Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime

From unit42.paloaltonetworks.com

DNS security and issues such as domain shadowing are represented by the caution sign within a folder structure. Image includes Palo Alto Networks and Unit 42 logos.

Cybercriminals compromise domain names to attack the owners or users of the domains directly, or use them for various nefarious endeavors, including phishing, malware distribution, and command and control (C2) operations. A special case of DNS hijacking is called domain shadowing, where attackers stealthily create malicious subdomains under compromised domain names. Shadowed domains do not affect the normal operation of the compromised domains, making it hard for victims to detect them. The inconspicuousness of these subdomains often allows perpetrators to take advantage of the compromised domain’s benign reputation for a long time.

Current threat research-based detection approaches are labor-intensive and slow as they rely on the discovery of malicious campaigns that use shadowed domains before they can look for related domains in various data sets. To address these issues, we designed and implemented an automated pipeline that can detect shadowed domains faster on a large scale for campaigns that are not yet known. Our system processes terabytes of passive DNS logs every day to extract features about candidate shadowed domains. Building on these features, it uses a high-precision machine learning model to identify shadowed domain names. Our model finds hundreds of shadowed domains created daily under dozens of compromised domain names.

Read more…

A TECHNICAL ANALYSIS OF THE LEAKED LOCKBIT 3.0 BUILDER

From cybergeeks.tech

This is our analysis of the LockBit 3.0 builder that was leaked online on September 21, 2022. The executable called “keygen.exe” can be used to generate the RSA public and private keys that are embedded in the encryptor and decryptor, respectively. The builder embedded 4 resources used to create executables or DLL files according to the command line parameters. As in the case of Conti leaks, we’ll probably encounter LockBit-forked ransomware because of the builder’s availability.

Read more…

Malicious OAuth applications used to compromise email servers and spread spam

From microsoft.com

A diagram of the attack chain. It presents the flow of activity from left to right, starting with the attacker gaining access to its target tenant and leading to spam messages being sent to targets.

Microsoft researchers recently investigated an attack where malicious OAuth applications were deployed on compromised cloud tenants and then used to control Exchange servers and spread spam. The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access. The unauthorized access to the cloud tenant enabled the actor to create a malicious OAuth application that added a malicious inbound connector in the email server. The actor then used the malicious inbound connector to send spam emails that looked like they originated from the targets’ domain. The spam emails were sent as part of a deceptive sweepstakes scheme meant to trick recipients into signing up for recurring paid subscriptions.

Read more…

Identifying file manipulation in system files

From gdatasoftware.com

Sometimes people send files to us that seem to be legitimate Microsoft system files at first glance, yet closer inspection reveals, that they have in fact been modified. Are those manipulations always malicious? And how can file manipulations be identified? Here are seven different ways to do that.

File modifications happen for a number of reasons, the most innocuous one being data corruption or inadvertent partial downloads. Both scenarios often result in non-working files. However, attackers and viruses manipulate original files in a manner that they still work, but additionally execute their own malicious code. In some cases the malicious code is not even there anymore because the files have been cleaned by antivirus software, but the indications of manipulation remain.

Regardless of the reason that these manipulations occur, being able to identify them is important to avoid instability, less secure systems and system infections.

Read more…

Okta: Credential stuffing accounts for 34% of all login attempts

From bleepingcomputer.com

password

Credential stuffing attacks have become so prevalent in the first quarter of 2022 that traffic surpassed that of legitimate login attempts from normal users in some countries.

This type of attack takes advantage of “password recycling,” which is the bad practice of using the same credential pairs (login name and password) across multiple sites.

Once the credential are leaked or brute-forced from one site, threat actors perform a credential stuffing attack that attempts to use the same leaked credentials at other sites to gain access to users’ accounts.

Read more…

Critical Flaws in Airplanes WiFi Access Point Let Attackers Gain Root Access

From gbhackers.com

Critical Flaws in Airplanes WiFi Access Point Let Attackers Gain Root Access

Two critical vulnerabilities have been found recently in the wireless LAN devices of Contec. These critical vulnerabilities were discovered by the cybersecurity analysts, Samy Younsi and Thomas Knudsen of Necrum Security Lab.

There are two models of the FLEXLAN FXA2000 and FXA3000 series from CONTEC which are primarily used in airplane installations as WiFi access points.

Read more…

Indonesia hunts for Bjorka, hacker selling 1.3b SIM card users’ data, taunting officials

From straitstimes.com

JAKARTA – Indonesia’s newly formed data protection task force is chasing down a hacker behind a series of data leaks related to 1.3 billion registered mobile phone numbers and 105 million voters, and a log of the President’s correspondence, among others.

The hacker, who goes by the pseudonym of Bjorka and claims to be based in Warsaw, Poland, has been selling stolen data, including that from Indonesian state-owned enterprises, mobile phone operators and general election commission, on hacking forum BreachForums in the past few weeks.

Read more…