Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label DNS Hacking. Show all posts
Malware Attack
AI Models AI Prompt AI prompt injection attack Cyber Security cybercriminals DNS DNS attacks DNS Hacking DOH DoT Hacker attack Malware Attack

Hackers Use DNS Records to Hide Malware and AI Prompt Injections

 

Cybercriminals are increasingly leveraging an unexpected and largely unmonitored part of the internet’s infrastructure—the Domain Name System (DNS)—to hide malicious code and exploit security weaknesses. Security researchers at DomainTools have uncovered a campaign in which attackers embedded malware directly into DNS records, a method that helps them avoid traditional detection systems. 

DNS records are typically used to translate website names into IP addresses, allowing users to access websites without memorizing numerical codes. However, they can also include TXT records, which are designed to hold arbitrary text. These records are often used for legitimate purposes, such as domain verification for services like Google Workspace. Unfortunately, they can also be misused to store and distribute malicious scripts. 

In a recent case, attackers converted a binary file of the Joke Screenmate malware into hexadecimal code and split it into hundreds of fragments. These fragments were stored across multiple subdomains of a single domain, with each piece placed inside a TXT record. Once an attacker gains access to a system, they can quietly retrieve these fragments through DNS queries, reconstruct the binary code, and deploy the malware. Since DNS traffic often escapes close scrutiny—especially when encrypted via DNS over HTTPS (DOH) or DNS over TLS (DOT)—this method is particularly stealthy. 

Ian Campbell, a senior security engineer at DomainTools, noted that even companies with their own internal DNS resolvers often struggle to distinguish between normal and suspicious DNS requests. The rise of encrypted DNS traffic only makes it harder to detect such activity, as the actual content of DNS queries remains hidden from most monitoring tools. This isn’t a new tactic. Security researchers have observed similar methods in the past, including the use of DNS records to host PowerShell scripts. 

However, the specific use of hexadecimal-encoded binaries in TXT records, as described in DomainTools’ latest findings, adds a new layer of sophistication. Beyond malware, the research also revealed that TXT records are being used to launch prompt injection attacks against AI chatbots. These injections involve embedding deceptive or malicious prompts into files or documents processed by AI models. 

In one instance, TXT records were found to contain commands instructing a chatbot to delete its training data, return nonsensical information, or ignore future instructions entirely. This discovery highlights how the DNS system—an essential but often overlooked component of the internet—can be weaponized in creative and potentially damaging ways. 

As encryption becomes more widespread, organizations need to enhance their DNS monitoring capabilities and adopt more robust defensive strategies to close this blind spot before it’s further exploited.
Read more »
Tracking
Cyber Crime DNS DNS Hacking Network Tracking

Hackers Tracking Victims with DNS Tricks


 


Cybercriminals have adopted a highly intricate technique known as DNS tunnelling to carry out malicious activities such as tracking victims and scanning network vulnerabilities, posing a significant threat to cybersecurity. DNS tunnelling involves the encoding of data or commands within DNS queries, effectively transforming DNS into a covert communication channel, which can be challenging for traditional security measures to detect.

Hackers leverage various encoding methods, such as Base16 or Base64, to conceal their digital footprints within DNS records, including TXT, MX, CNAME, and Address records. This covert communication method allows them to bypass network firewalls and filters, using it for command and control operations and VPN activities, thereby upgrading their ability to evade detection by security tools.

The Palo Alto Networks' Unit 42 security research team has recently exposed two distinct campaigns that exploit DNS tunnelling for malicious purposes. The first campaign, dubbed "TrkCdn," focuses on tracking victim interactions with phishing emails, enabling attackers to evaluate their strategies and confirm the delivery of malicious payloads. Additionally, a similar campaign named "SpamTracker" utilises DNS tunnelling to track the delivery of spam messages, highlighting the versatility of this technique in cybercriminal operations.

Furthermore, the second campaign, identified as "SecShow," employs DNS tunnelling for network scanning purposes. Attackers embed IP addresses and timestamps into DNS queries to map out network layouts and identify potential configuration flaws that can be exploited for infiltration, data theft, or denial-of-service attacks. This demonstrates the advancing tactics of cybercriminals in exploiting DNS tunnelling for a wide range of fraudulent activities. 

DNS tunnelling provides threat actors with several advantages, including bypassing security tools, avoiding detection, and maintaining operational flexibility, making it a preferred method for carrying out cyber-attacks. To alleviate this growing threat, organisations are advised to implement DNS monitoring and analysis tools to detect unusual traffic patterns and peculiarities promptly. Additionally, limiting DNS resolvers to handle only necessary queries can reduce the risk of DNS tunnelling misuse, enhancing overall cybersecurity defences.

