2019, DNS and Information Security - Cyber Security Informer

Muddling Meerkat, a mysterious DNS Operation involving China’s Great Firewall

Security Affairs

MAY 1, 2024

The China-linked threat actors Muddling Meerkat are manipulating DNS to probe networks globally since 2019. Infoblox researchers observed China-linked threat actors Muddling Meerkat using sophisticated DNS activities since 2019 to bypass traditional security measures and probe networks worldwide.

DNS

DNS Firewall DDOS Hacking

Iran-linked Lyceum APT adds a new.NET DNS Backdoor to its arsenal

Security Affairs

JUNE 11, 2022

Iran-linked Lyceum APT group uses a new.NET-based DNS backdoor to target organizations in the energy and telecommunication sectors. The Iran-linked Lyceum APT group, aka Hexane or Spilrin, used a new.NET-based DNS backdoor in a campaign aimed at companies in the energy and telecommunication sectors, ZScaler researchers warn.

DNS

DNS Telecommunications Malware Phishing

DHS CISA urges government agencies to fix SIGRed Windows Server DNS bug within 24h

Security Affairs

JULY 17, 2020

US DHS CISA urges government agencies to patch SIGRed Windows Server DNS vulnerability within 24h due to the likelihood of the issue being exploited. on the CVSS scale and affects Windows Server versions 2003 to 2019. The SigRed flaw was discovered by Check Point researcher Sagi Tzaik and impacts Microsoft Windows DNS.

DNS

DNS Government Advertising Engineering

CVE-2019-0604 SharePoint Remote code execution (RCE) vulnerability

Security Affairs

FEBRUARY 18, 2020

Having said that I found Income Tax Department India and MIT Sloan was also vulnerable to CVE-2019-0604 a remote code execution vulnerability which exists in Microsoft SharePoint. To verify this I’ve sent a crafted payload which enable the remote server (incometaxindia.gov.in) to perform a DNS lookup on my burp collaborator.

DNS

DNS Advertising Government Hacking

Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm

Krebs on Security

DECEMBER 19, 2024

The makers of Acunetix, Texas-based application security vendor Invicti Security , confirmed Silent Push’s findings, saying someone had figured out how to crack the free trial version of the software so that it runs without a valid license key. ” Orn advertising Araneida Scanner in Feb. 2023 on the forum Cracked.

Hacking

Hacking Cybercrime Advertising Data breaches

NCSC report warns of DNS Hijacking Attacks

Security Affairs

JULY 14, 2019

The UK’s National Cyber Security Centre (NCSC) issued a security advisory to warn organizations of DNS hijacking attacks and provided recommendations this type of attack. “In January 2019 the NCSC published an alert to highlight a large-scale global campaign to hijack Domain Name Systems (DNS).”

DNS

DNS Social Engineering Accountability Advertising

Microsoft fixes critical wormable RCE SigRed in Windows DNS servers

Security Affairs

JULY 14, 2020

on the CVSS scale and affects Windows Server versions 2003 to 2019. The SigRed flaw was discovered by Check Point researcher Sagi Tzaik and impacts Microsoft Windows DNS. An attacker could exploit the SigRed vulnerability by sending specially-crafted malicious DNS queries to a Windows DNS server.

DNS

DNS Advertising Malware Hacking

Godlua backdoor, the first malware that abuses the DNS over HTTPS (DoH)

Security Affairs

JULY 4, 2019

Researchers at Network Security Research Lab of Qihoo 360 discovered a Lua-based backdoor dubbed Godlua that targets both Linux and Windows systems. The peculiarity of this new piece of malware is the ability to communicate with C2 servers via DNS over HTTPS ( DoH ). com domain. ” states the analysis. Pierluigi Paganini.

DNS

DNS Malware Advertising DDOS

Mozilla Introduces Mechanism to Hijack all DNS Traffic in the Name of Privacy

PerezBox Security

SEPTEMBER 16, 2019

In September of 2019 Mozilla will begin releasing DNS over HTTPS (DOH) in Firefox via their Trusted Recursive Resolver (TRR) program. A primer on DNS Security. The post Mozilla Introduces Mechanism to Hijack all DNS Traffic in the Name of Privacy appeared first on PerezBox. The change is based.

DNS

DNS Information Security

Cyber Defense Magazine – September 2019 has arrived. Enjoy it!

