Folks -- keep in mind that most threat intel reporting containing domains is NOT designed for blocking. I have received enough questions about the recent OSINT reporting on Ivanti that it's worth a comment. Mandiant reports -- while great and in-depth -- include established companies and dynamic DNS services. Domains on the Cybereason list include things that aren't even domains but somehow have been elevated in VirusTotal and elsewhere to DNS status, e.g. request.data. It takes a lot of work to validate domains to protect networks while ensuring their performance. I don't recommend grabbing every IOC list and shoving it into your DNS or any firewall, regardless of the reputation of the source. These companies are offering IR data, not blocking IOC lists. #dns #threatintel #malware #ivanti #infoblox #cybersecurity
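Added example (my own, not from the post above and not Infoblox tooling): a small Python triage pass that sorts a scraped IOC list into things that aren't domains at all (request.data-style field names, file paths), shared infrastructure such as established companies and dynamic-DNS providers, and the entries that are actually worth a blocking decision. The TLD set and the shared-infrastructure allowlist are constructed placeholders, and the sample IOC list is made up for the demo.

```python
import re

# Constructed, deliberately tiny TLD set for this example. A real validator should
# load the Public Suffix List (https://publicsuffix.org/). "data" is absent on purpose.
KNOWN_TLDS = {"com", "net", "org", "top", "sk", "cz", "io", "xyz", "info"}

# Constructed allowlist (assumption): established companies and dynamic-DNS providers
# that show up in IR reports as infrastructure but must never be blocked at the apex.
SHARED_INFRA = {"microsoft.com", "amazonaws.com", "duckdns.org", "no-ip.com", "dyndns.org"}

DNS_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def refang(ioc: str) -> str:
    """Undo the usual defanging ([.] and hxxp) and normalise case/whitespace."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def extract_host(ioc: str) -> str:
    """Pull a bare hostname out of a URL-ish IOC; non-URL junk falls through unchanged."""
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", refang(ioc))   # drop scheme
    s = s.split("/")[0].split("?")[0].split("@")[-1]          # drop path/query/userinfo
    s = s.split(":")[0].rstrip(".")                           # drop port, trailing dot
    return s


def classify(ioc: str) -> str:
    host = extract_host(ioc)
    if IPV4.match(host):
        return "ip_address"
    labels = host.split(".")
    if len(labels) < 2 or not all(DNS_LABEL.match(label) for label in labels):
        return "not_a_domain"          # file paths, single labels, odd characters
    if labels[-1] not in KNOWN_TLDS:
        return "not_a_domain"          # looks like a name (request.data) but has no real TLD
    registered = ".".join(labels[-2:])  # naive apex; use the PSL for co.uk-style suffixes
    if registered in SHARED_INFRA:
        return "shared_infra_apex" if host == registered else "shared_infra_host"
    return "block_candidate"


def triage(iocs):
    """Bucket an IOC list so only block_candidate entries go anywhere near a resolver policy."""
    buckets = {}
    for ioc in iocs:
        buckets.setdefault(classify(ioc), []).append(ioc)
    return buckets


# Constructed sample list, mimicking what a scraped IR report turns into once tools "elevate" it.
SAMPLE_IOCS = [
    "request.data",                     # a JSON field name, not a domain
    "hxxp://api.microsoft.com/",        # established company named as a relay in a report
    "update-checker.duckdns[.]org",     # dynamic-DNS host: block the host, never duckdns.org
    "2ira57j063uauto[.]top",
    "192.168.1.10",
    "akamai-cdn[.]top",
    r"C:\Users\victim\AppData\run.dll",
]

if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_IOCS).items():
        print(f"{bucket:18} {entries}")
```

The shared_infra_host bucket is the one that needs a human: a host under a dynamic-DNS provider can reasonably be blocked by exact name, but the registered domain it sits under cannot, and the apex of an established company should never come out of this pipeline as a block rule at all.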
A few of the MFA lookalike domains we've detected recently. These target a large bank in the Czech Republic (csob[.]sk):
csob-sso-sk[.]net, online-csob-sso-sk-moja[.]com, csob-sso-sk[.]com
What's the word for when the phishers who are stealing from the organized crime phishers that you are researching realize that you know they are fake (organized crime) and take down their entire infrastructure and social media presence in a few hours? I was going with "wow" but it doesn't seem quite the right word. I also tried "bummer". #dns #phishing #cybercrime #infoblox
Nice paper by AT&T on AsyncRAT. We see a lot of domains from registered domain generation algorithms (RDGAs), but not a ton of traditional DGAs these days… but this IS one! The AsyncRAT DGA is keeping a lower profile by not generating too many domain variants. We've seen 37 SLDs in our resolvers this month from the AsyncRAT DGA, almost all of which were NXDOMAIN responses. Only 2ira57j063uauto[.]top resolved for us recently. We were blocking it already as suspicious. Pro tip: .top TLD plus a 15-character new domain... block. ;)
But even more interesting is that with the actor using dedicated hosting through BitLaunch, we can see that aside from their DGA domains they have the sneaky lookalike:
akamai-cdn[.]top, registered on December 18th. Block that one!
Hi. This is Renée, the head of Infoblox Threat Intel (@knitcode). A few of my researchers and I are sharing this Mastodon account. Our plan is to toot about suspicious and malicious activity in DNS. Our team tends to write very in-depth papers, and we want to use Mastodon to complement those with nuggets we've seen, updates on the DNS threat actors or TTPs we are seeing, and articles we are reading. Here goes! #dns #threatintel #malware #phishing #cybersecurity #infosec #infoblox #introduction
Last year's highlights… my team started to come out of our shell with a commitment to publishing high-end original research on topics related to DNS threats that were not covered by others… we've got big plans for 2024!
Decoy Dog was the first time an APT DNS malware was detected and reverse engineered from DNS query-response data…we got the actors to respond to us, and picked up some file samples later but this was a DNS story through and through
Open Tangle was the first publication of a dedicated lookalike phishing DNS threat actor operating for over 4 years
We introduced the DNS threat actor technique of registered domain generation algorithms (RDGA) to evade detection
Prolific Puma was the first report of a malicious link shortener (and they use RDGA), and we discovered that they had circumvented the usTLD privacy regulations to boot…