Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label DNS Flaw. Show all posts

Decoy Dog Malware Toolkit: A New Cybersecurity Threat

 

A new cybersecurity threat has been discovered that could potentially put millions of people at risk. According to a report from Bleeping Computer, researchers have found a new malware toolkit called 'Decoy Dog' after analyzing 70 billion DNS queries. The malware toolkit was discovered by a team of researchers who were looking for new ways to protect against cyber attacks.

The Decoy Dog malware toolkit is an advanced cyber attack tool that allows hackers to access and control computer systems remotely. It is a modular tool that can be customized to fit the specific needs of an attacker. The malware is also capable of evading traditional security measures such as firewalls and antivirus software.

The researchers found that the Decoy Dog malware toolkit is being distributed through various channels such as email, social media, and file-sharing sites. Once the malware is installed on a victim's computer, it can be used to steal sensitive information such as login credentials, financial data, and personal information.

One of the ways that the Decoy Dog malware toolkit is able to evade detection is through the use of a tool called Pupy. Pupy is a remote access tool that is used to control compromised systems. It is designed to be stealthy and can operate undetected by antivirus software.

The researchers warn that the Decoy Dog malware toolkit is a serious threat and that users should take steps to protect themselves. They recommend that users keep their software up-to-date and avoid opening suspicious emails or downloading files from untrusted sources. They also suggest that users should use reputable antivirus software and regularly scan their systems for malware.

The Decoy Dog malware toolset poses a significant risk to cybersecurity, to sum up. It is an effective weapon for cybercriminals due to its modular design and capacity to bypass conventional security measures. Users must be on the lookout for these hazards online and take precautions to safeguard themselves.

 Roaming Mantis Virus Features DNS Setups


Malicious actors linked to the Roaming Mantis attack group were seen distributing an updated variation of their patented mobile malware called Wroba to compromise Wi-Fi routers and perform Domain Name System (DNS) theft.

Kaspersky found that the threat actor behind Roaming Mantis only targets routers made by a well-known South Korean network equipment manufacturer that is situated in that country.

Researchers have been tracking the Roaming Mantis malware distribution and credential theft campaign since September 2022. This malware uses an updated version of the Android malware Wroba. o/XLoader to identify susceptible WiFi routers based on its model and modify their DNS.

All Android devices connected to the WiFi network will now experience a redirect to the malicious landing page and a request to install the malware as a result of the router's DNS settings having been altered. Consequently, there is a steady flow of infected devices that can penetrate secure WiFi routers on national public networks that serve a huge number of users.

The attacks use smishing messages as their primary intrusion vector to deliver a booby-trapped URL that, depending on the mobile device's operating system, either provides a malicious APK or directs the user to phishing URLs.

Even though there are no landing pages for American targets and Roaming Mantis does not seem to be specifically targeting American router models, Kaspersky's telemetry reveals that 10% of all XLoader victims are in the United States.

Additionally, the feature was set up to primarily target WiFi routers in South Korea, according to security researchers. Roaming Mantis victims have also been spotted in France, Japan, Germany, the US, Taiwan, Turkey, and other countries.

Kaspersky experts advise consulting one's router's user manual to ensure that its DNS settings have not been modified or contacting your ISP for assistance to safeguard the internet connection from such a virus. Furthermore, updating your router's firmware regularly from the official source is advised, as is changing the router's default login and password for the admin web interface. Avoid using a third-party repository and do not install router firmware from outside sources.

5 Methods for Hackers Overcome Cloud Security

Nearly every major company has used cloud computing to varying degrees in its operations. To protect against the biggest threats to cloud security, the organization's cloud security policy must be able to handle the integration of the cloud.

The vulnerability could be exploited against the on-premises version, but the Amazon Web Services (AWS) WAF prohibited all attempts to do so against the cloud version by flagging the SQL injection payload as malicious.

What is cloud security?

Cloud computing environments, cloud-based apps, and cloud-stored data are all protected by a comprehensive set of protocols, technologies, and procedures known as cloud security. Both the consumer and the cloud provider are jointly responsible for cloud security. 

It helps maintain data security and privacy across web-based platforms, apps, and infrastructure. Cloud service providers and users, including individuals, small and medium-sized businesses, and enterprises, must work together to secure these systems. 

How do hackers breach cloud security?

While crypto mining is the primary focus of each hacking operation at present time, some of their methods may be applied to more malicious aims in the future.

