Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label DNS. Show all posts

Savvy Seahorse: The DNS-based Traffic Distribution System Undermining Cybersecurity

 

In the vast landscape of cyber threats, a new player named Savvy Seahorse has emerged, showcasing a distinctive modus operandi that sets it apart from its counterparts. While the investment scam it orchestrates is unfortunately commonplace, it's the intricate infrastructure supporting it that demands attention. 

Savvy Seahorse employs a sophisticated Traffic Distribution System (TDS), capitalizing on the Domain Name System (DNS) to perpetually alter its malicious domains, making takedowns a formidable challenge. This TDS, as detailed in a recent report by Infoblox, leverages Canonical Name (CNAME) records to maintain a fluid network of thousands of diverse domains. 

Traditionally associated with HTTP-based TDS networks, the use of DNS in this context is a novel approach that poses unique challenges for cybersecurity professionals. Renée Burton, Head of Threat Intelligence at Infoblox, emphasizes that DNS-based TDSs are often overlooked, with a prevailing focus on HTTP-based systems. 

However, Savvy Seahorse has been operational since at least August 2021, operating in the shadows and evading conventional detection methods. The key to Savvy Seahorse's success lies in its exploitation of CNAME records. In the DNS realm, CNAME allows multiple domains to map to a single base (canonical) domain. This seemingly innocuous feature is manipulated by Savvy Seahorse to rapidly scale and relocate its operations. 

When one phishing site is shut down, the threat actor effortlessly shifts to a new one, relying on CNAME as a map to mirror sites. CNAME not only applies to domains but extends to IP addresses. In the event of a hosting infrastructure shutdown, Savvy Seahorse can swiftly redirect its CNAME to a different address, ensuring resilience and evading detection. 

The attacker's ability to advertise any subdomain for a brief period further complicates tracking and takedown efforts. Crucially, CNAME serves as both Savvy Seahorse's strength and vulnerability. While the threat actor has cunningly utilized 30 domain registrars and 21 ISPs to host 4,200 domains, they all trace back to a single base domain: b36cname[.]site. This centralized link becomes Savvy Seahorse's Achilles' heel, presenting a unique opportunity for defenders. 

From a threat intelligence perspective, countering Savvy Seahorse involves a relatively straightforward approach – blocking the one base domain to which the CNAME points. Renée Burton notes that despite the existence of thousands of malicious domains, there's only one malicious CNAME. This single point of failure provides defenders with a potent strategy, allowing them to neutralize the entire threat with one decisive action. 
 
While attackers theoretically have the option to build malicious networks using multiple CNAMEs, Burton highlights a trend among cybercriminals to aggregate towards a smaller set of CNAMEs. This strategic choice, possibly driven by a desire to avoid detection, simplifies the task for defenders, who can focus efforts on a limited number of CNAMEs associated with the threat. 

Savvy Seahorse's exploitation of DNS-based TDS with CNAME records presents a new frontier in cyber threats. The intricate dance between attackers and defenders highlights the importance of understanding and adapting to evolving tactics. As defenders fortify their strategies, the hope is to stay one step ahead of sophisticated threat actors like Savvy Seahorse, ensuring a safer digital landscape for individuals and organizations alike.

Fraudulent KeePass Site Uses Google Ads and Punycode to Transfer Malware


A Google Ads campaign was discovered promoting a phoney KeePass download site that transferred malware by posing as the real KeePass domain using Punycode. 

Google has confirmed to be suffering from an ongoing malvertising campaign which has enabled hackers to take out sponsored ads that appear above search results. In the campaign, Google Ads can also be exploited to display the official KeePass domain in the advertisements (https://www.keepass.info), making it difficult for even the most vigilant and security-conscious consumers to identify the problem. 

Online victims who end up clicking on the malicious links navigate through a series of system-profiling redirections that block bot traffic and sandboxes, as illustrated below. 

Malwarebytes, which identified this campaign points out that using Punycode for cybercrime is nothing new. However, when combined with Google Ads misuse, it may indicate a new, risky pattern in the industry. 

Punycode Trick 

 Punycode is an encoding tactic to represent Unicode characters, that helps translate hostnames in any non-Latin script to ASCII so that the DNS (Domain Name System) can interpret them.

For instance, "München" will be converted to "Mnchen-3ya," "α" becomes "mxa," "правда" will be "80aafi6cg," and "도메인" will become "hq1bm8jm9l."

Actors who threaten to abuse Punycode uses Unicode to add one character to domain names that are identical to those of legitimate websites in order to make them appear slightly different.

These types of attacks are labelled as “homograph attacks.” Malwarebytes discovered that the threat actors were using the Punycode "xn—eepass-vbb.info" to transform to "eepass.info," the project's actual domain, but with a little intonation beneath the character "."

Although it is unlikely that most users who visit the decoy site will notice this little visual flaw, it serves as a clear indication of the approach taken in this situation.

The digitally-signed MSI installation 'KeePass-2.55-Setup.msix' that is downloaded by those who click on any download links featured on the false website includes a PowerShell script related to the FakeBat malware loader.

While Google has taken down the original Punycode advertisement, several other ongoing KeePass ads have also been found in the same malware campaign.

This advertisement leads to a domain named ‘keeqass[.]info,’ which executes the same MSIX file that contains the identical FakeBat PowerShell script to download and install malware on the Windows device, just like the Punycode domain.

Apparently, when executed, the FakeBat PowerShell script downloads a GPG-encrypted RAR archive, decrypts it, and extracts it to the %AppData% folder.

Moreover, in the file analyzed by BleepingComputer, the script launches a file called 'mergecap.exe' from the archive.

According to an Intel471 report from early 2023, FakeBat is a malware loader/dropper connected to malvertising activities from at least November 2022.

While Malwarebytes was unable to identify the final malware payload delivered in the campaign, a Sophos report from July 2023 links FakeBat with infostealers like Redline, Ursniff, and Rhadamathys.  

