
Iranian Attackers are Employing a New DNS Hijacking Malware to Target Organizations

 

The Iran-linked Lyceum cyber espionage group, also known as Hexane or Spilrin, is employing a new .NET-based DNS backdoor to target firms in the energy and telecommunication sectors.

Lyceum has previously targeted communication service vendors in the Middle East via DNS-tunneling backdoors. 

According to Zscaler ThreatLabz researchers, the backdoor is built on the open-source DIG.net tool and is used to carry out "DNS hijacking" attacks (manipulating DNS queries to redirect users to malicious clones of legitimate sites), execute commands, drop payloads, and exfiltrate data.

Employs Word doc

The attackers target organizations with macro-laced Microsoft Word documents downloaded from the domain "news-spot[.]live", which impersonates a legitimate news site. The document is disguised as a news report on Iranian military affairs.

When a victim opens the downloaded file, it prompts them to enable macros to view the content. Once macros are enabled, the DNS backdoor, DnsSystem.exe, is dropped directly into the Startup folder so that it persists across reboots.

"The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol," Zscaler researchers Niraj Shivtarkar and Avinash Kumar explained in a report published last week.

On start-up, the malware locates its DNS hijacking server by resolving the IP address of the "cyberclub[.]one" domain and generates an MD5 hash of the victim's username to serve as a unique victim ID. It can then upload and download arbitrary files to and from the remote server and execute system commands remotely on the compromised host.

Evolution of Lyceum

The Lyceum APT group was first observed in early August 2019 attempting to gain access to organizations' systems via password spraying or brute-force attacks.

Lyceum focuses primarily on cyber espionage, and this new, stealthy backdoor shows how its tooling has evolved. The group is expected to continue taking part in data theft campaigns, which often involve several Iranian hacking groups.

"APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets," the researchers stated. "Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes the static analysis even more challenging."

DeFi Platforms PancakeSwap, Cream Finance hit by DNS Attack

 

DeFi platforms PancakeSwap and Cream Finance warned users on Monday that they had been hit by domain name system (DNS) hijackings. The alerts were issued via social media to keep users from falling for the two parallel schemes, which tried to collect private keys or seed phrases from would-be victims. Data obtained through such a phishing scheme lets an attacker steal funds from affected users.

At press time, PancakeSwap said it had regained control of its DNS. Cream Finance appeared to still be working to recover DNS access and was directing users to an alternative address in the meantime. A DNS hijacking lets an attacker present a fake web portal to visiting users, usually to harvest personal data; in this case, the private keys needed to steal their funds. The U.S. government and private security firms have recently issued warnings about such attacks, as noted in a 2019 report by Krebs on Security.

Exactly how the attackers managed to modify DNS records for the two sites is still unknown, but as security researcher MalwareHunterTeam recently pointed out, both organizations managed their DNS records through the web hosting company GoDaddy. The attackers may have compromised the two companies' hosting accounts in separate incidents, but it is equally possible that they compromised a GoDaddy employee's account and used it to change the DNS server records.

The latter scenario played out twice last year, in March and November 2020, when attackers phished GoDaddy employees for their work credentials and then used the employees' GoDaddy accounts to alter DNS records for several cryptocurrency and domain hosting-related sites. Victims of those earlier attacks included Escrow.com, Liquid.com, NiceHash.com, Bibox.com, Celsius.network, and Wirex.app. Phishing attacks targeting web hosting accounts have been common since early 2019, when FireEye exposed an Iranian state-sponsored hacking group behind a global DNS hijacking campaign.

In that campaign, the Iranian hackers phished their targets for web hosting-related account credentials and then used DNS hijacking to route email server traffic through attacker-controlled infrastructure, allowing them to phish employees and read their emails.

Users Might Be at Risk from DNS Vulnerabilities


What is DNS?

DNS is an essential component of the internet's infrastructure: it lets users reach online content by mapping a website's name to its IP address using a distributed database. Attackers can abuse it to disrupt service by altering records at the domain registrar, a technique known as DNS hijacking. Related DNS threats include DDoS attacks, DNS tunneling, cache poisoning, and others.


About the DNS Risk

  • In a recent incident, the Japanese cryptocurrency exchange Coincheck fell victim to DNS hijacking. The attack exposed the personal information and e-mails of around 200 customers. The attackers first altered a core DNS entry using the company's account at Oname.com, its domain registrar. They then used spear-phishing to steal information and e-mails from those 200 customers.


  • In another DNS hijacking incident last month, a group of researchers from Israel found an "NXNS Vulnerability" in DNS servers that could enable large-scale DDoS attacks if exploited. To lessen the impact of such attacks, Microsoft recently issued a security advisory about the vulnerability.

That is not all: the DNS vulnerability is only one problem. According to cyber experts, another DNS threat is out in the wild, and the pressing issue is that very few people know about it.

Concerns regarding DNS 

Today, the most pressing problem, according to cybersecurity experts, is the exploitation of unattended domains: domains that are no longer in use but still exist on the internet. This typically happens when firms are dissolved, merged, or enter partnerships and abandon their old domains during rebranding. If such a domain is left to expire, the following can happen:

  • If attackers re-register the expired domain and set up a new e-mail server for it, they can intercept e-mail still addressed to the old domain and gain access to confidential organizational information.
  • Abandoned domains of online stores can be rebuilt as fake storefronts, which attackers can use to take orders and steal the payments.
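One defensive audit that follows from the abandoned-domain problem above, written as an added example for this page and not taken from the original post: scan your own zone for MX, CNAME and NS records whose target lives under a registrable domain you no longer hold. The zone data, the OWNED inventory and the two-label domain extraction are constructed assumptions; a production audit would use the Public Suffix List.

```python
# Added example: find zone records that hand mail or traffic to domains
# outside the organisation's current inventory (dangling references).
# All data below is constructed for illustration.

NAME_TYPES = {"MX", "CNAME", "NS"}   # record types whose value is a hostname

# Constructed zone, as (owner, type, value) tuples.
ZONE = [
    ("example.com.",      "MX",    "10 mail.example.com."),
    ("example.com.",      "MX",    "20 mx.oldbrand-legacy.com."),   # left from a rebrand
    ("shop.example.com.", "CNAME", "store.acquired-co.net."),       # partner site, gone
    ("example.com.",      "NS",    "ns1.example.com."),
    ("www.example.com.",  "A",     "203.0.113.10"),
]

# Constructed inventory: registrable domains the organisation still owns.
OWNED = {"example.com"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname, lower-cased.
    Assumption for the example; real audits should use the Public Suffix List."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def target_hostname(rtype: str, value: str) -> str:
    """MX values carry a preference first ('10 mail.example.com.'); strip it."""
    return value.split()[-1] if rtype == "MX" else value


def find_external_targets(zone, owned):
    """Return (owner, type, target, registrable_domain) for every name-valued
    record whose target is outside the owned-domain inventory. An MX hit is
    the exact scenario in the post: our mail goes to whoever registers it."""
    findings = []
    for owner, rtype, value in zone:
        if rtype not in NAME_TYPES:
            continue
        target = target_hostname(rtype, value)
        domain = registrable_domain(target)
        if domain not in owned:
            findings.append((owner, rtype, target, domain))
    return findings


if __name__ == "__main__":
    for owner, rtype, target, domain in find_external_targets(ZONE, OWNED):
        print(f"{owner} {rtype} -> {target}: '{domain}' not in inventory")
```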

New Malicious Campaign Discovered Attacking Public and Private Entities via DNS Hijacking




A newly discovered malicious campaign dubbed "Sea Turtle" is reported to have been attacking public and private entities in several countries using DNS hijacking.

The campaign is known to have compromised at least 40 organizations across 13 countries in the first quarter of 2019.

DNS hijacking is an attack that redirects users to a malicious site by altering DNS name records, either through compromised routers or by tampering with a server's settings.

The attackers used persistent techniques and advanced tooling to gain access to sensitive systems and networks as smoothly as possible.

The attackers focus on two distinct groups of victims: the primary targets, and third parties known to provide services to those targets, which are compromised to carry out the DNS hijacking. The ultimate aim of the "Sea Turtle" attackers is to steal credentials that grant access to systems and networks, proceeding as follows:
  1. Establish a means to control the DNS records of the target.
  2. Modify DNS records to point the target's legitimate users to actor-controlled servers.
  3. Capture legitimate user credentials when users interact with these actor-controlled servers.
Researchers said they "assess" with fairly high confidence that these hijacking attacks are carried out by an advanced, state-sponsored actor seeking access to sensitive systems and networks.

To protect against these DNS hijacking attacks, organizations are now adopting registry lock services, multi-factor authentication for access to DNS records, and, of course, keeping patches up to date, particularly on internet-facing machines.
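All three Sea Turtle steps begin with a silent change to the target's DNS records, so the detection a defender most wants alongside registry lock and MFA is an alert when live records drift from an approved baseline. The following added example (not from the researchers or the original post) diffs a constructed baseline against a constructed observation; the record names, addresses and sensitive-host prefixes are made up.

```python
# Added example: alert when live DNS records drift from an approved baseline.
# Registrar or DNS-provider compromise shows up first as an unexpected change
# to NS records, or to A/MX records of the hosts an attacker wants to stand a
# credential-harvesting proxy in front of. All data below is constructed.
from typing import Dict, List, Set, Tuple

RecordKey = Tuple[str, str]            # (owner name, record type)
RecordSet = Dict[RecordKey, Set[str]]  # -> set of record values

SENSITIVE_PREFIXES = ("mail.", "vpn.", "webmail.", "owa.")  # likely proxy targets
CRITICAL_TYPES = {"NS", "MX"}

# Constructed baseline, as signed off at change-control time.
BASELINE: RecordSet = {
    ("example.com", "NS"):     {"ns1.example-dns.net", "ns2.example-dns.net"},
    ("example.com", "MX"):     {"10 mail.example.com"},
    ("mail.example.com", "A"): {"203.0.113.25"},
    ("vpn.example.com", "A"):  {"203.0.113.40"},
    ("www.example.com", "A"):  {"203.0.113.80"},
}

# Constructed observation; in practice gather it from several public resolvers
# so a poisoned local cache cannot hide the change.
OBSERVED: RecordSet = {
    ("example.com", "NS"):     {"ns1.example-dns.net", "ns2.example-dns.net"},
    ("example.com", "MX"):     {"10 mail.example.com"},
    ("mail.example.com", "A"): {"198.51.100.7"},                  # not our address
    ("vpn.example.com", "A"):  {"203.0.113.40"},
    ("www.example.com", "A"):  {"203.0.113.80", "203.0.113.81"},  # routine scale-out
}


def severity_for(name: str, rtype: str) -> str:
    """NS/MX changes and address changes on sensitive hosts are critical."""
    if rtype in CRITICAL_TYPES or name.startswith(SENSITIVE_PREFIXES):
        return "critical"
    return "medium"


def diff_records(baseline: RecordSet, observed: RecordSet) -> List[dict]:
    """One alert per (name, type) whose value set changed, including keys
    that vanished or appeared, ordered by name then type."""
    alerts = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        before = baseline.get((name, rtype), set())
        after = observed.get((name, rtype), set())
        if before == after:
            continue
        alerts.append({"name": name, "type": rtype,
                       "severity": severity_for(name, rtype),
                       "added": sorted(after - before),
                       "removed": sorted(before - after)})
    return alerts


if __name__ == "__main__":
    for a in diff_records(BASELINE, OBSERVED):
        print(f"[{a['severity']}] {a['name']} {a['type']} +{a['added']} -{a['removed']}")
```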


Altran Technologies, France; Smacked By A Cyber-Attack!




The France-based Altran Technologies has reportedly fallen prey to a cyber-attack that attempted to shut down its operations in several European countries.

Last Thursday, the cyber-attack struck the French engineering consultancy Altran Technologies.

This led the organization to shut down its IT network and applications.

The firm immediately began working on a recovery plan to make sure it suffered as little damage as possible.

A large-scale Domain Name System (DNS) hijacking campaign is also under investigation and has raised many questions.

According to Britain's National Cyber Security Centre, this campaign has wreaked havoc on many government and commercial organizations across the world.

Attackers Targeting D-Link DSL Modem Routers; Exploiting Them to Change the DNS Settings




Recent research has found attackers targeting D-Link DSL modem routers in Brazil in order to change their DNS settings, which lets them redirect users trying to reach their online banks to fake banking websites that steal the customers' account details.

According to Radware's research, the exploit lets attackers scan for large numbers of vulnerable routers and script the change of their DNS settings so that they point to a DNS server under the attackers' control.

Example of Fake Cloned Bank Site (Source: Radware)
Certificate Warning on Fake Site

When a user tries to connect to a website, their device first queries a DNS server to resolve a hostname such as www.google.com to an IP address such as 172.217.11.36.
The PC then connects to that IP address and opens the desired connection. By changing the name servers used by the router, attackers can therefore divert users to fake, malicious sites without their knowledge, while the users believe the sites are legitimate and trustworthy.
The malicious URL takes the following form:

/dnscfg.cgi?dnsPrimary=&dnsSecondary=&dnsDynamic=0&dnsRefresh=1

The exploit allows unauthenticated remote configuration of the DNS server settings on the modem router.

Radware’s research stated that – “The uniqueness about this approach is that the hijacking is performed without any interaction from the user, phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser have been reported as early as 2014 and throughout 2015 and 2016. In 2016, an exploit tool known as RouterHunterBr 2.0 was published on the internet and used the same malicious URLs, but there are no reports that Radware is aware of currently of abuse originating from this tool."

The researchers state that the attack is deceptive because the user is entirely unaware of the change: the hijacking works without creating or changing URLs in the user's browser.

A user can use any browser and their usual habits, typing the URL in manually or browsing from a mobile device such as a smartphone or tablet, and will still be sent to the malicious site instead of the one they requested, because the hijacking works at the gateway level.

Radware therefore recommends that users use the http://www.whatsmydnsserver.com/ website to check their router's configured DNS servers, so that they can judge for themselves whether any look suspicious, since such servers would not have been assigned by their internet service provider.
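Two checks a defender can automate from the advice above, as an added example that is not from Radware or the original post: classify a router's configured resolvers against the set the ISP actually assigns, and scan a router or gateway access log for requests to the dnscfg.cgi endpoint quoted above, extracting the resolver addresses those requests tried to set. The ISP and public resolver lists, and the log lines, are constructed assumptions using RFC 5737 documentation addresses.

```python
# Added example: two checks implied by Radware's advice above. Resolver
# addresses, allow-lists and log lines are constructed for illustration.
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the resolvers this ISP actually hands out (made up).
ISP_RESOLVERS = {"198.51.100.53", "198.51.100.54"}
# Public resolvers a user may have chosen on purpose (made up; extend as needed).
KNOWN_PUBLIC = {"1.1.1.1", "8.8.8.8", "9.9.9.9"}


def classify_resolvers(configured):
    """Label each configured resolver 'isp', 'public' or 'unexpected'.
    On a home router, 'unexpected' is what the post tells users to look for."""
    verdicts = {}
    for addr in configured:
        ip = str(ipaddress.ip_address(addr))   # normalise; rejects non-addresses
        if ip in ISP_RESOLVERS:
            verdicts[ip] = "isp"
        elif ip in KNOWN_PUBLIC:
            verdicts[ip] = "public"
        else:
            verdicts[ip] = "unexpected"
    return verdicts


# Request line of a common-log-format entry: "GET /path?query HTTP/1.x"
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')


def dns_change_attempts(log_lines):
    """Return (client_ip, primary, secondary) for each request to the
    dnscfg.cgi endpoint that tries to set a resolver; the extracted values
    can then be passed through classify_resolvers."""
    attempts = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/dnscfg.cgi"):
            continue
        params = parse_qs(url.query)
        primary = params.get("dnsPrimary", [""])[0]
        secondary = params.get("dnsSecondary", [""])[0]
        if primary or secondary:
            attempts.append((line.split()[0], primary, secondary))
    return attempts


# Constructed access-log lines; the second has the request shape quoted in
# the post, filled with documentation addresses.
SAMPLE_LOG = [
    '192.168.1.10 - - [01/Aug/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.77 - - [01/Aug/2018:10:00:02 +0000] "GET /dnscfg.cgi?dnsPrimary=192.0.2.66'
    '&dnsSecondary=192.0.2.67&dnsDynamic=0&dnsRefresh=1 HTTP/1.1" 200 12',
    '192.168.1.10 - - [01/Aug/2018:10:00:03 +0000] "GET /dnscfg.cgi?dnsDynamic=1 HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for client, primary, secondary in dns_change_attempts(SAMPLE_LOG):
        print(client, classify_resolvers([a for a in (primary, secondary) if a]))
```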

Multilingual Malware Targets Android Devices for Phishing Attacks


In April 2018, Kaspersky Lab published a blog post titled 'Roaming Mantis uses DNS hijacking to infect Android smartphones' describing this malware.

Roaming Mantis is Android malware designed to spread via DNS hijacking and specifically targets Android devices. According to Kaspersky Lab's telemetry data, the activity was found mostly in Asia (South Korea, Bangladesh and Japan).

Potential victims were reportedly redirected by DNS hijacking to a malicious web page that distributed a Trojanized application posing as Facebook or Chrome, which the users then installed manually. The application actually contained an Android banking Trojan.

Shortly after the publication, it emerged that several other researchers were also focused on this malware family. In May, while monitoring Roaming Mantis (also known as MoqHao and XLoader), Kaspersky Lab's researchers observed significant changes in the group's modus operandi.

“The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition to that, the criminals also added a phishing option for iOS devices, and crypto-mining capabilities for the PC.”

According to Kaspersky Lab researcher Suguru Ishimaru, the latest Roaming Mantis campaign was also analysed by Kaspersky Lab, and the findings were detailed in its blog post "The Roaming Mantis campaign evolved significantly in a short period of time."

The attacks have been extended to around 27 languages, including English, Hindi, Russian, Chinese, and Hebrew. Initially the malware was distributed in only five languages, but the range has since been extended using an automatic translator. The full list of languages is available here:


Roaming Mantis is also said to be capable of stealing private and sensitive data from Apple and Android phones, while cryptocurrency mining is performed by a special script added to the malware's HTML source code, which runs whenever the browser is opened.

Confirmed: Angry Birds website hacked by Anti-NSA Hacker

Yesterday the Syrian Electronic Army posted a tweet saying that a friend of theirs, a hacker with the handle "Anti-NSA", had defaced the Angry Birds website.

At the time, we were not able to confirm the defacement. No one was reported to have seen the hack. Even the Zone-h mirror did not confirm the defacement; it displayed the message "The mirror is onhold and has not been verified yet".

So we did not have strong proof to report the hack. Today, Rovio, the creator of Angry Birds, confirmed that the defacement was live for a few minutes and was corrected immediately. The Zone-h record has now also confirmed it.

Antti Tikkanen, Director of Security Response at F-Secure Labs, said on Twitter that the attack was actually a DNS hijack. He noted that the website itself was not touched by the hacker; the hacker had instead managed to modify the DNS records.

He also said that the Angry Birds website pointed to an IP address (31.170.165.141) associated with Lithuania for at least one hour. The same IP address is shown in the Zone-h record (https://www.zone-h.org/mirror/id/21666969).

The hack comes after reports that the Angry Birds application was used by the NSA and GCHQ to spy on people.

New service will protect Hong Kong domains (.hk) from DNS Hijacking


We have recently seen several DNS hijacking attacks. Hackers have defaced several high-profile domains, including Google and Facebook.

Hackers normally attempt to obtain login details for the domain admin panel through various methods, including social engineering. If they succeed, they change the DNS records for the websites.

By modifying DNS records, the hacker can deface the website or redirect it to another malicious website.

To put an end to such attacks, a new "registry-lock" service has been launched by the Hong Kong domain registrar.

"We are putting back the human factor in the verification process," South China Morning Post quoted the Internet Registration Corporation head Jonathan Shea Tat-on as saying.

The new service requires telephone verification before any changes can be made to existing DNS records. At most three people can be authorized to modify the records, and the server is unlocked for only 15 minutes each time. These measures are intended to close the existing loopholes in the automated process.

MYNIC says the Google Malaysia DNS hijack is done through Reseller’s account

We recently learned that Google Malaysia's main page was defaced via DNS hijacking. The Malaysian registrar MYNIC has published a statement saying the DNS hijack was carried out through one of its resellers' accounts.

"We can assure there is no customer’s content, password information and other personal information affected by the redirect," Hasnul Fadhly Hasan, Chief Executive Officer (CEO) of MYNIC, said in the official blog post.

MYNIC says it is "undertaking all necessary measures to monitor the situation and prevent further related issues".

Hasnul said that various security measures have been put in place on MYNIC's infrastructure since the first incident on 1 July 2013. The investigation shows that MYNIC's systems were not compromised in this incident.

"However, this time around, the group manipulated reseller's account management. MYNIC’s next course of action is to immediately improve resellers’ security on account management," Hasnul added.