Cybercrime, DNS and Information Security

MikroTik botnet relies on DNS misconfiguration to spread malware

Security Affairs

JANUARY 16, 2025

Researchers discovered a 13,000-device MikroTik botnet exploiting DNS flaws to spoof 20,000 domains and deliver malware. Infoblox researchers discovered a botnet of 13,000 MikroTik devices that exploits DNS misconfigurations to bypass email protections, spoof approximately 20,000 domains, and deliver malware.

DNS

DNS Malware Firmware Authentication

Morphing Meerkat phishing kits exploit DNS MX records

Security Affairs

MARCH 31, 2025

Morphing Meerkat phishing kits exploit DNS MX records to deliver spoofed login pages, targeting over 100 brands. Threat actors are exploiting DNS techniques to enhance phishing attacks, using MX records to dynamically serve spoofed login pages. By July 2023 kits could dynamically load phishing pages based on DNS MX records.

DNS

DNS Phishing Banking Passwords

Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm

Krebs on Security

DECEMBER 19, 2024

The makers of Acunetix, Texas-based application security vendor Invicti Security , confirmed Silent Push’s findings, saying someone had figured out how to crack the free trial version of the software so that it runs without a valid license key. co — first came online in February 2023. 2023 on the forum Cracked.

Hacking

Hacking Cybercrime Advertising Data breaches

B1txor20 Linux botnet use DNS Tunnel and Log4J exploit

Security Affairs

MARCH 17, 2022

Researchers uncovered a new Linux botnet, tracked as B1txor20, that exploits the Log4J vulnerability and DNS tunnel. “In short, B1txor20 is a Backdoor for the Linux platform, which uses DNS Tunnel technology to build C2 communication channels. In this way, Bot and C2 achieve communication with the help of DNS protocol.”

DNS

DNS Malware Technology Encryption

U.S. CISA adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog

Security Affairs

DECEMBER 6, 2024

The getresetstatus vulnerability in CyberPanel (before commit 1c0c6cb ) affects dns/views.py “getresetstatus in dns/views.py “getresetstatus in dns/views.py and ftp/views.py. Attackers can manipulate the statusfile property with shell metacharacters. and ftp/views.py ” reads the advisory. . and ftp/views.py

DNS

DNS Authentication Ransomware Hacking

ExCobalt Cybercrime group targets Russian organizations in multiple sectors

Security Affairs

JUNE 24, 2024

The cybercrime group ExCobalt targeted Russian organizations in multiple sectors with a previously unknown backdoor known as GoRed. Positive Technologies researchers reported that a cybercrime gang called ExCobalt targeted Russian organizations in multiple sectors with a previously unknown Golang-based backdoor known as GoRed.

Cybercrime

Cybercrime Telecommunications DNS Technology

Chinese-speaking cybercrime gang Rocke changes tactics

Security Affairs

OCTOBER 15, 2019

Chinese-speaking cybercrime gang Rocke that carried out several large-scale cryptomining campaigns, has now using news tactics to evade detection. Chinese-speaking cybercrime gang Rocke, that carried out several large-scale cryptomining campaigns in past , has now using news tactics to evade detection. Pierluigi Paganini.

Cybercrime

Cybercrime DNS Malware Advertising

Local Networks Go Global When Domain Names Collide

Krebs on Security

AUGUST 23, 2024

A core part of the way these things find each other involves a Windows feature called “ DNS name devolution ,” a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources. ” Caturegli said setting up an email server record for memrtcc.ad

DNS

DNS Internet Internet Authentication

Roaming Mantis uses new DNS changer in its Wroba mobile malware

Security Affairs

JANUARY 22, 2023

Roaming Mantis threat actors were observed using a new variant of their mobile malware Wroba to hijack DNS settings of Wi-Fi routers. Researchers from Kaspersky observed Roaming Mantis threat actors using an updated variant of their mobile malware Wroba to compromise Wi-Fi routers and hijack DNS settings. Agent.eq (a.k.a

DNS

DNS Mobile Malware Hacking

Operation Lyrebird: Group-IB assists INTERPOL in identifying suspect behind numerous cybercrimes worldwide

Security Affairs

JULY 6, 2021

The alleged perpetrator, who turned out to be a citizen of Morocco, was arrested in May by the Moroccan police based on the data about his cybercrimes that was provided by Group-IB. According to the DNS data analysis, this name was used to register at least two domains, which were created using the email from the phishing kit.

