Krebs on Security

MARCH 2, 2020

In 2018, security intelligence firm HYAS discovered a malware network communicating with systems inside of a French national power company. When it didn’t hear from French authorities after almost a week, HYAS asked the dynamic DNS provider to “ sinkhole ” the malware network’s control servers.

DNS 259

DNS Penetration Testing Malware Hacking 259

Cisco Security

AUGUST 12, 2021

For several years, Cisco Secure provided DNS visibility and architecture intelligence with Cisco Umbrella and Cisco Umbrella Investigate ; and automated malware analysis and threat intelligence with Cisco Secure Malware Analytics (Threat Grid) , backed by Cisco Talos Intelligence and Cisco SecureX. DNS traffic at Record Low.

DNS 145

DNS Firewall Malware Mobile 145

Cisco Security

AUGUST 11, 2021

We looked at REvil, also known as Sodinokibi or Sodin, earlier in the year in a Threat Trends blog on DNS Security. In it we talked about how REvil/Sodinokibi compromised far more endpoints than Ryuk, but had far less DNS communication. Figure 1-DNS activity surrounding REvil/Sodinokibi.

Ransomware 143

Ransomware DNS Encryption Backups 143

BH Consulting

JULY 17, 2024

– for anyone who’s been working in data privacy roles since 2018: you ain’t seen nothing yet. And lastly, Javvad Malik’s excellent blog paints a heartfelt picture with a human story behind a security breach. MORE The US CISA agency has a guide to implementing DNS protocols. MORE Can LLMs work for vulnerability research?

Cyber Insurance 69

Cyber Insurance Insurance Risk Marketing 69

Security Affairs

MARCH 10, 2020

The tools are being shared online on popular hacking forums and blogs, they are infected with a version of the njRAT RAT that is used by attackers to establish a backdoor on the victims’ systems and take full control of them. “On November 25 2018, the capeturk.com domain expired and was registered by a Vietnamese individual.

Hacking 139

Hacking Advertising Malware DNS 139

Security Affairs

MAY 15, 2023

“Lancefly’s custom malware, which we have dubbed Merdoor, is a powerful backdoor that appears to have existed since 2018.” The intelligence-gathering campaign started in mid-2022 and is likely still ongoing. ” reads the analysis published by Symantec.

Encryption 98

Encryption DNS Phishing Malware 98

Security Affairs

JUNE 9, 2022

Other techniques employed by the APT group include DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection. From 2018 to present, Aoqin Dragon has also been observed using a fake removable device as an initial infection vector. The APT has improved its malicious code over the time to avoid detection.

Malware 98

Malware DNS Encryption Education 98

Security Affairs

JULY 1, 2019

“Surfacing during the latter half of 2018 and wrapped in a bespoke OceanLotus shellcode loader, this sample was first reported in a blog from Macnica Networks.” The experts analyzed four different samples of the Ratsnif RAT, three dated back 2016, and the fourth created in H2 2018.

Malware 65

Malware Advertising DNS Manufacturing 65

McAfee

FEBRUARY 4, 2021

This blog is part of our SOCwise series where we’ll be digging into all things related to SecOps from a practitioner’s point of view, helping us enable defenders to both build context and confidence in what they do. . And they didn’t even give it a DNS look up until almost a year later.

DNS 102

DNS Firewall Accountability Technology 102

Security Affairs

AUGUST 7, 2019

group_b : from August 2017 to January 2018 3. group_c : from January 2018 to February 2018 4. T1094) mainly developed using DNS resolutions (which is actually one of the main characteristic of the attacker group). The original post and other interesting analysis are published on the Marco Ramilli’s blog: [link].

Computers and Electronics 89

Computers and Electronics Penetration Testing DNS Phishing 89

SecureList

AUGUST 19, 2024

There is evidence that the group has been active since at least 2018. This blog aims to give an introduction to the group, detail its TTPs, and provide insights into their recent operations. Dynamic DNS services utilized for resolving the addresses of servers hosting the group’s malicious artifacts.

Phishing 98

Phishing Energy and Utilities Malware Banking 98

Security Affairs

SEPTEMBER 8, 2018

— Privacy 1st (@privacyis1st) August 20, 2018. Patrick Wardle by redirecting DNS resolution was able to capture the exfiltrated data: The history.zip file is exfiltrated to a remote to dscan.yelabapp.com that is hosted on Amazon AWS servers, but the analysis of the DNS entries confirms that it is administered by an entity in China.

