Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label DNS. Show all posts
Malware Attack
AI Models AI Prompt AI prompt injection attack Cyber Security cybercriminals DNS DNS attacks DNS Hacking DOH DoT Hacker attack Malware Attack

Hackers Use DNS Records to Hide Malware and AI Prompt Injections

 

Cybercriminals are increasingly leveraging an unexpected and largely unmonitored part of the internet’s infrastructure—the Domain Name System (DNS)—to hide malicious code and exploit security weaknesses. Security researchers at DomainTools have uncovered a campaign in which attackers embedded malware directly into DNS records, a method that helps them avoid traditional detection systems. 

DNS records are typically used to translate website names into IP addresses, allowing users to access websites without memorizing numerical codes. However, they can also include TXT records, which are designed to hold arbitrary text. These records are often used for legitimate purposes, such as domain verification for services like Google Workspace. Unfortunately, they can also be misused to store and distribute malicious scripts. 

In a recent case, attackers converted a binary file of the Joke Screenmate malware into hexadecimal code and split it into hundreds of fragments. These fragments were stored across multiple subdomains of a single domain, with each piece placed inside a TXT record. Once an attacker gains access to a system, they can quietly retrieve these fragments through DNS queries, reconstruct the binary code, and deploy the malware. Since DNS traffic often escapes close scrutiny—especially when encrypted via DNS over HTTPS (DOH) or DNS over TLS (DOT)—this method is particularly stealthy. 

Ian Campbell, a senior security engineer at DomainTools, noted that even companies with their own internal DNS resolvers often struggle to distinguish between normal and suspicious DNS requests. The rise of encrypted DNS traffic only makes it harder to detect such activity, as the actual content of DNS queries remains hidden from most monitoring tools. This isn’t a new tactic. Security researchers have observed similar methods in the past, including the use of DNS records to host PowerShell scripts. 

However, the specific use of hexadecimal-encoded binaries in TXT records, as described in DomainTools’ latest findings, adds a new layer of sophistication. Beyond malware, the research also revealed that TXT records are being used to launch prompt injection attacks against AI chatbots. These injections involve embedding deceptive or malicious prompts into files or documents processed by AI models. 

In one instance, TXT records were found to contain commands instructing a chatbot to delete its training data, return nonsensical information, or ignore future instructions entirely. This discovery highlights how the DNS system—an essential but often overlooked component of the internet—can be weaponized in creative and potentially damaging ways. 

As encryption becomes more widespread, organizations need to enhance their DNS monitoring capabilities and adopt more robust defensive strategies to close this blind spot before it’s further exploited.
Read more »
Software
2FA Cloud Service Code Cyber Security DNS NPM Software

NPM Developers Targeted: Fake Packages Secretly Collecting Personal Data

 



Security experts are warning people who use NPM — a platform where developers share code — to be careful after finding several fake software packages that secretly collect information from users' computers.

The cybersecurity company Socket found around 60 harmful packages uploaded to NPM starting mid-May. These were posted by three different accounts and looked like normal software, but once someone installed them, a hidden process ran automatically. This process collected private details such as the device name, internal IP address, the folder the user was working in, and even usernames and DNS settings. All of this was sent to attackers without the user knowing.

The script also checked whether it was running in a cloud service or a testing environment. This is likely how the attackers tried to avoid being caught by security tools.

Luckily, these packages didn’t install extra malware or try to take full control of users’ systems. There was no sign that they stayed active on the system after installation or tried to gain more access.

Still, these fake packages are dangerous. The attackers used a trick known as "typosquatting" — creating names that are nearly identical to real packages. For example, names like “react-xterm2” or “flipper-plugins” were designed to fool people who might type quickly and not notice the slight changes. The attackers appeared to be targeting software development pipelines used to build and test code automatically.

Before they were taken down, these fake packages were downloaded nearly 3,000 times.

In a separate discovery, Socket also found eight other harmful packages on NPM. These had been around for about two years and had been downloaded over 6,000 times. Unlike the first group, these could actually damage systems by deleting or corrupting data.

If you've used any unfamiliar packages recently, remove them immediately. Run a full security scan, change your passwords, and enable two-factor authentication wherever possible.

This incident shows how hackers are now using platforms like NPM to reach developers directly. It’s important to double-check any code you install, especially if it’s from a source you don’t fully recognize.


