Iranian hackers target energy sector with new DNS backdoor
Bleeping Computer
JUNE 10, 2022
The Iranian Lycaeum APT hacking group uses a new.NET-based DNS backdoor to conduct attacks on companies in the energy and telecommunication sectors. [.].
This site uses cookies to improve your experience. By viewing our content, you are accepting the use of cookies. To help us insure we adhere to various privacy regulations, please select your country/region of residence. If you do not select a country we will assume you are from the United States. View our privacy policy and terms of use.
Bleeping Computer
JUNE 10, 2022
The Iranian Lycaeum APT hacking group uses a new.NET-based DNS backdoor to conduct attacks on companies in the energy and telecommunication sectors. [.].
Security Affairs
JUNE 11, 2022
Iran-linked Lyceum APT group uses a new.NET-based DNS backdoor to target organizations in the energy and telecommunication sectors. The Iran-linked Lyceum APT group, aka Hexane or Spilrin, used a new.NET-based DNS backdoor in a campaign aimed at companies in the energy and telecommunication sectors, ZScaler researchers warn.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Heimadal Security
JANUARY 10, 2024
DNS hijacking and traffic redirection that leads to man-in-the-middle attacks are among their cyber espionage techniques. Their goal is to collect economic and political intelligence […] The post Sea Turtle Hackers Spy on Dutch ISPs and Telecommunication Companies appeared first on Heimdal Security Blog.
Security Boulevard
SEPTEMBER 15, 2022
Last month, a large Canadian telecommunications provider suffered a catastrophic outage for more than 18 hours. The post Why You Need a Secondary DNS appeared first on Security Boulevard. Many Canadians found themselves disconnected when cellular networks and the internet failed to respond—at home or at work.
Security Boulevard
JUNE 9, 2022
Active since 2017, Lyceum group is a state-sponsored Iranian APT group that is known for targeting Middle Eastern organizations in the energy and telecommunication sectors and mostly relying on.NET based malwares. The threat actor then leverages the AutoClose() function to drop the DNS backdoor onto the system. Lyceum.NET DNS backdoor.
Krebs on Security
FEBRUARY 18, 2019
” The DNS part of that moniker refers to the global “ D omain N ame S ystem ,” which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet address that are easier for computers to manage. PASSIVE DNS.
Security Affairs
JANUARY 10, 2019
Security expert uncovered a DNS hijacking campaign targeting organizations in various industries worldwide and suspects Iranian APT groups. It is interesting to note that FireEye confirmed that this campaign is different from other operations carried out by Iranian APT groups due to the use of DNS hijacking at scale.
Security Affairs
SEPTEMBER 26, 2024
In August, Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka Evasive Panda , Daggerfly , and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations. The company linked the attacks to StormBamboo APT group.
Security Affairs
JANUARY 23, 2019
DHS has issued a notice of a CISA emergency directive urging federal agencies of improving the security of government-managed domains (i.e.gov) to prevent DNS hijacking attacks. The notice was issued by the DHS and links the emergency directive Emergency Directive 19-01 titled “Mitigate DNS Infrastructure Tampering.”.
SecureList
DECEMBER 18, 2020
In the initial phases, the Sunburst malware talks to the C&C server by sending encoded DNS requests. These requests contain information about the infected computer; if the attackers deem it interesting enough, the DNS response includes a CNAME record pointing to a second level C&C server. Low-level details. avsvmcloud[.]com”
Security Affairs
SEPTEMBER 23, 2024
Earth Baxia primarily targeted government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand. The EAGLEDOOR backdoor can communicate with C2 via DNS, HTTP, TCP, and Telegram.
Security Affairs
MAY 1, 2024
The malicious code can also perform DNS and HTTP hijacking within private IP spaces. “What makes this malware family so insidious is the ability to perform HTTP and DNS hijacking for connections to private IP addresses. Additionally, it can interact with other devices on the LAN and transfer data or deploy new agents.
Security Affairs
OCTOBER 20, 2021
A China-linked hacking group, tracked as LightBasin (aka UNC1945 ), hacked mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies. CrowdStrike researchers reported that at least 13 telecommunication companies were compromised by since 2019.
Security Affairs
SEPTEMBER 21, 2022
Russia-linked APT group Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware. Russia-linked cyberespionage group Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware. ” reads the report published by Recorded Future.
CyberSecurity Insiders
OCTOBER 22, 2021
Interestingly, the findings state that the threat actors, probably funded by a government, were hiding in the external DNS servers of telcos and conducting espionage through General Packet Radio Services (GPRS) networks. The post What is Telecom LightBasin Cyber Attack appeared first on Cybersecurity Insiders.
