A Deep Dive on the Recent Widespread DNS Hijacking Attacks

Krebs on Security

” The DNS part of that moniker refers to the global “ D omain N ame S ystem ,” which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet address that are easier for computers to manage. Talos reported that these DNS hijacks also paved the way for the attackers to obtain SSL encryption certificates for the targeted domains (e.g. PASSIVE DNS. The U.S.

DNS 204

DHS issues emergency Directive to prevent DNS hijacking attacks

Security Affairs

DHS has issued a notice of a CISA emergency directive urging federal agencies of improving the security of government-managed domains (i.e.gov) to prevent DNS hijacking attacks. The notice was issued by the DHS and links the emergency directive Emergency Directive 19-01 titled “Mitigate DNS Infrastructure Tampering.”. The emergency directive is probably related to a recently disclosed campaign of DNS hijacking attacks uncovered by FireEye.

DNS 76
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Alleged Iran-linked APT groups behind global DNS Hijacking campaign

Security Affairs

Security expert uncovered a DNS hijacking campaign targeting organizations in various industries worldwide and suspects Iranian APT groups. Security experts at FireEye uncovered a DNS hijacking campaign that is targeting government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations in the Middle East, North Africa, North America and Europe. SecurityAffairs – Iran, DNS hijacking).

DNS 73

China-linked LightBasin group accessed calling records from telcos worldwide

Security Affairs

A China-linked hacking group, tracked as LightBasin (aka UNC1945 ), hacked mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.

Sunburst: connecting the dots in the DNS requests

SecureList

In the initial phases, the Sunburst malware talks to the C&C server by sending encoded DNS requests. These requests contain information about the infected computer; if the attackers deem it interesting enough, the DNS response includes a CNAME record pointing to a second level C&C server. Our colleagues from FireEye published several DNS requests that supposedly led to CNAME responses on Github: [link]. Each one of these DNS requests also has the Base32-encoded UID.

DNS 63

ICANN warns of large-scale attacks on Internet infrastructure

Security Affairs

“The Internet Corporation for Assigned Names and Numbers ( ICANN ) believes that there is an ongoing and significant risk to key parts of the Domain Name System ( DNS ) infrastructure. ” Even if the attacks date back to 2017, in recent weeks the experts observed a spike in the malicious activities against the Internet infrastructure, threat actors are targeting the Domain Name System or DNS which are responsible for traffic rounting.

For nearly a year, Brazilian users have been targeted with router attacks

Security Affairs

The campaign uncovered by Avast aimed at silently modifying the Brazilian users’ Domain Name System (DNS) settings to redirect victims to malicious websites mimicking legitimate ones. In some cases the router is reconfigured to use rogue DNS servers, which redirect victims to phishing pages that closely look like real online banking sites. Most recently, Netflix became a popular domain for DNS hijackers.”

What is Telecom LightBasin Cyber Attack

CyberSecurity Insiders

Interestingly, the findings state that the threat actors, probably funded by a government, were hiding in the external DNS servers of telcos and conducting espionage through General Packet Radio Services (GPRS) networks.

APT34 targets Jordan Government using new Saitama backdoor

Malwarebytes

The group is known to focus on the financial, governmental, energy, chemical, and telecommunication sectors. Calls the “eNotif’ function which is used to send a notification of each steps of macro execution to its server using the DNS protocol.

Lyceum group reborn

SecureList

As in the older DanBot instances, both variants supported similar custom C&C protocols tunneled over DNS or HTTP. This year, we had the honor to be selected for the thirty-first edition of the Virus Bulletin conference.

DNS 78

TTPs and IOCs Used by MuddyWater APT Group in Latest Attack Campaign

Security Boulevard

MuddyWater (also known as TEMP.Zagros, Static Kitten, Seedworm, and Mercury) is a threat group that primarily targets telecommunications, government, oil, defense, and finance sectors in the Middle East, Europe, and North America.

INTERNET BLOCKING IN MYANMAR – SECRET BLOCK LIST AND NO MEANS TO APPEAL

Security Affairs

In March 2020, The Ministry of Telecommunications (MoTC) issued a directive to all operators in Myanmar with a secret list of 230 sites to be blocked due to the nature of the content; adult content and fake news. Our findings show that both Telenor and MPT block websites using DNS tampering.

GALLIUM Threat Group targets global telcos, Microsoft warns

Security Affairs

The Microsoft Threat Intelligence Center (MSTIC) warns of GALLIUM threat group targeting global telecommunication providers worldwide. The Microsoft Threat Intelligence Center (MSTIC) warns of GALLIUM threat group targeting global telecommunication providers worldwide.

SolarWinds SUNBURST Backdoor DGA and Infected Domain Analysis

CyberSecurity Insiders

The enterprises need to deploy a good NTA (NDR) solution that is capable of logging important metadata from the traffic of DNS and other important L7 application protocols.

What are Common Types of Social Engineering Attacks?

eSecurity Planet

Vishing attacks are also similar to phishing and smishing, but these attacks target VoIP and telecommunications services rather than text-based mediums. In the latter approach, attackers target the website hosting server and change the DNS table so that users are redirected to a fake website.

RuNet – Russia successfully concluded tests on its Internet infrastructure

Security Affairs

The authorities want to ensure that the access to Russian Internet resources will be maintained also under attack, to do this, Russian experts are thinking a sort of DNS managed by Moscow. Russia successfully disconnected from the internet.