Read more »
zero-day
Cyber Security DNS espionage Iraq MarbledDust OutputMessenger threatgroup Turkey Vulnerability zero-day

Türkiye-Linked Hackers Exploit Zero-Day in Messaging App to Target Kurdish Military

 


 
A Türkiye-aligned cyberespionage group, Marbled Dust, has exploited a previously unknown zero-day vulnerability to launch attacks on users of Output Messenger — specifically those associated with the Kurdish military in Iraq, according to a report from Microsoft Threat Intelligence.

The uncovered flaw, now identified as CVE-2025-27920, is a directory traversal vulnerability in the LAN-based Output Messenger application. It enables authenticated users to break out of intended directories, granting access to sensitive system files or allowing the deployment of malicious payloads to the server’s startup folder.

"Attackers could access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution," Srimax, the app's developer, stated in a security advisory released in December.

The vulnerability was patched in Output Messenger V2.0.63, but attackers exploited it before updates were applied. Microsoft attributes the campaign to a group tracked as Sea Turtle, SILICON, and UNC1326, known collectively as Marbled Dust.

After infiltrating the Output Messenger Server Manager, attackers installed malware that allowed them to monitor communications, impersonate users, and disrupt internal systems.

"While we currently do not have visibility into how Marbled Dust gained authentication in each instance, we assess that the threat actor leverages DNS hijacking or typo-squatted domains to intercept, log, and reuse credentials, as these are techniques leveraged by Marbled Dust in previously observed malicious activity," Microsoft explained.

Following initial compromise, a backdoor named OMServerService.exe was deployed to establish communication with an attacker-controlled command-and-control server (api.wordinfos[.]com). This enabled the group to gather victim-specific data.

In one example, an Output Messenger client connected to an IP tied to Marbled Dust, likely initiating data exfiltration. Shortly after, the system began collecting files and compressing them into a RAR archive for extraction.

Marbled Dust has a history of targeting Europe and the Middle East, especially telecom, IT firms, and government entities critical of the Turkish regime. The group is known to exploit internet-facing vulnerabilities and compromise DNS registries to carry out man-in-the-middle (MitM) attacks.

"This new attack signals a notable shift in Marbled Dust's capability while maintaining consistency in their overall approach," Microsoft noted. "The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust's targeting priorities have escalated or that their operational goals have become more urgent."

In recent years, Marbled Dust has been connected to espionage campaigns in the Netherlands, with a focus on ISPs, telecommunication provi
Read more »
NSA
Cyber Attacks DNS Evasion Fast Flux NSA

NSA Warns of Fast Flux DNS Evasion Employed by Cybercrime Outfits

 

The FBI, the Cybersecurity and Infrastructure Security Agency, and a group of international partners have warned that cyber threat groups are utilising a technique known as "fast flux" to conceal the whereabouts of malicious servers, which poses a substantial threat to national security. 

Authorities have warned that both criminal and state-linked threat outfits have exploited Domain Name System records that change frequently to obscure the locations of these servers. They can also build extremely resilient command and control (C2) infrastructure to mask their malicious activities, particularly when dealing with botnets. 

Security officials also stated that fast flux techniques are utilised not only for C2 communications, but also in phishing attempts to prevent social engineering websites from being blacklisted or taken down. 

Authorities did not directly identify any threat actors currently employing the approach or indicate whether a campaign utilising fast flux is underway. They did, however, make reference to earlier activities, pointing out that fast flux was utilised in ransomware attacks connected to Hive and Nefilim. The advisory further claims that Gamaredon, a threat actor supported by Russia, has concealed threat activity using rapid flux. 

According to Andy Piazza, senior director of threat intelligence at Unit 42 of Palo Alto Networks, quick flux is a tactic used by attackers to put a financial burden on security operations teams by making it extremely expensive and challenging to identify ongoing threat activities.

Piazza stated that Trident Ursa employed fast flux during the early stages of Russia's invasion of Ukraine. According to Piazza, fast flux enables an opponent to quickly modify their infrastructure by changing hundreds of domains per minute. 

The advisory notes that there are two variations of the method known as single flux and double flux. Multiple IP addresses are linked to a single domain name using single flux. Double Flux modifies the DNS name server in addition to the domain name. 

