Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Over 1 million domains at risk of ‘Sitting Ducks’ domain hijacking technique.
(TLP: CLEAR) The article from The Hacker News reports that over 1 million domains are currently at risk due to a vulnerability in a widely used domain registration and management system. This flaw, identified in the DNS (Domain Name System) services, could potentially allow attackers to hijack domain names, disrupt website services, and access sensitive information.
(TLP: CLEAR) Comments: The issue stems from weaknesses in how DNS records are managed and propagated, making it critical for domain owners and administrators to apply security updates and patches promptly to mitigate the risk. The article emphasizes the urgency of addressing this vulnerability to prevent significant cyber threats and domain-based attacks.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SC-20: “SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)”: “Control:
“a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
“b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace.”
(TLP: CLEAR) Vercara: Vercara released a blog post called “Vercara’s Response to the ‘Sitting Ducks’ Domain Hijack Vulnerability” detailing this recent DNS vulnerability and how UltraDNS provides several tools to help domain owners. For domains set up on UltraDNS, we provide a DNS Health Check Tool, which tests for delegated subdomains that can be hijacked in this manner.
Source: https://thehackernews.com/2024/08/over-1-million-domains-at-risk-of.html
Hackers distributing malicious Python packages via popular developer Q&A platform.
(TLP: CLEAR) The Hacker News article discusses a recent wave of cyberattacks involving hackers distributing malicious Python packages. These packages, which are hosted on popular Python repositories, are designed to execute harmful actions on infected systems. The attackers are using sophisticated techniques to make these malicious packages appear legitimate and to bypass security measures.
(TLP: CLEAR) Comments: The article highlights the importance of vigilance when downloading and installing software from third-party sources and recommends that developers and users verify the authenticity of packages and use security tools to protect against such threats. Organizations should have a secure software design framework and conduct static code review as well as dynamic code review in a sandbox environment prior to placing new code onto production systems.
(TLP: CLEAR) Recommended best practices/regulations: NIST provides several frameworks that should be implemented in the development of software and code.
1) NIST SP 800-218: Secure Software Development Framework (SSDF):
- Planning: Incorporate security into all phases of the software development lifecycle. This includes requirements gathering, design, implementation, testing, and maintenance.
- Implementing: Follow secure coding standards and use static analysis tools to detect potential vulnerabilities in Python code.
- Verification: Regularly test the code for security issues, including automated testing and manual code reviews.
- Defect Management: Track and remediate vulnerabilities in a timely manner.
2) NIST Supply Chain Security:
- Vendor Assessment: Evaluate the security practices of third-party vendors and repositories where Python packages are sourced.
- Dependency Management: Use tools to manage dependencies and ensure that all packages are from trusted sources.
- Provenance: Verify the authenticity and integrity of Python packages using cryptographic signatures.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Source: https://thehackernews.com/2024/08/hackers-distributing-malicious-python.html
North Korea-linked malware targets developers on Windows, Linux, and macOS.
(TLP: CLEAR) The Hacker News article reports on a new wave of malware attacks linked to North Korean hackers, specifically targeting organizations in the aerospace and defense sectors. This malware, crafted to evade detection, is designed to steal sensitive information and disrupt operations. The article highlights the increasing focus of North Korean cyber activities on high-value industries and emphasizes the need for enhanced cybersecurity measures. Organizations are advised to implement robust security protocols and stay vigilant against these evolving threats to protect their critical data and infrastructure.
(TLP: CLEAR) Comments: State actors typically employ sophisticated malware in order to evade detection and maintain persistence within a targeted network. One of the attack vectors normally used is social engineering, where malicious emails are sent to employees in the hope that one individual will click on a malicious link, giving the state actors initial access to the network. It is highly advised that organizations have a robust and continuous cybersecurity training program that teaches their employees how to identify malicious emails and other social engineering attacks.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Source: https://thehackernews.com/2024/07/north-korea-linked-malware-targets.html
Black Basta develops custom malware in wake of Qakbot takedown.
(TLP: CLEAR) The Dark Reading article reports that the Black Basta ransomware group has developed new, custom malware following the takedown of QakBot, a previous tool they used for cyberattacks. This new malware is designed to enhance its capabilities and evade detection, reflecting the group’s adaptive strategies in response to law enforcement and cybersecurity measures.
(TLP: CLEAR) Comments: The article highlights the ongoing cat-and-mouse game between cybercriminals and security professionals, underscoring the need for continuous vigilance and advanced security measures to counteract emerging threats from sophisticated adversaries.
(TLP: CLEAR) Recommended best practices/regulations: Request For Comment 9424 “Indicators of Compromise (IoCs) and Their Role in Attack Defence” Section 3.4.2: “Deployment: IoCs can be particularly effective at mitigating malicious activity when deployed in security controls with the broadest impact. This could be achieved by developers of security products or firewalls adding support for the distribution and consumption of IoCs directly to their products, without each user having to do it, thus addressing the threat for the whole user base at once in a machine-scalable and automated manner. This could also be achieved within an enterprise by ensuring those control points with the widest aperture (for example, enterprise-wide DNS resolvers) are able to act automatically based on IoC feeds.”
Protective DNS solutions incorporate a wide variety of IoC feeds to detect and block malware and other abuse at the network level for many users.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.
Source: https://www.darkreading.com/threat-intelligence/black-basta-develops-custom-malware-in-wake-of-qakbot-takedown
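As an added illustration (not Vercara's, CISA's or the RFC's code), the following shows how a resolver-side policy can act on an IoC feed at the "widest aperture" control point that RFC 9424 Section 3.4.2 describes: queries are normalized, matched against feed entries including their subdomains, and blocked with the feed's category. The feed entries, client addresses and resolver log lines are constructed sample data, and the log format is assumed.

```python
"""Minimal Protective DNS policy check: apply an IoC domain feed to resolver
query logs. Constructed sample data throughout; not production code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed IoC feed: domain -> category assigned by the feed.
# An entry covers the exact name and every name beneath it.
IOC_FEED: Dict[str, str] = {
    "malware-c2.example": "malware",
    "login-verify.example.net": "phishing",
    "updates.badcdn.example": "ransomware",
}

@dataclass(frozen=True)
class Verdict:
    qname: str
    action: str               # "allow" or "block"
    category: Optional[str]   # feed category when blocked
    matched: Optional[str]    # feed entry that fired

def normalize(qname: str) -> str:
    """DNS names are case-insensitive; drop the trailing root dot."""
    return qname.rstrip(".").lower()

def lookup(qname: str, feed: Dict[str, str] = IOC_FEED) -> Verdict:
    """Walk from the full name up towards the apex so an entry for
    updates.badcdn.example also catches cdn.updates.badcdn.example."""
    name = normalize(qname)
    labels = name.split(".")
    for i in range(len(labels) - 1):        # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return Verdict(name, "block", feed[candidate], candidate)
    return Verdict(name, "allow", None, None)

def apply_policy(log_lines: List[str], feed: Dict[str, str] = IOC_FEED) -> List[Verdict]:
    """Assumed resolver log format: '<client-ip> <qname> <qtype>'.
    Malformed lines are skipped so one bad record does not halt enforcement."""
    verdicts = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        verdicts.append(lookup(parts[1], feed))
    return verdicts

# Constructed resolver log: one benign, two feed hits, one benign, one malformed.
SAMPLE_LOG = [
    "10.0.0.5 www.example.com A",
    "10.0.0.7 MALWARE-C2.example. A",
    "10.0.0.9 cdn.updates.badcdn.example AAAA",
    "10.0.0.5 example.net MX",
    "garbage",
]
```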
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.