@pmevzek @TheGibson
I would put more thought into how all of this can be attacked and/or abused.
It is always DNS. It is always BGP.
Fast Flux: Enabling Robust Malware, C2 and Phishing Networks
“Fast flux” is a technique that has been recently used by threat actors to obfuscate
the locations of malicious servers through rapidly changing Domain Name System
(DNS) records associated with a single domain name and establish robust C2
infrastructure capable of surviving attempts to dismantle it. Fast
Pulse ID: 67f42761b4cf9e873fd49513
Pulse Link: https://otx.alienvault.com/pulse/67f42761b4cf9e873fd49513
Pulse Author: cryptocti
Created: 2025-04-07 19:28:33
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
Is the sky fluxxing?! Last week a CISA advisory on DNS Fast Flux created a lot of buzz. We have an insider's take.
Fast Flux is a nearly 20 year old technique and is essentially the malicious use of dynamic DNS. It is critical that protective DNS services understand this -- and all other DNS techniques -- on that we agree.
What we also know as experts in DNS is that there are many ways to skin a cat, as they say.
#dns #threatintel #cisa #malware #phishing #threatintelligence #infobloxthreatintel #infoblox #cybercrime #cybersecurity #infosec
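The pattern described in the pulse summary and the Infoblox post above, low TTLs plus a constantly changing set of answer addresses for one name, is something a protective DNS service or a SOC can score from passive-DNS observations. The following is an added example, not code from the pulse, CISA or Infoblox; the observations, the thresholds and the use of /24 prefixes as a cheap stand-in for ASN diversity are all assumptions.

```python
"""Fast-flux heuristics over passive-DNS style observations.

Added example, not from the pulse or the Infoblox post above. The input
is a constructed list of resolver observations (timestamp, qname, answer
IP, TTL); the thresholds and the use of /24 prefixes as a cheap stand-in
for ASN diversity are assumptions, not values from the page.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean


@dataclass(frozen=True)
class Observation:
    ts: int      # unix seconds of the lookup
    qname: str   # queried name
    ip: str      # one A record from the answer
    ttl: int     # TTL of that record


def prefix24(ip: str) -> str:
    """Network prefix used as a rough proxy for 'different hosting'."""
    return str(ip_network(f"{ip}/24", strict=False))


def flux_metrics(observations):
    """Per-qname churn metrics. 'fluxiness' follows the Holz et al. idea:
    unique IPs seen over all lookups divided by the answer size of one
    lookup, so a name that always returns the same pool scores about 1."""
    by_name = defaultdict(list)
    for o in observations:
        by_name[o.qname].append(o)
    metrics = {}
    for name, rows in by_name.items():
        lookups = sorted({r.ts for r in rows})
        answer_sizes = [sum(1 for r in rows if r.ts == t) for t in lookups]
        unique_ips = {r.ip for r in rows}
        metrics[name] = {
            "lookups": len(lookups),
            "unique_ips": len(unique_ips),
            "unique_prefixes": len({prefix24(ip) for ip in unique_ips}),
            "mean_ttl": mean(r.ttl for r in rows),
            "fluxiness": len(unique_ips) / mean(answer_sizes),
        }
    return metrics


def is_fast_flux(m, ttl_max=300, min_ips=8, min_prefixes=4, min_fluxiness=2.0):
    """Assumed thresholds: a short TTL alone is not enough (CDNs use it too);
    require many distinct IPs spread over many prefixes and real churn."""
    return (m["mean_ttl"] <= ttl_max
            and m["unique_ips"] >= min_ips
            and m["unique_prefixes"] >= min_prefixes
            and m["fluxiness"] >= min_fluxiness)


# Constructed sample: a CDN-like name that rotates a small pool inside one
# /24, and a flux-like name whose every lookup returns fresh addresses from
# unrelated prefixes. Addresses are placeholders, not real infrastructure.
SAMPLE = []
cdn_pool = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
for i in range(4):
    for ip in (cdn_pool[i % 4], cdn_pool[(i + 1) % 4]):
        SAMPLE.append(Observation(1_700_000_000 + 60 * i, "www.cdn.example", ip, 60))
for i in range(4):
    for j in range(3):
        n = 3 * i + j + 1
        SAMPLE.append(Observation(1_700_000_000 + 120 * i, "c2.flux.example",
                                  f"10.{n}.{n}.{n}", 120))


def classify(observations):
    """Return {qname: (is_flux, metrics)} for each name in the observations."""
    return {name: (is_fast_flux(m), m)
            for name, m in flux_metrics(observations).items()}


if __name__ == "__main__":
    for name, (flagged, m) in classify(SAMPLE).items():
        print(f"{name:20} flux={flagged} {m}")
```

The CDN-like name is deliberately not flagged even though its TTL is 60 seconds: its four addresses all sit in one prefix and the pool never grows. The flux-like name trips every threshold because each lookup hands out three addresses never seen before, spread across unrelated networks. On real data, swap the /24 proxy for ASN lookups and tune the thresholds against known-good CDN traffic before alerting.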
@bortzmeyer
Stub sends the query to an authoritative #dns server (no recursion allowed)
Forward -> open bar!
I've never managed to remember the difference between stub and forward; I have to look at the docs every time.
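The same distinction written out as an Unbound configuration (an added example, not from the post; the zone names and server addresses are assumptions). A stub-zone tells Unbound where the authoritative servers for a zone are, and Unbound keeps acting as the recursor, querying them itself with recursion not requested. A forward-zone makes Unbound stop recursing for those names and send the whole query, with the RD bit set, to an upstream resolver that answers from cache or recurses on the client's behalf.

```conf
# unbound.conf excerpt; zone names and addresses are placeholders

# Stub: Unbound still resolves the name itself, it just knows which
# authoritative servers to ask for this zone (queries go out with RD=0).
stub-zone:
    name: "corp.example."
    stub-addr: 192.0.2.53

# Forward: Unbound hands the query to another resolver (RD=1) and trusts
# whatever comes back; that resolver does the recursion, hence "open bar".
forward-zone:
    name: "."
    forward-addr: 192.0.2.1
```

The security consequence of the difference: with a stub zone you are trusting only the listed authoritative servers for that zone, while with a forward zone you are trusting the forwarder's cache and its own upstream path for everything under the forwarded name.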
"French Court Orders Cloudflare to ‘Dynamically’ Block MotoGP Streaming Piracy"
https://torrentfreak.com/french-court-orders-cloudflare-to-dynamically-block-motogp-streaming-piracy-250405/
Cloudflare's public #DNS resolver, 1.1.1.1, apparently did not implement it yet.
PowerDNS Recursor Security Advisory 2025-01 (aka PowerDNS Recursor 5.2.1 Released)
https://blog.powerdns.com/2025/04/07/powerdns-recursor-5-2-1-released #dns #dnssec
Somebody, somewhere must occasionally still be falling for the .cn domain name scam, one from simon@netdomains.net.cn inboxed here today.
See https://nxdomain.no/~peter/domain_name_scams_are_alive_and_well_thank_you.html for an overview of the shitheadery. #dns #scams #domainnamescam #cndomains #netdomains #cybercrime #spam
@fleaz : it's not MultiMultiFactorAuthentication but 1FA max.
Assuming that you don't use those hardware keys to generate TOTP codes (which are pointless when confronted with the likes of #Evilginx2), but use WebAuthn instead (FIDO2 passkeys in hardware keys), everything depends on one factor: the domain name of the website.
DV-CERTS SUCK
It is not very common that certificates are issued to malicious parties, but it *does* happen now and then (https://infosec.exchange/@ErikvanStraten/112914050216821746).
SUBDOMAINS
Furthermore, sometimes organizations have "dangling" subdomain names. For example,
test.example.com
may point to the IP address of some cloud server no longer used by example.com. Anyone with write access to that server may install a fake "test.example.com" website and phish you to it. It *may* be used to phish your WebAuthn credentials *if* "example.com" does not explicitly *DENY* WebAuthn from "test.example.com".
See https://github.com/w3ctag/design-reviews/issues/97#issuecomment-175766580 for how Google prevents "sites.google.com" from authenticating to "google.com".
DNS HACKED
It may not be necessary to execute BGP hijacks to redirect network traffic to an impostor: it also all depends on how reliably DNS records are protected against unauthorized access. If the dude in charge of DNS uses a stupid password only, or the DNS provider is easily fooled into believing "I forgot my creds", it's game over. The crooks will obtain a DV-cert in no time, no questions asked, for free.
All the bells and whistles are moot if there's an alternative way to log in (such as by using a 1FA rescue code) and the user is fooled into providing it (after they've been lied to that their WebAuthn public key on the server became corrupted or was lost otherwise).
Cloudflare MitM's https connections (it's not a secret: https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/). The same applies to any server you log in to, which is accessible by untrustworthy personnel. They can steal your session cookie.
In the end MFA/2FA is a hoax anyway, because the session cookie (or JWT or whatever) is 1FA anyway.
Did I mention the risks of account lockout with hardware keys that cannot be backed up? And the mess it is to keep at least one other hardware key synchronized if it's in a vault? And the limitation of, for example, 25 WebAuthn accounts max? And (unpatchable) vulnerabilities found in hardware keys? And their price? And how easy it is to forget or lose them?
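The "SUBDOMAINS" part of the post above hinges on one fact about WebAuthn: the browser will let a page on test.example.com use the RP ID example.com, because the RP ID only has to be a registrable-domain suffix of the calling origin. What keeps a page on a dangling subdomain from finishing a login is therefore the relying party's own check of the origin the browser recorded in clientDataJSON, which is the mechanism behind the Google sites.google.com link. The following is an added example, not code from the post or from any WebAuthn library; the hostnames, the allow-list and the challenge are assumptions, and signature verification is deliberately left out to keep the two checks in focus.

```python
"""Relying-party checks that bind a WebAuthn assertion to one origin.

Added example, not code from the post above. It models the two server-side
checks that matter for the dangling-subdomain case: the origin the browser
recorded in clientDataJSON must be on an explicit allow-list, and rpIdHash
in authenticatorData must equal SHA-256 of the RP ID the server expects.
Signature verification over the authenticator data is deliberately not
shown. Hostnames, the allow-list and the challenge are assumptions.
"""
import base64
import hashlib
import json

RP_ID = "example.com"                        # assumed relying-party ID
ALLOWED_ORIGINS = {"https://example.com"}    # assumed policy: apex only


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def check_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes):
    """Return (ok, reason). Order follows the spec's assertion verification:
    ceremony type, challenge, origin, rpIdHash, then the UP flag."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        # The browser lets test.example.com use rpId example.com (it is a
        # registrable-domain suffix), so this allow-list is the only thing
        # stopping a page on a dangling subdomain from completing a login.
        return False, f"origin {origin!r} not allowed"
    if len(auth_data) < 37 or auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


# Constructed inputs standing in for what a browser would hand the server.
def make_client_data(origin: str, challenge: bytes) -> str:
    payload = {"type": "webauthn.get",
               "challenge": b64url_encode(challenge),
               "origin": origin}
    return b64url_encode(json.dumps(payload).encode("utf-8"))


def make_auth_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    # rpIdHash (32) | flags (1: UP=0x01, UV=0x04) | signCount (4, big-endian)
    return rp_id_hash(rp_id) + bytes([flags]) + counter.to_bytes(4, "big")


def demo():
    """Legitimate login from the apex, then the same assertion from a page
    on the dangling subdomain; the browser would allow both, the server
    must not."""
    challenge = bytes(range(32))
    legit = check_assertion(make_client_data("https://example.com", challenge),
                            make_auth_data("example.com"), challenge)
    dangling = check_assertion(make_client_data("https://test.example.com", challenge),
                               make_auth_data("example.com"), challenge)
    return legit, dangling


if __name__ == "__main__":
    print(demo())
```

The point the post makes with "does not explicitly DENY" maps onto ALLOWED_ORIGINS: if the allow-list were a suffix match on example.com, the assertion from test.example.com would pass every other check, since rpIdHash is the same and the authenticator signed it without complaint. Keep the list exact-match, and keep it short.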
Grandoreiro Stealer Targeting Spain and Latin America: Malware Analysis and Decryption Insights
A new campaign utilizing the Brazilian stealer Grandoreiro has been detected targeting Spain and Latin American countries. The malware, active since 2017, aims to steal sensitive information, including banking credentials and personal data. It employs advanced evasion techniques such as string encryption and anti-sandbox measures. The campaign distributes Grandoreiro through phishing emails containing VBS files. Once executed, it performs various checks to evade detection and uses legitimate services for geolocation and DNS resolution. The report provides detailed insights into the malware's behavior and explains the string obfuscation and decryption techniques used in this campaign.
Pulse ID: 67f038fac3f02d82df0a9833
Pulse Link: https://otx.alienvault.com/pulse/67f038fac3f02d82df0a9833
Pulse Author: AlienVault
Created: 2025-04-04 19:54:34
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Shaarli: DNS over HTTPS and DNS over TLS - DNS servers of the VPN provider Mullvad.
Includes several levels of blocking (ads, malware, etc.): https://mullvad.net/fr/help/dns-over-https-and-dns-over-tls #dns #serveurs #menteurs
#Shaarli: Change the Bouygues Telecom DNS servers and force your own DNS from the BBOX - PREMIUM OTT Officiel - A method for forcing the BBox to use DNS servers other than the defaults, which normally cannot be replaced.
2 links:
* https://mabbox.bytel.fr/firewall.html
* https://mabbox.bytel.fr/dhcp.html : https://ott-premium.com/fr/changer-les-dns-bouygues-telecom/ #dns #bbox
Hm, that's odd.
The Ironfox mobile browser manages to bypass the DNS blocking configured in PersonalDNSFilter; it behaves as if it didn't exist at all...
Fennec, on the other hand, doesn't get past it.
@YggTorrent
Or why not those of @mullvadnet.
You can choose between neutral DNS and 5 other options that filter different kinds of content: ads, trackers, malware, porn, gambling and social media.
https://mullvad.net/fr/help/dns-over-https-and-dns-over-tls#specifications