DNS Malware Toolkit Discovered by Infoblox and Urged to be Blocked

 


This week, Infoblox Inc. announced the release of its threat report blog on a remote access Trojan (RAT) toolkit with DNS command and control, which is being used for remote access and data theft. Infoblox provides a cloud-enabled networking and security platform capable of improving performance and protection. 

In the U.S., Europe, South America, and Asia, an anomalous DNS signature had been observed in enterprise networks that were created through the use of the toolkit. Across a wide range of sectors such as technology, healthcare, energy, financial services, and others, these trends were seen. The communications with the Russian controller can be traced to some of these communications. 

A malware program is a software application that infiltrates your computer with the intent of committing malicious acts. Viruses, worms, ransomware, spyware, Trojan horses, Trojan horses, spyware, and keylogging programs, all of which can be classified as malware. There are alarming challenges network and security professionals face daily in the face of malware that is becoming more sophisticated and capable of circumventing traditional defenses. 

By leveraging DNS infrastructure and threat intelligence, Infoblox's Malware Containment and Control solution can help organizations reduce malware risk by employing the most effective mitigation methods. Additionally, it enables leading security technologies to use contextual threat data, indicators of compromise, and other context-sensitive information to automate and accelerate the threat response process. 

Informationblox's Threat Intelligence Group discovered a new toolkit known as "Decoy Dog" that was branded as an attack toolkit. To disrupt this activity, the company collaborates with other security vendors, customers, and government agencies to work together. 

Furthermore, it identifies the attack vector and even secures networks across the globe. A crucial insight is that DNS anomalies that are measured over time proved to be important in detecting and analyzing the RAT, but also enabling the C2 communications to be tracked together despite appearing to be independent on the surface. 

Analyzing threats, identifying them, and mitigating them: 

During the first and second quarters of 2023, Infoblox discovered activity in multiple enterprise networks caused by the remote access Trojan (RAT) Puppy being active in multiple enterprise networks. C2 communication has not been found since April 2022, indicating that this was a one-way communication. 

An indicator of the presence of a RAT can be uncovered by investigating its DNS footprint. It does, however, show some strong outlier behavior when analyzed using a global cloud-based DNS protection system such as Infoblox's BloxOne® Threat Defense, when compared to traditional DNS protection systems. The integration of heterogeneous domains within Infoblox was also made possible by this technology. 

Communication between two C2 systems takes place over DNS and is supported by an open-source RAT known as Puppy. The project is an open-source project but it has always been associated with actors that are acting on behalf of nations despite its open nature. 

The risks associated with a vulnerable DNS can be mitigated by organizations with a protective DNS. There is no need to worry about these suspicious domains because BloxOne Threat Defense protects customers against them. 

In the detection of the RAT, anomalous DNS traffic has been detected on limited networks and devices on the network, like firewalls, but not on devices used by users, like laptops and mobile devices. 

Malware uses DNS to connect to its command and control (C&C) servers to communicate with them. As a result of its ability to contain and control malware, DNS is ideally suited for the task. Infoblox, for example, should focus on DNS as the point of attack from where malware can be injected to contain and control malware. 

It is imperative to highlight that malware prevention solutions are becoming more and more adept at sharing threat data with the broader security ecosystem. This is thanks to APIs, Syslog, and SNMP communication protocols.

Malware Attacks can be Thwarted by Tampering with DNS Communications


The notion that you can defend yourself against all malware is absurd, especially given that malware is a catch-all term that does not refer to any particular exploit, vector, objective, or methodology. There is no magic solution that will thwart every attack since the variety and breadth of cyber dangers are so great. As a result, it won't be long until your network environment is compromised, putting you in a position where you must make some extremely difficult choices. 

Successful cyberattacks, for instance, in the medical industry have significant legal and reputational ramifications in addition to affecting an organisation's capacity to function. These factors lead to medical business victims paying ransomware demands more frequently than those in any other sector. Healthcare institutions might save an average of $10.1 million per event avoided if they could spot warning signs of issues before they develop into full-blown attacks. 

None of the security solutions can completely stop all threats at the gate; instead, they each focus on a particular subset of malware and/or penetration pathways. Even if they could, the gate is occasionally completely skipped. As demonstrated by the Log4J exploit and the most recent compromise of the well-known Ctx Python package, "trusted" resource libraries hosted on websites like GitHub can be attacked by outside parties and used to disseminate malware payloads to a large number of endpoints without raising any alarm bells right away. 

Threats are present everywhere, not just online. By using the healthcare sector as an example once more, we can illustrate a different attack vector that can bypass all of your perimeter security: physical access. The majority of hospitals, doctors' offices, pharmacies, and other healthcare institutions rely on networked terminals and gadgets that are unintentionally left in locations where patients, visitors, or other unauthorised users can access them. In these circumstances, it makes little difference how well your network is protected from external attacks because a malicious party only needs to insert a USB stick or use a logged-in device to access malware, which compromises the network from within. 

Despite the fact that it may appear hopeless, there is one characteristic that unites the vast majority of malware: a weakness known as the Domain Name System (DNS). In the fight against cyber threats, DNS is a crucial choke point because more than 91% of malware leverages DNS connectivity at some stage in the attack life cycle. 

A malware infection initially seeks to avoid detection when it enters your network. During this period, it leverages the network environment as a reconnaissance phase in an effort to expand to other devices, find important resources, and compromise backup storage. 

This is also the time that the malware has to contact the command-and-control (C2) system of the hackers to get instructions and report the network-related data it has discovered. It must submit a request to a domain name server, like all other Internet traffic, in order to communicate with the outside world. Network administrators can use a protective DNS solution to monitor DNS traffic for signs of malicious behaviour and then take action by blocking, quarantining, or otherwise interfering with it.