1. Cloud Misconfiguration

A major factor in cloud data breaches is incorrectly configured cloud security settings. The tactics used by many enterprises to maintain their cloud security posture are insufficient for safeguarding their cloud-based infrastructure.

Default passwords, lax access controls, improperly managed permissions, inactive data encryption, and various other issues are usual vulnerabilities. Insider threats and inadequate security awareness are the root causes of many of these flaws.

A large data breach could occur, for instance, if the database server was configured incorrectly and data became available through a simple online search.

2. Denonia Cryptominer

Cloud serverless systems using AWS Lambda are the focus of the Denonia malware. The Denonia attackers use a scheme that uses DNS over HTTPS often referred to as DoH, sending DNS requests to resolver servers that are DoH-based over HTTPS. As a result, the attackers can conceal themselves behind encrypted communication, preventing AWS from seeing their fraudulent DNS lookups. As a result, the malware is unable to alert AWS.

The attackers also seem to have thrown in hundreds of lines of user agent HTTPS query strings as additional distractions to divert or perplex security investigators. In order to avoid mitm attacks and endpoint detection & response (EDR) systems, analysts claim that the malware discovered a way to buffer the binary.

3. CoinStomp malware 

Cloud-native malware called CoinStomp targets cloud security providers in Asia with the intention of cryptojacking. In order to integrate into the Unix environments of cloud systems, it also uses a C2 group based on a dev/tcp reverse shell. Then, using root rights, the script installs and runs additional payloads as system-wide system services. 

4.WhatDog Crptojacker

The WatchDog crypto-mining operation has obtained as many as 209 Monero cryptocurrency coins. WatchDog mining malware consists of a multi-part Go Language binary set. One binary emulates the Linux WatchDog daemon mechanism. 

5. Mirai botnet 

In order to build a network of bots that are capable of unleashing destructive cyberattacks, the Mirai botnet searches the internet for unprotected smart devices before taking control of them.

When ARC-based smart devices are infected with the malware known as Mirai, a system of remotely operated bots is created. DDoS attacks are frequently carried out via botnets.
The Mirai malware is intended to attack weaknesses in smart devices and connect them to form an infected device network called a botnet by exploiting the Linux OS, which many Internet of Things (IoT) devices run on.

The WAF did not recognize the new SQL injection payload that Claroty researchers created, yet it was acceptable for the database engine to analyze. They did this by using a JSON syntax. All of the affected vendors responded to the research by including JSON syntax support in their products, but Claroty thinks additional WAFs may also be affected.


MM.Finance, a DeFi platform, Had More Than $2 Million Stolen

 

In a Domain Name System (DNS) attack, hackers decided to retrieve $2 million worth of digital assets, as per MM.Finance. It is a DeFi ecosystem with the largest decentralized exchange on the Cronos blockchain. 

Hackers target the reliability or integrity of a network's DNS service in these attacks. The attacker could "inject a malicious contract address into the frontend code," as per the team behind MM.Finance, which bills itself as the world's largest decentralized finance ecosystem on the Cronos blockchain. "Attacker changed the network contract address in our hosted files via a DNS vulnerability." In a Medium post-mortem, the business claimed, "We understand that some of you have suffered considerable sums and are filled with anxieties and despair." 

After completing swaps or adding and deleting liquidity on the MM.Finance site starting on May 4, users lost money. "The malicious router kicked in and the LPs were withdrawn to the attacker's address when victims navigated to mm. finance to remove liquidity," the company revealed. MM.Finance has offered the attacker 48 hours to refund 90% of the stolen funds, warning that if the deadline is not met, it will notify the FBI. 

The attacker made off with more than $2 million in cryptocurrencies before laundering it all through Tornado Cash, a service that allows users to hide the source of their payments. The company is forming a compensation fund for anyone affected, and the platform's creators have stated that they will forego its part of trading revenue to pay the losses. The reward pool will be open for 45 days, with a procedure in place to reimburse individuals that participate. 

The company said it linked the seized assets to the OKX exchange in follow-up postings on Twitter, threatening to contact the FBI if the funds were not restored. OKX's CEO stated that the company is looking into the matter. According to DeFi Llama data, liquidity is still strong, with $804 million in total worth locked up (TVL).

AnchorDNS Loophole of a TrickBot Spyware Upgraded to AnchorMail

 

Even after the TrickBot infrastructure was shut down, the malware's operators continued to improve and retool its arsenal in preparation for attacks which ended in the distribution of the Conti ransomware. The new, improved edition of the criminal gang's AnchorDNS backdoor was called AnchorMail by IBM Security X-Force, which discovered it. 