Prevention tips

Authorities recommended a number of actions to recognise and mitigate the activity: 

  • Configure anomaly detection systems for DNS query logs. 
  • Employ threat intelligence feeds to detect known fast flux domains and associated IP addresses. 
  • Increase the logging and monitoring of DNS traffic. 
  • Consider sinkholing a hostile domain.
Read more »
Opera Browser
API Browser Security Browser Vulnerability Cyber Attacks data security DNS Opera Browser

CrossBarking Exploit in Opera Browser Exposes Users to Extensive Risks

 

A new browser vulnerability called CrossBarking has been identified, affecting Opera users through “private” APIs that were meant only for select trusted sites. Browser APIs bridge websites with functionalities like storage, performance, and geolocation to enhance user experience. Most APIs are widely accessible and reviewed, but private ones are reserved for preferred applications. Researchers at Guardio found that these Opera-specific APIs were vulnerable to exploitation, especially if a malicious Chrome extension gained access. Guardio’s demonstration showed that once a hacker gained access to these private APIs through a Chrome extension — easily installable by Opera users — they could run powerful scripts in a user’s browser context. 
The malicious extension was initially disguised as a harmless tool, adding pictures of puppies to web pages. 

However, it also contained scripts capable of extensive interference with Opera settings. Guardio used this approach to hijack the settingsPrivate API, which allowed them to reroute a victim’s DNS settings through a malicious server, providing the attacker with extensive visibility into the user’s browsing activities. With control over the DNS settings, they could manipulate browser content and even redirect users to phishing pages, making the potential for misuse significant. Guardio emphasized that getting malicious extensions through Chrome’s review process is relatively easier than with Opera’s, which undergoes a more intensive manual review. 

The researchers, therefore, leveraged Chrome’s automated, less stringent review process to create a proof-of-concept attack on Opera users. CrossBarking’s implications go beyond Opera, underscoring the complex relationship between browser functionality and security. Opera took steps to mitigate this vulnerability by blocking scripts from running on private domains, a strategy that Chrome itself uses. However, they have retained the private APIs, acknowledging that managing security with third-party apps and maintaining functionality is a delicate balance. 

Opera’s decision to address the CrossBarking vulnerability by restricting script access to domains with private API access offers a practical, though partial, solution. This approach minimizes the risk of malicious code running within these domains, but it does not fully eliminate potential exposure. Guardio’s research emphasizes the need for Opera, and similar browsers, to reevaluate their approach to third-party extension compatibility and the risks associated with cross-browser API permissions.


This vulnerability also underscores a broader industry challenge: balancing user functionality with security. While private APIs are integral to offering customized features, they open potential entry points for attackers when not adequately protected. Opera’s reliance on responsible disclosure practices with cybersecurity firms is a step forward. However, ongoing vigilance and a proactive stance toward enhancing browser security are essential as threats continue to evolve, particularly in a landscape where third-party extensions can easily be overlooked as potential risks.


In response, Opera has collaborated closely with researchers and relies on responsible vulnerability disclosures from third-party security firms like Guardio to address any potential risks preemptively. Security professionals highlight that browser developers should consider the full ecosystem, assessing how interactions across apps and extensions might introduce vulnerabilities.
Read more »
Scams
Cyber Crime Cyber crimes DNS fraudulent activities Google Scams

New Coalition to Take Down Online Scams, Led by Google

 




As cybercrime continues to cost the world economy billions annually, a robust new coalition launched by Google, the DNS Research Federation, and the Global Anti-Scam Alliance (GASA) is working to disrupt online scammers at a global level. By all accounts, this partnership constitutes a "game changer." The United Coalition focuses on revealing and thwarting fraudulent activity online.

Online Scam Fighting via the Global Signal Exchange

The coalition will be launching a data platform called Global Signal Exchange, which will 24/7 scan open cyberspaces for signs of fraudulent activity and issue alerts. For a platform, it will leverage the DNS Research Federation's DAP.live: an aggregation platform that consolidates feeds from over 100 sources to spot potential scams. Google enhances these efforts while providing relevant feeds from DAP.live that should provide an even more comprehensive view of online fraud as it begins to take shape.

