CyberSecurity news

FlagThis - #dns

Bill Mann@CyberInsider //

CISA Warns of Fast Flux DNS Evasion Technique - CISA, NSA, FBI, and international partners warn about increasing fast flux DNS technique used by cybercriminals to hide malicious servers, urging organizations to strengthen defenses.
CISA, along with the NSA, FBI, and international cybersecurity partners, has issued a joint advisory regarding the increasing use of the "fast flux" technique by cybercriminals and nation-state actors. This DNS evasion method allows attackers to rapidly change the DNS records associated with their malicious servers, making it difficult to track and block their activities. This tactic is used to obfuscate the location of malicious servers, enabling them to create resilient and highly available command and control infrastructures while concealing malicious operations.

Fast flux, characterized by quickly changing IP addresses linked to a single domain, exploits weaknesses in network defenses. The advisory, titled 'Fast Flux: A National Security Threat,' urges organizations, internet service providers (ISPs), and security firms to strengthen their defenses against these attacks. Service providers, especially Protective DNS providers (PDNS), are urged to track, share information, and block fast flux activity to safeguard critical infrastructure and national security.

Recommended read:
References :
  • CyberInsider: CISA Warns of ‘Fast Flux’ Technique Hackers Use for Evasion
  • The Register - Security: For flux sake: CISA, annexable allies warn of hot DNS threat
  • Industrial Cyber: Advisory warns of fast flux national security threat, urges action to protect critical infrastructure
  • Cyber Security News: Hackers Leveraging Fast Flux Technique to Evade Detection & Hide Malicious Servers
  • BleepingComputer: CISA, the FBI, the NSA, and international cybersecurity agencies are calling on organizations and DNS providers to mitigate the "Fast Flux" cybercrime evasion technique used by state-sponsored threat actors and ransomware gangs.
  • BleepingComputer: CISA warns of Fast Flux DNS evasion used by cybercrime gangs
  • The DefendOps Diaries: Understanding and Combating Fast Flux in Cybersecurity
  • bsky.app: CISA, the FBI, the NSA, and international cybersecurity agencies are calling on organizations and DNS providers to mitigate the "Fast Flux" cybercrime evasion technique used by state-sponsored threat actors and ransomware gangs.
  • www.csoonline.com: Cybersecurity agencies urge organizations to collaborate to stop fast flux DNS attacks
  • hackread.com: NSA and Global Allies Declare Fast Flux a National Security Threat
  • : National Security Agencies Warn of Fast Flux Threat Bypassing Network Defenses
  • www.itpro.com: Cybersecurity agencies have issued a stark message that too little is being done to sniff out malware hiding in corporate networks
  • Infoblox Blog: Disrupting Fast Flux with Predictive Intelligence
  • www.cybersecuritydive.com: Cybersecurity Dive on CISA FBI warn
  • Threats | CyberScoop: International intelligence agencies raise the alarm on fast flux
  • Infoblox Blog: Disrupting Fast Flux and Much More with Protective DNS
  • blogs.infoblox.com: Disrupting Fast Flux and Much More with Protective DNS
  • The Hacker News: Cybersecurity agencies from Australia, Canada, New Zealand, and the United States have published a joint advisory about the risks associated with a technique called fast flux that has been adopted by threat actors to obscure a command-and-control (C2) channel.
  • thecyberexpress.com: The U.S. Cybersecurity and Infrastructure Security Agency (CISA), alongside the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international cybersecurity partners, has issued an urgent advisory titled “Fast Flux: A National Security Threat.†The advisory highlights the growing use of fast flux techniques by cybercriminals and potentially nation-state actors to evade detection and establish highly resilient and stealthy infrastructure for malicious activities.
  • Blog: Five Eyes warn threat actors increasing use of ‘fast flux’ technique
Fogerlog@Phishing Tackle //

Morphing Meerkat Phishing Attacks Exploit DNS Records - The 'Morphing Meerkat' phishing campaign exploits DNS MX records to deliver tailored phishing pages, targeting over 100 brands using open redirects and compromised WordPress sites.
References: The Hacker News , , Cyber Security News ...
A new sophisticated Phishing-as-a-Service (PhaaS) platform, dubbed "Morphing Meerkat," is exploiting DNS MX records to dynamically deliver tailored phishing pages, targeting over 100 brands. This operation enables both technical and non-technical cybercriminals to launch targeted attacks, bypassing security systems through the exploitation of open redirects on adtech servers and compromised WordPress websites. The platform's primary attack vector involves mass spam delivery and dynamic content tailoring, evading traditional security measures.