Unfortunately, due to the constant development of new threats and the constant possibility of a physically initiated attack, businesses must be ready for the inevitable successful penetration of their networks. The use of DNS communication by malware, however, is nearly inevitable once it has gained access to your network. In order to render the virus inert and enable you to get started on cleaning up your systems and strengthening your defenses for the next time, a defensive DNS solution can identify these unusual requests and completely stop them.

What Exactly is DNS-over-HTTPS and Do you Need to Use it?

 

Traditional Domain Name System (DNS) traffic, such as user requests to visit specific websites, has been largely unencrypted throughout the history of the internet. This means that every party involved in the DNS value chain that your request goes through has the ability to examine your queries and responses, and even change them, whenever you look up a web address in the "internet telephone book." This is altered by DNS encryption, such as DNS over HTTPS (DoH).

Many of the major internet service providers, including Apple, Mozilla, Microsoft, and Google, have integrated encrypted DNS through DoH into their offerings. While Apple implemented DoH with the iOS 14 and macOS 11 updates in the autumn of 2020, Mozilla was an early adopter, integrating it into its browser in the US as early as late 2018. DoH has also been made available on Chrome for Android by Google. 

A global phone directory on the internet 

The Domain Name System (DNS) essentially serves as the internet's version of the phone book. If you think of it a little like this, the operation of DNS will soon become clear. Therefore, the second-level domain (in the case of international.eco.de, this would be.eco.) is the corporate switchboard number, and the top-level domain (the far right part of a web address, like.com,.org, or.info) is the equivalent to the country code or area code. The third level (international) is the particular extension, meanwhile.

It's much simpler to gain a better understanding of how this directory is put together if you keep that in mind as you work. You can also learn how computers locate the websites they want to visit in order to connect you to the website of your choice.

A website or other internet resource that you have typed into your computer or phone will be located by DNS resolvers. The router at your house or place of business, or a public hotspot, is the first DNS resolver to which your device is locally connected.

Following a series of steps, this resolver looks for any preconfigured settings on the device or a history of previous visits to the specified website (called a cache). If this doesn't work, the resolver will pass the DNS request on to the resolver after it, which could be your current internet service provider (ISP). The same steps will be followed by this resolver, and if all else fails, it will look up the domain in the "internet phone book." 

What dangers is DoH shielding users from?

By preventing DNS data manipulation and eavesdropping, one goal in the development of the DoH protocol was to increase user privacy and security. You are shielded from the possibility that a malicious actor could reroute your DNS traffic to another (malicious) location thanks to DNS traffic encryption. Instead of the actual bank website you wanted to visit, it might be a fake one or something similar. 

Man-in-the-Middle (MITM) attacks are the term used to describe this type of cyberattack. The only practical solution at this time is DNS encryption via DoH (or the related DoT protocol). The monetization of DNS data, for example, when it is used for marketing purposes, is another issue that DoH has been able to address. This is a potential and real privacy concern that should be of interest to everyone. 

User safety in public networks 

An analysis of your behaviour and cross-network tracking may be done using the DNS query data from your mobile device when you use a public wireless (Wi-Fi) network in a hotel, coffee shop, or another location. These DNS services are frequently included in an all-inclusive, globally accessible Wi-Fi solution, but they may not be well-suited to abide by local privacy laws.

Additionally, it is possible that the privacy-protecting configurations are not turned on either. Free public Wi-Fi services are also frequently ineffectively managed in terms of security and performance, particularly when they are run or offered by smaller businesses. You could end up exposed to attacks coming from their own networks if this happens. 

The good news is that DoH safeguards users on these open wireless networks because the Wi-Fi network's DNS resolver is avoided. As a result, user tracking and data manipulation at this level are prevented. That ultimately means that DoH provides a chance to safeguard communications in an unreliable setting. It's a fantastic and incredibly useful solution. 

What alters due to DoH? 

Only the transport mechanism by which your device and the resolver communicate changes with the DNS over HTTPS protocol. The well-known HTTPS protocol is used to encrypt both the requests and the responses. DNS requests using DoH currently avoid the local resolver because there aren't many DoH resolvers in use and technical work is still being done to make it possible for DoH resolvers to be "discovered." Instead, they are handled by a third-party DoH service provider that has been recommended by the relevant software maker or developer. The decision to offer their own DoH services is currently being considered by an increasing number of providers. 

DoH in my company's network—do I want it?

DoH is unquestionably a helpful method of self-protection, particularly when using a public hotspot, but it might not be the best choice in environments with trusted network infrastructure. Corporate networks or using internet access services that you get from a reputable ISP are good examples of this.

For instance, your firm may have good cause to forbid an application that deviates from and overrides the system default. Given that the network administrator has no control over it inside the network, this might even be considered potentially harmful. If DoH is implemented at the system level as opposed to the application level, many of the issues with corporate networks vanish. At the system level, for instance, a corporate network administrator can configure the system and create a policy to ensure that the corporate resolver should be used for as long as the device is connected to the corporate network.

However, DoH should be used to increase security and privacy once the device is connected to a public network. These different configurations are, however, avoided if DoH is applied by default at the application level. 

Concerning factors 

Other issues with the use of external DNS resolution through DoH include potential slow response times, circumvention of parental controls, and legally required blocking, among others. However, depending on the situation, many of the DoH's potential drawbacks are balanced out by just as many benefits. 

There is no question that DNS encryption enhances user security and privacy. DoH can offer a simple method for carrying this out. If you choose to activate DoH, you should make sure to research who will be handling the resolution, how they will handle your data, and whether you can easily turn it off when necessary.

Data Security can be Enhanced Via Web Scraping

Web information aids security professionals in understanding potential weaknesses in their own systems, threats that might come from outside organizations' networks, and prospective threats that might come via the World Wide Web. 

In reality, automated tests that can find the presence of potential malware, phishing links, various types of fraud, information breaches, and counterfeiting schemes are performed using this database of public Web data.

Web scraping: What is it?

Large volumes of data can be automatically gathered from websites via web scraping. The majority of this data is unstructured and is shown in HTML format, t is transformed into structured data in a spreadsheet or database so that it can be used in a variety of applications.