Security Affairs
FEBRUARY 24, 2019
“The Internet Corporation for Assigned Names and Numbers ( ICANN ) believes that there is an ongoing and significant risk to key parts of the Domain Name System ( DNS ) infrastructure. The notice was issued by the DHS and links the emergency directive Emergency Directive 19-01 titled “Mitigate DNS Infrastructure Tampering.”.
Security Affairs
JUNE 24, 2024
Over the past year, ExCobalt targeted Russian organizations in the the following industries: Metallurgy Telecommunications Mining Information technology Government Software development The Cobalt’s hallmark was the use of the CobInt tool , the same tool that ExCobalt began using in 2022.
Krebs on Security
OCTOBER 31, 2023
is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. “We’re always looking at the end malware or phishing page, but what we’re finding here is that there’s this middle layer of DNS threat actors persisting for years without notice.”
SecureList
OCTOBER 18, 2021
As in the older DanBot instances, both variants supported similar custom C&C protocols tunneled over DNS or HTTP. Our investigation into Lyceum has shown that the group has evolved its arsenal over the years and shifted its usage from the previously documented.NET malware to new versions, written in C++.
Security Affairs
NOVEMBER 10, 2024
“Do NOT conduct CFPB work using mobile voice calls or text messages,” reads the email sent to the employees referencing a recent government statement acknowledging the telecommunications infrastructure attack. The threat actors targeted insecure software update mechanisms to install malware on macOS and Windows victim machines.
Security Affairs
DECEMBER 12, 2019
The Microsoft Threat Intelligence Center (MSTIC) warns of GALLIUM threat group targeting global telecommunication providers worldwide. The Microsoft Threat Intelligence Center (MSTIC) warns of GALLIUM threat group targeting global telecommunication providers worldwide. ” reads the warning published by Microsoft.
Security Affairs
JANUARY 7, 2024
Between 2017 and 2019, the APT group mainly used DNS hijacking in its campaigns. The group targets government entities, Kurdish (political) groups like PKK, telecommunication, ISPs, IT-service providers (including security companies), NGO, and Media & Entertainment sectors; Over the years, the group enhanced its evasion capabilities.
CyberSecurity Insiders
APRIL 12, 2023
The report stems from a detailed analysis of attacks targeting StormWall’s clientele, which spans various sectors such as finance, e-commerce, telecommunications, entertainment, transportation, education, and logistics. Telecommunications continued to be a popular target, enduring 16% of attacks and a 47% YoY increase.
Security Affairs
JULY 13, 2019
The campaign uncovered by Avast aimed at silently modifying the Brazilian users’ Domain Name System (DNS) settings to redirect victims to malicious websites mimicking legitimate ones. In some cases the router is reconfigured to use rogue DNS servers, which redirect victims to phishing pages that closely look like real online banking sites.
eSecurity Planet
SEPTEMBER 3, 2022
For example, the 2016 DDoS attack on the Dyn managed domain name service (DNS) caused the DNS service to fail to respond to legitimate DNS inquiries and effectively shut down major sites such as PayPal, Spotify, Twitter, Yelp, and many others. Also read: How to Secure DNS. Types of DDoS Attacks. Harden infrastructure.
Security Affairs
AUGUST 10, 2020
In March 2020, The Ministry of Telecommunications (MoTC) issued a directive to all operators in Myanmar with a secret list of 230 sites to be blocked due to the nature of the content; adult content and fake news. Our findings show that both Telenor and MPT block websites using DNS tampering. Original post at: [link].
Security Affairs
APRIL 23, 2019
Security expert Marco Ramilli published the findings of a quick analysis of the webmask project standing behind the DNS attacks implemented by APT34 (aka OilRig and HelixKitten ). The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries.
Malwarebytes
MAY 10, 2022
The group is known to focus on the financial, governmental, energy, chemical, and telecommunication sectors. Calls the “eNotif’ function which is used to send a notification of each steps of macro execution to its server using the DNS protocol. If the performed DNS request fails, the next stage is SLEEP.
Security Affairs
JANUARY 13, 2023
The C2 infrastructure used by the group was primarily hosted on the Bulgarian telecommunications company Neterra. Experts observed threat actors also using No-IP Dynamic DNS services. GitHub removed the accounts after SentinelOne reported the abuse to the company. The current C2 server is zig35m48zur14nel40[.]myftp.org
Security Affairs
NOVEMBER 11, 2022
The researchers observed C2 infrastructure relying on dynamic DNS domains masquerading as Ukrainian telecommunication service providers. From August 2022, Recorded Future researchers observed a rise in command and control (C2) infrastructure used by Sandworm (tracked by Ukraine’s CERT-UA as UAC-0113).