Cybercrime

Cybercrime Phishing Banking Telecommunications

Sitting Ducks attack technique exposes over a million domains to hijacking

Security Affairs

AUGUST 1, 2024

Researchers warn of an attack vector in the DNS, called the Sitting Ducks, that exposes over a million domains to hackers’ takeover. Researchers from Eclypsium and Infoblox have identified an attack vector in the domain name system (DNS), dubbed the Sitting Ducks attack. ” continues the report.

DNS

DNS Accountability Risk Hacking

Cybercriminals Impersonate Dubai Police to Defraud Consumers in the UAE – Smishing Triad in Action

Security Affairs

DECEMBER 10, 2024

Based on available Passive DNS records, Resecurity identified over 144 domain names registered by the actors in the.com,om,site,top and.icu domain zones. Once the credit card details were entered, cybercriminals used them for much higher charges at the controlled merchants registered on money mules.A

Social Engineering

Social Engineering Phishing Banking DNS

Hackers hijacked the eScan Antivirus update mechanism in malware campaign

Security Affairs

APRIL 24, 2024

Mutex_ONLY_ME_V1 ), the malware searches for services.exe process and injects its next stage into the first one it can find Cleanup is performed, removing the update package GuptiMiner operates its own DNS servers to provide legitimate destination domain addresses of C2 servers through DNS TXT responses.

Antivirus

Antivirus Malware DNS Cryptocurrency

FBI and Interpol shut down some servers of Joker’s Stash carding marketplace

Security Affairs

DECEMBER 19, 2020

At the time of this writing the Joker’s Stash’s.bazar,lib,emc,coin domains, which are all those accessible via blockchain DNS, are simply showing a “Server Not Found” message. . SecurityAffairs – hacking, cybercrime). Pierluigi Paganini.

DNS

DNS Cybercrime Hacking Information Security

FBI, CISA alert warns of imminent ransomware attacks on healthcare sector

Security Affairs

OCTOBER 29, 2020

The government agencies receive information about imminent attacks, threat actors are using the TrickBot botnet to deliver the infamous ransomware to the infected systems. “CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

Healthcare

Healthcare Ransomware Cybercrime Advertising

Usage of TLS in DDNS Services leads to Information Disclosure in Multiple Vendors

Security Affairs

MAY 24, 2024

The use of Dynamic DNS (DDNS) services embedded in appliances can potentially expose data and devices to attacks. The use of Dynamic DNS (DDNS) services embedded in appliances, such as those provided by vendors like Fortinet or QNAP, carries cybersecurity implications. It increases the discoverability of customer devices by attackers.

DNS

DNS Manufacturing Firewall Internet

SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 29

Security Affairs

JANUARY 19, 2025

Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection Ransomware on ESXi: The mechanization of virtualized attacks FunkSec Alleged Top Ransomware Group Powered by AI Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C Malicious PyPI Package pycord-self Targets Discord Developers with Token Theft (..)

Malware

Malware Artificial Intelligence DNS Ransomware

TeamTNT group adds new detection evasion tool to its Linux miner

Security Affairs

JANUARY 28, 2021

The TeamTNT cybercrime group has improved its Linux cryptocurrency miner by implementing open-source detection evasion capabilities. The TeamTNT cybercrime group has upgraded their Linux cryptocurrency miner by adding open-source detection evasion capabilities, AT&T Alien Labs researchers warn. Set persistence through systemd.

Cryptocurrency

Cryptocurrency Cybercrime DNS Malware

Previously unseen Msupedge backdoor targeted a university in Taiwan

Security Affairs

AUGUST 20, 2024

The most notable feature of the backdoor is that it relies on DNS tunnelling to communicate with a C2 server. ” The code used by Msupedge for the DNS tunneling tool is based on the publicly available dnscat2 tool. . ” The code used by Msupedge for the DNS tunneling tool is based on the publicly available dnscat2 tool.

DNS

DNS Malware Hacking Cybercrime

Security Affairs newsletter Round 369 by Pierluigi Paganini

Security Affairs

JUNE 12, 2022

Ransomware gangs are exploiting CVE-2022-26134 RCE in Atlassian Confluence servers HID Mercury Access Controller flaws could allow to unlock Doors Iran-linked Lyceum APT adds a new.NET DNS Backdoor to its arsenal PACMAN, a new attack technique against Apple M1 CPUs Threat actors exploit recently disclosed Atlassian Confluence flaw in cryptomining campaign (..)