Adware 63

Adware DNS Malware Advertising 63

Troy Hunt

JULY 19, 2018

pic.twitter.com/WPez1SXYmD — Troy Hunt (@troyhunt) June 27, 2018. Onto the next piece and per the title, it's going to involve DNS rollover. As such, I need to roll DNS to go from pointing to one Function app to another one. for you guys to do 54M searches against a repository of half a billion passwords ??

DNS 129

DNS Passwords Firewall Authentication 129

Fox IT

JANUARY 12, 2021

observed Q2 2017 Cobalt Strike v3.12, observed Q3 2018 Cobalt Strike v3.14, observed Q2 2019. This research project covers the fingerprinting of Cobalt Strike servers and is described in Fox-IT blog “ Identifying Cobalt Strike team servers in the wild ”. The DNS-responses weren’t logged. Command and control (TA0011).

VPN 68

VPN Accountability Passwords DNS 68

Security Affairs

DECEMBER 20, 2018

Security firms such as Proofpoint and Eset analyzed other samples of the same threat targeting the Australian landscape back in May 2018 and, more recently, in Italy. Further data, including IoCs and Yara rules, decide in the report published on the Yoroi blog. Conclusion. Dissecting the Danabot Paylaod Targeting Italy.

Banking 91

Banking Malware Internet Internet 91

Security Affairs

JANUARY 25, 2019

The usage of the VPN service hides the real location of the attacker, however, the specific IP isn’t new to the threat intel community, it has been abused since october 2018. Further details, including IoCs and Yara Rules, are reported in the analysis published on the Yoroi blog. The Story of Manuel’s Java RAT.

Malware 96

Malware VPN Advertising InfoSec 96

McAfee

SEPTEMBER 29, 2021

One vendor surveyed IT professionals at the RSA conference in 2018. Security investigators will use a multitude of data, threat intelligence, log files, DNS activity, and much more to identify the exact nature of the potential breach and determine the best response playbook to use. 1] [link]. [2]

DNS 67

DNS Manufacturing Data breaches Risk 67

Troy Hunt

JANUARY 10, 2018

agarwal_mohit) January 5, 2018. I think the URL is right but it seems inaccessible from other countries: [link] — Troy Hunt (@troyhunt) January 9, 2018. Security /= George blocking — Vatsalya Goel (@vatsalyagoel) January 9, 2018. — Khas Mek (@KhasMek) January 10, 2018. FergusInLondon) January 10, 2018.

Hacking 279

Hacking Government Encryption Risk 279

Security Affairs

MAY 2, 2019

Indeed we might observe a File-based command and control (a quite unusual solution) structure, a VBS launcher, a PowerShell Payload and a covert channel over DNS engine. According to Duo, “ OilRig delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. It is not a TXT request.

DNS 103

DNS Computers and Electronics Penetration Testing Government 103

Security Boulevard

JUNE 20, 2024

Passive DNS: The Context of IP Addresses When threat actors target financial institutions using ransomware, they deploy it via multiple IP addresses. (If Passive DNS — automatic, continuous monitoring of potential threats — is (and should be) a feature of complete DNS protection solutions. Download the use cases 1.

Cyber Attacks 67

Cyber Attacks DNS Phishing Cyber threats 67

Security Affairs

AUGUST 6, 2019

Few weeks ago, Unit42 discovered another active campaign , compatible with the Roma225 one we tracked on December 2018, pointing to some interesting changes into the attackers TTPs. Since December 2018, we are following the tracks of this ambiguous cyber criminal group, internally referenced as TH-173. Conclusion.

Malware 69

Malware Advertising DNS Education 69

eSecurity Planet

DECEMBER 3, 2021

Krebs wrote for The Washington Post between 1995 and 2009 before launching his current blog KrebsOnSecurity.com. Facebook Plans on Backdooring WhatsApp [link] — Schneier Blog (@schneierblog) August 1, 2019. — Jack Daniel (@jack_daniel) October 10, 2018. jaysonstreet) March 3, 2018. Dave Kennedy | @hackingdave.

Accountability 139

Accountability Cybersecurity Penetration Testing InfoSec 139

SecureList

FEBRUARY 7, 2022

We have been tracking Roaming Mantis since 2018, and published five blog posts about this campaign: Roaming Mantis uses DNS hijacking to infect Android smartphones. Roaming Mantis dabbles in mining and phishing multilingually. Roaming Mantis, part III. Roaming Mantis, part IV. Roaming Mantis, part V.