Security Affairs

SEPTEMBER 4, 2019

Cyber Defense Magazine September 2019 Edition has arrived. In addition, we’re shooting for 7x24x365 uptime as we continue to scale with improved Web App Firewalls, Content Deliver Networks (CDNs) around the Globe, Faster and More Secure DNS and CyberDefenseMagazineBackup.com up and running as an array of live mirror sites.

DNS

DNS Advertising Firewall Mobile

Cyber Defense Magazine – August 2019 has arrived. Enjoy it!

Security Affairs

AUGUST 1, 2019

Cyber Defense Magazine August 2019 Edition has arrived. In addition, we’re shooting for 7x24x365 uptime as we continue to scale with improved Web App Firewalls, Content Deliver Networks (CDNs) around the Globe, Faster and More Secure DNS and CyberDefenseMagazineBackup.com up and running as an array of live mirror sites.

DNS

DNS Advertising Firewall Mobile

Cyber Defense Magazine – July 2019 has arrived. Enjoy it!

Security Affairs

JULY 1, 2019

Cyber Defense Magazine July 2019 Edition has arrived. Cyber Defense Magazine July 2019 Edition has arrived. Tips, tricks, ideas, secrets and insider information on the best practices in cybersecurity. The post Cyber Defense Magazine – July 2019 has arrived. appeared first on Security Affairs.

DNS

DNS Advertising Firewall Mobile

Chinese StormBamboo APT compromised ISP to deliver malware

Security Affairs

AUGUST 4, 2024

Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka Evasive Panda , Daggerfly , and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations. The company linked the attacks to StormBamboo APT group.

Malware

Malware DNS Firewall Software

Black Hat USA 2021 Network Operations Center

Cisco Security

AUGUST 12, 2021

This requires a robust connection to the Internet (Lumen and Gigamon), firewall protection (Palo Alto Networks), segmented wireless network (Commscope Ruckus) and network full packet capture & forensics and SIEM (RSA NetWitness); with Cisco providing cloud-based security and intelligence support. DNS traffic at Record Low.

DNS

DNS Firewall Malware Mobile

Crooks social-engineered GoDaddy staff to take over crypto-biz domains

Security Affairs

NOVEMBER 24, 2020

Crooks were able to trick GoDaddy staff into handing over control of crypto-biz domain names in a classic DNS hijacking attack. Crooks were able to hijack traffic and email to various cryptocurrency-related websites as a result of a DNS hijacking attack on domains managed by GoDaddy. SecurityAffairs – hacking, DNS hijacking).

Social Engineering

Social Engineering Engineering DNS Accountability

China-linked APT group Salt Typhoon compromised some U.S. internet service providers (ISPs)

Security Affairs

SEPTEMBER 26, 2024

In August, Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka Evasive Panda , Daggerfly , and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations. The company linked the attacks to StormBamboo APT group.

Internet

Internet Internet DNS Telecommunications

For nearly a year, Brazilian users have been targeted with router attacks

Security Affairs

JULY 13, 2019

This year, security experts at Avast have blocked more than 4.6 The campaign uncovered by Avast aimed at silently modifying the Brazilian users’ Domain Name System (DNS) settings to redirect victims to malicious websites mimicking legitimate ones. Most recently, Netflix became a popular domain for DNS hijackers.”

DNS

DNS Passwords Advertising Banking

New Ttint IoT botnet exploits two zero-days in Tenda routers

Security Affairs

OCTOBER 5, 2020

The experts are monitoring the Mirai-based botnet since November 2019 and observed it exploiting two Tenda router 0-day vulnerabilities to spread a Remote Access Trojan (RAT). ” When the botnet was first detected in 2019, experts noticed it was exploiting the Tenda zero-day flaw tracked as CVE-2020-10987.

IoT

IoT Firmware Advertising DNS

Russia-linked APT28 has been scanning vulnerable email servers in the last year

Security Affairs

MARCH 20, 2020

In May 2019, the experts noticed that the group started using hacked email addresses of numerous high-profile targets to send credential spam messages. The group was observed using this scheme between 2019 and 2020, and according to the experts, most of the compromised email accounts belong to defense companies in the Middle East.

Phishing

Phishing Accountability Advertising DNS

Chinese-speaking cybercrime gang Rocke changes tactics

Security Affairs

OCTOBER 15, 2019

The cybercrime organization was first spotted in April 2018 by researchers at Cisco Talos, earlier 2019 researchers from Palo Alto Networks Unit42 found new malware samples used by the Rocke group for cryptojacking that uninstalls from Linux servers cloud security and monitoring products developed by Tencent Cloud and Alibaba Cloud.