Canadian Police Raid ‘Orcus RAT’ Author

Krebs on Security

31, 2019, Rezvesz said his company recently was the subject of an international search warrant executed jointly by the Royal Canadian Mounted Police (RCMP) and the Canadian Radio-television and Telecommunications Commission (CRTC). “In As KrebsOnSecurity noted in 2016 , in conjunction with his RAT Rezvesz also sold and marketed a bulletproof “dynamic DNS service” that promised not to keep any records of customer activity.

Operation Lyrebird: Group-IB assists INTERPOL in identifying suspect behind numerous cybercrimes worldwide

Security Affairs

According to the DNS data analysis, this name was used to register at least two domains, which were created using the email from the phishing kit. Group-IB supported INTERPOL in its Operation Lyrebird that allowed to identify a threat actor presumably responsible for multiple attacks.

Netanyahu accuses Iran of cyber attacks carried out daily

Security Affairs

Early January, security experts at FireEye uncovered a DNS hijacking campaign that was targeting government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations in the Middle East, North Africa, North America and Europe. Israeli Prime Minister Benjamin Netanyahu accuses Iran of launching cyber-attacks on its country with a daily basis.

APT34: Glimpse project

Security Affairs

Indeed we might observe a File-based command and control (a quite unusual solution) structure, a VBS launcher, a PowerShell Payload and a covert channel over DNS engine. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. According to Duo, “ OilRig delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016.

DNS 76

Quad9 to move offices to Switzerland, invites other privacy-focused firms to follow

SC Magazine

” Quad9 is a non-profit offering a free recursive DNS service that does not log user data. and Google Public DNS. Quad9, the privacy-focused domain resolver, announced Wednesday it would move its offices to Zurich, Switzerland to subject itself to stricter privacy laws.

DNS 81

Group-IB presents its annual report on global threats to stability in cyberspace

Security Affairs

The past months have shown that the most dangerous hacks involved DNS hijacking, which helped attackers manipulate DNS records for MITM attacks. The most common objective of such attacks is cyberespionage and disruption of major telecommunications companies’ work.

Best Network Monitoring Tools for 2022

eSecurity Planet

Spun off from the telecommunications vendor JDS Uniphase in 2015, Viavi Solutions is a newer name, but it has four-plus decades of IT services experience.

Lyceum APT made the headlines with attacks in Middle East

Security Affairs

reported that Hexane is targeting organizations in the oil and gas industry and telecommunication providers. The malware uses DNS and HTTP-based communication mechanisms. “Password spraying, DNS tunneling, social engineering, and abuse of security testing frameworks are common tactics, particularly from threat groups operating in the Middle East.”

How we protect our users against the Sunburst backdoor

SecureList

Several publicly available data sets, such as the one from John Bambenek, include DNS requests encoding the victim names. Based on the CNAME records published by FireEye, we identified only two entities, a US government organization and a telecommunications company, who were tagged and “promoted” to dedicated C2s for additional exploitation. What happened. SolarWinds, a well-known IT managed services provider, has recently become a victim of a cyberattack.

OilRig APT group: the evolution of attack techniques over time

Security Affairs

The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. T1094) mainly developed using DNS resolutions (which is actually one of the main characteristic of the attacker group). They begun development by introducing crafted communication protocol over DNS and later they added, to such a layer, encoding and encryption self build protocols.

DDoS attacks in Q4 2020

SecureList

The DTLS (Datagram Transport Layer Security) protocol is used to establish secure connections over UDP, through which most DNS queries, as well as audio and video traffic, are sent. In October, telecommunications firm Telenor Norway was another to fall victim. News overview.

DDOS 103

Iranian Threat Actors: Preliminary Analysis

Security Affairs

If so we are facing a state-sponsored group with high capabilities in developing persistence and hidden communication channels (for example over DNS) but without a deep interest in exploiting services.

Guarding Against Solorigate TTPs

eSecurity Planet

The National Telecommunications and Information Administration (NTIA) offers the concept of a Software Bill of Materials (SBOM) to address this problem. Mail DNS controls.

Security Ledger Podcast: Security Automation Is (And Isn't) The Future Of InfoSec

ForAllSecure

Advances in the use of polymers revolutionized everything from food packaging to electronics, telecommunication and medicine. For example, they may think, "Hey, the user's going to give me an input and it's only going to be as long as maybe a DNS record."

APT trends report Q1 2021

SecureList

Although Lyceum still prefers taking advantage of DNS tunneling, it appears to have replaced the previously documented.NET payload with a new C++ backdoor and a PowerShell script that serve the same purpose.

Security Ledger Podcast: Security Automation Is (And Isn't) The Future Of InfoSec

ForAllSecure

Advances in the use of polymers revolutionized everything from food packaging to electronics, telecommunication and medicine. For example, they may think, "Hey, the user's going to give me an input and it's only going to be as long as maybe a DNS record." Every so often, a technology comes along that seems to perfectly capture the zeitgeist : representing all that is both promising and troubling about the future.

SECURITY LEDGER PODCAST: SECURITY AUTOMATION IS (AND ISN'T) THE FUTURE OF INFOSEC

ForAllSecure

Advances in the use of polymers revolutionized everything from food packaging to electronics, telecommunication and medicine. For example, they may think, "Hey, the user's going to give me an input and it's only going to be as long as maybe a DNS record." Every so often, a technology comes along that seems to perfectly capture the zeitgeist : representing all that is both promising and troubling about the future.