Phishing 92

Phishing DNS Mobile Malware 92

Malwarebytes

APRIL 6, 2023

Act IV: The Cloud Age (2017 - 2018) The year 2017 marked a turning point as Malwarebytes unveiled Nebula 1.0, In 2018, we expanded our portfolio with Endpoint Protection for Mac, Endpoint Detection and Response (EDR) for Windows endpoint s, EDR Ransomware Rollback, and EDR Endpoint Isolation. But wait, there's more!

Cybersecurity 67

Cybersecurity Malware Cyber threats Small Business 67

CyberSecurity Insiders

MARCH 5, 2021

According to SaveBreach , Security Researcher Vinoth Kumar discovered a password that belongs to SolarWinds update server has been leaked to Github since 2018. The enterprises need to deploy a good NTA (NDR) solution that is capable of logging important metadata from the traffic of DNS and other important L7 application protocols.

DNS 138

DNS Education Malware Telecommunications 138

Security Boulevard

APRIL 4, 2022

ACME v2 is the current version of the protocol, published in March 2018. On September 15, 2021, the DNS records for acme-v01.api.letsencrypt.org You can read all about the key points of how ACME works in this blog. Today the protocol has become a standard ( RFC 8555 ). api.letsencrypt.org were removed. UTM Medium. UTM Source.

Encryption 52

Encryption Authentication DNS Risk 52

Security Boulevard

AUGUST 12, 2022

The CA will issue challenges (DNS or HTTPS) requiring the agent to take an action that demonstrates control over said domain(s). For that reason, having a backup CA is always a good idea,” he explains in a blog of his. . ACMEv2 was released on March 13, 2018 and is not backward compatible with v1.

Encryption 52

Encryption DNS Backups Internet 52

SecureList

APRIL 27, 2021

In November and December 2020, two public blog posts were published about this campaign. Although Lyceum still prefers taking advantage of DNS tunneling, it appears to have replaced the previously documented.NET payload with a new C++ backdoor and a PowerShell script that serve the same purpose.

Malware 144

Malware Spyware Government Social Engineering 144

SecureList

MAY 27, 2022

Since 2018, we have been tracking Roaming Mantis – a threat actor that targets Android devices. The group uses various malware families, including Wroba, and attack methods that include phishing, mining, smishing and DNS poisoning. Roaming Mantis reaches Europe.

Phishing 120

Phishing Spyware Firmware Malware 120

SecureList

APRIL 27, 2022

We had initially analyzed this Delphi malware in April 2018. In July 2021, we reported the previously unknown Tomiris Golang backdoor , deployed against government organizations within a CIS country through DNS hijacking. We exposed similarities between DarkHalo’s SunShuttle backdoor and the Tomiris implant.

Malware 140

Malware Firmware Government Phishing 140

Security Boulevard

APRIL 13, 2022

To prevent the attack techniques noted in this blog post, disable the “Allow connection fallback to NTLM” client push installation setting, which is enabled by default in SCCM. If dynamic DNS updates are also supported, tools such as Invoke-DNSUpdate can be used to create a DNS entry for the new system that points to an arbitrary IP address.

Authentication 52

Authentication Accountability Penetration Testing Software 52

SecureList

FEBRUARY 16, 2021

The DTLS (Datagram Transport Layer Security) protocol is used to establish secure connections over UDP, through which most DNS queries, as well as audio and video traffic, are sent. However, we are becoming increasingly convinced that the DDoS market has stopped growing, having completely stabilized after the decline in 2018.

DDOS 139

DDOS Cryptocurrency Marketing Internet 139

Fox IT

JUNE 23, 2020

During 2018, Evil Corp had a short lived partnership with TheTrick group; specifically, leasing out access to BitPaymer for a while, prior to their use of Ryuk. The majority of victims were in North America (mainly USA) with a smaller number in Western Europe and instances outside of these regions being just scattered, individual cases.

Ransomware 45

Ransomware Encryption Malware Architecture 45

SecureList

OCTOBER 26, 2021

In June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims’ registrar.

Malware 144

Malware Government Surveillance Spyware 144

Lenny Zeltser

MAY 3, 2019

Lock down domain registrar and DNS settings. I formulated the advice above mostly based on the tactics used against 2016 and 2018 election campaigns in the United States, as publicly described by the news media, cybersecurity companies, and the U.S. Tighten your domain configuration. the G Suite security checklist ). government.

Cybersecurity 111

Cybersecurity Social Engineering Authentication Software 111