Cybercrime

Cybercrime DNS Malware Advertising

Flaws in the BlueStacks Android emulator allows remote code execution and more

Security Affairs

JUNE 27, 2019

In April, the researcher Nick Cano discovered that BlueStacks versions prior than v4.90.0.1046 are affected by a DNS rebinding vulnerability that allowed attackers to gain access to the emulator’s IPC functions. BlueStacks addressed the flaw with the release 4.90.0.1046 available since May 27th, 2019.

DNS

DNS Backups Advertising Authentication

InvisiMole group targets military sector and diplomatic missions in Eastern Europe

Security Affairs

JUNE 18, 2020

They use DNS tunneling for stealthier C&C communications, and place execution guardrails on the malicious components to hide the malware from security researchers.” Experts also observed attackers using a DNS downloader that was designed for long-term, covert access to the target machine.

DNS

DNS Advertising Spyware Software

REvil ransomware demands 500K ransom to Managed.com hosting provider

Security Affairs

NOVEMBER 19, 2020

Impacted systems included WordPress and DotNetNuke managed hosting platforms, online databases, email servers, DNS servers, RDP access points, and FTP servers. Our Technology and Information Security teams are working diligently to eliminate the threat and restore our customers to full capacity.”

Ransomware

Ransomware DNS Encryption Hacking

Critical zero-days discovered in VxWorks RTOS, billions of devices at risk

Security Affairs

JULY 30, 2019

An attacker can intercept the TCP connection in different ways, for example using DNS changer malware, targeting DNS servers and carrying out Man-in-The-Middle attacks. “As each vulnerability affects a different part of the network stack, it impacts a different set of VxWorks versions.

Risk

Risk IoT Firewall DNS

Mozi P2P Botnet also targets Netgear, Huawei, and ZTE devices

Security Affairs

AUGUST 20, 2021

Mozi is an IoT botnet that borrows the code from Mirai variants and the Gafgyt malware , it appeared on the threat landscape in late 2019. According to the researchers, in the last months of 2019, the botnet was mainly involved in DDoS attacks. .”

IoT

IoT DNS Manufacturing Firmware

ExCobalt Cybercrime group targets Russian organizations in multiple sectors

Security Affairs

JUNE 24, 2024

For secure communication, operators employ DNS/ICMP tunneling, WSS, and QUIC protocols. GoRed is capable of obtaining credentials from compromised systems and collecting various types of system information, including active processes, host names, network interfaces, and file system structures.

Cybercrime

Cybercrime Telecommunications DNS Technology

TrickBot operators employ Linux variants in attacks after recent takedown

Security Affairs

OCTOBER 28, 2020

At the end of 2019, researchers spotted a new TrickBot backdoor framework dubbed Anchor that was using the DNS protocol for C2 communications. Stage 2 Security researcher Waylon Grange first spotted the new Linux variant of Anchor_DNS in July and called it “Anchor_Linux.” ” explained Grange.

DNS

DNS Banking Advertising Malware

Pink Botnet infected over 1.6 Million Devices, it is one of the largest botnet ever seen

Security Affairs

NOVEMBER 1, 2021

The number of infected devices is impressive, on 2019-11-30 a trusted security partner in the US informed Qihoo 360’s Netlab Cybersecurity reported to have observed 1,962,308 unique daily active IPs from the Pink botnet targeting its systems.

Architecture

Architecture DDOS Advertising DNS

FBI, CISA alert warns of imminent ransomware attacks on healthcare sector

Security Affairs

OCTOBER 29, 2020

In early 2019, researchers spotted a new TrickBot backdoor framework dubbed Anchor that was using the anchor_dns tool for abusing the DNS protocol for C2 communications. TrickBot is a popular banking Trojan that has been around since October 2016, its authors have continuously upgraded it by implementing new features.

Healthcare

Healthcare Ransomware Cybercrime Advertising

Microsoft July 2020 Security Updates address 123 vulnerabilities

Security Affairs

JULY 15, 2020

on the CVSS scale and affects Windows Server versions 2003 to 2019. Today we released an update for CVE-2020-1350 , a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. Non-Microsoft DNS Servers are not affected.”

