Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label DNS. Show all posts
Opera Browser
API Browser Security Browser Vulnerability Cyber Attacks data security DNS Opera Browser

CrossBarking Exploit in Opera Browser Exposes Users to Extensive Risks

 

A new browser vulnerability called CrossBarking has been identified, affecting Opera users through “private” APIs that were meant only for select trusted sites. Browser APIs bridge websites with functionalities like storage, performance, and geolocation to enhance user experience. Most APIs are widely accessible and reviewed, but private ones are reserved for preferred applications. Researchers at Guardio found that these Opera-specific APIs were vulnerable to exploitation, especially if a malicious Chrome extension gained access. Guardio’s demonstration showed that once a hacker gained access to these private APIs through a Chrome extension — easily installable by Opera users — they could run powerful scripts in a user’s browser context. 
The malicious extension was initially disguised as a harmless tool, adding pictures of puppies to web pages. 

However, it also contained scripts capable of extensive interference with Opera settings. Guardio used this approach to hijack the settingsPrivate API, which allowed them to reroute a victim’s DNS settings through a malicious server, providing the attacker with extensive visibility into the user’s browsing activities. With control over the DNS settings, they could manipulate browser content and even redirect users to phishing pages, making the potential for misuse significant. Guardio emphasized that getting malicious extensions through Chrome’s review process is relatively easier than with Opera’s, which undergoes a more intensive manual review. 

The researchers, therefore, leveraged Chrome’s automated, less stringent review process to create a proof-of-concept attack on Opera users. CrossBarking’s implications go beyond Opera, underscoring the complex relationship between browser functionality and security. Opera took steps to mitigate this vulnerability by blocking scripts from running on private domains, a strategy that Chrome itself uses. However, they have retained the private APIs, acknowledging that managing security with third-party apps and maintaining functionality is a delicate balance. 

Opera’s decision to address the CrossBarking vulnerability by restricting script access to domains with private API access offers a practical, though partial, solution. This approach minimizes the risk of malicious code running within these domains, but it does not fully eliminate potential exposure. Guardio’s research emphasizes the need for Opera, and similar browsers, to reevaluate their approach to third-party extension compatibility and the risks associated with cross-browser API permissions.


This vulnerability also underscores a broader industry challenge: balancing user functionality with security. While private APIs are integral to offering customized features, they open potential entry points for attackers when not adequately protected. Opera’s reliance on responsible disclosure practices with cybersecurity firms is a step forward. However, ongoing vigilance and a proactive stance toward enhancing browser security are essential as threats continue to evolve, particularly in a landscape where third-party extensions can easily be overlooked as potential risks.


In response, Opera has collaborated closely with researchers and relies on responsible vulnerability disclosures from third-party security firms like Guardio to address any potential risks preemptively. Security professionals highlight that browser developers should consider the full ecosystem, assessing how interactions across apps and extensions might introduce vulnerabilities.
Read more »
Scams
Cyber Crime Cyber crimes DNS fraudulent activities Google Scams

New Coalition to Take Down Online Scams, Led by Google

 




As cybercrime continues to cost the world economy billions annually, a robust new coalition launched by Google, the DNS Research Federation, and the Global Anti-Scam Alliance (GASA) is working to disrupt online scammers at a global level. By all accounts, this partnership constitutes a "game changer." The United Coalition focuses on revealing and thwarting fraudulent activity online.

Online Scam Fighting via the Global Signal Exchange

The coalition will be launching a data platform called Global Signal Exchange, which will 24/7 scan open cyberspaces for signs of fraudulent activity and issue alerts. For a platform, it will leverage the DNS Research Federation's DAP.live: an aggregation platform that consolidates feeds from over 100 sources to spot potential scams. Google enhances these efforts while providing relevant feeds from DAP.live that should provide an even more comprehensive view of online fraud as it begins to take shape.

A Growing Threat in the Digital Age

Some scams are becoming almost too clever nowadays, to the extent that an estimated $8.6 billion is lost worldwide due to such scams each year, with few cases going to convictions. In the UK alone, each person is targeted nearly 240 times a year by a scammer via emails or texts from fake legitimate businesses or offices asking them for personal information, such as bank or credit card details.

Britain estimates the average loss per person due to scams is £1,169. Overall, 11% of adults admit that they have fallen for online fraud. More alarming is the economic loss in the proportion of older adults, which indicates people aged 55 and above lose an average amount of £2,151. Those between 36 and 54 lose about £1,270, while those less than 35 years old lose about £851.

The Call for International Cooperation

Another challenge while combating online scams is that many of the criminal organisations behind these scams are operating from abroad, often from such countries as Russia and North Korea. This international nature makes it even more difficult for local authorities to keep an eye on and legally prosecute them. The coalition aims to balance this gap by sharing scam information in real time, thereby creating a chance to respond quickly to new emerging threats. This collaborative approach will serve crucially because cybercriminals often operate in groups and have done all of this work so fast, which has made it really hard to fight scams alone by any single organisation.

Scammers collaborate, they pool and they act fast. The days when individual brands could combat cybercrime on their own are gone. Global Signal Exchange usher in a new chapter in the battle against cybercrime, and Google's partnership promises to be the game-changer," said Emily Taylor, Chief Executive of DNS Research Federation.

Scammers Use All Too Familiar Brand Names Trapping Victims

The research carried out by the coalition indicates that fraudsters make use of the identity of conspicuous brands to acquire victims. Some of the very popular brands currently being used in scams are: home delivery and courier services; financial services, including banks, insurance, and loan companies; companies in the Technology, Media, and Telecoms sector; many public sector organisations, including HMRC and local councils; and, in a few instances, prominent charities.

According to DNS Research Federation, the volume of scams seems to peak each year in November during the Black Friday promotions and associated online shopping. Much of such activity is occurring because of heightened online activity. Thus, proper defences are quite essential when activity reaches such peak levels.

An alliance towards consumers' protection around the world

The Global Anti-Scam Alliance was established in 2021 to create a network of businesses that stand together to protect consumers online from fraud. GASA, in partnership with Google and the DNS Research Federation, will decrease the profitability of scams in order to make them less appealing to cybercriminals.

As threats in cyber continue to grow and seemingly intensify, this alliance will very largely form a critical element in the protection of users internationally. The Global Signal Exchange represents a major leap forward in efforts on anti-scam activities as it promises that consumers will be better protected from online fraud, and are able to navigate an increasingly complex digital environment more securely.


Read more »
third party
Cyber Security Cyber Threats Risk Digital Infrastructure DNS DOH Domain Name System domains IP Address third party

Understanding the Domain Name System (DNS): How It Works and Why It Matters


The Domain Name System (DNS) serves as a critical element of the internet’s infrastructure, acting like a phone book that translates human-friendly domain names into the numerical IP addresses that computers use to communicate. Without DNS, accessing websites would be far more complicated, requiring users to remember lengthy strings of numbers instead of simple names like “google.com.” When you enter a website URL into your browser, the DNS process begins. This request, known as a “DNS query,” first goes to a DNS resolver—typically provided by your Internet Service Provider (ISP) or a third-party DNS service like Google Public DNS or Cloudflare. 