Researchers have discovered that Morphing Meerkat queries DNS MX records using Cloudflare DoH or Google Public DNS to customize fake login pages based on the victim's email service provider. This technique allows the platform to map these records to corresponding phishing HTML files, featuring over 114 unique brand designs. This personalized phishing experience significantly increases the likelihood of successful credential theft. The phishing kit also uses code obfuscation and anti-analysis measures to hinder detection, supporting over a dozen languages to target users globally.

Recommended read:
References :
  • The Hacker News: Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands.
  • : Morphing Meerkat PhaaS Platform Spoofs 100+ Brands
  • www.scworld.com: More than 100 brands' login pages have been spoofed by the newly emergent Morphing Meerkat phishing-as-a-service platform through the exploitation of Domain Name System mail exchange records, The Hacker News reports.
  • Cyber Security News: Hackers Use DNS MX Records to Generate Fake Login Pages for Over 100+ Brands
  • The DefendOps Diaries: Morphing Meerkat: A Sophisticated Phishing-as-a-Service Threat
  • www.techradar.com: This new phishing campaign can tailor its messages to target you with your favorite businesses
  • Christoffer S.: Morphing Meerkat: Advanced Phishing-as-a-Service Platform Using DNS MX Records for Tailored Attacks
  • hackread.com: Details advanced phishing operation exploiting DNS vulnerabilities.
  • Infoblox Blog: Threat actors are increasingly adept at leveraging DNS to enhance the effectiveness of their cyber campaigns. We recently discovered a DNS technique used to tailor content to victims.
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
  • Cyber Security News: A sophisticated phishing operation has emerged that creatively leverages DNS mail exchange (MX) records to dynamically serve fake login pages tailored to victims' email providers.
  • gbhackers.com: The platform, which has been operational since at least January 2020, employs a range of advanced techniques to evade detection and target users globally.
  • securityaffairs.com: A PhaaS platform, dubbed 'Morphing Meerkat,' uses DNS MX records to spoof over 100 brands and steal credentials, according to Infoblox Threat Intel
  • www.scworld.com: 'Morphing Meerkat' spoofs 114 brands via DNS mail exchange records
  • Blog: Cybersecurity researchers are tracking a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that employs DNS over HTTPS (DoH) to avoid detection.
  • : Phishing kits going to great lengths to personalise attacks
  • Malwarebytes: Infoblox researchers discovered a new phishing-as-a-service (PhaaS) platform, called Morphing Meerkat, that generates multiple phishing kits and spoofs login pages of over 100 brands using DNS mail exchange (MX) records.
  • securityaffairs.com: Morphing Meerkat phishing kits exploit DNS MX records
  • bsky.app: A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection.
  • Talkback Resources: Morphing Meerkat phishing kits exploit DNS MX records
  • Security Risk Advisors: 🚩Morphing Meerkat’s Phishing-as-a-Service Leverages DNS MX Records for Targeted Attacks
  • Talkback Resources: New Morphing Meerkat PhaaS platform examined
  • Virus Bulletin: An Infoblox report looks into a DNS technique used to tailor content to victims. A phishing kit developed by the Morphing Meerkat actor creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.
  • Phishing Tackle: Phishing-as-a-Service Exposed: DNS-over-HTTPS Fuels the Morphing Meerkat Attack
  • Virus Bulletin: An Infoblox report looks into a DNS technique used to tailor content to victims. A phishing kit developed by the Morphing Meerkat actor creatively employs DNS mail exchange (MX) records to dynamically serve fake, tailored login pages, spoofing over 100 brands.
info@thehackernews.com (The@The Hacker News //

