DNS provides a premier cybercrime route
According to CISA, more than 90% of successful cyber-attacks start with a link or webpage crafted by bad actors to trick users into revealing their passwords or other sensitive information. DNS is an ideal tool for making these phishing attacks work: a legitimate-looking domain name that resolves to a host serving the malicious page or payload provides both the bait and the hook. This scenario is one of the most popular tactics in the cybercrime ecosystem, but there is much more to it. DNS infrastructure and DNS communications fit the criminal mode of operation remarkably well. In this blog we dive deeper into how adversaries look at DNS, some recently discovered DNS-enabled attacks, and how to stop them.
How actors operate: anonymous, intentional, stealthy, and opportunistic
The first element DNS offers to cybercriminals is anonymity. Very few security vendors track newly registered domains and the content behind them. This lack of DNS oversight gives cybercriminals a form of anonymity and lets them set up a nefarious infrastructure including the content bait, the malicious payload, and the backend that captures victim data. Once set up, the actor can sit back, watch targets take the bait and harvest victim data while remaining unidentified.
A second advantage adversaries find in DNS is the ability to aim intentionally at chosen victims. A domain name can attract a specific group of interest, especially when it borrows a trusted brand name or names the use case outright (e.g., shop-olympics.shop). DNS offers much more than that, however. By chaining DNS records and redirectors into a traffic distribution system (TDS), a domain can lure visitors and steer them to the malicious content that matches the victim's environment. Just like advertisers, threat actors have developed ways to redirect users based on their originating region, browser, operating system, and much more. The goal of these redirections is to reach the most vulnerable audience while maximizing the return on the operation.
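Look-alike domains of the shop-olympics.shop kind can be caught before a user ever resolves them. The scorer below is an added example written for this post, not Infoblox code: it folds common character swaps (0 for o, 1 for l, and so on), strips separators, and then checks whether a brand name is embedded in, equal to, or within a small edit distance of the registrable label. The brand list, allowlist, confusable table and sample domains are all constructed for illustration.

```python
"""Score candidate domains for look-alike abuse of protected brand names.

Added example, not from the Infoblox post. Brands, allowlist, thresholds
and sample domains are constructed for illustration.
"""
import re

# Character sequences attackers swap in because they look alike.
# Constructed and deliberately short; a production table would be larger.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize(label: str) -> str:
    """Fold confusables and drop separators: 'paypa1-login' -> 'paypallogin'."""
    s = label.lower()
    for lookalike, real in CONFUSABLES.items():
        s = s.replace(lookalike, real)
    return re.sub(r"[^a-z]", "", s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the TLD: 'shop-olympics.shop' -> 'shop-olympics'.
    Assumes a single-label TLD; multi-part suffixes such as co.uk would
    need a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(domain: str, brands: list, allowlist: set) -> tuple:
    """Return (score 0-100, reason). Higher means more likely a look-alike."""
    if domain.lower().rstrip(".") in allowlist:
        return (0, "allowlisted")
    folded = normalize(registrable_label(domain))
    best = (0, "no match")
    for brand in brands:
        b = normalize(brand)
        if folded == b:
            cand = (100, f"label folds to brand '{brand}'")
        elif b in folded:
            # Brand plus extra tokens, e.g. shop-olympics, olympics-tickets.
            cand = (90, f"brand '{brand}' embedded in label")
        else:
            d = edit_distance(folded, b)
            if d <= 2 and len(b) >= 5:
                cand = (80 - 10 * d, f"edit distance {d} from '{brand}'")
            else:
                continue
        if cand[0] > best[0]:
            best = cand
    return best


def flag_domains(domains: list, brands: list, allowlist: set, threshold: int = 60) -> dict:
    """Map each domain at or above the threshold to its (score, reason)."""
    flagged = {}
    for d in domains:
        score, reason = score_domain(d, brands, allowlist)
        if score >= threshold:
            flagged[d] = (score, reason)
    return flagged


if __name__ == "__main__":
    brands = ["olympics", "infoblox"]
    allowlist = {"olympics.com", "infoblox.com"}
    sample = ["shop-olympics.shop", "infob1ox.com", "infoblux.com",
              "olympics.com", "example.com"]
    for dom, hit in flag_domains(sample, brands, allowlist).items():
        print(f"{dom:22} {hit[0]:3}  {hit[1]}")
```

The threshold is a tuning knob: at 60 a two-character typo of a five-letter brand still scores, while genuinely unrelated names stay at zero. Feed it newly registered domains from passive DNS or a certificate transparency stream rather than the static list above.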
One of the most interesting adversarial advantages of DNS is, of course, stealth. The traffic redirection described above not only finds the right target but also keeps security scanners and sandboxes away from the payload, since the gate serves them harmless content. Stealth can also be achieved inside the DNS conversation between clients and name servers. When a client (PC or mobile device) sends a DNS query, the response can carry "special commands" for software running on that client, encoded in record data such as TXT answers, while the queries themselves can carry encoded data out. This method is often used for command and control (C2) of malware already active on the client machine. Because the commands are hidden in ordinary-looking DNS responses, the C2 traffic goes unnoticed by many security tools, which lets the adversary continue the attack.
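DNS-based C2 leaves a statistical fingerprint in resolver logs even when the record contents look like noise: every beacon uses a fresh, high-entropy subdomain under one zone, and the query type skews toward records that can carry arbitrary data. The detector below is an added example, not Infoblox's own product logic; the log format, the zone names and the base64-looking TXT answers are constructed for illustration, and the thresholds are starting points rather than tuned values.

```python
"""Spot DNS-tunnelled C2 by profiling resolver query logs per zone.

Added example, not from the Infoblox post. The log lines, domain names
and thresholds are constructed for illustration.
"""
import math
from collections import defaultdict

# Constructed resolver log: "client qname qtype rdata" (rdata "-" if none).
# The c2-tunnel.test rows mimic a beacon: a fresh hex subdomain per query
# and a TXT answer carrying an encoded command.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A 93.184.216.34
10.0.0.5 cdn.example.com A 93.184.216.35
10.0.0.7 mail.example.org MX mail.example.org
10.0.0.9 a3f9c1d2e4b5.t.c2-tunnel.test TXT aHR0cHM6Ly9ldmlsLmV4YW1wbGUvY21kOmRvd25sb2Fk
10.0.0.9 9b8e7d6c5a4f.t.c2-tunnel.test TXT Y21kOndob2FtaTtleGZpbDpjOlx1c2Vycw==
10.0.0.9 1c2d3e4f5a6b.t.c2-tunnel.test TXT c2xlZXA6MzA=
10.0.0.9 7a7b7c7d7e7f.t.c2-tunnel.test TXT ZG93bmxvYWQ6cGF5bG9hZC5iaW4=
10.0.0.5 www.example.com A 93.184.216.34
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score close to log2(alphabet)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse the constructed four-column format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, qtype, rdata = line.split(maxsplit=3)
        rows.append({"client": client, "qname": qname.rstrip(".").lower(),
                     "qtype": qtype.upper(), "rdata": rdata})
    return rows


def zone_of(qname: str, depth: int = 2) -> str:
    """Group by the last two labels (assumes single-label TLDs)."""
    return ".".join(qname.split(".")[-depth:])


def profile_zones(rows: list) -> dict:
    """Aggregate query count, unique subdomains, TXT share and label entropy."""
    zones = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "txt": 0, "entropies": []})
    for r in rows:
        zone = zone_of(r["qname"])
        p = zones[zone]
        p["queries"] += 1
        sub = r["qname"][:-len(zone)].rstrip(".")
        if sub:
            p["subdomains"].add(sub)
            p["entropies"].append(shannon_entropy(sub.split(".")[0]))
        if r["qtype"] == "TXT":
            p["txt"] += 1
    return zones


def flag_c2_zones(rows: list, min_queries: int = 3, entropy_threshold: float = 3.0,
                  txt_share_threshold: float = 0.5) -> dict:
    """Return {zone: [reasons]} for zones that trip at least two indicators."""
    flagged = {}
    for zone, p in profile_zones(rows).items():
        if p["queries"] < min_queries:
            continue
        avg_entropy = (sum(p["entropies"]) / len(p["entropies"])) if p["entropies"] else 0.0
        unique_ratio = len(p["subdomains"]) / p["queries"]
        txt_share = p["txt"] / p["queries"]
        reasons = []
        if avg_entropy >= entropy_threshold:
            reasons.append(f"high-entropy subdomains (avg {avg_entropy:.2f} bits)")
        if unique_ratio >= 0.9:
            reasons.append("almost every query uses a fresh subdomain")
        if txt_share >= txt_share_threshold:
            reasons.append(f"{txt_share:.0%} of queries are TXT")
        if len(reasons) >= 2:
            flagged[zone] = reasons
    return flagged


if __name__ == "__main__":
    for zone, reasons in flag_c2_zones(parse_log(SAMPLE_LOG)).items():
        print(zone, "->", "; ".join(reasons))
```

Requiring two indicators keeps CDN and anti-spam zones, which legitimately use many unique subdomains or many TXT lookups, from firing on a single signal. On real data, also watch the cumulative bytes per zone per client: a host that has exchanged megabytes over TXT answers has not been doing name resolution.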
Finally, DNS lets actors follow the path of least resistance and stay opportunistic when crafting an attack. DNS is ubiquitous: nearly every application or device that connects over a network depends on it. As a result it can be used in many cybercrime scenarios and attack steps. Tactics like social engineering (e.g., look-alike sites), credential theft (e.g., phishing links), unauthorized remote access, and data leakage can all be facilitated by abusing DNS infrastructure or DNS communications. In simple terms, DNS is the Swiss army knife of the cybercriminal and supports a broad spectrum of intrusion techniques.
DNS weaponizations Infoblox recently discovered
At Infoblox we focus on uncovering the ways threat actors abuse DNS to conceal their criminal operations. Over the past year our team discovered several DNS weaponizations. A brief overview:
- Actor "Savvy Seahorse" lures victims to fake investment platforms
Savvy Seahorse is a DNS threat actor who tricks victims into creating accounts on fake investment platforms. Victims are persuaded to deposit money into personal accounts, which are then transferred to a bank in Russia. The actor uses Facebook ads to lure users to the fake websites.
Savvy Seahorse's campaigns are sophisticated, using techniques such as fake SMS messages to convince users to enter personal information for supposed high-return investments. The actor exploits DNS to control access to the malicious content and to update IP addresses dynamically, which helps it evade detection by the security industry.
- Chinese organized crime creates DNS links to sports sponsorships
Infoblox has discovered an advanced technology suite connected to Chinese organized crime, money laundering, and human trafficking in Southeast Asia. The suite includes software, DNS configurations, website hosting, payment mechanisms, mobile apps, and more, forming a complete cybercrime supply chain.
Numerous unrelated gambling brands, which also sponsor European sports teams, use this technology. The brands prey on residents of China and on victims worldwide, tapping into the $1.7 trillion illegal gambling economy.
The actor, known as "Vigorish Viper," has developed highly sophisticated software and infrastructure. It uses multiple layered traffic distribution systems (TDSs) and JavaScript to build protective gates, extensively fingerprinting users by monitoring mouse movements and evaluating IP addresses. The most advanced software versions are reserved for Chinese brands. Vigorish Viper controls over 170,000 domain names and operates a malicious infrastructure linked to Hong Kong and China.
- Olympics scammers take their marks, get set, and go!
Among the many phishing and spear-phishing lures tied to the past summer games, ticket sale scams were the most common. Fraudulent websites offering ticket sales, mobile recharge plans, and merchandise were widespread in the run-up to the opening ceremony of the summer Olympics.
Hundreds of domains claimed to offer discounted tickets to the Paris Olympics. These websites are sophisticated and user-friendly, and look so legitimate that they are hard to distinguish from the real ones. Infoblox discovered over sixty domains with the same website title, all aiming to gather victims' personal information in exchange for "free" mobile service.
These DNS-enabled attacks can affect everyone and present risk to consumers simply browsing the internet or reading their email. Common to all of these tactics is that the cybercriminal carefully created the domain and the malicious site first, sometimes months to a year in advance of the attack.
Outpace the adversary with DNS-derived threat intelligence
Each time a cybercriminal sets up a domain, they leave some information behind. Infoblox is one of the very few vendors that collects this information and also observes user activity when clients connect to malicious domains. Combined with decades of expertise in analyzing DNS usage, this telemetry yields highly valuable threat intelligence with clues about imminent threats, including those that have not reached victims yet.
By acting on DNS-derived threat intelligence and stopping users from taking the bait, many of these DNS-sourced attacks can be deflected with little effort. Infoblox gives security teams both the intelligence and the controls to block the attacker. The same intelligence integrates into security operations processes to investigate ongoing attacks, understand the adversary's motivation and mount a firm response.
DNS gives the attacker an advantage: it deceives victims and delivers them to a malicious destination automatically. Many cybercriminals use it effectively, and it can be extremely dangerous. Infoblox generates threat intelligence to stop these attacks proactively and protect businesses from costly incidents.
To learn more on how to protect brand and consumer trust using Infoblox threat intelligence go to https://www.infoblox.com/threat-intel/