04 May 2022

1,2,3 >> DNS POISONING FLAW ...ISPs ordered to block the pirate websites "by any technological means available."

THREE REPORTS:

1 First discovered in 2008 by researcher Dan Kaminsky, DNS poisoning requires a hacker to first masquerade as an authoritative DNS server and then use it to flood a DNS resolver inside an ISP or device with fake lookup results for a trusted domain. When the fraudulent IP address arrives before the legitimate one, end users automatically connect to the imposter site. The hack worked because the unique transaction assigned to each lookup was predictable enough that attackers could include it in fake responses.

Gear from Netgear, Linksys, and 200 others has unpatched DNS poisoning flaw

Vulnerability in 3rd-party libraries can send devices users to malicious sites.


"Hardware and software makers are scrambling to determine if their wares suffer from a critical vulnerability recently discovered in third-party code libraries used by hundreds of vendors, including Netgear, Linksys, Axis, and the Gentoo embedded Linux distribution.

The flaw makes it possible for hackers with access to the connection between an affected device and the Internet to poison DNS requests used to translate domains to IP addresses, researchers from security firm Nozomi Networks said Monday. By feeding a vulnerable device fraudulent IP addresses repeatedly, the hackers can force end users to connect to malicious servers that pose as Google or another trusted site.

The vulnerability, which was disclosed to vendors in January and went public on Monday, resides in uClibc and uClibc fork uClibc-ng, both of which provide alternatives to the standard C library for embedded Linux. Nozomi said 200 vendors incorporate at least one of the libraries into wares that, according to the uClibc-ng maintainer, include the following:

[   ]

What's DNS poisoning, anyway?

DNS poisoning and its DNS cache-poisoning relative allow hackers to replace the legitimate DNS lookup for a site such as google.com or arstechnica.com—normally 209.148.113.38 and 18.117.54.175 respectively—with malicious IP addresses that can masquerade as those sites as they attempt to install malware, phish passwords, or carry out other nefarious actions . . ."

READ MORE >> https://arstechnica.com/information-technology/2022/05/gear-from-netgear-linksys-and-200-others-has-unpatched-dns-poisoning-flaw/
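As an added illustration of the resolver-side defence against the predictable-transaction-ID weakness described above (example code written for this post, not from Ars Technica, Nozomi Networks or uClibc): a constructed minimal resolver that draws IDs and source ports from a CSPRNG and accepts a reply only when ID, port, question name and type all match an outstanding query.

```python
import secrets
import struct

# Constructed example; the message builder, parser and Resolver class are
# illustrative and do not reproduce uClibc's or any real resolver's code.

def build_message(txid, qname, qtype=1, response=False):
    """Build a minimal DNS header plus one question (flags 0x8180 reply, 0x0100 query)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_message(msg):
    """Return (txid, is_response, qname, qtype) from the wire bytes."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, parts = 12, []
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:  # a compression pointer has no place in the question we sent
            raise ValueError("compressed question name")
        parts.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    qtype = struct.unpack("!H", msg[off + 1:off + 3])[0]
    return txid, bool(flags & 0x8000), ".".join(parts).lower(), qtype

class Resolver:
    """Tracks in-flight queries; a reply is used only if all four fields match."""
    def __init__(self):
        self.pending = set()

    def send_query(self, qname, qtype=1):
        # Unpredictable ID and ephemeral port: a blind spoofer must guess ~32 bits,
        # not the ~16 (or fewer, with a predictable ID) that made poisoning practical.
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(65536 - 1024)
        self.pending.add((txid, port, qname.rstrip(".").lower(), qtype))
        return build_message(txid, qname, qtype), port

    def accept_response(self, msg, dst_port):
        """True only for a response matching an outstanding query; consumed once."""
        txid, is_response, qname, qtype = parse_message(msg)
        key = (txid, dst_port, qname, qtype)
        if not is_response or key not in self.pending:
            return False          # drop: wrong ID, port or question (possible spoof)
        self.pending.discard(key)  # a second copy (race or replay) is also rejected
        return True
```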

2 The three lawsuits were filed by Israeli TV and movie producers and providers against Doe defendants who operate the websites. Each of the three rulings awarded damages of $7.65 million. TorrentFreak pointed out the rulings in an article Monday.

Every ISP in the US has been ordered to block three pirate streaming services

ISPs ordered to block the pirate websites "by any technological means available."


"A federal judge has ordered all Internet service providers in the United States to block three pirate streaming services operated by Doe defendants who never showed up to court and hid behind false identities.

The blocking orders affect Israel.tv, Israeli-tv.com, and Sdarot.tv, as well as related domains listed in the rulings and any other domains where the copyright-infringing websites may resurface in the future. The orders came in three essentially identical rulings (see here, here, and here) issued on April 26 in US District Court for the Southern District of New York.

Each ruling provides a list of 96 ISPs that are expected to block the websites, including Comcast, Charter, AT&T, Verizon, and T-Mobile. But the rulings say that all ISPs must comply even if they aren't on the list:

It is further ordered that all ISPs (including without limitation those set forth in Exhibit B hereto) and any other ISPs providing services in the United States shall block access to the Website at any domain address known today (including but not limited to those set forth in Exhibit A hereto) or to be used in the future by the Defendants ("Newly Detected Websites") by any technological means available on the ISPs' systems. The domain addresses and any Newly Detected Websites shall be channeled in such a way that users will be unable to connect and/or use the Website, and will be diverted by the ISPs' DNS servers to a landing page operated and controlled by Plaintiffs (the "Landing Page").

That landing page is available here and cites US District Judge Katherine Polk Failla's "order to block all access to this website/service due to copyright infringement."

"If you were harmed in any way by the Court's decision you may file a motion to the Federal Court in the Southern District of New York in the above case," the landing page also says.

[.   ] Rulings further target web hosts and banks . . . Financial institutions face similar bans on doing business with the blocked websites. The rulings directly target the defendants' monetary accounts, saying that plaintiffs "shall have the ongoing authority to serve this Order on any party controlling or otherwise holding such accounts" until they have "recovered the full payment of monies owed to them by any Defendant under this Order." This applies to PayPal, banks, and payment providers in general."

READ MORE >> https://arstechnica.com/tech-policy/2022/05/judge-rules-every-isp-in-us-must-block-pirate-sites-run-by-mysterious-defendants/

3 It’s not the kind of security discovery that happens often. A previously unknown hacker group used a novel backdoor, top-notch tradecraft, and software engineering to create an espionage botnet that was largely invisible in many victim networks.

Botnet that hid for 18 months boasted some of the coolest tradecraft ever

Once-unknown group uses a tunnel fetish and a chameleon's ability to blend in.


". . .The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims’ networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including:

  • The use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don’t support antivirus or endpoint detection. This makes detection through traditional means difficult.
  • Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device.
  • A live-off-the-land approach that favors common Windows programming interfaces and tools over custom code with the goal of leaving as light a footprint as possible.
  • An unusual way a second-stage backdoor connects to attacker-controlled infrastructure by, in essence, acting as a TLS-encrypted server that proxies data through the SOCKS protocol.

A tunneling fetish with SOCKS

In a post, Mandiant researchers Doug Bienstock, Melissa Derr, Josh Madeley, Tyler McLellan, and Chris Gardner wrote:

Throughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate. The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection. This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months.

The SOCKS tunnel allowed the hackers to effectively connect their control servers to a victim’s network where they could then execute tools without leaving traces on any of the victims' computers. . .

[.   ]

One of the ways the hackers maintain a low profile is by favoring standard Windows protocols over malware to move laterally. To move to systems of interest, UNC3524 used a customized version of WMIEXEC, a tool that uses Windows Management Instrumentation to establish a shell on the remote system.

Eventually, Quietexit executes its final objective: accessing email accounts of executives and IT personnel in hopes of obtaining documents related to things like corporate development, mergers and acquisitions, and large financial transactions. . ."

READ MORE >> https://arstechnica.com/information-technology/2022/05/how-hackers-used-smarts-and-a-novel-iot-botnet-to-plunder-email-for-months/