Fake Captcha PDFs Distribute Lumma Stealer Malware - A large-scale phishing campaign distributes Lumma Stealer malware via fake CAPTCHA images in PDF documents, targeting sensitive information in browsers and cryptocurrency wallets.
Cybersecurity researchers have uncovered a large-scale phishing campaign distributing the Lumma Stealer malware. Attackers are using fake CAPTCHA images embedded in PDF documents hosted on Webflow's content delivery network (CDN) to redirect victims to malicious websites. These malicious actors are employing SEO tactics to trick users into downloading the PDFs through search engine results, ultimately leading to the deployment of the information-stealing malware. The Lumma stealer is designed to steal sensitive information stored in browsers and cryptocurrency wallets.

Netskope Threat Labs identified 260 unique domains hosting 5,000 phishing PDF files, affecting over 1,150 organizations and 7,000 users. The attacks primarily target users in North America, Asia, and Southern Europe, impacting the technology, financial services, and manufacturing sectors. Besides Webflow, attackers are also utilizing GoDaddy, Strikingly, Wix, and Fastly to host the fake PDFs. Some PDF files were uploaded to legitimate online libraries like PDFCOFFEE and Internet Archive to further propagate the malware.

Recommended read:
References :
  • Infoblox Blog: DNS Early Detection – Fast Propagating Fake Captcha distributes LummaStealer
  • Talkback Resources: Fake CAPTCHA PDFs Spread Lumma Stealer via Webflow, GoDaddy, and Other Domains
  • The Hacker News: Fake CAPTCHA PDFs Spread Lumma Stealer via Webflow, GoDaddy, and Other Domains
  • gbhackers.com: Netskope Threat Labs uncovered a sprawling phishing operation involving 260 domains hosting approximately 5,000 malicious PDF files.
  • Talkback Resources: Sticky Werewolf Uses Undocumented Implant to Deploy Lumma Stealer in Russia and Belarus [mal]
  • gbhackers.com: Beware! Fake CAPTCHA Hidden LummaStealer Threat Installing Silently
  • Cyber Security News: Beware! Fake CAPTCHA Scam That Silently Installs LummaStealer
  • gbhackers.com: Lumma Stealer Using Fake Google Meet & Windows Update Sites to Launch “Click Fixâ€� Style Attack
@krebsonsecurity.com //

MasterCard DNS Error Existed For Five Years - MasterCard had a critical DNS error for five years due to a typo, which could have allowed attackers to redirect traffic, and was fixed by a security researcher.
MasterCard recently corrected a critical DNS error that had gone unnoticed for nearly five years. A misconfiguration in one of their domain name server settings, used to direct internet traffic, could have allowed malicious actors to intercept or divert traffic for the company. The error was a typo where one of their DNS servers was incorrectly configured to use "akam.ne" instead of the correct "akam.net". This mistake potentially exposed them to cyberattacks, as the misconfigured domain could be used to redirect traffic and intercept emails.

The error was discovered by security researcher Philippe Caturegli, founder of Seralys, who noticed the domain "akam.ne" was unregistered. He spent $300 to register it with the top-level domain authority in Niger to prevent cybercriminals from exploiting it. After registering the domain, Caturegli found hundreds of thousands of DNS requests hitting his server daily indicating widespread misconfigurations by others. Caturegli alerted MasterCard about the error, who have since fixed the typo, stating there was no risk to their systems.

Recommended read:
References :
  • Kevin Beaumont: Incredible situation where somebody managed to gain access to Mastercard DNS by registering a domain name - and now there’s a campaign to silence the researcher under the banner “responsible disclosureâ€�.
  • krebsonsecurity.com: MasterCard DNS Error Went Unnoticed for Years
  • malware.news: The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name.
  • www.linkedin.com: MasterCard DNS Error Went Unnoticed for Years

Posts

Blogs

Research Tools