The discovery of hackers exploiting DNS tunnelling focuses on the importance of staying careful against the pervasive nature of cyber threats and implementing robust cybersecurity measures to protect against potential attacks. By understanding the risks posed by DNS tunnelling and taking the required steps to mitigate them, organisations can effectively safeguard their networks and data.


Read more »
Varonis Threat Lab
Data Breach deactivated sites DNS Hacking Ghost sites Salesforce Threat actors Varonis Threat Lab

Ghost Sites: Attackers are now Exposing Data From Deactivated Salesforce Sites


Varonis Threat Lab researchers recently discovered that Salesforce ‘ghost sites,’ that are no longer in use, if improperly deactivated and unmaintained may remain accessible and vulnerable of being illicitly used by threat actors. They noted how by compromising the host header, a hacker may gain access to sensitive PII and business data.

With the help of Salesforce Sites, businesses can build specialized communities where partners and clients could work collaboratively.

But when these communities are no longer required, they are frequently preserved rather than shut down. These sites aren't examined for vulnerabilities since they aren't maintained, and the administrators don't update the security measures in accordance with contemporary guidelines.

Apparently, Varonis Threat Labs on its recent findings discovered that since these ghost sites were not properly deactivated, they were easily accessible to attackers who were using them to put illicit data, exploiting the sites.

They added that the exposed data did not only consist of the old data of the sites, but also fresh records that were disclosed to guest user, who shared configuration in the Salesforce environment.

Salesforce Ghost Sites

According to Varonis Threat Labs, Salesforce ghost sites are created when a company, instead of using unappealing internet URLs uses a custom domain name. This is done so that the organization’s partners could browse the sites. . “This is accomplished by configuring the DNS record so that ‘partners.acme.org’ [for example] points to the lovely, curated Salesforce Community Site at “partners.acme.org. 00d400.live.siteforce.com[…]With the DNS record changed, partners visiting “partners.acme.org” will be able to browse Acme’s Salesforce site. The trouble begins when Acme decides to choose a new Community Site vendor,” the researchers said.

Companies might switch out a Salesforce Experience Site for an alternative, just like they would with any other technology. Varonis Threat Labs stated, "Acme subsequently updates the DNS record of 'partners.acme.org' to link toward a new site that might function in their AWS environment." The Salesforce Site is no longer present from the users' perspective, and a new Community page is now accessible. The new page may not be functioning in the environment or connected to Salesforce in any way, and no blatant integrations are visible.

However, the study found that a lot of businesses only modify DNS entries. “They do not remove the custom domain in Salesforce, nor do they deactivate the site. Instead, the site continues to exist, pulling data and becoming a ghost site,” a researcher said.

Attackers exploit these sites simply by changing the host header. They mislead Salesforce into believing that the site was accessed as https://partners.acme.org/ making the sites accessible to the attackers.

Although these sites can also be accessed through their whole internal URLs, an intruder would find it difficult to recognize these URLs. However, locating ghost sites is significantly simpler when utilizing tools that index and archive DNS information, like SecurityTrails and comparable technologies.

What is the Solution

Varonis Threat Labs advised that the sites that are no longer in use should be properly deactivated. They also recommended to track all Salesforce sites and their respective users’ permissions, involving both community and guest users. Moreover, the researchers created a guide on ‘protecting your active Salesforce Communities against recon and data theft.’ 

Read more »
Teamviewer
APT actors C&C DNS Hacking ESET Illegal spying Iranian hackers malware Teamviewer

Iranian Hackers Employed a New Marlin Backdoor in a Surveillance Operation 

 

Iranian hackers are using the New Marlin backdoor as part of a long-running surveillance operation that began in April 2018. ESET, a Slovak cybersecurity firm, linked the attacks, entitled "Out to Sea," to a threat actor known as OilRig (aka APT34), firmly linking its actions to another Iranian group known as Lyceum as well (Hexane aka SiameseKitten).

Since 2014, the hacking organization has attacked Middle Eastern governments as well as a range of industry verticals, including chemical, oil, finance, and telecommunications. In April 2021, the threat actors used an implant dubbed SideTwist to assault a Lebanese company. 

"Victims of the campaign include diplomatic institutions, technological businesses, and medical organizations in Israel, Tunisia, and the United Arab Emirates," according to a report by ESET.

Lyceum has previously conducted campaigns in Israel, Morocco, Tunisia, and Saudi Arabia to single out IT companies. Since the campaign's discovery in 2018, the Lyceum infecting chains have developed to drop many backdoors, starting with DanBot and progressing to Shark and Milan in 2021. Later attacks, utilizing a new data harvesting virus dubbed Marlin, were detected in August 2021. 