The resolver acts as an intermediary, starting the process to find the corresponding IP address of the domain name you’ve entered. The DNS resolver contacts one of the 13 root servers that make up the top level of the DNS hierarchy. These servers don’t hold the IP address themselves but provide information about which “Top-Level Domain” (TLD) server to query next. The TLD server is specific to the domain extension you’ve entered (e.g., “.com,” “.net,” “.org”) and points the resolver to the authoritative name server responsible for the particular website. The authoritative name server then provides the IP address back to the resolver, which, in turn, sends it to your browser. 

The browser then connects to the web server using this IP address, loading the website you want to visit. This process, though complex, happens in milliseconds. Security is a vital aspect of DNS because it is a frequent target for cyberattacks. One common threat is DNS spoofing, where attackers redirect traffic to fraudulent websites to steal data or spread malware. DNS hijacking is another risk, where hackers manipulate DNS records to divert users to malicious sites. These threats emphasize the importance of DNS security protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT), which encrypt DNS requests to prevent interception by malicious entities, thus protecting users’ data and privacy. 

Switching to a third-party DNS service can enhance your internet experience in terms of speed, reliability, and security. Services like Google Public DNS, OpenDNS, or Cloudflare’s 1.1.1.1 offer faster query response times, better privacy protection, and can help circumvent geographical restrictions imposed by ISPs. These alternatives often provide built-in security features, such as blocking malicious sites, to offer an extra layer of protection. 

DNS is the backbone of internet browsing, seamlessly converting domain names into IP addresses. By understanding its role and the importance of security measures, users can better appreciate how DNS keeps the internet functional and secure. Whether ensuring that websites load correctly or protecting against cyber threats, DNS plays an indispensable role in our everyday online activities.
Read more »
Obfuscation Technique
Corporate Hacking Data Breach Data Exfiltration DNS IDS Obfuscation Technique

New Hacking Method: Akami DNS Data Exfiltration



 


When it comes to cybercrime, getting into a system is only half the battle; the real challenge is extracting the stolen data without being detected. Companies often focus on preventing unauthorised access, but they must also ensure that data doesn’t slip out undetected. Hackers, driven by profit, constantly innovate methods to exfiltrate data from corporate networks, making it essential for businesses to understand and defend against these techniques.

The Challenge of Data Exfiltration

Once hackers breach a network, they need to smuggle data out without triggering alarms. Intrusion Detection Systems (IDS) are crucial in this fight. They monitor network traffic and system activities for suspicious patterns that may indicate unauthorised data extraction attempts. IDS can trigger alerts or even automatically block suspicious traffic to prevent data loss. To avoid detection, hackers use obfuscation techniques to disguise their actions. This can involve encrypting data or embedding it within harmless-looking traffic, making it difficult for IDS to identify and block the exfiltration attempts.

Reality vs. Hollywood

In Hollywood movies like "Mission Impossible," data theft is often depicted as a physical heist involving stealth and daring. In reality, hackers prefer remote methods to avoid detection and the risk of getting caught. By exploiting vulnerabilities in web servers, hackers can gain access to a network and search for valuable data. Once they find it, the challenge becomes how to exfiltrate it without triggering security systems.

One common way hackers hide their tracks is through obfuscation. A well-known method of obfuscation is image steganography, where data is embedded within images. This technique allows small amounts of data, such as passwords, to be hidden within images without raising suspicion. However, it is impractical for large datasets due to its low bandwidth and the potential for triggering alarms when numerous images are sent out.

Innovative DNS Data Exfiltration

The Domain Name System (DNS) is essential for internet functionality, translating domain names into IP addresses. Hackers can exploit this by sending data disguised as DNS queries. Typically, corporate firewalls scrutinise unfamiliar DNS requests and block those from untrusted sources. However, a novel method known as "Data Bouncing" has emerged, bypassing these restrictions and making data exfiltration easier for hackers.

How Data Bouncing Works

Data Bouncing leverages trusted web hosts to facilitate DNS resolution. Here’s how it works: hackers send an HTTP request to a reputable domain, like "bbc.co.uk," with a forged "Host" header containing the attacker’s domain. Akami Ghost HTTP servers, configured to resolve such domains, process the request, unknowingly aiding the exfiltration.

Every HTTP request a browser makes to a web server includes some metadata in the request’s headers. One of these header fields is the "Host" field, which specifies the requested domain. Normally, if you request a domain that the IP address doesn’t host, you get an error. However, Akami Ghost HTTP servers are set up to send a DNS request to resolve the domain you’ve asked for, even if it’s outside their network. This means you can send a request to a trusted domain, like "bbc.co.uk," with a "Host" header for "encryptedfilechunk.attackerdomain.com," and the trusted domain carries out the DNS resolution for you.

To prevent data exfiltration, companies need a comprehensive security strategy that includes multiple layers of defence. This makes it harder for hackers to succeed and gives security teams more time to detect and stop them. While preventing intrusions is crucial, detecting and mitigating ongoing exfiltration attempts is equally important to protect valuable data.

As cyber threats take new shapes, so must our defences. Understanding sophisticated exfiltration techniques like Data Bouncing is essential in the fight against cybercrime. By staying informed and vigilant, companies can better protect their data from falling into the wrong hands.





Read more »
Germany
botnet Golang C2 Server Cyber Security Cyber Threats DDOS Attack DNS Germany

New Golang-Based Botnet 'Zergeca' Discovered


 

Researchers at QiAnXin XLab have found a new and dangerous botnet called Zergeca. This botnet, written in the Go programming language (Golang), can launch powerful distributed denial-of-service (DDoS) attacks, which can overwhelm and shut down targeted websites or services.

How Zergeca Was Discovered

In May 2024, researchers came across a suspicious file uploaded from Russia to a security website called VirusTotal. This file, located at /usr/bin/geomi, had a unique identifier but wasn't marked as harmful. Another similar file was uploaded from Germany on the same day. This led experts to discover that these files were part of a new botnet, which they named Zergeca, inspired by a string in its code that reminded them of the Zerg creatures from the video game StarCraft.

Zergeca is capable of six different types of DDoS attacks. It also has additional features, such as acting as a proxy, scanning networks, upgrading itself, staying persistent on infected devices, transferring files, providing remote access, and collecting sensitive information from compromised devices. One unique aspect of Zergeca is its use of multiple DNS resolution methods, preferring DNS over HTTPS (DoH) for communicating with its command and control (C2) server. It also uses an uncommon library called Smux for encrypted communication.

The C2 server used by Zergeca has been linked to at least two other botnets named Mirai since September 2023. This suggests that the creator of Zergeca has prior experience with running botnets.

Between early and mid-June 2024, Zergeca was used to carry out DDoS attacks on organisations in Canada, the United States, and Germany. The primary attack method used was known as ackFlood. Victims of these attacks were spread across multiple countries and different internet networks.