DNS

DNS Advertising Engineering Internet

Operation Spalax, an ongoing malware campaign targeting Colombian entities

Security Affairs

JANUARY 14, 2021

The attacks share some similarities with other campaigns targeting Colombian entities, in particular a campaign detailed in February 2019, by QiAnXin. The threat actors also used dynamic DNS services to manage a pool of 70 different domain names (and also register new ones on a regular basis) that are dynamically assigned to IP addresses.

Malware

Malware Surveillance Phishing Government

Security Affairs newsletter Round 230

Security Affairs

SEPTEMBER 8, 2019

Hi folk, let me inform you that I suspended the newsletter service, anyway I’ll continue to provide you a list of published posts every week through the blog. Cisco addresses CVE-2019-12643 critical flaw in virtual Service Container for IOS XE. Malspam campaign bypasses secure email gateway using Google Docs.

IoT

IoT Data breaches Advertising DNS

Group-IB presents its annual report on global threats to stability in cyberspace

Security Affairs

NOVEMBER 29, 2019

Group-IB, has analyzed key recent changes to the global cyberthreat landscape in the “Hi-Tech Crime Trends 2019/2020” report. According to Group-IB’s experts, the most frustrating trend of 2019 was the use of cyberweapons in military operations. As for 2019, it has become the year of covert military operations in cyberspace.

Banking

Banking Telecommunications Marketing Internet

Security firm accidentally exposed an unprotected database with 5 Billion previously leaked records

Security Affairs

MARCH 22, 2020

The expert Bob Diachenko has discovered an unsecured Elasticsearch install belonging to a UK security firm that contained 5 billion records of data leaked in previous incidents that took place between 2012 and 2019. ” wrote Security Discovery’s researcher Bob Diachenko.

Data breaches

Data breaches Advertising DNS Engineering

Lyceum APT made the headlines with attacks in Middle East

Security Affairs

AUGUST 27, 2019

Security experts at Dragos Inc. According to Dragos, the Hexane group has been active since at least the middle of 2018, it intensified its activity since early 2019 with an escalation of tensions within the Middle East. The malware uses DNS and HTTP-based communication mechanisms. ” continues the analysis.

DNS

DNS Passwords Penetration Testing Social Engineering

DDoS Attack on Amazon Web Services caused intermittently outage

Security Affairs

OCTOBER 25, 2019

We're investigating reports of intermittent DNS resolution errors with Route 53 & our external DNS providers. — AWS Support (@AWSSupport) October 22, 2019. According to the company status page, hackers were targeting the AWS DNS servers flooding them with junk network traffic.

DDOS

DDOS DNS Advertising Engineering

GALLIUM Threat Group targets global telcos, Microsoft warns

Security Affairs

DECEMBER 12, 2019

” The GALLIUM threat actor is active, but its activity was more intense between 2018 and mid-2019. link] — bk (Ben K) (@bkMSFT) December 12, 2019. The operators leverage on low cost and easy to replace infrastructure using dynamic-DNS domains and regularly reused hop points. ” continues the analysis.

Telecommunications

Telecommunications DNS Malware Advertising

Glupteba botnet is back after Google disrupted it in December 2021

Security Affairs

DECEMBER 19, 2022

Researchers believe that at least five different merchants and exchanges were used to fund the Glupteba addresses since 2019. The experts used passive DNS records to uncover Glupteba domains and hosts and analyzed the latest set of TLS certificates used by the bot to figure out the infrastructure used by the attackers.

DNS

DNS Antivirus Cryptocurrency Software

China-Linked APT15 group is using a previously undocumented backdoor

Security Affairs

JULY 23, 2019

Attackers also noticed that systems infected with the above two families were also targeted with the RoyalDNS malware that uses DNS to communicate with the C&C server. Once executed the command the backdoor returns output through DNS. “The Ke3chang APT group (a.k.a.

DNS

DNS Malware Advertising Manufacturing

Turkish Sea Turtle APT targets Dutch IT and Telecom firms

Security Affairs

JANUARY 7, 2024

Between 2017 and 2019, the APT group mainly used DNS hijacking in its campaigns. The researchers believe that the Turkey-linked APT Sea Turtle has been active since at least 2017. The Sea Turtle APT group focuses primarily on targeting organizations in Europe and the Middle East.

Media

Media Accountability Telecommunications Government

Backdoored Webmin versions were available for download for over a year

Security Affairs

AUGUST 19, 2019

It allows users using web browsers to set up user accounts, Apache, DNS, file sharing and much more. News of the day is that Webmin contained a remote code execution vulnerability, tracked as CVE-2019-15107, for more than a year. I'ill share detailed information about my presentation and vulnerabilities very soon!