Ransomware

Ransomware DNS Cybercrime Hacking

Joker’s Stash, the largest carding site, is shutting down

Security Affairs

JANUARY 16, 2021

The administrator announced the decision via messages posted on various cybercrime forums. Joker’s Stash is one of the most longevous carding websites, it was launched in October 2014 and is very popular in the cybercrime underground due to the freshness of its cards and their validity. Image source FlashPoint.

Cybercrime

Cybercrime DNS Hacking Marketing

New Linux variant of BIFROSE RAT uses deceptive domain strategies

Security Affairs

MARCH 3, 2024

The researchers observed the malware trying to contact a Taiwan-based public DNS resolver with the IP address 168.95.1[.]1. The researchers observed the malware initiating a DNS query to resolve the domain download.vmfare[.]com com by using the public DNS resolver at 168.95[.]1.1.

DNS

DNS Malware Encryption Hacking

Black Hat USA 2021 Network Operations Center

Cisco Security

AUGUST 12, 2021

This requires a robust connection to the Internet (Lumen and Gigamon), firewall protection (Palo Alto Networks), segmented wireless network (Commscope Ruckus) and network full packet capture & forensics and SIEM (RSA NetWitness); with Cisco providing cloud-based security and intelligence support. Threat Grid (Secure Malware Analytics).

DNS

DNS Firewall Malware Mobile

Ransomware groups target Veeam Backup & Replication bug

Security Affairs

JULY 15, 2024

Experts observed that the Russian cybercrime group FIN7 has been exploiting the vulnerability since April 2023, while Researchers from BlackBerry reported that in June 2024, a threat actor targeted a Latin American airline with the Akira ransomware.

Backups

Backups Ransomware Antivirus DNS

Security Affairs newsletter Round 459 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs

FEBRUARY 18, 2024

Datacenter Proxies: Choosing the Right Option CISA adds Roundcube Webmail Persistent XSS bug to its Known Exploited Vulnerabilities catalog Canada Gov plans to ban the Flipper Zero to curb car thefts ExpressVPN leaked DNS requests due to a bug in the split tunneling feature 9 Possible Ways Hackers Can Use Public Wi-Fi to Steal Your Sensitive Data US (..)

Cybercrime

Cybercrime Ransomware Malware Data breaches

Cloudflare mitigated 2 Tbps DDoS attack, the largest attack it has seen to date

Security Affairs

NOVEMBER 15, 2021

The attack was launched by a Mirai botnet variant composed of 15,000 bots, it combined DNS amplification attacks and UDP floods. “This was a multi-vector attack combining DNS amplification attacks and UDP floods. The botnet included Internet of Things (IoT) devices and GitLab instances.

DDOS

DDOS DNS IoT Internet

TA505 Cybercrime targets system integrator companies

Security Affairs

NOVEMBER 12, 2019

The analysis of a malicious email revealed a possible raising interest of the TA505 cybercrime gang in system integrator companies. Building a re-directors or proxy chains is quite useful for attackers in order to evade Intrusion Prevention Systems and/or protections infrastructures based upon IPs or DNS blocks. Introduction.

Cybercrime

Cybercrime Computers and Electronics Penetration Testing Malware

New analysis of Diavol ransomware reinforces the link to TrickBot gang

Security Affairs

AUGUST 18, 2021

In July, researchers from Fortinet reported that a new ransomware family, tracked as Diavol, might have been developed by Wizard Spider , the cybercrime gang behind the TrickBot botnet. Anchor DNS ), except for the username field. SecurityAffairs – hacking, cybercrime). C3F3799FE69249579857D2039BBBAB11. Pierluigi Paganini.

Ransomware

Ransomware DNS Cybercrime Malware

Threat actors abuse public cloud services to spread multiple RATs

Security Affairs

JANUARY 13, 2022

“To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service. Threat actors can also sell the access to other cybercrime gangs, including ransomware affiliates. ” reads the analysis published by Talos.

Malware

Malware DNS Cybercrime Ransomware

FBI links the Diavol ransomware to the TrickBot gang

Security Affairs

JANUARY 20, 2022

In July, researchers from Fortinet first spotted the new ransomware family, tracked as Diavol, and speculated it might have been developed by Wizard Spider , the cybercrime gang behind the TrickBot botnet. The TrickBot Gang is also behind the development of the BazarBackdoor and Anchor backdoors. ” continues the report.