Zergeca operates through four main modules: persistence, proxy, silivaccine, and zombie. The persistence module ensures the botnet stays active on infected devices, while the proxy module manages proxying tasks. The silivaccine module removes any competing malware, ensuring that Zergeca has full control of the device. The zombie module is the most critical, as it carries out the botnet's main functions, including DDoS attacks, scanning, and reporting information back to the C2 server.

To stay active, Zergeca adds a system service called geomi.service on infected devices. This service ensures that the botnet process restarts automatically if the device reboots or the process is stopped.

Researchers have gained insights into the skills of Zergeca’s creator. The use of techniques like modified file packing, XOR encryption, and DoH for C2 communication shows a deep understanding of how to evade detection. The implementation of the Smux protocol demonstrates advanced development skills. Given these abilities, researchers expect to see more sophisticated threats from this author in the future.

The discovery of Zergeca highlights the increasing intricacy of cyber threats. Organisations must remain vigilant and adopt strong security measures to protect against such advanced attacks. The detailed analysis of Zergeca provides valuable information on the capabilities and tactics of modern botnets, emphasising the need for continuous monitoring and proactive defence strategies in cybersecurity.


Read more »
Wifi vulnerability
Browser Security Cyber Security DNS Hackers attack Internet Speed Network Security VPN WiFi Routers Wifi vulnerability

Signs Your Home Network Has Been Hacked and How to Protect Yourself

 

While many are aware of the risks associated with public Wi-Fi, fewer realize that home networks are also vulnerable to cyberattacks. Hackers can infiltrate home networks to access sensitive information like bank details, private conversations, and personal photos. Here are key indicators that your home network may be compromised and steps to enhance your security. 

One sign of a compromised network is a sudden drop in internet speed. If your connection slows down without any issues from your provider, it could mean hackers are using your bandwidth for malicious purposes. Another warning sign is the appearance of unfamiliar devices on your network. Hackers might connect their devices to your network to steal information. To check for this, log into your router and review the list of connected devices. Unrecognized entries should be investigated. Unexpected changes to your Wi-Fi password are also concerning. If you haven't changed it but find it different, someone might have hacked into your network to lock you out. 

Additionally, spotting unfamiliar software on your devices can indicate malware installation by hackers aiming to steal your data. Browser hijacking is another serious threat. If hackers gain access to your router, they can alter its DNS settings, redirecting your internet traffic to malicious sites that can steal information and install harmful software. If your browser frequently redirects to suspicious websites, your network might be compromised. Understanding how hackers operate can also help in recognizing threats. 

For example, they may pose as buyers in online transactions, sending phishing links to steal bank details from sellers. To protect your home network, ensure your router’s firmware is up to date and use strong, unique passwords for your Wi-Fi and devices. Enable network encryption, such as WPA3, and disable remote management features that can provide easy access to hackers. Using a virtual private network (VPN) can further secure your internet traffic and protect your online activities. 

Securing your home network requires vigilance and proactive measures. By staying aware of potential warning signs and implementing strong security practices, you can protect your personal information and maintain your digital privacy. Continuous learning and adaptation to new cyber threats are essential for keeping your network safe.
Read more »
Privacy
Ad Blocking AdGuard DNS Browser DNS phishing Privacy

Block Ads and Boost Security with AdGuard DNS

 



Advertisements are omnipresent, disrupting our web browsing and compromising our online security. Many ads slow down our internet speed, infringe on our privacy, and even pose malware risks. However, there is a solution that can alleviate these issues: AdGuard DNS.

AdGuard DNS offers a comprehensive way to block malicious websites, intrusive ads, and trackers while also enabling parental controls. This service stands out by allowing up to 20 devices to connect across more than 50 servers in 15 locations. Now, a five-year subscription is available for $24.97, down from the regular price of $719.64, but only until May 22.

Default DNS (Domain Name System) services translate website names into IP addresses, guiding your browser to the correct site. AdGuard DNS takes this further by filtering out unsafe sites before you even visit them. This added layer of protection can demonstrably enhance your digital security.


Benefits of Blocking Ads

Blocking ads with a DNS service like AdGuard can make web pages load faster. This is because ads often consume substantial bandwidth and processing power, particularly those that are interactive or video-based. By reducing the data your browser needs to load, AdGuard DNS can dramatically improve your browsing experience.

Unlike browser-based ad-blockers, AdGuard DNS provides network-wide protection. This means it blocks ads and trackers not only in your web browser but also across your entire operating system, installed programs, and mobile apps. This system-level blocking is far more effective than relying solely on browser extensions, which can't intercept ads and trackers operating outside the browser.

AdGuard DNS also enhances your privacy and security. Ads are not just annoying; they can be dangerous, containing trackers, malware, and phishing links. For example, in April 2021, hackers used malicious ads to distribute infected software via fake sites, leading to data theft for many users. By blocking such ads, AdGuard DNS protects you from these threats before they reach your device.

For those seeking even more robust protection, AdGuard DNS offers advanced features like AI-powered malware filtering. This level of protection ensures that even the most sophisticated cyber threats are kept at bay, providing peace of mind in an increasingly vulnerable digital environment. 

In conclusion, AdGuard DNS provides a powerful, comprehensive solution for blocking ads, strengthening privacy, and securing your digital experience. With its current discounted offer, it's an excellent opportunity to protect your online world effectively and affordably.


Read more »
Tracking
Cyber Crime DNS DNS Hacking Network Tracking

Hackers Tracking Victims with DNS Tricks


 


Cybercriminals have adopted a highly intricate technique known as DNS tunnelling to carry out malicious activities such as tracking victims and scanning network vulnerabilities, posing a significant threat to cybersecurity. DNS tunnelling involves the encoding of data or commands within DNS queries, effectively transforming DNS into a covert communication channel, which can be challenging for traditional security measures to detect.

Hackers leverage various encoding methods, such as Base16 or Base64, to conceal their digital footprints within DNS records, including TXT, MX, CNAME, and Address records. This covert communication method allows them to bypass network firewalls and filters, using it for command and control operations and VPN activities, thereby upgrading their ability to evade detection by security tools.

The Palo Alto Networks' Unit 42 security research team has recently exposed two distinct campaigns that exploit DNS tunnelling for malicious purposes. The first campaign, dubbed "TrkCdn," focuses on tracking victim interactions with phishing emails, enabling attackers to evaluate their strategies and confirm the delivery of malicious payloads. Additionally, a similar campaign named "SpamTracker" utilises DNS tunnelling to track the delivery of spam messages, highlighting the versatility of this technique in cybercriminal operations.

Furthermore, the second campaign, identified as "SecShow," employs DNS tunnelling for network scanning purposes. Attackers embed IP addresses and timestamps into DNS queries to map out network layouts and identify potential configuration flaws that can be exploited for infiltration, data theft, or denial-of-service attacks. This demonstrates the advancing tactics of cybercriminals in exploiting DNS tunnelling for a wide range of fraudulent activities. 

DNS tunnelling provides threat actors with several advantages, including bypassing security tools, avoiding detection, and maintaining operational flexibility, making it a preferred method for carrying out cyber-attacks. To alleviate this growing threat, organisations are advised to implement DNS monitoring and analysis tools to detect unusual traffic patterns and peculiarities promptly. Additionally, limiting DNS resolvers to handle only necessary queries can reduce the risk of DNS tunnelling misuse, enhancing overall cybersecurity defences.