A Growing Threat in the Digital Age

Some scams are becoming almost too clever nowadays, to the extent that an estimated $8.6 billion is lost worldwide due to such scams each year, with few cases going to convictions. In the UK alone, each person is targeted nearly 240 times a year by a scammer via emails or texts from fake legitimate businesses or offices asking them for personal information, such as bank or credit card details.

Britain estimates the average loss per person due to scams is £1,169. Overall, 11% of adults admit that they have fallen for online fraud. More alarming is the economic loss in the proportion of older adults, which indicates people aged 55 and above lose an average amount of £2,151. Those between 36 and 54 lose about £1,270, while those less than 35 years old lose about £851.

The Call for International Cooperation

Another challenge while combating online scams is that many of the criminal organisations behind these scams are operating from abroad, often from such countries as Russia and North Korea. This international nature makes it even more difficult for local authorities to keep an eye on and legally prosecute them. The coalition aims to balance this gap by sharing scam information in real time, thereby creating a chance to respond quickly to new emerging threats. This collaborative approach will serve crucially because cybercriminals often operate in groups and have done all of this work so fast, which has made it really hard to fight scams alone by any single organisation.

Scammers collaborate, they pool and they act fast. The days when individual brands could combat cybercrime on their own are gone. Global Signal Exchange usher in a new chapter in the battle against cybercrime, and Google's partnership promises to be the game-changer," said Emily Taylor, Chief Executive of DNS Research Federation.

Scammers Use All Too Familiar Brand Names Trapping Victims

The research carried out by the coalition indicates that fraudsters make use of the identity of conspicuous brands to acquire victims. Some of the very popular brands currently being used in scams are: home delivery and courier services; financial services, including banks, insurance, and loan companies; companies in the Technology, Media, and Telecoms sector; many public sector organisations, including HMRC and local councils; and, in a few instances, prominent charities.

According to DNS Research Federation, the volume of scams seems to peak each year in November during the Black Friday promotions and associated online shopping. Much of such activity is occurring because of heightened online activity. Thus, proper defences are quite essential when activity reaches such peak levels.

An alliance towards consumers' protection around the world

The Global Anti-Scam Alliance was established in 2021 to create a network of businesses that stand together to protect consumers online from fraud. GASA, in partnership with Google and the DNS Research Federation, will decrease the profitability of scams in order to make them less appealing to cybercriminals.

As threats in cyber continue to grow and seemingly intensify, this alliance will very largely form a critical element in the protection of users internationally. The Global Signal Exchange represents a major leap forward in efforts on anti-scam activities as it promises that consumers will be better protected from online fraud, and are able to navigate an increasingly complex digital environment more securely.


Read more »
third party
Cyber Security Cyber Threats Risk Digital Infrastructure DNS DOH Domain Name System domains IP Address third party

Understanding the Domain Name System (DNS): How It Works and Why It Matters


The Domain Name System (DNS) serves as a critical element of the internet’s infrastructure, acting like a phone book that translates human-friendly domain names into the numerical IP addresses that computers use to communicate. Without DNS, accessing websites would be far more complicated, requiring users to remember lengthy strings of numbers instead of simple names like “google.com.” When you enter a website URL into your browser, the DNS process begins. This request, known as a “DNS query,” first goes to a DNS resolver—typically provided by your Internet Service Provider (ISP) or a third-party DNS service like Google Public DNS or Cloudflare. 

The resolver acts as an intermediary, starting the process to find the corresponding IP address of the domain name you’ve entered. The DNS resolver contacts one of the 13 root servers that make up the top level of the DNS hierarchy. These servers don’t hold the IP address themselves but provide information about which “Top-Level Domain” (TLD) server to query next. The TLD server is specific to the domain extension you’ve entered (e.g., “.com,” “.net,” “.org”) and points the resolver to the authoritative name server responsible for the particular website. The authoritative name server then provides the IP address back to the resolver, which, in turn, sends it to your browser. 

The browser then connects to the web server using this IP address, loading the website you want to visit. This process, though complex, happens in milliseconds. Security is a vital aspect of DNS because it is a frequent target for cyberattacks. One common threat is DNS spoofing, where attackers redirect traffic to fraudulent websites to steal data or spread malware. DNS hijacking is another risk, where hackers manipulate DNS records to divert users to malicious sites. These threats emphasize the importance of DNS security protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT), which encrypt DNS requests to prevent interception by malicious entities, thus protecting users’ data and privacy. 