These include utilizing online services, certain APIs, or even writing one's own code from scratch for web scraping. The company doing the scraping is aware of the sites to visit and the information to be collected. There are APIs on a lot of big websites, including Google, Twitter, Facebook, StackOverflow, etc., which let users access their data in a structured manner. 

How Do Web Scrapers Operate?

Web scrapers have the power to extract all the data from specified websites or the precise data that a user requires. If you wanted to find out what kinds of peelers were available, for instance, you might want to scrape an Amazon page, but you might only need information on the models of the various peelers, not the feedback from customers.

Therefore, the URLs are first provided when a web scraper intends to scrape a website. Then, all of the websites' HTML code is loaded. A more sophisticated scraper might also extract all of the CSS and Javascript parts. The scraper then extracts the necessary data from this HTML code and outputs it in the manner that the user has chosen. The data is typically stored as an Excel spreadsheet or a CSV file, but it is also possible to save it in other formats, such as JSON files.

Cybersecurity Via Web Scraping

1. Monitoring for Potential Attacks on Institutions

Some of the top firms' security teams use open Web data collecting networks to acquire data on potential online threat actors and analyze malware. 

Additionally, they continuously and automatically check the public domain for potentially harmful websites or links using Web scraping techniques. For instance, security teams can instantly recognize several phishing websites that aim to steal important customer or business data like usernames, passwords, or credit card information.

2. Scraping the Web for Cybersecurity 

Web data collecting is used by a variety of cybersecurity companies to evaluate the risk that various domains pose for fraud and viruses. In order to properly assess the risk, cybersecurity firms can utilize this to contact potentially harmful websites as a 'victim' or a legitimate user to see how the website might target an unwary visitor. 

3. Analysis and Reduction of Threats

Public Web data collecting networks are used by threat intelligence companies to get information from a variety of sources, including blogs, public social media channels, and hackers, in order to find fresh information on a range of potential dangers. 

Their insights are based on this Web data collecting, which they subsequently disseminate to a wide range of customers that want to strengthen their own system security.

Despite being utilized often in business, lawful web scraping is still a touchy subject. Where personal information is scraped, this is the most evident. Users of LinkedIn, for instance, are aggressively marketing their personal information since the platform essentially functions as a professional CV showcase. Less desirable is having those details gathered in bulk, compiled, and sold to random people.

An organization's visibility and capacity to respond to online threats across the large online terrain in real-time are both improved by integrating with Web data collecting networks.








Sophos Firewall Zero-Day Flaw Exploited by Hackers

 

Chinese hackers leveraged a zero-day exploit for a vital vulnerability in Sophos Firewall to infiltrate a corporation and gain access to the victim's cloud-hosted web servers. Although the security flaw has been patched, many threat actors have continued to use it to escape authentication and execute arbitrary code remotely on businesses. 

Sophos Firewall's User Portal and Webadmin parts were found to have an authentication bypass vulnerability, which was tagged as CVE-2022-1040 on March 25. 

Researchers from Volexity revealed that Chinese threat actors used the zero-day vulnerability in Sophos Firewall (CVE-2022-1040) to hack a corporation and its cloud-hosted web servers. The threat actor was still operational when Volexity started the study, and the researchers were able to track the attacker's movements, showing a clever adversary who tried to go undiscovered.

According to the researchers, "the attacker was using access to the firewall to conduct man-in-the-middle (MitM) assaults." "Data obtained from these MitM assaults was used by the attacker to target further systems outside of the network where the firewall was located." Following the firewall breach, the infection sequence included backdooring a legitimate component of the security software with the Behinder web shell, which could be accessed remotely from any URL chosen by the threat actor.

Securing web server access 

Apart from the web shell, Volexity discovered further malicious behavior that maintained the threat actor's survival and allowed them to carry on the attack: 
  • The initial phase in the assault is gaining access to the Sophos Firewall, which permits a Man-in-the-Middle (MitM) attack by altering DNS replies for specified websites of the victim companies. 
  • Using stolen session cookies, the attacker gains access to the CMS admin page and then installs a File Manager plugin to manipulate files on the website. 
For a simpler investigation of intrusions, the firm advises using the auditd framework on Unix-based servers. Vendors' devices should also include tools for analyzing potential security flaws. Volexity also made a set of YARA rules accessible that may be used to detect unusual behavior from this form of threat.

Experts Estimated the Probability of Disconnecting Russia From the Internet

 

On 5th March, a telegram signed by Deputy Head of the Ministry of Digital Andrei Chernenko was sent to federal executive authorities and subjects of the Russian Federation with a number of recommendations for the protection of information infrastructure of the country. It does not contain direct instructions on disconnecting Russian users from the global network, but a number of experts saw in it indirect preconditions for the isolation of Runet. 

According to the document, by March 11, state websites and services must switch to using DNS servers located in the Russian Federation; remove from HTML page templates all JavaScript code downloaded from foreign resources (banners, counters, and so on); in case of using foreign hosting, switch to Russian; move to the domain zone.ru; complicate the "password policy". 

The Ministry of Finance stated that the sending of telegrams is connected with cyberattacks on Russian websites from abroad. The proposed "set of the simplest recommendations on cyber hygiene" is designed to ensure the availability of web resources of the Russian Federation. "There are no plans to turn off the Internet from the inside," the ministry assured. 
 
Mikhail Klimarev, executive director of the Internet Protection Society, said that the items listed in the telegram are absolutely banal rules of information security, but they may also indicate the preparation of state agencies for any force majeure. He found it difficult to say why the document appeared only now but suggested that this was due to the ongoing cyberwar between Russia and other states. 

"Anonymous hackers, DDoS attacks, attacks on DNS servers - it's really serious, and the Russian authorities really need to worry about how it should work," Klimarev explained. "There's really nothing to worry about, but it's all terrifying. From the outside, it looks like preparation for a sovereign Runet," he added.  