According to IBM's malware reverse researcher Charlotte Hammond, AnchorMail "uses an email-based [command-and-control] server with which it connects using SMTP and IMAP protocols over TLS." "AnchorMail's behavior is essentially similar to vs its AnchorDNS predecessor, excluding the redesigned C2 communication method." 

The Trickbot Group, also known as ITG23 on X-Force, is a cybercriminal group best known for creating the Trickbot financial Trojan. Originally discovered in 2016, it was used to aid online banking fraud, initially. The gang adapted to the ransomware economy by gaining a footing for ransomware assaults utilizing its Trickbot and Bazarloader payloads, a tight partnership with both the Conti ransomware-as-a-service provider (RaaS). 

ITG23 is also known for creating the Anchor malware framework, which includes the AnchorDNS variant. In 2018 various high-profile targets were being infected with Trickbot or Bazarbackdoor, another ITG23 backdoor. AnchorDNS is known for using the DNS protocol to communicate with its Command and Control (C2) server. The improved backdoor, dubbed AnchorMail or Delegatz by IBM Security X-Force researchers, now communicates with an email-based C2 server through SMTP and IMAP protocols via TLS. AnchorMail's functionality is essentially similar to its AnchorDNS predecessor for most of its part, with the exception of the redesigned C2 communication mechanism. 

The uncovering of this updated Anchor variant adds an extra inconspicuous backdoor during ransomware assaults, demonstrating the group's drive to continually improve its malware. AnchorMail provides a scheduled job for persistence after execution, which is set to execute every 10 minutes. It then gathers basic system data, registers with its C2, and enters a loop of monitoring for and executing commands received. 

The command structure of the backdoor and AnchorDNS appear to be fairly similar, and both forms appear to accept the same set of control codes, which allow a variety of various possibilities for processing orders and payloads received from the C2. The commands include the ability to run binaries, DLLs, and shellcode downloaded from a remote server, as well as launch PowerShell commands and erase themselves from infected PCs. 

"The revelation of this new Anchor version adds a new covert gateway used during ransomware assaults, AnchorMail has only been seen to target Windows PCs so far. However, given the AnchorDNS has been adapted to Linux, a Linux-based version of AnchorMail appears inevitable," said Charlotte Hammond, BM's malware reverse engineer.

500 Organizations Affected Via Security Flaw in AWS Route53

 

Earlier this year in January 2021, Cloud security researchers from Wiz.io accidentally uncovered a ‘novel’ class of Domain Name Service (DNS) flaws in Amazon Web Services' Route53. Researchers were left surprised after they realized that its self-service domain registration system is allowing them to create a new hosted zone with the same name as the real AWS name server and directed it to their IP address. 

Cloud security researchers received traffic from more than 15,000 different AWS customers and a million endpoint devices, all after registering a bogus AWS name server as ns-852.awsdns-42.net, the same name as an actual AWS name server. However, researchers managed to gather a treasure trove of information on Fortune 500 companies including 45 US government agencies and 85 government agencies overseas.

"We were trying to figure out how to break DNS and we had no idea what traffic we were getting at first. In theory, if you register a name server name ... it shouldn't have any impact. We understood then that we were on top of an unbelievable set of intelligence, just by tapping for a few hours into a small portion of the network. I called it a nation-state intelligence capability using a simple domain registration," says Ami Luttwak, co-founder and CTO of Wiz.io as well as a former member of Microsoft's cloud security team. 

AWS patched the security hole in mid-February, shortly after the researchers alerted it back in January. However, two other vendors, the researchers contacted about the flaw have not yet fixed it in their DNS services. An AWS spokesperson did not provide any details but confirmed that Route53 "is not affected by this issue," adding that the service "prevents the creation of Hosted Zones for DNS names associated to Route53 name servers." 

“All it took to close the vulnerability in AWS Route53 was placing the official AWS name-server name on a so-called ‘ignore’ list. The problem was anyone could register the official name servers on the platform, so they put the list of their name servers on an 'ignore' list so attackers can't register them anymore,” Shir Tamari, head of Wiz.io security research team, explained.

On May 19, 2020, researchers from the Tel Aviv University and the Interdisciplinary Center in Israel identified a similar flaw in the execution of DNS recursive resolvers that can be exploited to launch disruptive DDoS attacks against any organization.