The discovery of hackers exploiting DNS tunnelling focuses on the importance of staying careful against the pervasive nature of cyber threats and implementing robust cybersecurity measures to protect against potential attacks. By understanding the risks posed by DNS tunnelling and taking the required steps to mitigate them, organisations can effectively safeguard their networks and data.


Read more »
VPN
Android Flaw Block Chain Cyber Bug Cyber Data Cyberattacks Cybersecurity Data Leaks DNS Mullvad Privacy VPN

Android Flaw Exposes DNS Queries Despite VPN Kill Switch

 


Several months ago, a Mullvad VPN user discovered that Android users have a serious privacy concern when using Mullvad VPN. Even with the Always-On VPN feature activated, which ensures that the VPN connection is always active, and with the "Block connections without VPN" setting active, which acts as a kill switch that ensures that only the VPN is the one that passes network traffic, it has been found that when switching between VPN servers, Android devices leak DNS queries. 

It is important to understand that enabling the "Block Connections Without VPN" option (also known as the kill switch) ensures that all network traffic and connections pass through an always-connected VPN tunnel, preventing prying eyes from tracking all Internet activity by users. During the investigation, Mullvad discovered that even with these features enabled in the latest version of Android (Android 14), a bug still leaks some DNS information. 

As a result, this bug may occur when you use apps that make direct calls to the getaddrinfo C function. The function provides protocol-independent translation from a text hostname to an IP address through the getaddrinfo function. When the VPN is active (and the DNS server is not configured) or when the VPN app re-configures the tunnel, crashes or is forced to stop, Android leaks DNS traffic. 

This leakage behaviour is not observed by apps that are solely based on Android's API, such as DNSResolver, Mullvad clarified. As a result, apps such as Flash Player and Chrome that currently have support for getting address information directly from the OS are susceptible to this issue since they can access the address information directly. This is rather concerning since it goes against what you would expect from the OS, even if security features are enabled. 

Users may want to use caution when using Android devices for sensitive tasks, and may even want to employ additional protective measures until Google addresses this bug and issues a patch that is compatible with both original Android and older versions of Android, in light of the severity of this privacy issue. 

The first DNS leak scenario, which occurs when the user changes the DNS server or switches to a different server, is easily mitigated if the VPN app is set to use a bogus DNS server at the same time. It has also failed to resolve the VPN tunnel reconnect DNS query leak, which is a significant issue for all other Android VPN apps because this issue is likely to affect all other VPN apps as well. 

Mullvad also discovered in October 2022 that, every time an Android device connected to a WiFi network, the device leaked DNS queries (such as IP addresses and DNS lookups), since the device was performing connectivity checks. Even when the "Always-on VPN" feature was enabled with the "Block connections without VPN" option enabled, Android devices still leaked DNS queries.

The leak of DNS traffic can potentially expose users' approximate locations and the online platforms they use as well as their precise locations, posing a serious threat to user privacy. Since this is a serious issue, it may be best to stop using Android devices for sensitive activities or to adapt additional safeguards to mitigate the risk of such leaks until Google fixes the bug and backports the patch to older versions of Android to mitigate the risk.
Read more »
Phishing Attack
Cyber Attacks Cyber Hacking DNS Investment Scam Phishing Attack

Savvy Seahorse: The DNS-based Traffic Distribution System Undermining Cybersecurity

 

In the vast landscape of cyber threats, a new player named Savvy Seahorse has emerged, showcasing a distinctive modus operandi that sets it apart from its counterparts. While the investment scam it orchestrates is unfortunately commonplace, it's the intricate infrastructure supporting it that demands attention. 

Savvy Seahorse employs a sophisticated Traffic Distribution System (TDS), capitalizing on the Domain Name System (DNS) to perpetually alter its malicious domains, making takedowns a formidable challenge. This TDS, as detailed in a recent report by Infoblox, leverages Canonical Name (CNAME) records to maintain a fluid network of thousands of diverse domains. 

Traditionally associated with HTTP-based TDS networks, the use of DNS in this context is a novel approach that poses unique challenges for cybersecurity professionals. Renée Burton, Head of Threat Intelligence at Infoblox, emphasizes that DNS-based TDSs are often overlooked, with a prevailing focus on HTTP-based systems. 

However, Savvy Seahorse has been operational since at least August 2021, operating in the shadows and evading conventional detection methods. The key to Savvy Seahorse's success lies in its exploitation of CNAME records. In the DNS realm, CNAME allows multiple domains to map to a single base (canonical) domain. This seemingly innocuous feature is manipulated by Savvy Seahorse to rapidly scale and relocate its operations. 

When one phishing site is shut down, the threat actor effortlessly shifts to a new one, relying on CNAME as a map to mirror sites. CNAME not only applies to domains but extends to IP addresses. In the event of a hosting infrastructure shutdown, Savvy Seahorse can swiftly redirect its CNAME to a different address, ensuring resilience and evading detection. 

The attacker's ability to advertise any subdomain for a brief period further complicates tracking and takedown efforts. Crucially, CNAME serves as both Savvy Seahorse's strength and vulnerability. While the threat actor has cunningly utilized 30 domain registrars and 21 ISPs to host 4,200 domains, they all trace back to a single base domain: b36cname[.]site. This centralized link becomes Savvy Seahorse's Achilles' heel, presenting a unique opportunity for defenders. 

From a threat intelligence perspective, countering Savvy Seahorse involves a relatively straightforward approach – blocking the one base domain to which the CNAME points. Renée Burton notes that despite the existence of thousands of malicious domains, there's only one malicious CNAME. This single point of failure provides defenders with a potent strategy, allowing them to neutralize the entire threat with one decisive action. 
 
While attackers theoretically have the option to build malicious networks using multiple CNAMEs, Burton highlights a trend among cybercriminals to aggregate towards a smaller set of CNAMEs. This strategic choice, possibly driven by a desire to avoid detection, simplifies the task for defenders, who can focus efforts on a limited number of CNAMEs associated with the threat. 

Savvy Seahorse's exploitation of DNS-based TDS with CNAME records presents a new frontier in cyber threats. The intricate dance between attackers and defenders highlights the importance of understanding and adapting to evolving tactics. As defenders fortify their strategies, the hope is to stay one step ahead of sophisticated threat actors like Savvy Seahorse, ensuring a safer digital landscape for individuals and organizations alike.
Read more »
Punycode
DNS FakeBat malware loader KeePass malware Malware loader MalwareBytes Punycode

Fraudulent KeePass Site Uses Google Ads and Punycode to Transfer Malware


A Google Ads campaign was discovered promoting a phoney KeePass download site that transferred malware by posing as the real KeePass domain using Punycode. 

Google has confirmed to be suffering from an ongoing malvertising campaign which has enabled hackers to take out sponsored ads that appear above search results. In the campaign, Google Ads can also be exploited to display the official KeePass domain in the advertisements (https://www.keepass.info), making it difficult for even the most vigilant and security-conscious consumers to identify the problem. 