Ransomware

Ransomware Banking Malware Encryption

New Golang-based Zergeca Botnet appeared in the threat landscape

Security Affairs

JULY 5, 2024

The DDoS botnet Zergeca supports six attack methods and implements additional functionalities such as proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information. 54.51.82, has been associated with at least two Mirai botnets since September 2023.

DDOS

DDOS DNS Encryption Malware

GO#WEBBFUSCATOR campaign hides malware in NASA’s James Webb Space Telescope image

Security Affairs

AUGUST 31, 2022

Once executed, the malware makes unique DNS connections, experts determined that the binary was leveraging a DNS data exfiltration technique by sending unique DNS queries to a target C2 DNS server. “This technique works by sending an encrypted string appended to the DNS query set as a subdomain.

Malware

Malware DNS Antivirus Encryption

TeamTNT group uses Hildegard Malware to target Kubernetes Systems

Security Affairs

FEBRUARY 5, 2021

In January 2021, the cybercrime gang launched a new campaign targeting Kubernetes environments with the Hildegard malware, Palo Alto Networks warns. The malicious code also leverages other techniques to avoid detection, for example it modifies the system DNS resolvers and uses Google’s public DNS servers to bypass DNS monitoring tools.

Malware

Malware DNS Cryptocurrency Internet

One of the hackers behind EtherDelta hack also involved in TalkTalk hack

Security Affairs

SEPTEMBER 21, 2019

In December 2017, the popular cryptocurrency exchange EtherDelta was hacked, attackers conducted a DNS attack that allowed to steal at least 308 ETH ($266,789 at the time of the hack) as well as a large number of tokens. Once gained the access the Cloudflare account they were able to lock out any other employee of the company.

Hacking

Hacking DNS Cryptocurrency Accountability

Flaws in EA Games Login exposed accounts of 300 Million Gamers to hack

Security Affairs

JUNE 26, 2019

Experts at Check Point Research and Cyberint discovered multiple security flaws in EA Games’ login process that could allow an attacker to take over EA gamers’ accounts and steal sensitive data. ” reads the advisory published by CheckPoint.

Accountability

Accountability Hacking DNS Advertising

The kingpin behind Joker’s Stash retires with a billionaire exit

Security Affairs

FEBRUARY 14, 2021

The administrator announced the decision via messages posted on various cybercrime forums. Joker’s Stash is one of the most longevous carding websites, it was launched in October 2014 and is very popular in the cybercrime underground due to the freshness of its cards and their validity. Image source FlashPoint.

Cybercrime

Cybercrime Backups Hacking DNS

Two Linux botnets already exploit Log4Shell flaw in Log4j

Security Affairs

DECEMBER 12, 2021

During this process, a number of DNS requests are generated.” Experts pointed out that Muhstik uses the TOR network for its reporting mechanism. “Before accessing the TOR network, Muhstik queries relay.l33t-ppl.inf through some publicly available DoH services. ” reads the post published by NetLab 360.

DDOS

DDOS DNS Passwords Authentication

Threat actor has been targeting the aviation industry since at least 2018

Security Affairs

SEPTEMBER 18, 2021

Talos researchers believe that the group was able to remain under the radar using crypters that it bought on cybercrime forums. They abandon the C2 hostnames — which in this case are free DNS-based and they may change the crypter and initial vector, but they won’t stop their activity.

Malware

Malware Phishing DNS Cybercrime

Black Hat USA 2022 Continued: Innovation in the NOC

Cisco Security

AUGUST 29, 2022

25+ Years of Black Hat (and some DNS stats), by Alejo Calaoagan. Cisco is a Premium Partner of the Black Hat NOC , and is the Official Wired & Wireless Network Equipment, Mobile Device Management, DNS (Domain Name Service) and Malware Analysis Provider of Black Hat. CyberCrime Tracker. Unmistaken Identity, by Ben Greenbaum.

DNS

DNS Wireless Malware Firewall

FluBot malware continues to evolve. What’s new in Version 5.0 and beyond?

Security Affairs

JANUARY 8, 2022

The feature allows operators to elude DNS blocklists in an attempt to isolate the C2 infrastructure. the malware communicates with the C2 server through DNS Tunneling over HTTPS. . Once such a command is dispatched, FluBot stores the updated seed inside the shared preferences under “g” key.” In version 4.9,

Malware

Malware DNS Banking Hacking

Threat actor exploits MS ProxyShell flaws to deploy Babuk ransomware

Security Affairs

NOVEMBER 5, 2021

The analysis of DNS request distribution to the malicious domains revealed that most of the requests were coming from the U.S. The ransomware module encrypts the files in the victim’s server and appends a file extension.babyk to the encrypted files.” ” reads the analysis published by Talos.