The norm on DNS servers may also indicate preparation for possible shutdowns of the Runet. However, the main logic of the document works to reduce cyberattacks and switch to local root servers to provide access to sites in the Russian domain zone. 

According to experts, disconnecting Russia from the Internet is extremely dangerous for the state, as it carries unpredictable social and financial consequences. 


Carpet Bombing DDoS Attacks Increased in 2021

 

In a carpet bombing, a DDoS attack targets different IPs of any company in a short span of time, these account for 44% of total attacks that happened last year, but the difference between the first and second half of 2021 is huge. Carpet bombing accounted for 34% of total attacks resolved in Q1 and Q2, however, the attacks increased in the second half accounting for 60% attacks and 56% attacks in Q3 and Q4 respectively. The longest attack recorded 9 days, 22 hours, and 42 minutes, however, these were over within minutes. Around 40% of the attacks were observed by SOC in 2021 in the first quarter of 2021. 

The figures dropped in second and third quarters while rising again in the fourth quarter. "The domain name system (DNS) has long been a popular target for DDoS attacks, both as an amplification vector and as a direct target, as well as for other types of exploits," reports Helpnet Security. Attacks varied in nature compared to the past few years. Single attack vectors account for 54% of attacks in 2021, in comparison to 5% in 2020, representing more activity of attackers. Also, the number of attacks using more than four-vectors also increased, accounting for a record 4% of total attacks, this means when an attacker gets serious, it gets difficult for victims to protect themselves. 

Botnets continue to be the main part in DDoS attacks in 2021, security experts are discovering new botnets and command and control (C2) servers every day. The high-profile botnet in 2021 was Meris, it uses HTTP pipelines to stuff web applications, bombarding websites and apps with large numbers of requests per second. The SOC also observed high-intensity amplification km DDoS attacks, which use familiar vectors like DNS and Remote Desktop Protocol (RDP) and new variants as well. 

The report covers how web apps are vulnerable from different fronts, threats against web services have risen with the increase in usage of web applications, making web apps the top hacking vector in the attacks. "While the vast majority of attacks fell into the 25 gigabits per second (Gbps) and undersize category, and the average attack was just 4.9 Gbps last year, 2021 saw many large-scale attacks as well. The largest measured 1.3 terabits per second (Tbps) and the most intense was 369 million packets per second (Mpps)," reports Helpnet Security.

Linux Kernel Detected With New Side-Channel Vulnerability

 

The latest research work published by a group at the University of California, Riverside, demonstrates the existence of formerly unnoticed side channels in Linux kernels that can be used to attack DNS servers. 

As per the researchers, the problem with DNS stems from its design, which never prioritized security and made it incredibly difficult to retrofit robust security features into it. 

Although DNS security capabilities such as DNSSEC and DNS cookies are available, they are not generally used owing to backward compatibility, according to the researchers. However, the only way to make DNS more secured has always been to randomize UDP ports, known as ephemeral ports, intending to make it more difficult for an intruder to find them.

As a consequence, various DNS attacks have been reported in the past, including the recently revealed SAD DNS, a variation of DNS cache poisoning which allows an attacker to insert harmful DNS records into a DNS cache, routing all traffic to their server and then becoming a man-in-the-middle (MITM). Subsequently, a few of the researchers that first reported SAD DNS discovered side-channel vulnerabilities in the Linux kernel that had gone unnoticed for over a decade. 

The study focuses on two forms of ICMP error messages: ICMP fragment required (or ICMP packet too large in IPv6) and ICMP redirect. The Linux kernel analyzes the messages, as demonstrated by the researchers, utilizing shared resources that constitute side channels. 

Essentially, this means that an attacker might send ICMP probes to a certain port. If somehow the targeted port is correct, there will be some modification in the shared resource state which can be detected indirectly, validating the correctness of the estimate. An attack, for example, may reduce a server's MTU, resulting in fragmented future answers. 

According to the investigators, the newly found side channels affect the most popular DNS software, like BIND, Unbound, and dnsmasq operating on top of Linux. An approximate 13.85% of open resolvers are impacted. Furthermore, the researchers demonstrate an end-to-end attack against one of the most recent BIND resolvers and a home router that just takes minutes to complete. 

This unique attack can be avoided by configuring suitable socket options, such as asking the operating system not to accept ICMP frag required messages, which eliminates the side-channel; randomizing the kernel shared caching structure itself, and refusing ICMP redirects. As a result of the revelation of this new vulnerability, the Linux kernel has indeed been fixed to randomize the shared kernel structure for both IPv4 and IPv6.

New DNS Flaw Enables 'Nation-State Level Spying' on Companies

 

Researchers discovered a new category of DNS vulnerabilities hitting major DNS-as-a-Service (DNSaaS) providers, which may enable attackers to get access to sensitive data of company networks. 

DNSaaS providers (also referred to as managed DNS providers) rent DNS to other businesses who don't want to maintain and protect yet additional network resources on their own. 

These DNS vulnerabilities, as disclosed by cloud security firm Wiz researchers Shir Tamari and Ami Luttwak at the Black Hat security conference, grant threat actors nation-state intelligence harvesting powers with simple domain registration. 

As per the description, they simply created a domain and utilized it to hijack a DNSaaS provider's nameserver (in this instance, Amazon Route 53), permitting them to eavesdrop on dynamic DNS traffic streaming from Route 53 users' networks. 

The Wiz researchers stated, "We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google," 

"The dynamic DNS traffic we 'wiretapped' came from over 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 international government agencies." 

Employee/computer identities and locations and extremely sensitive data about organizations' infrastructure, such as Internet-exposed network equipment, were among the data they acquired this way. 

In one instance, the researchers used network data from 40,000 corporate endpoints to trace the office locations of one of the world's major services companies. The information gathered in this manner would make it much simpler for threat actors to compromise an organization's network since it would offer them a bird's eye perspective of what's going on within corporations and governments and provide them with "nation-state level surveillance capacity." 

