to the threat actor’s Evilginx server infrastructure is still usually achieved using custom-built PDF lures that open a browser session. This session follows a redirection chain ending at actor-controlled Evilginx infrastructure that is configured with a “phishlet” for the intended targets’ email provider.
Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure (redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor registered domain.
As with all threat actors that focus on phishing or spear-phishing to gain initial access to victim mailboxes, individual email users should be aware of who these attacks target and what they look like to improve their ability to identify and avoid further attacks.
The following is a list of answers to questions that enterprise and consumer email users should be asking about the threat from Star Blizzard:
Users and organizations are more likely to be a potential Star Blizzard target if connected to the following areas:
Remember that Star Blizzard targets both consumer and enterprise accounts, so there is an equal threat to both organization and personal accounts.
The email will appear to be from a known contact that users or organizations expect to receive email from. The sender address could be from any free email provider, but special attention should be paid to emails received from Proton account senders (@proton.me, @protonmail.com) as they are frequently used by Star Blizzard.
An initial email will usually be sent asking to review a document, but without any attachment or link to the document.
The threat actor will wait for a response, and following that, will send an additional message with either an attached PDF file or a link to a PDF file hosted on a cloud storage platform. The PDF file will be unreadable, with a prominent button purporting to enable reading the content.
Pressing the button in a PDF lure causes the default browser to open a link embedded in the PDF file code—this is the beginning of the redirection chain. Targets will likely see a web page titled “Docs” in the initial page opened and may be presented with a CAPTCHA to solve before continuing the redirection. The browsing session will end showing a sign-in screen to the account where the spear-phishing email was received, with the targeted email already appearing in the username field.
The host domain in the web address is an actor-controlled domain (see appendix for full list), and not the expected domain of the email server or cloud service.
If multifactor authentication is configured for a targeted email account, entering a password in the displayed sign-in screen will trigger an authentication approval request. If passwordless access is configured for the targeted account, an authentication approval request is immediately received on the device chosen for receiving authentication approvals.
As long as the authentication process is not completed (a valid password is not entered and/or an authentication request is not approved), the threat actor has not compromised the account.
If the authentication process is completed, the credentials have been successfully compromised by Star Blizzard, and the threat actor has all the required details needed to immediately access the mailbox, even if multifactor authentication is enabled.
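The host check described above, written out as an added example (not Microsoft's code): because the sign-in page at the end of the chain looks genuine and already shows the target's address, the comparison has to be an exact match on the parsed host rather than a look for a familiar name somewhere in the address. The allow-list below is an assumption to be replaced with the sign-in hosts your provider uses, and the rejected URLs are constructed under the reserved `.test` domain.

```python
from urllib.parse import urlsplit

# Assumption: replace with the sign-in hosts your mail provider really uses.
EXPECTED_SIGNIN_HOSTS = frozenset(
    {"login.microsoftonline.com", "accounts.google.com"}
)

# Constructed sample URLs; the .test hosts do not exist.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/login",
    "https://login.microsoftonline.com.portal-docs.test/common/login",
    "https://login.microsoftonline.com@portal-docs.test/common/login",
    "http://login.microsoftonline.com/common/login",
    "https://portal-docs.test/login",
]


def check_signin_url(url, expected=EXPECTED_SIGNIN_HOSTS):
    """Return (allowed, reason) for the address shown on a sign-in page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")   # hostname is lower-cased
        userinfo = (parts.username or "").lower()
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host"
    if host in expected:
        return True, "expected sign-in host"
    labels = host.split(".")
    if not host.isascii() or any(lb.startswith("xn--") for lb in labels):
        return False, "internationalized host, possible look-alike"
    for good in expected:
        # "https://good@other/" puts the familiar name before the real host.
        if userinfo == good:
            return False, "expected name is only the userinfo part"
        # "good.other.tld" is a subdomain of other.tld, not of the provider.
        if host.startswith(good + "."):
            return False, "expected name is a prefix of another domain"
    return False, "host is not an expected sign-in domain"


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        allowed, reason = check_signin_url(sample)
        print(("ALLOW " if allowed else "REJECT"), sample, "->", reason)
```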
As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the necessary information to secure their accounts.
Microsoft emphasizes that the following two mitigations will strengthen customers’ environments against Star Blizzard attack activity:
Microsoft is sharing indicators of compromise related to this attack at the end of this report to encourage the security community to further investigate for potential signs of Star Blizzard activity using their security solution of choice. All these indicators have been incorporated into the threat intelligence feed that powers Microsoft Defender products to aid in protecting customers and mitigating this threat. If your organization is a Microsoft Defender for Office customer or a Microsoft Defender for Endpoint customer with network protection turned on, no further action is required to mitigate this threat presently. A thorough investigation should be performed to understand potential historical impact if Star Blizzard activity has been previously alerted on in the environment.
Additionally, Microsoft recommends the following mitigations to reduce the impact of this threat:
Microsoft Defender for Office 365
Microsoft Defender for Office offers enhanced solutions for blocking and identifying malicious emails. Signals from Microsoft Defender for Office inform Microsoft 365 Defender, which correlates cross-domain threat intelligence to deliver coordinated defense, when this threat has been detected. These alerts, however, can be triggered by unrelated threat activity. Example alerts:
Microsoft Defender SmartScreen
Microsoft Defender SmartScreen has implemented detections against the phishing domains represented in the IOC section below. By enabling Network protection, organizations can block attempts to connect to these malicious domains.
Microsoft Defender for Endpoint
Aside from the Microsoft Defender for Office 365 alerts above, customers can also monitor for the following Microsoft 365 Defender alerts for this attack. Note that these alerts can also be triggered by unrelated threat activity. Example alerts:
Microsoft customers can use the following reports in Microsoft products to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, and respond to associated threats found in customer environments.
Microsoft Defender Threat Intelligence
Microsoft 365 Defender Threat analytics
Microsoft Sentinel
Microsoft Sentinel customers can use the TI Mapping analytics (a series of analytics all prefixed with ‘TI map’) to automatically match the malicious domain indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace.
Star Blizzard domain infrastructure
docdatares[.]com | 2023/05/26 13:42:10 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
datawebhub[.]com | 2023/05/26 16:28:34 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
cloudithub[.]com | 2023/05/26 16:28:35 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
secitweb[.]com | 2023/05/26 16:28:39 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
documentitsolution[.]com | 2023/05/29 13:21:44 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
keeperinformation[.]com | 2023/05/29 13:21:48 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
webprodata[.]com | 2023/05/29 14:28:00 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
clouditprofi[.]com | 2023/05/29 14:28:01 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
cryptoinfostorage[.]com | 2023/05/29 14:34:41 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
rootinformationgateway[.]com | 2023/05/29 14:34:41 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
gatewaydocumentdata[.]com | 2023/06/01 14:49:07 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
gatewayitservices[.]com | 2023/06/01 14:49:17 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
infoviewerdata[.]com | 2023/06/01 14:59:51 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
infoviewergate[.]com | 2023/06/01 14:59:51 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
webitresourse[.]com | 2023/06/02 19:35:46 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
homedocsdata[.]com | 2023/06/05 16:05:54 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
homedocsview[.]com | 2023/06/05 16:06:10 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
webdataproceed[.]com | 2023/06/08 17:29:54 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
directkeeperstorage[.]com | 2023/06/12 15:47:55 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
gatewaykeeperinformation[.]com | 2023/06/12 15:48:01 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
rootgatestorage[.]com | 2023/06/12 16:46:02 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
documentinformationsolution[.]com | 2023/06/12 16:46:04 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
getclouddoc[.]com | 2023/06/14 10:56:38 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
statusfiles[.]com | 2023/06/16 09:49:55 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
webstaticdata[.]com | 2023/06/16 09:49:55 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
cloudwebfile[.]com | 2023/06/16 09:49:59 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
statuswebcert[.]com | 2023/06/16 10:29:57 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
nextgenexp[.]com | 2023/06/16 10:29:57 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
informationkeeper[.]com | 2023/06/16 14:48:40 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
documentgatekeeper[.]com | 2023/06/16 14:48:44 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
cryptogatesolution[.]com | 2023/06/16 15:32:31 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
rootgatewaystorage[.]com | 2023/06/16 15:32:34 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
infoviewstorage[.]com | 2023/06/22 12:34:10 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
infoconnectstorage[.]com | 2023/06/22 12:34:18 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
infolookstorage[.]com | 2023/06/22 13:53:04 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
judicialliquidators[.]com | 2023/06/25 11:28:05 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
safetyagencyservice[.]com | 2023/06/25 11:28:08 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
dynamiclnk[.]com | 2023/06/27 13:20:10 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
temphoster[.]com | 2023/06/27 13:20:10 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
documententranceintelligence[.]com | 2023/06/27 17:13:49 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
documentgateprotector[.]com | 2023/06/27 17:13:51 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
readinfodata[.]com | 2023/06/28 16:09:46 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
readdatainform[.]com | 2023/06/28 16:09:50 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
webcryptoinfo[.]com | 2023/06/29 12:41:50 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
storageinfodata[.]com | 2023/06/29 12:41:50 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
keeperdatastorage[.]com | 2023/07/03 17:40:16 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
keepinformationroot[.]com | 2023/07/03 17:40:21 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
keyservicebar[.]com | 2023/07/05 13:25:41 | PDR Ltd. | C=US, O=Let’s Encrypt, CN=R3 | |
bitespacedev[.]com | 2023/07/05 13:25:43 | PDR Ltd. | C=US, O=Let’s Encrypt, CN=R3 | |
cryptodocumentinformation[.]com | 2023/07/05 15:04:46 | PDR Ltd. | C=US, O=Let’s Encrypt, CN=R3 | |
directdocumentinfo[.]com | 2023/07/05 15:04:48 | PDR Ltd. | C=US, O=Let’s Encrypt, CN=R3 | |
techpenopen[.]com | 2023/07/05 15:49:13 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
loginformationbreakthrough[.]com | 2023/07/06 16:01:36 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
alldocssolution[.]com | 2023/07/06 16:01:39 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
documentkeepersolutionsystems[.]com | 2023/07/06 18:45:01 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
docholdersolution[.]com | 2023/07/06 18:45:10 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
infodocitsolution[.]com | 2023/07/07 11:00:59 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
securebrowssolution[.]com | 2023/07/07 11:00:59 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
secbrowsingate[.]com | 2023/07/07 11:18:09 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
secbrowsingsystems[.]com | 2023/07/07 11:18:14 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
docguardmaterial[.]com | 2023/07/10 11:38:40 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
dockeeperweb[.]com | 2023/07/10 11:38:44 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
docsecgate[.]com | 2023/07/11 13:27:59 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
documentsecsolution[.]com | 2023/07/11 13:28:01 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
cryptogatehomes[.]com | 2023/07/11 17:51:38 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
topcryptoprotect[.]com | 2023/07/12 13:03:36 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
safedocumentgatesolution[.]com | 2023/07/12 13:17:15 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
safedocitsolution[.]com | 2023/07/12 13:17:23 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
docscontentview[.]com | 2023/07/12 15:05:10 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
docscontentgate[.]com | 2023/07/12 15:05:10 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
openprojectgate[.]com | 2023/07/12 15:30:44 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
infowardendoc[.]com | 2023/07/12 15:30:49 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
wardensecbreakthrough[.]com | 2023/07/12 15:41:10 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
lawsystemjudgement[.]com | 2023/07/12 15:41:10 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
explorewebdata[.]com | 2023/07/13 08:12:07 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
doorwayseclaw[.]com | 2023/07/13 13:22:18 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
entryloginpoint[.]com | 2023/07/13 13:22:22 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
wardenlawsec[.]com | 2023/07/13 14:12:32 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
entrygatebreak[.]com | 2023/07/13 14:12:32 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
digitalworkdata[.]com | 2023/07/13 15:00:44 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
digitalhubdata[.]com | 2023/07/13 15:00:45 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
craftfilelink[.]com | 2023/07/13 15:31:00 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
createtempdoc[.]com | 2023/07/13 15:31:00 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
provideexplorer[.]com | 2023/07/13 16:25:33 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
reviewopenfile[.]com | 2023/07/13 16:25:34 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
govsafebreakthrough[.]com | 2023/07/13 16:26:44 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
govlawentrance[.]com | 2023/07/13 16:26:55 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
storagekeepdirect[.]com | 2023/07/13 17:36:39 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
storageguarddirect[.]com | 2023/07/13 17:36:44 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
storagekeeperexpress[.]com | 2023/07/14 13:27:26 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
onestorageprotectordirect[.]com | 2023/07/14 13:27:27 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
lawwardensafety[.]com | 2023/07/14 13:41:52 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
entrancequick[.]com | 2023/07/14 13:41:53 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
seclawdoorway[.]com | 2023/07/14 15:28:39 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
wardengovermentlaw[.]com | 2023/07/14 15:28:43 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
getvaluepast[.]com | 2023/07/14 16:14:41 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
transferlinkdata[.]com | 2023/07/14 16:14:41 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
remcemson[.]com | 2023/07/26 11:25:48 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
osixmals[.]com | 2023/07/26 11:25:56 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
entranceto[.]com | 2023/07/28 12:26:15 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
govermentsecintro[.]com | 2023/07/28 12:26:17 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
itbugreportbeta[.]com | 2023/07/28 13:06:49 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
theitbugreportbeta[.]com | 2023/07/28 13:06:49 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
sockintrodoorway[.]com | 2023/07/28 13:21:41 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
maxintrosec[.]com | 2023/07/28 13:21:42 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
doorgovcommunity[.]com | 2023/07/28 15:11:40 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
tarentrycommunity[.]com | 2023/07/28 15:11:40 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
webfigmadesignershop[.]com | 2023/07/28 16:09:07 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
webfigmadesigner[.]com | 2023/07/28 16:09:11 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
logincontrolway[.]com | 2023/07/28 16:35:44 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
vertransmitcontrol[.]com | 2023/07/28 16:35:44 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
everyinit[.]com | 2023/08/09 13:56:51 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
aliceplants[.]com | 2023/08/09 17:22:26 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
countingtall[.]com | 2023/08/09 17:22:30 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
silenceprotocol[.]com | 2023/08/10 12:32:10 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
mintwithapples[.]com | 2023/08/10 12:32:15 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
winterholds[.]com | 2023/08/10 12:53:29 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
ziplinetransfer[.]com | 2023/08/10 16:47:53 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
translatesplit[.]com | 2023/08/10 16:47:53 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
getfigmacreator[.]com | 2023/08/11 13:13:20 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
postrequestin[.]com | 2023/08/11 13:13:23 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
tarifjane[.]com | 2023/08/17 14:05:41 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
configlayers[.]com | 2023/08/17 14:05:48 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
winterhascometo[.]com | 2023/08/17 16:21:43 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
inyourheadexp[.]com | 2023/08/17 16:21:43 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
glorybuses[.]com | 2023/08/18 15:27:40 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
janeairintroduction[.]com | 2023/08/18 15:27:40 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
vikingonairplane[.]com | 2023/08/18 16:19:48 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
marungame[.]com | 2023/08/18 16:19:49 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
victorinwounder[.]com | 2023/08/21 16:14:48 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
paneindestination[.]com | 2023/08/21 16:15:02 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
trastamarafamily[.]com | 2023/08/22 11:20:22 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
territoryedit[.]com | 2023/08/22 11:20:24 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
vectorto[.]com | 2023/08/24 09:40:49 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
johnysadventure[.]com | 2023/08/24 09:40:54 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
paternenabler[.]com | 2023/08/25 14:40:31 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
fastnamegenerator[.]com | 2023/08/25 14:40:35 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
literallyandme[.]com | 2023/08/28 13:21:33 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
andysalesproject[.]com | 2023/08/28 13:21:34 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
pandawithrainbow[.]com | 2023/08/28 17:08:58 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
natalyincity[.]com | 2023/08/29 15:25:02 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
machinerelise[.]com | 2023/09/01 16:29:09 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
industrialcorptruncate[.]com | 2023/09/01 16:30:07 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
constructionholdingnewlife[.]com | 2023/09/07 14:00:55 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
adventuresrebornpanda[.]com | 2023/09/07 14:00:55 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
cryingpand[.]com | 2023/09/13 13:10:40 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
industrialwatership[.]com | 2023/09/13 13:10:41 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
olohaisland[.]com | 2023/09/13 14:25:35 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
voodoomagician[.]com | 2023/09/13 14:25:36 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
newestchairs[.]com | 2023/09/14 11:24:47 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
cpuisocutter[.]com | 2023/09/14 12:37:53 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
incorpcpu[.]com | 2023/09/14 12:37:57 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
gulperfish[.]com | 2023/09/14 14:00:25 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
leviathanfish[.]com | 2023/09/14 14:00:25 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
truncationcorp[.]com | 2023/09/14 14:05:41 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
gzipinteraction[.]com | 2023/09/14 14:05:42 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
ghostshowing[.]com | 2023/09/14 16:10:42 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
hallowenwitch[.]com | 2023/09/14 16:10:43 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
certificatentrance[.]com | 2023/09/19 08:18:39 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
apiwebdata[.]com | 2023/10/02 14:59:14 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
apidatahook[.]com | 2023/10/04 15:45:19 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
apireflection[.]com | 2023/10/04 15:45:25 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
protectionoffice[.]tech | 2023/10/05 11:33:46 | Hostinger UAB | C=US, O=Let’s Encrypt, CN=R3 | |
lazyprotype[.]com | 2023/10/11 11:52:18 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
angelicfish[.]com | 2023/10/13 17:57:29 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
globalyfish[.]com | 2023/10/13 17:57:31 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
medicprognosis[.]com | 2023/10/16 14:36:32 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
medicoutpatient[.]com | 2023/10/16 14:36:41 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
krakfish[.]com | 2023/10/17 17:09:29 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
stingrayfish[.]com | 2023/10/17 17:09:31 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
incorpreview[.]com | 2023/10/17 18:27:09 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
truncatetrim[.]com | 2023/10/17 18:27:11 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
corporatesinvitation[.]com | 2023/10/18 14:48:54 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
triminget[.]com | 2023/10/18 17:31:40 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
firewitches[.]com | 2023/10/19 10:40:51 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
solartemplar[.]com | 2023/10/19 10:40:52 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
encryptionrenewal[.]com | 2023/10/20 13:36:24 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
sslkeycert[.]com | 2023/10/20 13:36:24 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
barbarictruths[.]com | 2023/10/23 07:37:30 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
castlefranks[.]com | 2023/10/23 07:37:33 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | Yes |
comintroduction[.]com | 2023/10/24 14:01:11 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 | |
corpviewer[.]com | 2023/10/31 13:10:38 | NameCheap, Inc | C=US, O=Let’s Encrypt, CN=R3 |
Star Blizzard HubSpot campaign domains:
Star Blizzard MailerLite campaign domain:
For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.
To get notified about new publications and to join discussions on social media, follow us on X (formerly Twitter) at https://twitter.com/MsftSecIntel.
To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: https://thecyberwire.com/podcasts/microsoft-threat-intelligence.
The post Star Blizzard increases sophistication and evasion in ongoing attacks appeared first on Microsoft Security Blog.