Passwords

Passwords System Administration Advertising DNS

Let’s Encrypt CA is revoking over 3 Million TLS certificates due to a bug

Security Affairs

MARCH 4, 2020

The CAA security feature allows domain owners to prevent Certificate Authorities (CAs) to issue certificates for their domains. Domain owners can add a “CAA field” to their domain’s DNS records, this implies that only the CA included in this field can issue a TLS certificate for that domain.

Encryption

Encryption Advertising DNS Software

PurpleFox botnet variant uses WebSockets for more secure C2 communication

Security Affairs

OCTOBER 20, 2021

“After selecting the appropriate vulnerability, it uses the PowerSploit module to reflectively load the embedded exploit bundle binary with the target vulnerability and an MSI command as arguments.

Encryption

Encryption DNS Architecture Firewall

Roboto, a new P2P botnet targets Linux Webmin servers

Security Affairs

NOVEMBER 21, 2019

“Fast forwarded to October 11, 2019, our Anglerfish honeypot captured another suspicious ELF sample, and it turned out to be the Downloader of the previous suspicious ELF sample.” It allows users using web browsers to set up user accounts, Apache, DNS, file sharing and much more.

DDOS

DDOS Advertising System Administration DNS

Muddling Meerkat, a mysterious DNS Operation involving China’s Great Firewall

Iran-linked Lyceum APT adds a new.NET DNS Backdoor to its arsenal

Trending Sources

DHS CISA urges government agencies to fix SIGRed Windows Server DNS bug within 24h

CVE-2019-0604 SharePoint Remote code execution (RCE) vulnerability

Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm

NCSC report warns of DNS Hijacking Attacks

Microsoft fixes critical wormable RCE SigRed in Windows DNS servers

Godlua backdoor, the first malware that abuses the DNS over HTTPS (DoH)

Mozilla Introduces Mechanism to Hijack all DNS Traffic in the Name of Privacy

Cyber Defense Magazine – September 2019 has arrived. Enjoy it!

Cyber Defense Magazine – August 2019 has arrived. Enjoy it!

Cyber Defense Magazine – July 2019 has arrived. Enjoy it!

Chinese StormBamboo APT compromised ISP to deliver malware

Black Hat USA 2021 Network Operations Center

Crooks social-engineered GoDaddy staff to take over crypto-biz domains

China-linked APT group Salt Typhoon compromised some U.S. internet service providers (ISPs)

For nearly a year, Brazilian users have been targeted with router attacks

New Ttint IoT botnet exploits two zero-days in Tenda routers

Russia-linked APT28 has been scanning vulnerable email servers in the last year

Chinese-speaking cybercrime gang Rocke changes tactics

Flaws in the BlueStacks Android emulator allows remote code execution and more

InvisiMole group targets military sector and diplomatic missions in Eastern Europe

REvil ransomware demands 500K ransom to Managed.com hosting provider

Critical zero-days discovered in VxWorks RTOS, billions of devices at risk

Mozi P2P Botnet also targets Netgear, Huawei, and ZTE devices

ExCobalt Cybercrime group targets Russian organizations in multiple sectors

TrickBot operators employ Linux variants in attacks after recent takedown

Pink Botnet infected over 1.6 Million Devices, it is one of the largest botnet ever seen

FBI, CISA alert warns of imminent ransomware attacks on healthcare sector

Microsoft July 2020 Security Updates address 123 vulnerabilities

Operation Spalax, an ongoing malware campaign targeting Colombian entities

Security Affairs newsletter Round 230

Group-IB presents its annual report on global threats to stability in cyberspace

Security firm accidentally exposed an unprotected database with 5 Billion previously leaked records

Lyceum APT made the headlines with attacks in Middle East

DDoS Attack on Amazon Web Services caused intermittently outage

GALLIUM Threat Group targets global telcos, Microsoft warns

Glupteba botnet is back after Google disrupted it in December 2021

China-Linked APT15 group is using a previously undocumented backdoor

Turkish Sea Turtle APT targets Dutch IT and Telecom firms

Backdoored Webmin versions were available for download for over a year

Let’s Encrypt CA is revoking over 3 Million TLS certificates due to a bug

PurpleFox botnet variant uses WebSockets for more secure C2 communication

Roboto, a new P2P botnet targets Linux Webmin servers

Stay Connected