Switching to a third-party DNS service can enhance your internet experience in terms of speed, reliability, and security. Services like Google Public DNS, OpenDNS, or Cloudflare’s 1.1.1.1 offer faster query response times, better privacy protection, and can help circumvent geographical restrictions imposed by ISPs. These alternatives often provide built-in security features, such as blocking malicious sites, to offer an extra layer of protection. 

DNS is the backbone of internet browsing, seamlessly converting domain names into IP addresses. By understanding its role and the importance of security measures, users can better appreciate how DNS keeps the internet functional and secure. Whether ensuring that websites load correctly or protecting against cyber threats, DNS plays an indispensable role in our everyday online activities.
Read more »
Obfuscation Technique
Corporate Hacking Data Breach Data Exfiltration DNS IDS Obfuscation Technique

New Hacking Method: Akami DNS Data Exfiltration



 


When it comes to cybercrime, getting into a system is only half the battle; the real challenge is extracting the stolen data without being detected. Companies often focus on preventing unauthorised access, but they must also ensure that data doesn’t slip out undetected. Hackers, driven by profit, constantly innovate methods to exfiltrate data from corporate networks, making it essential for businesses to understand and defend against these techniques.

The Challenge of Data Exfiltration

Once hackers breach a network, they need to smuggle data out without triggering alarms. Intrusion Detection Systems (IDS) are crucial in this fight. They monitor network traffic and system activities for suspicious patterns that may indicate unauthorised data extraction attempts. IDS can trigger alerts or even automatically block suspicious traffic to prevent data loss. To avoid detection, hackers use obfuscation techniques to disguise their actions. This can involve encrypting data or embedding it within harmless-looking traffic, making it difficult for IDS to identify and block the exfiltration attempts.

Reality vs. Hollywood

In Hollywood movies like "Mission Impossible," data theft is often depicted as a physical heist involving stealth and daring. In reality, hackers prefer remote methods to avoid detection and the risk of getting caught. By exploiting vulnerabilities in web servers, hackers can gain access to a network and search for valuable data. Once they find it, the challenge becomes how to exfiltrate it without triggering security systems.

One common way hackers hide their tracks is through obfuscation. A well-known method of obfuscation is image steganography, where data is embedded within images. This technique allows small amounts of data, such as passwords, to be hidden within images without raising suspicion. However, it is impractical for large datasets due to its low bandwidth and the potential for triggering alarms when numerous images are sent out.

Innovative DNS Data Exfiltration

The Domain Name System (DNS) is essential for internet functionality, translating domain names into IP addresses. Hackers can exploit this by sending data disguised as DNS queries. Typically, corporate firewalls scrutinise unfamiliar DNS requests and block those from untrusted sources. However, a novel method known as "Data Bouncing" has emerged, bypassing these restrictions and making data exfiltration easier for hackers.

How Data Bouncing Works

Data Bouncing leverages trusted web hosts to facilitate DNS resolution. Here’s how it works: hackers send an HTTP request to a reputable domain, like "bbc.co.uk," with a forged "Host" header containing the attacker’s domain. Akami Ghost HTTP servers, configured to resolve such domains, process the request, unknowingly aiding the exfiltration.

Every HTTP request a browser makes to a web server includes some metadata in the request’s headers. One of these header fields is the "Host" field, which specifies the requested domain. Normally, if you request a domain that the IP address doesn’t host, you get an error. However, Akami Ghost HTTP servers are set up to send a DNS request to resolve the domain you’ve asked for, even if it’s outside their network. This means you can send a request to a trusted domain, like "bbc.co.uk," with a "Host" header for "encryptedfilechunk.attackerdomain.com," and the trusted domain carries out the DNS resolution for you.

To prevent data exfiltration, companies need a comprehensive security strategy that includes multiple layers of defence. This makes it harder for hackers to succeed and gives security teams more time to detect and stop them. While preventing intrusions is crucial, detecting and mitigating ongoing exfiltration attempts is equally important to protect valuable data.

As cyber threats take new shapes, so must our defences. Understanding sophisticated exfiltration techniques like Data Bouncing is essential in the fight against cybercrime. By staying informed and vigilant, companies can better protect their data from falling into the wrong hands.





Read more »
Subscribe to: Posts (Atom)