The researchers haven't found any indication that the DNS flaw they identified has ever been exploited in the open, but they do warn that anybody with the expertise of the vulnerabilities and the abilities to exploit it might have gathered data undiscovered for over a decade. 

"The impact is huge. Out of six major DNSaaS providers we examined, three were vulnerable to nameserver registration. Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable," they added at Black Hat. 

Patched by some, likely to affect others: 

Although two significant DNS providers (Google and Amazon) have already patched these DNS vulnerabilities, others are still likely prone, potentially exposing millions of devices to attacks. 

Moreover, it is unclear who is responsible for fixing this serious DNS flaw. Microsoft has previously informed Wiz that this is not a vulnerability since it could alter the dynamic DNS mechanism that permits Windows endpoints to leak internal network traffic to rogue DNS servers. 

Microsoft explained, this flaw as "a known misconfiguration that occurs when an organization works with external DNS resolvers." 

To minimize DNS conflicts and network difficulties, Redmond recommends utilizing distinct DNS names and zones for internal and external hosts and provides extensive guidance on how to correctly handle DNS dynamic updates in Windows. 

Maintained DNS providers can mitigate nameserver hijacking by adhering to the RFC's "reserved names" specification and checking and confirming domain ownership and validity before enabling their customers to register them. Companies renting DNS servers can also modify the default Start-of-Authority (SOA) record to stop internal network traffic from leaking via dynamic DNS updates.

Global Outage Disrupts the Services of Major Websites

 

Several major websites faced outages on Thursday due to a glitch in Akamai Technologies Inc's (AKAM.O) systems, the second widespread outage linked to the cloud company in two months. Affected websites included DraftKings, Airbnb, FedEx, Delta, Barclays, and the PlayStation network used for online games. 

"We have implemented a fix for this issue, and based on current observations, the service is resuming normal operations," Akamai tweeted. 

The disruption was caused by a vulnerability in the domain name system (DNS) service, designed to keep websites, apps, and services running smoothly and securely, that was triggered during a software update and lasted up to an hour.

DNS services play a vital role in the functioning of the internet, but are known to have bugs and can be easily exploited by threat actors. Companies like Akamai have designed their own DNS services that are meant to solve some of these problems for their users. But when things go south or there’s an outage, it can cause a knock-on effect to all of the customer websites and services that rely on it.

Akamai said it was “actively investigating the issue,” but when reached a spokesperson, he would not say if its outage was the cause of the disruption to other sites and services that are currently offline. However, a spokesperson for ThousandEyes, an internet monitoring company bought by Cisco in 2020, attributed the outage to Akamai.

Major internet companies such as Zomato, Paytm, Disney+ Hotstar, Sony LIV were also affected due to issues with Akamai Technologies. Other affected services reported by Internet outage monitoring platform DownDetector included Banks such as Lloyds, TSB, and Halifax, gaming services including Steam, Call of Duty, and EA, and streaming services on Channel 4 and ITV.

In June, cloud computing provider Fastly had an interrupted service that took down social media, government, and news websites across the globe. In that case, it later emerged that settings change by one customer had inadvertently affected the entire infrastructure. Last year Cloudflare, which also offers networking services to companies across the globe, had a similar outage following a vulnerability that caused major sites to stop loading, including Shopify, Discord, and Politico.

Microsoft Adds DNS-over-HTTPS to Windows 11

 

DNS-over-HTTPS is a privacy feature in Windows 11 that allows users to evade censorship and Internet activity by doing encrypted DNS lookups. Your computer must first query a domain name system (DNS) server for the IP address associated with the hostname before connecting to a website or other host on the Internet. 

The method aims to improve user privacy and security by avoiding eavesdropping and DNS data modification by man-in-the-middle attacks by encrypting data between the DoH client and the DoH-based DNS resolver using the HTTPS protocol. Google and the Mozilla Foundation began testing DNS over HTTPS versions in March 2018. For users in the United States, Firefox switched to DNS over HTTPS by default in February 2020. 

The IETF published RFC 8484 (October 2018) as a proposed standard for DoH. It leverages HTTP/2 and HTTPS, and it accepts wire format DNS response data in an HTTPS payload with the MIME type application/dns-message, as returned in existing UDP responses. If HTTP/2 is implemented, the server may also communicate items that it predicts the client will find valuable in advance via HTTP/2 server push. 

As some governments and ISPs prohibit access to websites by monitoring a user's DNS traffic, DoH will help users to avoid censorship, reduce spoofing attacks, and increase privacy because their DNS requests will be more difficult to track. Microsoft has re-enabled the DoH capability in Windows 11, and users who are currently utilizing DNS servers from Cloudflare, Google, or Quad9 can begin testing it again. 

It would be preferable if the DoH server for a configured DNS server could be identified automatically, according to Microsoft, however, this would pose a privacy concern. "It would be easier for users and administrators if we allowed a DoH server to have its IP address determined by resolving its domain name. However, we have chosen not to allow that. Supporting this would mean that before a DoH connection could be established, we would have to first send a plain-text DNS query to bootstrap it," says Tommy Jensen, a Program Manager on the Windows Core Networking team, in a new blog post. 

"This means a node on the network path could maliciously modify or block the DoH server name query. Right now, the only way we can avoid this is to have Windows know in advance the mapping between IP addresses and DoH templates." Using Discovery of Designated Resolvers (DDR) and Discovery of Network-designated Resolvers (DNR), which Microsoft has submitted to the IETF ADD WG, Microsoft aims to learn about new DoH server configurations from a DNS server in the future.

TsuNAME: New DNS Bug could be used to DDoS Authoritative DNS Servers


Security researchers have found extreme domain name system (DNS) fixes that hackers may use to conduct constructive denial-of-service attacks on authoritative DNS servers. The bug they refer to as TsuNAME has been discovered by researchers from SIDN Labs and InternetNZ. The bug is a humongous reflection-based distributed denial of service (DDoS) amplification function attacking authoritative DNS servers. 