Online victims who end up clicking on the malicious links navigate through a series of system-profiling redirections that block bot traffic and sandboxes, as illustrated below. 

Malwarebytes, which identified this campaign points out that using Punycode for cybercrime is nothing new. However, when combined with Google Ads misuse, it may indicate a new, risky pattern in the industry. 

Punycode Trick 

 Punycode is an encoding tactic to represent Unicode characters, that helps translate hostnames in any non-Latin script to ASCII so that the DNS (Domain Name System) can interpret them.

For instance, "München" will be converted to "Mnchen-3ya," "α" becomes "mxa," "правда" will be "80aafi6cg," and "도메인" will become "hq1bm8jm9l."

Actors who threaten to abuse Punycode uses Unicode to add one character to domain names that are identical to those of legitimate websites in order to make them appear slightly different.

These types of attacks are labelled as “homograph attacks.” Malwarebytes discovered that the threat actors were using the Punycode "xn—eepass-vbb.info" to transform to "eepass.info," the project's actual domain, but with a little intonation beneath the character "."

Although it is unlikely that most users who visit the decoy site will notice this little visual flaw, it serves as a clear indication of the approach taken in this situation.

The digitally-signed MSI installation 'KeePass-2.55-Setup.msix' that is downloaded by those who click on any download links featured on the false website includes a PowerShell script related to the FakeBat malware loader.

While Google has taken down the original Punycode advertisement, several other ongoing KeePass ads have also been found in the same malware campaign.

This advertisement leads to a domain named ‘keeqass[.]info,’ which executes the same MSIX file that contains the identical FakeBat PowerShell script to download and install malware on the Windows device, just like the Punycode domain.

Apparently, when executed, the FakeBat PowerShell script downloads a GPG-encrypted RAR archive, decrypts it, and extracts it to the %AppData% folder.

Moreover, in the file analyzed by BleepingComputer, the script launches a file called 'mergecap.exe' from the archive.

According to an Intel471 report from early 2023, FakeBat is a malware loader/dropper connected to malvertising activities from at least November 2022.

While Malwarebytes was unable to identify the final malware payload delivered in the campaign, a Sophos report from July 2023 links FakeBat with infostealers like Redline, Ursniff, and Rhadamathys.  

Read more »
virus
communication Cyber Attacks DNS Informationblox malware RAT Trojan virus

DNS Malware Toolkit Discovered by Infoblox and Urged to be Blocked

 


This week, Infoblox Inc. announced the release of its threat report blog on a remote access Trojan (RAT) toolkit with DNS command and control, which is being used for remote access and data theft. Infoblox provides a cloud-enabled networking and security platform capable of improving performance and protection. 

In the U.S., Europe, South America, and Asia, an anomalous DNS signature had been observed in enterprise networks that were created through the use of the toolkit. Across a wide range of sectors such as technology, healthcare, energy, financial services, and others, these trends were seen. The communications with the Russian controller can be traced to some of these communications. 

A malware program is a software application that infiltrates your computer with the intent of committing malicious acts. Viruses, worms, ransomware, spyware, Trojan horses, Trojan horses, spyware, and keylogging programs, all of which can be classified as malware. There are alarming challenges network and security professionals face daily in the face of malware that is becoming more sophisticated and capable of circumventing traditional defenses. 

By leveraging DNS infrastructure and threat intelligence, Infoblox's Malware Containment and Control solution can help organizations reduce malware risk by employing the most effective mitigation methods. Additionally, it enables leading security technologies to use contextual threat data, indicators of compromise, and other context-sensitive information to automate and accelerate the threat response process. 

Informationblox's Threat Intelligence Group discovered a new toolkit known as "Decoy Dog" that was branded as an attack toolkit. To disrupt this activity, the company collaborates with other security vendors, customers, and government agencies to work together. 

Furthermore, it identifies the attack vector and even secures networks across the globe. A crucial insight is that DNS anomalies that are measured over time proved to be important in detecting and analyzing the RAT, but also enabling the C2 communications to be tracked together despite appearing to be independent on the surface. 

Analyzing threats, identifying them, and mitigating them: 

During the first and second quarters of 2023, Infoblox discovered activity in multiple enterprise networks caused by the remote access Trojan (RAT) Puppy being active in multiple enterprise networks. C2 communication has not been found since April 2022, indicating that this was a one-way communication. 

An indicator of the presence of a RAT can be uncovered by investigating its DNS footprint. It does, however, show some strong outlier behavior when analyzed using a global cloud-based DNS protection system such as Infoblox's BloxOne® Threat Defense, when compared to traditional DNS protection systems. The integration of heterogeneous domains within Infoblox was also made possible by this technology. 

Communication between two C2 systems takes place over DNS and is supported by an open-source RAT known as Puppy. The project is an open-source project but it has always been associated with actors that are acting on behalf of nations despite its open nature. 

The risks associated with a vulnerable DNS can be mitigated by organizations with a protective DNS. There is no need to worry about these suspicious domains because BloxOne Threat Defense protects customers against them. 

In the detection of the RAT, anomalous DNS traffic has been detected on limited networks and devices on the network, like firewalls, but not on devices used by users, like laptops and mobile devices. 

Malware uses DNS to connect to its command and control (C&C) servers to communicate with them. As a result of its ability to contain and control malware, DNS is ideally suited for the task. Infoblox, for example, should focus on DNS as the point of attack from where malware can be injected to contain and control malware. 

It is imperative to highlight that malware prevention solutions are becoming more and more adept at sharing threat data with the broader security ecosystem. This is thanks to APIs, Syslog, and SNMP communication protocols.
Read more »
Malware attacks
cyber threat data security DNS malware Malware attacks

Malware Attacks can be Thwarted by Tampering with DNS Communications


The notion that you can defend yourself against all malware is absurd, especially given that malware is a catch-all term that does not refer to any particular exploit, vector, objective, or methodology. There is no magic solution that will thwart every attack since the variety and breadth of cyber dangers are so great. As a result, it won't be long until your network environment is compromised, putting you in a position where you must make some extremely difficult choices. 

Successful cyberattacks, for instance, in the medical industry have significant legal and reputational ramifications in addition to affecting an organisation's capacity to function. These factors lead to medical business victims paying ransomware demands more frequently than those in any other sector. Healthcare institutions might save an average of $10.1 million per event avoided if they could spot warning signs of issues before they develop into full-blown attacks. 

None of the security solutions can completely stop all threats at the gate; instead, they each focus on a particular subset of malware and/or penetration pathways. Even if they could, the gate is occasionally completely skipped. As demonstrated by the Log4J exploit and the most recent compromise of the well-known Ctx Python package, "trusted" resource libraries hosted on websites like GitHub can be attacked by outside parties and used to disseminate malware payloads to a large number of endpoints without raising any alarm bells right away. 