Ransomware

Ransomware Backups Encryption DNS

Security Affairs newsletter Round 404 by Pierluigi Paganini

Security Affairs

JANUARY 29, 2023

If you want to also receive for free the newsletter with the international press subscribe here.

DNS

DNS Data breaches Hacking Backups

Mozi P2P Botnet also targets Netgear, Huawei, and ZTE devices

Security Affairs

AUGUST 20, 2021

.” state researchers at Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT. “By infecting routers, they can perform man-in-the-middle (MITM) attacks—via HTTP hijacking and DNS spoofing—to compromise endpoints and deploy ransomware or cause safety incidents in OT facilities.

IoT

IoT DNS Manufacturing Firmware

Glupteba botnet is back after Google disrupted it in December 2021

Security Affairs

DECEMBER 19, 2022

The experts used passive DNS records to uncover Glupteba domains and hosts and analyzed the latest set of TLS certificates used by the bot to figure out the infrastructure used by the attackers. We also recommend monitoring DNS logs and keeping the antivirus software up to date to help prevent a potential Glupteba infection.”

DNS

DNS Antivirus Cryptocurrency Software

MikroTik botnet relies on DNS misconfiguration to spread malware

Morphing Meerkat phishing kits exploit DNS MX records

Trending Sources

Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm

B1txor20 Linux botnet use DNS Tunnel and Log4J exploit

U.S. CISA adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog

ExCobalt Cybercrime group targets Russian organizations in multiple sectors

Chinese-speaking cybercrime gang Rocke changes tactics

Local Networks Go Global When Domain Names Collide

Roaming Mantis uses new DNS changer in its Wroba mobile malware

Operation Lyrebird: Group-IB assists INTERPOL in identifying suspect behind numerous cybercrimes worldwide

Sitting Ducks attack technique exposes over a million domains to hijacking

Cybercriminals Impersonate Dubai Police to Defraud Consumers in the UAE – Smishing Triad in Action

Hackers hijacked the eScan Antivirus update mechanism in malware campaign

FBI and Interpol shut down some servers of Joker’s Stash carding marketplace

FBI, CISA alert warns of imminent ransomware attacks on healthcare sector

Usage of TLS in DDNS Services leads to Information Disclosure in Multiple Vendors

SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 29

TeamTNT group adds new detection evasion tool to its Linux miner

Previously unseen Msupedge backdoor targeted a university in Taiwan

Security Affairs newsletter Round 369 by Pierluigi Paganini

Joker’s Stash, the largest carding site, is shutting down

New Linux variant of BIFROSE RAT uses deceptive domain strategies

Black Hat USA 2021 Network Operations Center

Ransomware groups target Veeam Backup & Replication bug

Security Affairs newsletter Round 459 by Pierluigi Paganini – INTERNATIONAL EDITION

Cloudflare mitigated 2 Tbps DDoS attack, the largest attack it has seen to date

TA505 Cybercrime targets system integrator companies

New analysis of Diavol ransomware reinforces the link to TrickBot gang

Threat actors abuse public cloud services to spread multiple RATs

FBI links the Diavol ransomware to the TrickBot gang

New Golang-based Zergeca Botnet appeared in the threat landscape

GO#WEBBFUSCATOR campaign hides malware in NASA’s James Webb Space Telescope image

TeamTNT group uses Hildegard Malware to target Kubernetes Systems

One of the hackers behind EtherDelta hack also involved in TalkTalk hack

Flaws in EA Games Login exposed accounts of 300 Million Gamers to hack

The kingpin behind Joker’s Stash retires with a billionaire exit

Two Linux botnets already exploit Log4Shell flaw in Log4j

Threat actor has been targeting the aviation industry since at least 2018

Black Hat USA 2022 Continued: Innovation in the NOC

FluBot malware continues to evolve. What’s new in Version 5.0 and beyond?

Threat actor exploits MS ProxyShell flaws to deploy Babuk ransomware

Security Affairs newsletter Round 404 by Pierluigi Paganini

Mozi P2P Botnet also targets Netgear, Huawei, and ZTE devices

Glupteba botnet is back after Google disrupted it in December 2021

Stay Connected