Authoritative DNS servers are translated into IP addresses, such as 64.233.160.0, through web domains along like, www.google.com. One must realize the distinction between an authoritative and recursive DNS server to consider the context of the vulnerability and its functions. 

Authoritative DNS servers, like Internet Service Providers (ISPs) and global tech giants, are usually operated by government and private sector organizations. Attackers trying to take advantage of the complexity of TsuNAME DNS target insecure recidivism resolutions to overload reputable servers, including large numbers of malicious DNS queries. 

"Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records," the researchers explain in their security advisory. 

"While one resolver is unlikely to overwhelm an authoritative server, the aggregated effect from many looping, vulnerable recursive resolvers may as well do." 

A potential effect after such an attack could be that authenticated DNS servers are downloaded, which may cause country-wide Internet interruption if a country code top-level domain (ccTLD) is impaired. It could be utilized to perform DDoS attacks on critical DNS infrastructure and services such as large TLDs or ccTLDs, which possibly impact country resources according to primary research materials which makes TsuNAME especially more dangerous. 

"We observed 50% traffic increases due to TsuNAME in production in .nz traffic, which was due to a configuration error and not a real attack," the researchers added. 

TsuNAME also had events affecting an EU-based ccTLD which raised incoming DNS traffic by a factor of 10 due to only two domains that are misconfigured by cyclical dependence. An intruder with access to several fields and a botnet can cause even more damage if their domains are misconfigured and open resolvers are tested. 

The impact of TsuNAME attacks can also be reduced by authoritative server managers using the open-source CycleHunter tool that avoids such incidents, detects, and prevents the pre-emptively fixing of cyclical dependencies in their DNS areas.

Bug in Brave Browser Expose Users’ Dark Web History

 

Brave, the web browser that insists on privacy, exposes users' activities to its Internet Service Providers on Tor's secret servers, or "dark web." In its browser, Brave has solved a data protection problem that sends queries for .onion domains to a DNS solution, instead of a Tor node path, so that access to the dark website is shown to users. In a hotfix release, the bug was addressed.

Brave is an open-source web browser built on a Chromium web browser created by Brave Software, Inc. It restricts advertisements and website trackers and supplies users with a way to submit cryptocurrency donations to websites and developers of content in the form of simple tokens. 

Introduced in June 2018, Brave's Tor mode has enabled Brave users to gain anonymity when browsing the internet, encouraging them to have access to the .onion versions of legal websites such as Facebook, Wikipedia, and key news portals over the years. However, an unnamed security researcher reported in the research article, that Brave's Tor mode had sent queries to DNS resolvers rather than Tor nodes on the open Network. DNS requests are non-encrypted so that attempts to access .onion sites in Brave can be monitored using the Tor functionality, which is directly contradictory to the goal of this platform at first. 

The aforementioned DNS leak poses great dangers when all leaks build footprints on the Tor traffic of Brave users in DNS server logs. The risk is important. While in some Western states with stable democracy it might not be troublesome, it may be a concern for certain browser users to browse Brave's Tor websites from the authoritarian regimes. 

This problem seems to be the product of the browser's CNAME ad-block feature, which blocks third-party monitoring scripts using CNAME DNS for first-party scripts and prevents traffic blocker detection. This allows a website to cloak third-party scripts using primary domain's- sub-domains that are then immediately routed into a monitoring domain. 

Over the last three years, the organization has worked to develop today, second only to Tor Browser, one of the most privacy-driven Web browser solutions available. 

A Brave developer has stated after the release that the browser provided a hotfix on the problem. The problem is already solved on the night of the development of the browser. 

“Since it’s now public we’re uplifting the fix to a stable hotfix. Root cause is regression from CNAME- based adblocking which used a separate DNS query.” He further added. 

Hackers Dropping Malware via Free WinZip Trial Popup Vulnerability

 

Researchers have discovered a critical security flaw in WinZip 24 that targets users with malware. WinZip trial popup vulnerability allows hackers to perform arbitrary code execution and DNS poisoning.
 
When WinZip displays prompt informing about the expiry of the free trial and sends requests for checking updates, it communicates in plaintext over HTTP instead of HTTPS; the vulnerability has been reported to exist in the way WinZip communicated with its servers, making it susceptible to exploits by malicious actors who delivered malware through the same. 

WinZip is free to download ZIP tool program that is used to compress and decompress files easily. It enables users to zip and unzip almost all file formats including zip, tar, rar, and etc. However, the tool is available online free for a trial period, and to continue availing its services fully, users need to purchase a license for which the tool checks software status for users over a period of time, repeatedly. Once it detects the trial period being expired, the software displays a prompt using the abovementioned way of communication: That is where the bug was found.
 
It was in between that attackers could intercept the traffic and intervene in the communicated text and added an infected WinZip version. Furthermore, the users' concerns are aggravated by the fact that the update request also contains personal data of the user such as 'registered username', 'registration code', and other required information for the processing of the request. This information could also be accessed by the attacker meddling with the trial popup.
 
"WinZip 24 opens pop-up windows time to time when running in Trial mode. Since the content of these popups is HTML with JavaScript that is also retrieved via HTTP, it makes manipulation of that content easy for a network adjacent attacker," as told by Researchers from Trustwave.
 
"The application sends out potentially sensitive information like the registered username, registration code and some other information in query string as a part of the update request. Since this is over an unencrypted channel this information is fully visible to the attacker."
 
"This means anyone on the same network as user running a vulnerable version of WinZip can use techniques like DNS poisoning to trick the application to fetch “update” files from malicious web server instead of legitimate WinZip update host. As a result, unsuspecting user can launch arbitrary code as if it is a valid update," the researchers further added.