Threats are present everywhere, not just online. By using the healthcare sector as an example once more, we can illustrate a different attack vector that can bypass all of your perimeter security: physical access. The majority of hospitals, doctors' offices, pharmacies, and other healthcare institutions rely on networked terminals and gadgets that are unintentionally left in locations where patients, visitors, or other unauthorised users can access them. In these circumstances, it makes little difference how well your network is protected from external attacks because a malicious party only needs to insert a USB stick or use a logged-in device to access malware, which compromises the network from within. 

Despite the fact that it may appear hopeless, there is one characteristic that unites the vast majority of malware: a weakness known as the Domain Name System (DNS). In the fight against cyber threats, DNS is a crucial choke point because more than 91% of malware leverages DNS connectivity at some stage in the attack life cycle. 

A malware infection initially seeks to avoid detection when it enters your network. During this period, it leverages the network environment as a reconnaissance phase in an effort to expand to other devices, find important resources, and compromise backup storage. 

This is also the time that the malware has to contact the command-and-control (C2) system of the hackers to get instructions and report the network-related data it has discovered. It must submit a request to a domain name server, like all other Internet traffic, in order to communicate with the outside world. Network administrators can use a protective DNS solution to monitor DNS traffic for signs of malicious behaviour and then take action by blocking, quarantining, or otherwise interfering with it.

Unfortunately, due to the constant development of new threats and the constant possibility of a physically initiated attack, businesses must be ready for the inevitable successful penetration of their networks. The use of DNS communication by malware, however, is nearly inevitable once it has gained access to your network. In order to render the virus inert and enable you to get started on cleaning up your systems and strengthening your defenses for the next time, a defensive DNS solution can identify these unusual requests and completely stop them.
Read more »
User Security
Cyber Security DNS DOH HTTP Internet Users User Privacy User Security

What Exactly is DNS-over-HTTPS and Do you Need to Use it?

 

Traditional Domain Name System (DNS) traffic, such as user requests to visit specific websites, has been largely unencrypted throughout the history of the internet. This means that every party involved in the DNS value chain that your request goes through has the ability to examine your queries and responses, and even change them, whenever you look up a web address in the "internet telephone book." This is altered by DNS encryption, such as DNS over HTTPS (DoH).

Many of the major internet service providers, including Apple, Mozilla, Microsoft, and Google, have integrated encrypted DNS through DoH into their offerings. While Apple implemented DoH with the iOS 14 and macOS 11 updates in the autumn of 2020, Mozilla was an early adopter, integrating it into its browser in the US as early as late 2018. DoH has also been made available on Chrome for Android by Google. 

A global phone directory on the internet 

The Domain Name System (DNS) essentially serves as the internet's version of the phone book. If you think of it a little like this, the operation of DNS will soon become clear. Therefore, the second-level domain (in the case of international.eco.de, this would be.eco.) is the corporate switchboard number, and the top-level domain (the far right part of a web address, like.com,.org, or.info) is the equivalent to the country code or area code. The third level (international) is the particular extension, meanwhile.

It's much simpler to gain a better understanding of how this directory is put together if you keep that in mind as you work. You can also learn how computers locate the websites they want to visit in order to connect you to the website of your choice.

A website or other internet resource that you have typed into your computer or phone will be located by DNS resolvers. The router at your house or place of business, or a public hotspot, is the first DNS resolver to which your device is locally connected.

Following a series of steps, this resolver looks for any preconfigured settings on the device or a history of previous visits to the specified website (called a cache). If this doesn't work, the resolver will pass the DNS request on to the resolver after it, which could be your current internet service provider (ISP). The same steps will be followed by this resolver, and if all else fails, it will look up the domain in the "internet phone book." 

What dangers is DoH shielding users from?

By preventing DNS data manipulation and eavesdropping, one goal in the development of the DoH protocol was to increase user privacy and security. You are shielded from the possibility that a malicious actor could reroute your DNS traffic to another (malicious) location thanks to DNS traffic encryption. Instead of the actual bank website you wanted to visit, it might be a fake one or something similar. 

Man-in-the-Middle (MITM) attacks are the term used to describe this type of cyberattack. The only practical solution at this time is DNS encryption via DoH (or the related DoT protocol). The monetization of DNS data, for example, when it is used for marketing purposes, is another issue that DoH has been able to address. This is a potential and real privacy concern that should be of interest to everyone. 

User safety in public networks 

An analysis of your behaviour and cross-network tracking may be done using the DNS query data from your mobile device when you use a public wireless (Wi-Fi) network in a hotel, coffee shop, or another location. These DNS services are frequently included in an all-inclusive, globally accessible Wi-Fi solution, but they may not be well-suited to abide by local privacy laws.

Additionally, it is possible that the privacy-protecting configurations are not turned on either. Free public Wi-Fi services are also frequently ineffectively managed in terms of security and performance, particularly when they are run or offered by smaller businesses. You could end up exposed to attacks coming from their own networks if this happens. 

The good news is that DoH safeguards users on these open wireless networks because the Wi-Fi network's DNS resolver is avoided. As a result, user tracking and data manipulation at this level are prevented. That ultimately means that DoH provides a chance to safeguard communications in an unreliable setting. It's a fantastic and incredibly useful solution. 

What alters due to DoH? 

Only the transport mechanism by which your device and the resolver communicate changes with the DNS over HTTPS protocol. The well-known HTTPS protocol is used to encrypt both the requests and the responses. DNS requests using DoH currently avoid the local resolver because there aren't many DoH resolvers in use and technical work is still being done to make it possible for DoH resolvers to be "discovered." Instead, they are handled by a third-party DoH service provider that has been recommended by the relevant software maker or developer. The decision to offer their own DoH services is currently being considered by an increasing number of providers. 

DoH in my company's network—do I want it?

DoH is unquestionably a helpful method of self-protection, particularly when using a public hotspot, but it might not be the best choice in environments with trusted network infrastructure. Corporate networks or using internet access services that you get from a reputable ISP are good examples of this.

For instance, your firm may have good cause to forbid an application that deviates from and overrides the system default. Given that the network administrator has no control over it inside the network, this might even be considered potentially harmful. If DoH is implemented at the system level as opposed to the application level, many of the issues with corporate networks vanish. At the system level, for instance, a corporate network administrator can configure the system and create a policy to ensure that the corporate resolver should be used for as long as the device is connected to the corporate network.

However, DoH should be used to increase security and privacy once the device is connected to a public network. These different configurations are, however, avoided if DoH is applied by default at the application level. 

Concerning factors 

Other issues with the use of external DNS resolution through DoH include potential slow response times, circumvention of parental controls, and legally required blocking, among others. However, depending on the situation, many of the DoH's potential drawbacks are balanced out by just as many benefits. 

There is no question that DNS encryption enhances user security and privacy. DoH can offer a simple method for carrying this out. If you choose to activate DoH, you should make sure to research who will be handling the resolution, how they will handle your data, and whether you can easily turn it off when necessary.
Read more »
Privacy
Data protection DNS Fraud Website HTML Mallicious URLs Phishing and Spam Privacy

Data Security can be Enhanced Via Web Scraping

Web information aids security professionals in understanding potential weaknesses in their own systems, threats that might come from outside organizations' networks, and prospective threats that might come via the World Wide Web. 

In reality, automated tests that can find the presence of potential malware, phishing links, various types of fraud, information breaches, and counterfeiting schemes are performed using this database of public Web data.

Web scraping: What is it?

Large volumes of data can be automatically gathered from websites via web scraping. The majority of this data is unstructured and is shown in HTML format, t is transformed into structured data in a spreadsheet or database so that it can be used in a variety of applications.

These include utilizing online services, certain APIs, or even writing one's own code from scratch for web scraping. The company doing the scraping is aware of the sites to visit and the information to be collected. There are APIs on a lot of big websites, including Google, Twitter, Facebook, StackOverflow, etc., which let users access their data in a structured manner. 

How Do Web Scrapers Operate?

Web scrapers have the power to extract all the data from specified websites or the precise data that a user requires. If you wanted to find out what kinds of peelers were available, for instance, you might want to scrape an Amazon page, but you might only need information on the models of the various peelers, not the feedback from customers.

Therefore, the URLs are first provided when a web scraper intends to scrape a website. Then, all of the websites' HTML code is loaded. A more sophisticated scraper might also extract all of the CSS and Javascript parts. The scraper then extracts the necessary data from this HTML code and outputs it in the manner that the user has chosen. The data is typically stored as an Excel spreadsheet or a CSV file, but it is also possible to save it in other formats, such as JSON files.

Cybersecurity Via Web Scraping

1. Monitoring for Potential Attacks on Institutions

Some of the top firms' security teams use open Web data collecting networks to acquire data on potential online threat actors and analyze malware. 

Additionally, they continuously and automatically check the public domain for potentially harmful websites or links using Web scraping techniques. For instance, security teams can instantly recognize several phishing websites that aim to steal important customer or business data like usernames, passwords, or credit card information.

2. Scraping the Web for Cybersecurity 

Web data collecting is used by a variety of cybersecurity companies to evaluate the risk that various domains pose for fraud and viruses. In order to properly assess the risk, cybersecurity firms can utilize this to contact potentially harmful websites as a 'victim' or a legitimate user to see how the website might target an unwary visitor. 

3. Analysis and Reduction of Threats

Public Web data collecting networks are used by threat intelligence companies to get information from a variety of sources, including blogs, public social media channels, and hackers, in order to find fresh information on a range of potential dangers. 

Their insights are based on this Web data collecting, which they subsequently disseminate to a wide range of customers that want to strengthen their own system security.

Despite being utilized often in business, lawful web scraping is still a touchy subject. Where personal information is scraped, this is the most evident. Users of LinkedIn, for instance, are aggressively marketing their personal information since the platform essentially functions as a professional CV showcase. Less desirable is having those details gathered in bulk, compiled, and sold to random people.

An organization's visibility and capacity to respond to online threats across the large online terrain in real-time are both improved by integrating with Web data collecting networks.








Read more »
User Privacy
Chinese Actors CMS CVE vulnerability Cyber Security DNS Sophos User Privacy

Sophos Firewall Zero-Day Flaw Exploited by Hackers

 

Chinese hackers leveraged a zero-day exploit for a vital vulnerability in Sophos Firewall to infiltrate a corporation and gain access to the victim's cloud-hosted web servers. Although the security flaw has been patched, many threat actors have continued to use it to escape authentication and execute arbitrary code remotely on businesses. 

Sophos Firewall's User Portal and Webadmin parts were found to have an authentication bypass vulnerability, which was tagged as CVE-2022-1040 on March 25. 

Researchers from Volexity revealed that Chinese threat actors used the zero-day vulnerability in Sophos Firewall (CVE-2022-1040) to hack a corporation and its cloud-hosted web servers. The threat actor was still operational when Volexity started the study, and the researchers were able to track the attacker's movements, showing a clever adversary who tried to go undiscovered.

According to the researchers, "the attacker was using access to the firewall to conduct man-in-the-middle (MitM) assaults." "Data obtained from these MitM assaults was used by the attacker to target further systems outside of the network where the firewall was located." Following the firewall breach, the infection sequence included backdooring a legitimate component of the security software with the Behinder web shell, which could be accessed remotely from any URL chosen by the threat actor.

Securing web server access 

Apart from the web shell, Volexity discovered further malicious behavior that maintained the threat actor's survival and allowed them to carry on the attack: 
  • The initial phase in the assault is gaining access to the Sophos Firewall, which permits a Man-in-the-Middle (MitM) attack by altering DNS replies for specified websites of the victim companies. 
  • Using stolen session cookies, the attacker gains access to the CMS admin page and then installs a File Manager plugin to manipulate files on the website. 
For a simpler investigation of intrusions, the firm advises using the auditd framework on Unix-based servers. Vendors' devices should also include tools for analyzing potential security flaws. Volexity also made a set of YARA rules accessible that may be used to detect unusual behavior from this form of threat.
Read more »
Russia
Cyber Security CyberWar DDoS DNS domains Internet Runet Russia

Experts Estimated the Probability of Disconnecting Russia From the Internet

 

On 5th March, a telegram signed by Deputy Head of the Ministry of Digital Andrei Chernenko was sent to federal executive authorities and subjects of the Russian Federation with a number of recommendations for the protection of information infrastructure of the country. It does not contain direct instructions on disconnecting Russian users from the global network, but a number of experts saw in it indirect preconditions for the isolation of Runet. 

According to the document, by March 11, state websites and services must switch to using DNS servers located in the Russian Federation; remove from HTML page templates all JavaScript code downloaded from foreign resources (banners, counters, and so on); in case of using foreign hosting, switch to Russian; move to the domain zone.ru; complicate the "password policy". 

The Ministry of Finance stated that the sending of telegrams is connected with cyberattacks on Russian websites from abroad. The proposed "set of the simplest recommendations on cyber hygiene" is designed to ensure the availability of web resources of the Russian Federation. "There are no plans to turn off the Internet from the inside," the ministry assured. 
 
Mikhail Klimarev, executive director of the Internet Protection Society, said that the items listed in the telegram are absolutely banal rules of information security, but they may also indicate the preparation of state agencies for any force majeure. He found it difficult to say why the document appeared only now but suggested that this was due to the ongoing cyberwar between Russia and other states. 

"Anonymous hackers, DDoS attacks, attacks on DNS servers - it's really serious, and the Russian authorities really need to worry about how it should work," Klimarev explained. "There's really nothing to worry about, but it's all terrifying. From the outside, it looks like preparation for a sovereign Runet," he added.  

The norm on DNS servers may also indicate preparation for possible shutdowns of the Runet. However, the main logic of the document works to reduce cyberattacks and switch to local root servers to provide access to sites in the Russian domain zone. 

According to experts, disconnecting Russia from the Internet is extremely dangerous for the state, as it carries unpredictable social and financial consequences. 


Read more »
DNS
Cyber Security Cyberattack DDOS Attacks DNS

Carpet Bombing DDoS Attacks Increased in 2021

 

In a carpet bombing, a DDoS attack targets different IPs of any company in a short span of time, these account for 44% of total attacks that happened last year, but the difference between the first and second half of 2021 is huge. Carpet bombing accounted for 34% of total attacks resolved in Q1 and Q2, however, the attacks increased in the second half accounting for 60% attacks and 56% attacks in Q3 and Q4 respectively. The longest attack recorded 9 days, 22 hours, and 42 minutes, however, these were over within minutes. Around 40% of the attacks were observed by SOC in 2021 in the first quarter of 2021. 

The figures dropped in second and third quarters while rising again in the fourth quarter. "The domain name system (DNS) has long been a popular target for DDoS attacks, both as an amplification vector and as a direct target, as well as for other types of exploits," reports Helpnet Security. Attacks varied in nature compared to the past few years. Single attack vectors account for 54% of attacks in 2021, in comparison to 5% in 2020, representing more activity of attackers. Also, the number of attacks using more than four-vectors also increased, accounting for a record 4% of total attacks, this means when an attacker gets serious, it gets difficult for victims to protect themselves. 

Botnets continue to be the main part in DDoS attacks in 2021, security experts are discovering new botnets and command and control (C2) servers every day. The high-profile botnet in 2021 was Meris, it uses HTTP pipelines to stuff web applications, bombarding websites and apps with large numbers of requests per second. The SOC also observed high-intensity amplification km DDoS attacks, which use familiar vectors like DNS and Remote Desktop Protocol (RDP) and new variants as well. 

The report covers how web apps are vulnerable from different fronts, threats against web services have risen with the increase in usage of web applications, making web apps the top hacking vector in the attacks. "While the vast majority of attacks fell into the 25 gigabits per second (Gbps) and undersize category, and the average attack was just 4.9 Gbps last year, 2021 saw many large-scale attacks as well. The largest measured 1.3 terabits per second (Tbps) and the most intense was 369 million packets per second (Mpps)," reports Helpnet Security.
Read more »
Vulnerability
Cyber Security DNS Linux Kernel Side Channel Attacks Vulnerability

Linux Kernel Detected With New Side-Channel Vulnerability

 

The latest research work published by a group at the University of California, Riverside, demonstrates the existence of formerly unnoticed side channels in Linux kernels that can be used to attack DNS servers. 

As per the researchers, the problem with DNS stems from its design, which never prioritized security and made it incredibly difficult to retrofit robust security features into it. 

Although DNS security capabilities such as DNSSEC and DNS cookies are available, they are not generally used owing to backward compatibility, according to the researchers. However, the only way to make DNS more secured has always been to randomize UDP ports, known as ephemeral ports, intending to make it more difficult for an intruder to find them.

As a consequence, various DNS attacks have been reported in the past, including the recently revealed SAD DNS, a variation of DNS cache poisoning which allows an attacker to insert harmful DNS records into a DNS cache, routing all traffic to their server and then becoming a man-in-the-middle (MITM). Subsequently, a few of the researchers that first reported SAD DNS discovered side-channel vulnerabilities in the Linux kernel that had gone unnoticed for over a decade. 

The study focuses on two forms of ICMP error messages: ICMP fragment required (or ICMP packet too large in IPv6) and ICMP redirect. The Linux kernel analyzes the messages, as demonstrated by the researchers, utilizing shared resources that constitute side channels. 

Essentially, this means that an attacker might send ICMP probes to a certain port. If somehow the targeted port is correct, there will be some modification in the shared resource state which can be detected indirectly, validating the correctness of the estimate. An attack, for example, may reduce a server's MTU, resulting in fragmented future answers. 

According to the investigators, the newly found side channels affect the most popular DNS software, like BIND, Unbound, and dnsmasq operating on top of Linux. An approximate 13.85% of open resolvers are impacted. Furthermore, the researchers demonstrate an end-to-end attack against one of the most recent BIND resolvers and a home router that just takes minutes to complete. 

This unique attack can be avoided by configuring suitable socket options, such as asking the operating system not to accept ICMP frag required messages, which eliminates the side-channel; randomizing the kernel shared caching structure itself, and refusing ICMP redirects. As a result of the revelation of this new vulnerability, the Linux kernel has indeed been fixed to randomize the shared kernel structure for both IPv4 and IPv6.
Read more »
Vulnerabilities and Exploits
Amazon DNS DNSaaS Google Microsoft spying Vulnerabilities and Exploits

New DNS Flaw Enables 'Nation-State Level Spying' on Companies

 

Researchers discovered a new category of DNS vulnerabilities hitting major DNS-as-a-Service (DNSaaS) providers, which may enable attackers to get access to sensitive data of company networks. 

DNSaaS providers (also referred to as managed DNS providers) rent DNS to other businesses who don't want to maintain and protect yet additional network resources on their own. 

These DNS vulnerabilities, as disclosed by cloud security firm Wiz researchers Shir Tamari and Ami Luttwak at the Black Hat security conference, grant threat actors nation-state intelligence harvesting powers with simple domain registration. 

As per the description, they simply created a domain and utilized it to hijack a DNSaaS provider's nameserver (in this instance, Amazon Route 53), permitting them to eavesdrop on dynamic DNS traffic streaming from Route 53 users' networks. 

The Wiz researchers stated, "We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google," 

"The dynamic DNS traffic we 'wiretapped' came from over 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 international government agencies." 

Employee/computer identities and locations and extremely sensitive data about organizations' infrastructure, such as Internet-exposed network equipment, were among the data they acquired this way. 

In one instance, the researchers used network data from 40,000 corporate endpoints to trace the office locations of one of the world's major services companies. The information gathered in this manner would make it much simpler for threat actors to compromise an organization's network since it would offer them a bird's eye perspective of what's going on within corporations and governments and provide them with "nation-state level surveillance capacity." 

The researchers haven't found any indication that the DNS flaw they identified has ever been exploited in the open, but they do warn that anybody with the expertise of the vulnerabilities and the abilities to exploit it might have gathered data undiscovered for over a decade. 

"The impact is huge. Out of six major DNSaaS providers we examined, three were vulnerable to nameserver registration. Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable," they added at Black Hat. 

Patched by some, likely to affect others: 

Although two significant DNS providers (Google and Amazon) have already patched these DNS vulnerabilities, others are still likely prone, potentially exposing millions of devices to attacks. 

Moreover, it is unclear who is responsible for fixing this serious DNS flaw. Microsoft has previously informed Wiz that this is not a vulnerability since it could alter the dynamic DNS mechanism that permits Windows endpoints to leak internal network traffic to rogue DNS servers. 

Microsoft explained, this flaw as "a known misconfiguration that occurs when an organization works with external DNS resolvers." 

To minimize DNS conflicts and network difficulties, Redmond recommends utilizing distinct DNS names and zones for internal and external hosts and provides extensive guidance on how to correctly handle DNS dynamic updates in Windows. 

Maintained DNS providers can mitigate nameserver hijacking by adhering to the RFC's "reserved names" specification and checking and confirming domain ownership and validity before enabling their customers to register them. Companies renting DNS servers can also modify the default Start-of-Authority (SOA) record to stop internal network traffic from leaking via dynamic DNS updates.
Read more »
Subscribe to: Posts (Atom)