
Amazon resolves major AWS outage that disrupted apps, websites, and banks globally

A widespread disruption at Amazon Web Services (AWS) on Monday caused several high-profile apps, websites, and banking platforms to go offline for hours before the issue was finally resolved later in the night. The outage, which affected one of Amazon’s main cloud regions in the United States, drew attention to how heavily the global digital infrastructure depends on a few large cloud service providers.

According to Amazon’s official update, the problem stemmed from a technical fault in its Domain Name System (DNS) — a core internet function that translates website names into numerical addresses that computers can read. When the DNS experiences interruptions, browsers and applications lose their ability to locate and connect with servers, causing widespread loading failures. The company confirmed the issue affected its DynamoDB API endpoint in the US-EAST-1 region, one of its busiest hubs.

The first reports of disruptions appeared around 7:00 a.m. BST on Monday, when users began facing difficulties accessing multiple platforms. As the issue spread, users of services such as Snapchat, Fortnite, and Duolingo were unable to log in or perform basic functions. Several banking websites, including Lloyds and Halifax, also reported temporary connectivity problems.

The outage quickly escalated to a global scale. According to the monitoring website Downdetector, more than 11 million user complaints were recorded throughout the day, an unprecedented figure that reflected the magnitude of the disruption. Early in the incident, Downdetector noted over four million reports from more than 500 affected platforms within just a few hours, which was more than double its usual weekday average.

AWS engineers worked through the day to isolate the source of the issue and restore affected systems. To stabilize its network, Amazon temporarily limited some internal operations to prevent further cascading failures. By 11:00 p.m. BST, the company announced that all services had “returned to normal operations.”

Experts said the incident underlined the vulnerabilities of an increasingly centralized internet. Professor Alan Woodward of the University of Surrey explained that modern online systems are highly interdependent, meaning that an error within one major provider can ripple across numerous unrelated services. “Even small technical mistakes can trigger large-scale failures,” he said, pointing out how human or software missteps in one corner of the infrastructure can have global consequences.

Professor Mike Chapple from the University of Notre Dame compared the recovery process to restoring electricity after a large power outage. He said the system might “flicker” several times as engineers fix underlying causes and bring services gradually back online.

Industry observers say such incidents reflect a growing systemic risk within the cloud computing sector, which is dominated by a handful of major firms; Amazon, Microsoft, and Google together control nearly 70% of the market. Cori Crider, director of the Future of Technology Institute, described the current model as “unsustainable,” warning that heavy reliance on a few global companies poses economic and security risks for nations and organizations alike.

Other experts suggested that responsibility also lies with companies using these services. Ken Birman, a computer science professor at Cornell University, noted that many organizations fail to develop backup mechanisms to keep essential applications online during provider outages. “We already know how to build more resilient systems,” he said. “The challenge is that many businesses still rely entirely on their cloud providers instead of investing in redundancy.”

Although AWS has not released a detailed technical report yet, its preliminary statement confirmed that the outage originated from a DNS-related fault within its DynamoDB service. The incident, though resolved, highlights a growing concern within the cybersecurity community: as dependence on cloud computing deepens, so does the scale of disruption when a single provider experiences a failure.


How to Stay Safe on Public Wi-Fi: Myths, Real Risks, and Smart Habits


Many people view public Wi-Fi as an open invitation for hackers to steal their personal data, but this perception isn’t entirely accurate. While using Wi-Fi in public places such as cafés, airports, or hotels does come with certain cybersecurity risks, the actual danger lies not in the connection itself but in how people use it.

Modern websites and apps typically use encryption protocols like HTTPS, which secure most of your sensitive information, including passwords and messages, making casual data theft far less likely than commonly believed. However, even with HTTPS in place, not all your online activity is invisible. Some data, like the websites you visit, may still be visible through DNS queries. 

Additionally, not every service online uses robust encryption, leaving some room for exposure. These vulnerabilities aren’t as dramatic as horror stories suggest, but they do exist. The greater risk occurs when users unknowingly connect to rogue networks. Cybercriminals often set up fake Wi-Fi hotspots with names that closely mimic those of legitimate businesses, such as a café or airport. Once someone connects to these impostor networks, attackers can monitor traffic, inject malicious content, or trick users into providing login details through fake portals. 

This tactic is especially effective in busy locations where users are in a rush to get online. A study from Statista revealed that about 40% of public Wi-Fi users have faced some form of data breach. These breaches typically occur not because Wi-Fi is inherently unsafe, but because people connect without confirming if the network is authentic. Once connected to a malicious hotspot, attackers can intercept data or even hijack active sessions, impersonating the user without ever needing their password. 

To safely use public Wi-Fi, a few precautions can go a long way. Always verify the network name with staff before connecting, and avoid networks that don’t require passwords unless you are certain of their authenticity. Disable automatic connections and file sharing on your devices when in public spaces. Using a virtual private network (VPN) provides an additional layer of protection by encrypting your data, even if you’ve joined a compromised network. 

However, it’s important to avoid free VPN services, which may compromise your privacy. Reputable providers offer stronger protections and better security practices. Users should also be wary of login portals that ask for more than basic information. Legitimate public Wi-Fi networks usually request a simple access code, such as one printed on a receipt or linked to a hotel room number. Avoid entering personal details like email addresses or credit card numbers unless you’re absolutely certain the network is genuine. 

For sensitive tasks like banking or shopping, it’s best to wait until you’re on a secure, trusted network or switch to mobile data. Keeping your device software up to date is another crucial step. Manufacturers frequently release patches for known vulnerabilities, and delaying updates means exposing yourself to risks that have already been fixed. Make a habit of updating your system before heading out, rather than waiting until you’re already traveling. 

In summary, public Wi-Fi isn’t the threat it’s often made out to be, but carelessness can turn it into one. Most attackers rely on social engineering and users’ haste, not on technical flaws in the network. Taking a few extra seconds to verify the network, using a VPN, and staying alert to suspicious login pages can significantly reduce your risk. Being mindful while connecting can be the difference between staying safe and falling victim to a data breach.

Hackers Use DNS Records to Hide Malware and AI Prompt Injections


Cybercriminals are increasingly leveraging an unexpected and largely unmonitored part of the internet’s infrastructure—the Domain Name System (DNS)—to hide malicious code and exploit security weaknesses. Security researchers at DomainTools have uncovered a campaign in which attackers embedded malware directly into DNS records, a method that helps them avoid traditional detection systems. 

DNS records are typically used to translate website names into IP addresses, allowing users to access websites without memorizing numerical codes. However, they can also include TXT records, which are designed to hold arbitrary text. These records are often used for legitimate purposes, such as domain verification for services like Google Workspace. Unfortunately, they can also be misused to store and distribute malicious scripts. 

In a recent case, attackers converted a binary file of the Joke Screenmate malware into hexadecimal code and split it into hundreds of fragments. These fragments were stored across multiple subdomains of a single domain, with each piece placed inside a TXT record. Once an attacker gains access to a system, they can quietly retrieve these fragments through DNS queries, reconstruct the binary, and deploy the malware. Since DNS traffic often escapes close scrutiny—especially when encrypted via DNS over HTTPS (DoH) or DNS over TLS (DoT)—this method is particularly stealthy.

Ian Campbell, a senior security engineer at DomainTools, noted that even companies with their own internal DNS resolvers often struggle to distinguish between normal and suspicious DNS requests. The rise of encrypted DNS traffic only makes it harder to detect such activity, as the actual content of DNS queries remains hidden from most monitoring tools. This isn’t a new tactic. Security researchers have observed similar methods in the past, including the use of DNS records to host PowerShell scripts. 
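One concrete check an internal resolver team can run for the fragment-staging pattern described above, as an added example (not DomainTools' tooling): it scans constructed resolver log lines and flags any domain under which many distinct subdomains answered TXT queries with long hex-only strings. The log format, the thresholds, the placeholder domain `staging.test` and the last-two-labels parent-domain guess are all assumptions of the example.

```python
import re
from collections import defaultdict

# A TXT answer made only of hex digits and at least this long is treated as a
# candidate binary fragment; both thresholds are assumptions for this example.
HEX_BLOB = re.compile(r"^[0-9a-fA-F]{32,}$")
MIN_HEX_SUBDOMAINS = 5   # distinct names under one domain before it is flagged


def parse_line(line):
    """Parse one constructed log line: '<client> <qname> <qtype> <rdata>'."""
    client, qname, qtype, rdata = line.split(maxsplit=3)
    return client, qname.rstrip(".").lower(), qtype.upper(), rdata.strip()


def parent_domain(qname):
    """Crude registrable-domain guess: the last two labels (no public suffix
    list, so multi-label suffixes such as co.uk are not handled here)."""
    return ".".join(qname.split(".")[-2:])


def hex_txt_answers(lines):
    """Yield (qname, rdata) for every TXT answer that looks like a hex blob."""
    for line in lines:
        if not line.strip():
            continue
        _client, qname, qtype, rdata = parse_line(line)
        if qtype == "TXT" and HEX_BLOB.match(rdata):
            yield qname, rdata


def find_staging_domains(lines, min_subdomains=MIN_HEX_SUBDOMAINS):
    """Return {parent: sorted subdomains} for parents whose hex-blob TXT
    answers came from at least min_subdomains distinct names."""
    hex_names = defaultdict(set)
    for qname, _rdata in hex_txt_answers(lines):
        hex_names[parent_domain(qname)].add(qname)
    return {parent: sorted(names) for parent, names in hex_names.items()
            if len(names) >= min_subdomains}


def staged_bytes(lines, parent):
    """Bytes of hex payload observed under one parent, for triage
    (each pair of hex digits encodes one byte)."""
    return sum(len(rdata) // 2 for qname, rdata in hex_txt_answers(lines)
               if parent_domain(qname) == parent)


# Constructed sample resolver log: routine TXT lookups, one legitimate
# hex-only verification token (a single name, so below threshold), and one
# host fetching six fragments from six subdomains of a placeholder domain.
FRAGMENTS = [("%02x" % (0x10 + i)) * 24 for i in range(6)]   # 48 hex chars each
SAMPLE_LOG = [
    "10.0.0.5 _dmarc.example.com TXT v=DMARC1;p=reject",
    "10.0.0.5 example.com TXT v=spf1 include:_spf.example.com -all",
    "10.0.0.5 verify.example.com TXT 0123456789abcdef0123456789abcdef",
] + [f"10.0.0.7 s{i}.staging.test TXT {frag}" for i, frag in enumerate(FRAGMENTS)]

if __name__ == "__main__":
    for parent, names in find_staging_domains(SAMPLE_LOG).items():
        print(f"{parent}: {len(names)} subdomains served hex TXT answers, "
              f"{staged_bytes(SAMPLE_LOG, parent)} bytes staged")
```

A single hex-only TXT value is normal (verification tokens look like that); the signal is the fan-out across many sibling names, which is why the check counts distinct subdomains per parent rather than individual answers.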

However, the specific use of hexadecimal-encoded binaries in TXT records, as described in DomainTools’ latest findings, adds a new layer of sophistication. Beyond malware, the research also revealed that TXT records are being used to launch prompt injection attacks against AI chatbots. These injections involve embedding deceptive or malicious prompts into files or documents processed by AI models. 

In one instance, TXT records were found to contain commands instructing a chatbot to delete its training data, return nonsensical information, or ignore future instructions entirely. This discovery highlights how the DNS system—an essential but often overlooked component of the internet—can be weaponized in creative and potentially damaging ways. 

As encryption becomes more widespread, organizations need to enhance their DNS monitoring capabilities and adopt more robust defensive strategies to close this blind spot before it’s further exploited.

NPM Developers Targeted: Fake Packages Secretly Collecting Personal Data

Security experts are warning people who use NPM — a platform where developers share code — to be careful after finding several fake software packages that secretly collect information from users' computers.

The cybersecurity company Socket found around 60 harmful packages uploaded to NPM starting mid-May. These were posted by three different accounts and looked like normal software, but once someone installed them, a hidden process ran automatically. This process collected private details such as the device name, internal IP address, the folder the user was working in, and even usernames and DNS settings. All of this was sent to attackers without the user knowing.

The script also checked whether it was running in a cloud service or a testing environment. This is likely how the attackers tried to avoid being caught by security tools.

Luckily, these packages didn’t install extra malware or try to take full control of users’ systems. There was no sign that they stayed active on the system after installation or tried to gain more access.

Still, these fake packages are dangerous. The attackers used a trick known as "typosquatting" — creating names that are nearly identical to real packages. For example, names like “react-xterm2” or “flipper-plugins” were designed to fool people who might type quickly and not notice the slight changes. The attackers appeared to be targeting software development pipelines used to build and test code automatically.

Before they were taken down, these fake packages were downloaded nearly 3,000 times.
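Two lightweight checks that follow from the behaviour described above, as an added example (not Socket's tooling): dependency names that sit within a couple of edits of a package you actually use, and packages whose package.json declares install-time lifecycle scripts, which is where a hidden process would run automatically on install. The allow-list, the manifests and the near-miss names below are constructed for the example.

```python
import json

# Constructed allow-list of packages the team really depends on; in practice
# build it from your own lock files or a private registry.
KNOWN_PACKAGES = {"react", "express", "lodash", "axios"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def edit_distance(a, b):
    """Levenshtein distance between two short package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(dep_names, known=KNOWN_PACKAGES, max_dist=2):
    """Map each dependency that is within max_dist edits of a known package,
    but is not that package, to the known names it resembles."""
    hits = {}
    for name in dep_names:
        if name in known:
            continue
        close = sorted(k for k in known if edit_distance(name, k) <= max_dist)
        if close:
            hits[name] = close
    return hits


def install_hook_packages(manifest_texts):
    """From package.json contents, return {name: [hooks]} for packages that
    declare lifecycle scripts which npm runs automatically at install time."""
    flagged = {}
    for text in manifest_texts:
        manifest = json.loads(text)
        hooks = [h for h in INSTALL_HOOKS if h in manifest.get("scripts", {})]
        if hooks:
            flagged[manifest["name"]] = hooks
    return flagged


# Constructed manifests: one ordinary package and one near-miss name that
# runs a script on install.
MANIFESTS = [
    json.dumps({"name": "lodash", "version": "1.0.0",
                "scripts": {"test": "mocha"}}),
    json.dumps({"name": "expresss", "version": "1.0.0",
                "scripts": {"postinstall": "node setup.js"}}),
]

if __name__ == "__main__":
    deps = ["react", "expresss", "lodahs", "my-internal-lib"]
    print("near-miss names:", typosquat_candidates(deps))
    print("install hooks:", install_hook_packages(MANIFESTS))
```

Neither check proves malice on its own; a near-miss name that also carries an install hook is the combination worth reviewing before the package reaches a build pipeline.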

In a separate discovery, Socket also found eight other harmful packages on NPM. These had been around for about two years and had been downloaded over 6,000 times. Unlike the first group, these could actually damage systems by deleting or corrupting data.

If you've used any unfamiliar packages recently, remove them immediately. Run a full security scan, change your passwords, and enable two-factor authentication wherever possible.

This incident shows how hackers are now using platforms like NPM to reach developers directly. It’s important to double-check any code you install, especially if it’s from a source you don’t fully recognize.


Türkiye-Linked Hackers Exploit Zero-Day in Messaging App to Target Kurdish Military


A Türkiye-aligned cyberespionage group, Marbled Dust, has exploited a previously unknown zero-day vulnerability to launch attacks on users of Output Messenger — specifically those associated with the Kurdish military in Iraq, according to a report from Microsoft Threat Intelligence.

The uncovered flaw, now identified as CVE-2025-27920, is a directory traversal vulnerability in the LAN-based Output Messenger application. It enables authenticated users to break out of intended directories, granting access to sensitive system files or allowing the deployment of malicious payloads to the server’s startup folder.

"Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution," Srimax, the app's developer, stated in a security advisory released in December.

The vulnerability was patched in Output Messenger V2.0.63, but attackers exploited it before updates were applied. Microsoft attributes the campaign to a group tracked as Sea Turtle, SILICON, and UNC1326, known collectively as Marbled Dust.

After infiltrating the Output Messenger Server Manager, attackers installed malware that allowed them to monitor communications, impersonate users, and disrupt internal systems.

"While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity," Microsoft explained.

Following initial compromise, a backdoor named OMServerService.exe was deployed to establish communication with an attacker-controlled command-and-control server (api.wordinfos[.]com). This enabled the group to gather victim-specific data.

In one example, an Output Messenger client connected to an IP tied to Marbled Dust, likely initiating data exfiltration. Shortly after, the system began collecting files and compressing them into a RAR archive for extraction.

Marbled Dust has a history of targeting Europe and the Middle East, especially telecom, IT firms, and government entities critical of the Turkish regime. The group is known to exploit internet-facing vulnerabilities and compromise DNS registries to carry out man-in-the-middle (MitM) attacks.

"This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach," Microsoft noted. "The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust's targeting priorities have escalated or that their operational goals have become more urgent."

In recent years, Marbled Dust has been connected to espionage campaigns in the Netherlands, with a focus on ISPs, telecommunication provi

NSA Warns of Fast Flux DNS Evasion Employed by Cybercrime Outfits


The FBI, the Cybersecurity and Infrastructure Security Agency, and a group of international partners have warned that cyber threat groups are utilising a technique known as "fast flux" to conceal the whereabouts of malicious servers, which poses a substantial threat to national security. 

Authorities have warned that both criminal and state-linked threat outfits have exploited Domain Name System records that change frequently to obscure the locations of these servers. They can also build extremely resilient command and control (C2) infrastructure to mask their malicious activities, particularly when dealing with botnets. 

Security officials also stated that fast flux techniques are utilised not only for C2 communications, but also in phishing attempts to prevent social engineering websites from being blacklisted or taken down. 

Authorities did not directly identify any threat actors currently employing the approach or indicate whether a campaign utilising fast flux is underway. They did, however, make reference to earlier activities, pointing out that fast flux was utilised in ransomware attacks connected to Hive and Nefilim. The advisory further claims that Gamaredon, a threat actor supported by Russia, has concealed threat activity using fast flux. 

According to Andy Piazza, senior director of threat intelligence at Unit 42 of Palo Alto Networks, fast flux is a tactic used by attackers to put a financial burden on security operations teams by making it extremely expensive and challenging to identify ongoing threat activities.

Piazza stated that Trident Ursa employed fast flux during the early stages of Russia's invasion of Ukraine. According to Piazza, fast flux enables an adversary to quickly modify their infrastructure by changing hundreds of domains per minute. 

The advisory notes that there are two variations of the method, known as single flux and double flux. In single flux, a single domain name is mapped to many IP addresses that are rotated rapidly. Double flux also rotates the DNS name servers that answer for the domain, not just the addresses behind the domain name. 

Prevention tips

Authorities recommended a number of actions to recognise and mitigate the activity: 

  • Configure anomaly detection systems for DNS query logs. 
  • Employ threat intelligence feeds to detect known fast flux domains and associated IP addresses. 
  • Increase the logging and monitoring of DNS traffic. 
  • Consider sinkholing a hostile domain.
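The first and third recommendations above, turned into a concrete check as an added example (not the advisory's code): over constructed resolver log lines it looks for the two signatures the article describes, a name whose A answers churn across many addresses with very short TTLs (single flux) and the same churn in the A answers of the domain's own name servers (double flux). The log format, the thresholds, the placeholder domains under `.test` and `.example` and the last-two-labels parent-domain guess are assumptions of the example.

```python
from collections import defaultdict

# Heuristic thresholds, assumed for this example rather than taken from the advisory.
MIN_DISTINCT_IPS = 5      # distinct A answers for one name within the log window
MAX_TTL = 300             # seconds; flux domains keep TTLs very short
MIN_DISTINCT_NS_IPS = 3   # distinct A answers for a domain's own name servers


def parse_line(line):
    """Parse one constructed log line: '<epoch> <qname> <qtype> <ttl> <rdata>'."""
    ts, qname, qtype, ttl, rdata = line.split()
    return (int(ts), qname.rstrip(".").lower(), qtype.upper(), int(ttl),
            rdata.rstrip(".").lower())


def parent_domain(qname):
    """Crude registrable-domain guess: the last two labels (no public suffix list)."""
    return ".".join(qname.split(".")[-2:])


def classify_flux(lines):
    """Return {qname: 'single' | 'double'}. Single flux: one name resolving to
    many short-lived addresses. Double flux: the same, and the name servers
    for its domain also resolve to many short-lived addresses."""
    a_ips, min_ttl, ns_hosts = defaultdict(set), {}, defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _ts, qname, qtype, ttl, rdata = parse_line(line)
        if qtype == "A":
            a_ips[qname].add(rdata)
            min_ttl[qname] = min(ttl, min_ttl.get(qname, ttl))
        elif qtype == "NS":
            ns_hosts[qname].add(rdata)

    def churns(name, min_ips):
        # Many distinct addresses AND a short TTL; a CDN with long TTLs does not match.
        return (len(a_ips.get(name, ())) >= min_ips
                and min_ttl.get(name, MAX_TTL + 1) <= MAX_TTL)

    verdicts = {}
    for name in list(a_ips):
        if not churns(name, MIN_DISTINCT_IPS):
            continue
        ns_churn = any(churns(ns, MIN_DISTINCT_NS_IPS)
                       for ns in ns_hosts.get(parent_domain(name), ()))
        verdicts[name] = "double" if ns_churn else "single"
    return verdicts


# Constructed sample log (RFC 5737 documentation addresses): a stable host,
# a single-flux name behind a conventional hoster, and a double-flux name
# whose name server churns as well.
T0 = 1700000000
SAMPLE_LOG = (
    [f"{T0 + 600 * i} www.shop.example A 3600 203.0.113.10" for i in range(6)]
    + [f"{T0 + 60 * i} www.phish.test A 60 198.51.100.{i + 1}" for i in range(6)]
    + [f"{T0} phish.test NS 86400 ns.hoster.example",
       f"{T0} ns.hoster.example A 86400 203.0.113.50"]
    + [f"{T0 + 60 * i} www.flux.test A 60 192.0.2.{10 + i}" for i in range(6)]
    + [f"{T0} flux.test NS 300 ns1.flux.test"]
    + [f"{T0 + 60 * i} ns1.flux.test A 60 192.0.2.{100 + i}" for i in range(4)]
)

if __name__ == "__main__":
    for name, kind in classify_flux(SAMPLE_LOG).items():
        print(f"{name}: {kind} flux")
```

Hits from a check like this are candidates for the advisory's other steps: compare them against a fast-flux threat feed before deciding whether to sinkhole.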

CrossBarking Exploit in Opera Browser Exposes Users to Extensive Risks


A new browser vulnerability called CrossBarking has been identified, affecting Opera users through “private” APIs that were meant only for select trusted sites. Browser APIs bridge websites with functionalities like storage, performance, and geolocation to enhance user experience. Most APIs are widely accessible and reviewed, but private ones are reserved for preferred applications. Researchers at Guardio found that these Opera-specific APIs were vulnerable to exploitation, especially if a malicious Chrome extension gained access. Guardio’s demonstration showed that once a hacker gained access to these private APIs through a Chrome extension — easily installable by Opera users — they could run powerful scripts in a user’s browser context. The malicious extension was initially disguised as a harmless tool, adding pictures of puppies to web pages. 

However, it also contained scripts capable of extensive interference with Opera settings. Guardio used this approach to hijack the settingsPrivate API, which allowed them to reroute a victim’s DNS settings through a malicious server, providing the attacker with extensive visibility into the user’s browsing activities. With control over the DNS settings, they could manipulate browser content and even redirect users to phishing pages, making the potential for misuse significant. Guardio emphasized that getting malicious extensions through Chrome’s review process is relatively easier than with Opera’s, which undergoes a more intensive manual review. 

The researchers, therefore, leveraged Chrome’s automated, less stringent review process to create a proof-of-concept attack on Opera users. CrossBarking’s implications go beyond Opera, underscoring the complex relationship between browser functionality and security. Opera took steps to mitigate this vulnerability by blocking scripts from running on private domains, a strategy that Chrome itself uses. However, they have retained the private APIs, acknowledging that managing security with third-party apps and maintaining functionality is a delicate balance. 

Opera’s decision to address the CrossBarking vulnerability by restricting script access to domains with private API access offers a practical, though partial, solution. This approach minimizes the risk of malicious code running within these domains, but it does not fully eliminate potential exposure. Guardio’s research emphasizes the need for Opera, and similar browsers, to reevaluate their approach to third-party extension compatibility and the risks associated with cross-browser API permissions.


This vulnerability also underscores a broader industry challenge: balancing user functionality with security. While private APIs are integral to offering customized features, they open potential entry points for attackers when not adequately protected. Opera’s reliance on responsible disclosure practices with cybersecurity firms is a step forward. However, ongoing vigilance and a proactive stance toward enhancing browser security are essential as threats continue to evolve, particularly in a landscape where third-party extensions can easily be overlooked as potential risks.


In response, Opera has collaborated closely with researchers and relies on responsible vulnerability disclosures from third-party security firms like Guardio to address any potential risks preemptively. Security professionals highlight that browser developers should consider the full ecosystem, assessing how interactions across apps and extensions might introduce vulnerabilities.

New Coalition to Take Down Online Scams, Led by Google

As cybercrime continues to cost the world economy billions annually, a robust new coalition launched by Google, the DNS Research Federation, and the Global Anti-Scam Alliance (GASA) is working to disrupt online scammers at a global level. By all accounts, this partnership constitutes a "game changer." The United Coalition focuses on revealing and thwarting fraudulent activity online.

Online Scam Fighting via the Global Signal Exchange

The coalition will be launching a data platform called Global Signal Exchange, which will continuously scan the open internet for signs of fraudulent activity and issue alerts. The platform builds on the DNS Research Federation's DAP.live, an aggregation platform that consolidates feeds from over 100 sources to spot potential scams. Google enhances these efforts by contributing relevant feeds, which should provide an even more comprehensive view of online fraud as it begins to take shape.

A Growing Threat in the Digital Age

Scams are becoming increasingly sophisticated: an estimated $8.6 billion is lost worldwide to such scams each year, and few cases end in convictions. In the UK alone, each person is targeted nearly 240 times a year by scammers, via emails or texts impersonating legitimate businesses or agencies and asking for personal information such as bank or credit card details.

Britain estimates the average loss per person due to scams is £1,169. Overall, 11% of adults admit that they have fallen for online fraud. More alarming is the loss among older adults: people aged 55 and above lose an average of £2,151, those between 36 and 54 lose about £1,270, and those under 35 lose about £851.

The Call for International Cooperation

Another challenge in combating online scams is that many of the criminal organisations behind them operate from abroad, often from countries such as Russia and North Korea. This international nature makes it even more difficult for local authorities to monitor and legally prosecute them. The coalition aims to close this gap by sharing scam information in real time, creating a chance to respond quickly to newly emerging threats. This collaborative approach is crucial because cybercriminals operate in groups and move fast, which has made it very hard for any single organisation to fight scams alone.

"Scammers collaborate, they pool and they act fast. The days when individual brands could combat cybercrime on their own are gone. Global Signal Exchange ushers in a new chapter in the battle against cybercrime, and Google's partnership promises to be the game-changer," said Emily Taylor, Chief Executive of DNS Research Federation.

Scammers Use All Too Familiar Brand Names Trapping Victims

The research carried out by the coalition indicates that fraudsters impersonate well-known brands to reach victims. Some of the brands most commonly used in scams at present are: home delivery and courier services; financial services, including banks, insurance, and loan companies; companies in the Technology, Media, and Telecoms sector; many public sector organisations, including HMRC and local councils; and, in a few instances, prominent charities.

According to DNS Research Federation, the volume of scams peaks each year in November, during the Black Friday promotions and the associated online shopping. Much of this activity is driven by the heightened online activity at that time, so proper defences are essential when activity reaches such peak levels.

An alliance to protect consumers around the world

The Global Anti-Scam Alliance was established in 2021 to create a network of businesses that stand together to protect consumers online from fraud. GASA, in partnership with Google and the DNS Research Federation, will decrease the profitability of scams in order to make them less appealing to cybercriminals.

As cyber threats continue to grow and intensify, this alliance is set to become a critical element in protecting users internationally. The Global Signal Exchange represents a major step forward in anti-scam efforts, promising that consumers will be better protected from online fraud and better able to navigate an increasingly complex digital environment securely.