The hacking organization discarded the old OilRig TTPs, which comprised command-and-control (C&C) connections over DNS and HTTPS. For its C2 activities, Marlin relies on Microsoft's OneDrive API. ESET identified parallels in tools and tactics between OilRig's backdoors and those of Lyceum as "too numerous and specific," stating the initial access to the network was gained through spear-phishing and management applications like ITbrain and TeamViewer. 

"The ToneDeaf backdoor connected with its C&C primarily over HTTP/S, but featured a secondary route, DNS tunneling, which did not work effectively," the researcher indicated. "Shark has similar problems, with DNS as its primary communication channel and an HTTP/S secondary one which isn't working." 

Marlin randomly selects the executable code's internal structure, denying the attacker a comprehensive assessment of instruction addresses needed to build the intended exploit payload. The findings also revealed the usage of several folders in a backdoor's file menu for sending and receiving data from the C&C server, the concurrent use of DNS as a C&C communication route while also utilizing HTTP/S as a backup communication mechanism.
Read more »
Voyager
Crypto Currency Cyber Attacks DNS Hacking Voyager

Crypto Trading App Voyager Hit By Cyberattack, Company Shuts Down Website

 

Cryptocurrency brokerage platform Voyager stopped its operations on 28th December after it suffered a  cyberattack that disrupted its DNS configuration. Voyager Digital LLC is a cryptocurrency is a brokerage platform where an investor can trade their assets with the help of the Voyager mobile app. The company has shown rapid growth in the year 2020, increasing its growth by 40x times in the last 12 months. Not only this, Voyager currently holds under management $200 million in assets. On 28th December, Voyager's online platform had to shut down due to, as per the press release "currently undergoing maintenance." 

The company later revealed that it had suffered a cyberattack which led to the closing and canceling of all limit orders. Steve Ehrlich, Co-founder, and CEO of Voyager said in a press release that "customer funds and security are of the utmost importance to Voyager. Whilst all funds and crypto are secure we have had to temporarily halt trading on the platform and we sincerely apologize for the inconvenience and thank our clients for their patience." 

The team at voyager had no trouble finding the intrusion, the moment it was detected, the team shut down the systems to save client information and assets.  After the cyberattack, the Voyager app is now online, and all the tradings on the website are now back to normal. To assure cybersecurity, Voyager signed out all its users from the app and has advised them to change their login credentials and reset 2-step verification (2fa). As of now, there is not much detail about how the cyberattack happened other than a tweet that mentioned that it was a DNS attack. 

"With a highly experienced team that has previously built successful online brokerages, we know the importance of having robust and highly secure systems to counter cyber attacks. With our rapid growth to date bringing the business into the spotlight, we are fully prepared for such events and in this case, have acted swiftly to prevent any impact on the business," says Voyager press release. 
Read more »
malware
DNS Hacking Linksys malware

Linksys asks users to reset their smart wifi passwords after DNS routers were hacked


Linksys, a router developing firm asked its users to reset passwords to their smart wifi accounts after some of the accounts were hacked and illegally  accessed to direct users to a COVID-19 themed malware.



The reset took place after all accounts were locked in order to prevent further hacking on April 2nd. The hackers changed the home routers' DNS server settings and prevented users from accessing various domains like Amazon AWS, Disney or pornography. Instead, the users were directed to a webpage with a corona virus-themed app "that displays a message purportedly from the World Health Organization, telling users to download and install an application that offers instructions and information about COVID-19."

The app was a fluke and it attached the Oski info-stealing malware into the system. The malware uses the victim's login credentials to access various services like cryptocurrency wallets.

Linksys told it's customers to reset their passwords when they login and a confusing message about " The COVID-19 Malware ".

Jen Wei Warren from Belkin's global PR veep Linksys parent firm, told The Register that "the original illicit access to customer routers through their cloud-hosted Smart Wi-Fi accounts was a successful credential-stuffing attempt using login details harvested from previous breaches elsewhere."

She said: "Multiple factors lead us to the conclusion that credentials were stolen elsewhere: the majority of authentication requests contained usernames that have never registered on our system. We checked email addresses with services like haveibeenpwned.com which indicate the list of credentials being attempted on our system are known to have been exposed previously."

She further added, "Multiple attempts were made using the same username but different passwords, which would not be necessary if our own systems were compromised." But refused to mention how many accounts were affected from this hacking.

The email sent to the customers read, "All Linksys Smart Wi-Fi accounts were locked at 8:00 pm PDT on April 2 because someone was logging in with email address and password combinations stolen from other websites.
Your account was not compromised, but out of an abundance of caution we locked it to prevent unauthorized access. You need to change your password to log back in – unless you have already done so since we locked it."
Read more »
Subscribe to: Posts (Atom)