Vulnerability in DNS Servers Discovered By Academics from Israel


A vulnerability in DNS servers that can be exploited to launch DDoS attacks of huge extents was as of late discovered by a team academics from Israel, the attack as indicated by them impacts recursive DNS servers and the procedure of DNS delegation.

In a research paper published, the academics from the Tel Aviv University and The Interdisciplinary Center in Herzliya, Israel, said they figured out how to abuse this delegation procedure for DDoS attacks. 

The NXNSAttack technique has various aspects and varieties, yet the fundamental steps are detailed below:

1) The attacker sends a DNS query to a recursive DNS server. The solicitation is for a domain like "attacker.com," which is overseen through an attacker-controlled authoritative DNS server. 

2) Since the recursive DNS server isn't approved to resolve this domain, it forwards the operation to the attacker's malicious authoritative DNS server. 

3) The malignant DNS server answers to the recursive DNS server with a message that likens to “I’m delegating this DNS resolving operation to this large list of name servers." The list contains a large number of subdomains for a victim website.

4) The recursive DNS server forwards the DNS inquiry to all the subdomains on the list, giving rise to a surge in traffic for the victim's authoritative DNS server.



The Israeli researchers said they've been working for the past few months with the producers of DNS software; content delivery networks, and oversaw DNS suppliers apply mitigations to DNS servers over the world. 

Affected software incorporates the likes of ISC BIND (CVE-2020-8616), NLnet labs Unbound (CVE-2020-12662), PowerDNS (CVE-2020-10995), and CZ.NIC Knot Resolver (CVE-2020-12667), yet additionally commercial DNS administrations provided by organizations like Cloudflare, Google, Amazon, Microsoft, Oracle (DYN), Verisign, IBM Quad9, and ICANN.



Patches have been discharged over the previous weeks. They incorporate mitigations that keep attackers from mishandling the DNS delegation procedure to flood different DNS servers.

The research team's work has been properly detailed in a scholarly paper entitled "NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities," available for download in PDF format.

4G Network Is Under Attack!




As of yesterday a team of academics published a report on a research conducted that described three attacks against the mobile communication standard LTE (Long Term Evolution), otherwise called the 4G network.

As indicated by the researchers, two of the three attacks are 'passive', which means that they allow an attacker to gather meta-information about the user's activity and in addition to this also enable the attacker to determine what sites a user may visit through his LTE device. Then again the third is a functioning attack or an active attack in other words, that gives the attacker a chance to manipulate data sent to the user's LTE gadget.

Researchers nicknamed the active attack aLTEr in view of its intrusive capacities, which they utilized as a part of their experiments to re-direct users to malevolent sites by altering the DNS packets.
In any case, the researchers said that the regular users have nothing to fear, until further notice as carrying out any of the three attacks requires extremely unique and costly hardware, alongside custom programming, which for the most part puts this kind of attack out of the reach of most cyber criminals.

"We conducted the attacks in an experimental setup in our lab that depends on special hardware and a controlled environment," researchers said. "These requirements are, at the moment, hard to meet in real LTE networks. However, with some engineering effort, our attacks can also be performed in the wild."

The equipment expected to pull off such attacks is fundamentally the same as purported "IMSI catchers" or "Stingray" gadgets, equipment utilized by law enforcement around the globe to trap a target's phone into interfacing with a fake telecommunication tower.

The contrast between an aLTEr attack and a classic IMSI catcher is that the IMSI catchers perform 'passive' MitM attack to decide the target's geo-area, while aLTEr can actually alter what the user views on his/her device.

With respect to the technical details of the three attacks, the three vulnerabilities exist in one of the two LTE layers called the data layer, the one that is known for transporting the user's real information. The other layer is the control layer as that is the one that controls and keeps the user's 4G connection running.

As indicated by researchers, the vulnerabilities exist on the grounds that the data layer isn't secured, so an attacker can capture, change, and after that transfer the altered packets to the actual cell tower.
The research team, made up of three researchers from the Ruhr-University in Bochum, Germany and a specialist from New York University, say they have warned the relevant institutions like the GSM Association (GSMA), 3rd Generation Partnership Project (3GPP), as well as the telephone companies about the issues they had found.

Cautioning that the issue could likewise influence the up and coming version of the 5G standard in its present form. Experts said that the 5G standard incorporates extra security features to forestall aLTEr attacks; however these are as of now discretionary.

The research team has although, published its discoveries in a research paper entitled "Breaking LTE on Layer Two," which they intend to display at the 2019 IEEE Symposium on Security and Privacy , to be held in May 2019 in San Francisco.

Below is a link of a demo of an aLTEr attack recorded by researchers.


DDOS attack brings the Internet to its knees

The fight between a spam fighting company called "Spamhaus" and a web hosting company called "Cyberbunker" has slowed down a majority of the internet by making DNS resolving slow.



The reason behind the attack is that Spamhaus added the IP addresses of cyberbunker to its "spam" list due to Cyberbunker allowing almost any sort of content to be hosted hence also maybe the source for spam. So Cyberbunker attacked back and this attack also affected normal internet users.

The attack was possible because of the large number of vulnerable DNS servers that allow open DNS resolving.Simply put an attack exploiting this type of vulnerability makes use of the vulnerability of the DNS server to increase the intensity of the attack 100 fold.

The origins of these type of attacks goes back to the 1990's to an attack called "smurf attack"

But now the attack method has become more efficient and uses DNS amplification to flood the victim with spoofed requests which are sent to the DNS servers by using a botnet of compromised computers.The attack at its peak reached a speed of 300 Gbps making it the largest DDOS attack in history.

Cyberbunker which claims itself to be a supporter of free speech and defender against the "big bullies" seems to have now have stooped down to their level of using aggressive offensive methods that affect the normal functioning of the internet.This is not the way to go !

The people who run DNS resolvers are also equally responsible for these attacks as its their vulnerable servers that make these attacks possible, the internet community should come up with a PERMANENT solution to this problem.

Please read cloudflare's blog post for a detailed analysis : http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet