As threat actors around the world become more sophisticated, there is one thing that remains constant: they use domain names, and therefore DNS, in almost all attacks.
This makes DNS a powerful control point, because connections to malicious content can be interrupted at the earliest point possible.
Infoblox Threat Intel is creating original threat intelligence by leveraging expertise in DNS and threat detection, combined with advanced data science. CybersecAsia finds out more from Dr. Renée Burton, VP of Threat Intelligence, Infoblox.
Please tell us a bit more about DNS threat intelligence.
Dr Burton: Because DNS is foundational for the operation of the internet, the threat intelligence used in a protective DNS system needs to be tuned for DNS. If it isn’t, it may cause a network outage.
Infoblox Threat Intel was created for exactly this reason: to maximize protection of customer networks through DNS while maintaining the performance of those same networks through negligible false positive rates.
Our team of DNS experts discovers and tracks threat actors hiding in DNS by starting with suspicious domains, connecting the dots to identify actor infrastructure, and continually identifying new domains as they emerge to ensure our customers are always protected.
Our deep understanding of how malicious actors operate and how malware, phishing, and other threats manifest in DNS has led us to develop specialized systems to detect lookalike domains, DNS C2 malware, registered domain generation algorithms (RDGAs), and suspicious behavior.
Furthermore, we utilize machine learning and data science to analyze large volumes of DNS queries daily, providing near-real-time protection against data exfiltration, domain generation algorithms (DGAs), and a wide range of other threats. All this enables us to stop threats on an average of 63 days before an attack.
Who are the threat actors that the Infoblox Threat Intel recently uncovered, and what impact do these threat actors have on Asia?
Dr Burton: Over the past two years, Infoblox Threat Intel has uncovered VexTrio Viper, Decoy Dog, Loopy Lizard, Prolific Puma, Savvy Seahorse, Muddling Meerkat – and many others that are not published. The interconnected nature of our digital world means these threat actors are not tied to national boundaries, thus posing significant risks to Asia’s cybersecurity landscape as well.
- Muddling Meerkat is a Chinese actor that is capable of controlling China’s Great Firewall. Most notably, the actor elicits fake DNS MX records from the firewall, a technique not previously reported. Since October 2019, the actor has executed sophisticated operations that have similarities to Slow Drip DDoS attacks, but have mysterious motives. They leverage open DNS resolvers and cleverly use super-aged domains to blend with regular DNS traffic, evading detection and demonstrating a deep, nuanced understanding of DNS and security measures.
- Savvy Seahorse is a DNS threat actor that specializes in investment scams that lure victims into creating accounts on fake investment platforms, making deposits into personal accounts, and then transferring these deposits to a bank in Russia. Savvy Seahorse delivers its campaigns through Facebook advertisements and incorporates fake ChatGPT and WhatsApp bots to urge users to enter personal information. It has spoofed legitimate companies such as Apple, Meta, Mastercard, Visa, and Google for investment opportunities.
- Prolific Puma is a threat actor that uses algorithmically generated domains to create shortened links for other malicious actors. The short links help bad actors to evade detection while they distribute phishing, scams and malware. Prolific Puma is the first actor to be identified as a malicious link-shortening service. They register hundreds to thousands of new domains daily and notably abuse the .US TLD.
- Loopy Lizard is a DNS threat actor that creates lookalike domains to financial institutions and government organizations for the purpose of phishing user credentials. They primarily target the United States and Australia but have also targeted Western Europe and Canada. Loopy Lizard was identified through DNS because of an anomalous name server configuration. Loopy Lizard was formerly called Open Tangle.
- Decoy Dog is a malware toolkit that uses DNS for command and control (C2), allowing compromised clients to communicate with an attacker via DNS queries through a purpose-built DNS name server. Discovered and dissected through DNS query logs, Decoy Dog is used by multiple actors and went undetected for over a year by the industry. It was first used in the Russia-Ukraine war, but as the number of actors has spread, it might be used beyond Eastern Europe.
- VexTrio Viper is a persistent actor operating a large criminal enterprise that uses a trifecta of traffic distribution systems (TDSs), lookalike domains and registered domain generation algorithms (RDGAs) to deliver malware, scams, and illegal content. VexTrio Viper is very adept at DNS. Their skills have enabled them to create and operate the largest known cybercriminal affiliate program with which they broker traffic for scores of other criminals. VexTrio Viper and their affiliates target users globally through many attack vectors. This is the single most pervasive threat actor that Infoblox has observed in customer networks.
Most cybercriminal actors – the ones that impact households and enterprises – are global. They are using toolkits that allow them to easily create lures in any language and prey on victims regardless of where they live. Many of the criminals work in large affiliate programs which are international.
Aside from common lures like banking and fake shops, many parts of Asia are also targeted through illegal content. Infoblox Threat Intel has uncovered several large traffic distribution systems (TDSs) which are used exclusively in Asia to deliver pornography, gambling, and other illegal material. But these systems typically are not merely illegal content; they often are intricately tied to phishing, malware, and scams because the victims cannot complain.
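The answer above describes analysing DNS query logs to spot data exfiltration and DNS C2 traffic such as Decoy Dog, where compromised clients talk to a purpose-built name server through queries. The following is an added illustration of that idea, not Infoblox's detection system: it profiles a constructed DNS log per registered domain (many distinct, long, high-entropy leftmost labels plus a high share of TXT queries) and flags the domain that looks like a tunnelling channel. The registered-domain heuristic, thresholds and log lines are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (timestamp client qname qtype); not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 cdn.example.com A
2024-05-01T10:00:03Z 10.0.0.5 mail.example.com MX
2024-05-01T10:00:04Z 10.0.0.9 static.example.com A
2024-05-01T10:00:05Z 10.0.0.7 3q8f1k2z9x7c4v6b.badc2.test TXT
2024-05-01T10:00:06Z 10.0.0.7 p0o9i8u7y6t5r4e3.badc2.test TXT
2024-05-01T10:00:07Z 10.0.0.7 m1n2b3v4c5x6z7l8.badc2.test TXT
2024-05-01T10:00:08Z 10.0.0.7 k9j8h7g6f5d4s3a2.badc2.test TXT
2024-05-01T10:00:09Z 10.0.0.7 w2e3r4t5y6u7i8o9.badc2.test TXT
"""

def shannon_entropy(label):
    """Bits per character; random-looking labels score near log2(len(label))."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def registered_domain(qname):
    """Assumption: the last two labels are the registered domain. A real
    deployment would consult the Public Suffix List (e.g. for co.uk)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def profile_domains(log_text):
    """Per registered domain: unique leftmost labels, mean length/entropy, TXT share."""
    rows = defaultdict(list)
    for line in log_text.splitlines():
        _, _, qname, qtype = line.split()
        rows[registered_domain(qname)].append((qname.split(".")[0], qtype))
    profiles = {}
    for dom, items in rows.items():
        labels = [lbl for lbl, _ in items]
        profiles[dom] = {
            "unique_subdomains": len(set(labels)),
            "mean_label_len": sum(map(len, labels)) / len(labels),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
            "txt_ratio": sum(qt == "TXT" for _, qt in items) / len(items),
        }
    return profiles

def flag_suspicious(profiles, min_subs=5, min_len=12, min_entropy=3.5):
    """Domains whose query pattern resembles DNS tunnelling or C2 beaconing:
    many distinct, long, high-entropy leftmost labels under one domain."""
    return sorted(dom for dom, p in profiles.items()
                  if p["unique_subdomains"] >= min_subs
                  and p["mean_label_len"] >= min_len
                  and p["mean_entropy"] >= min_entropy)
```

In production the thresholds would be tuned against a baseline of the network's own traffic, since CDNs and some legitimate services also use long machine-generated labels.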
How were these bad actors able to stay undetected for so long?