Security Affairs
MAY 2, 2019
Indeed we might observe a File-based command and control (a quite unusual solution) structure, a VBS launcher, a PowerShell Payload and a covert channel over DNS engine. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries.
Security Affairs
DECEMBER 24, 2019
The authorities want to ensure that the access to Russian Internet resources will be maintained also under attack, to do this, Russian experts are thinking a sort of DNS managed by Moscow. Currently, among the 12 organizations that oversee DNS base servers worldwide there isn’t an entity in Russia.
Security Affairs
AUGUST 27, 2019
reported that Hexane is targeting organizations in the oil and gas industry and telecommunication providers. The malware uses DNS and HTTP-based communication mechanisms. The activity of the Lyceum APT group was first documents earlier of August by researchers at ICS security firm Dragos that tracked it as Hexane.
Security Boulevard
JANUARY 12, 2022
MuddyWater (also known as TEMP.Zagros, Static Kitten, Seedworm, and Mercury) is a threat group that primarily targets telecommunications, government, oil, defense, and finance sectors in the Middle East, Europe, and North America. MITRE ATT&CK T1572 Protocol Tunneling. MuddyWater APT Group Attacks in Picus Threat Library.
Security Affairs
JANUARY 29, 2019
Early January, security experts at FireEye uncovered a DNS hijacking campaign that was targeting government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations in the Middle East, North Africa, North America and Europe.
Security Boulevard
JULY 15, 2024
Actor IP: 113.164.33.127 ISP: Vietnam Posts and Telecommunications Group ASN: AS45899 Country: Vietnam Most recent known C2 activity: 2024/07/09 16:41:17 UTC Ongoing StealC campaigns HYAS Insight provides access to malware detonation details and the HYAS Threat Intelligence Team is tracking a relatively high volume of StealC activity.
eSecurity Planet
JULY 29, 2021
Vishing attacks are also similar to phishing and smishing, but these attacks target VoIP and telecommunications services rather than text-based mediums. Usually this is accomplished either by deploying malware that changes the target computer’s host files, or by using a technique known as DNS cache poisoning.
SC Magazine
FEBRUARY 17, 2021
.” Quad9 is a non-profit offering a free recursive DNS service that does not log user data. and Google Public DNS. The company received a finding of law from the Swiss government that it will not be treated as a telecommunications provider, exempting it from laws that would mandate data collection. are wary of U.S.
Security Affairs
NOVEMBER 29, 2019
The past months have shown that the most dangerous hacks involved DNS hijacking, which helped attackers manipulate DNS records for MITM attacks. The most common objective of such attacks is cyberespionage and disruption of major telecommunications companies’ work. The telecommunications sector: Are providers ready for 5G?
eSecurity Planet
AUGUST 22, 2023
History of MSSPs As internet service providers (ISPs) and telecommunications companies (telecoms) began offering commercial access to the internet in the late 1990s, they began to also offer firewall appliances and associated managed services. assets (endpoints, servers, IoT, routers, etc.), Outsourcing U.S. companies may trust U.S.
Security Affairs
JULY 6, 2021
According to the DNS data analysis, this name was used to register at least two domains, which were created using the email from the phishing kit. The alleged perpetrator, who turned out to be a citizen of Morocco, was arrested in May by the Moroccan police based on the data about his cybercrimes that was provided by Group-IB.
Security Affairs
AUGUST 7, 2019
The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. T1094) mainly developed using DNS resolutions (which is actually one of the main characteristic of the attacker group).
eSecurity Planet
JANUARY 26, 2022
Spun off from the telecommunications vendor JDS Uniphase in 2015, Viavi Solutions is a newer name, but it has four-plus decades of IT services experience. Catchpoint Features. Dynatrace offers a full-stack application performance monitoring and digital experience platform for modern hybrid environments. VIAVI Solutions.
SecureList
JUNE 2, 2022
It primarily goes after targets located in China, such as foreign diplomatic organizations established in the country, members of the academic community, or companies from the defense, logistics and telecommunications sectors. Full control over the DNS, meaning they can provide responses for non-existent domains.
Expert insights. Personalized for you.
We have resent the email to
Are you sure you want to cancel your subscriptions?
Let's personalize your content