Researchers Hunted Malicious Stockpiled Domains DNS Records

Malicious stockpiled domains are the collection of domain names that threat actors acquire in advance for several types of future malicious activities like:-.
While all these domains are often kept unused initially to evade detection, and then later they are activated by the threat actors when needed to:-.
Recently, the cybersecurity researchers at Palo Alto Networks' Unit 42 hunted malicious stockpiled domains while analyzing the DNS records.
Attacker automation leaves several types of traces in diverse data sources, which are detectable by security defenders in locations like:-.
Researchers used info bits to create a stockpiled domain detector with benefits like wider malicious domain coverage and early detection.
A vast knowledge base on malicious and benign domains helped in the following key things:-.
To detect the stockpiled domain names, researchers collect the following six categories of features:-.
More than 9,000 malicious domains were detected by Unit 42's detector in a redirection campaign.
This detection rate shows the advanced capabilities of the detector that outperformed VirusTotal's 31.7% detection rate.
Unit 42 detected them 32.3 days earlier on average.
Despite Cloudflare use complicating pDNS ID, researchers traced random domain generation with shared characteristics.
Victims in the campaign faced redirection to adware or scam pages featuring:-.
According to a report by Palo Alto, a phishing campaign was discovered that targeted users in Italy and Germany.
The detector found related domains in this campaign.
There was another campaign that impersonated USPS. In this case, over 30 domains were used on the same day between June 17 and August 28, 2023.
The report notes that these domains were registered and certified under four certificates.
The aggregation of domains and synchronized creation suggest automated threat actor involvement.
One campaign with more than 17 domains was focused on high-yield investment scams, using commonalities like-.
Threat actors actively automate their setups in domain wars the bulk registration leaves several detectable traces.
The success relies on defenders merging datasets to unveil malicious campaigns.


This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 04 Jan 2024 10:31:28 +0000


Cyber News related to Researchers Hunted Malicious Stockpiled Domains DNS Records

Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains - The two main advantages of detecting stockpiled domains are expanding coverage of malicious domains and providing patient-zero detections as attackers stock up on domains for future use. As of July 2023, our detection pipeline has found 1,114,499 ...
1 year ago Unit42.paloaltonetworks.com
How to Prevent DNS Attacks: DNS Security Best Practices - To protect against attack, best practices must be applied to protect the DNS protocol, the server on which the DNS protocol runs, and all access to the DNS processes. Implementing these best practices will not only protect DNS but also network ...
1 year ago Esecurityplanet.com
Researchers Hunted Malicious Stockpiled Domains DNS Records - Malicious stockpiled domains are the collection of domain names that threat actors acquire in advance for several types of future malicious activities like:-. While all these domains are often kept unused initially to evade detection, and then later ...
1 year ago Cybersecuritynews.com
DNS Tunneling Abuse Expands to Tracking & Scanning Victims - Attackers are taking malicious manipulation of DNS traffic to the next level, abusing DNS tunneling to scan a victim's network infrastructure as well as track victims' online behavior. Researchers from Palo Alto Networks' Unit 42 have identified ...
9 months ago Darkreading.com
Electronic Frontier Foundation - We're not just talking about the ballot box, but the everyday power we all have to demand government agencies make their records and data available to public scrutiny. At every level of government in the United States, there are laws that empower the ...
1 year ago Eff.org
Attacks abuse Microsoft DHCP to spoof DNS records The Register - A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers. We're told the attacks - which are ...
1 year ago Go.theregister.com
Understanding DNS Zones: A Comprehensive Guide - DNS stands for Domain Name System, and it is one of the most important components of the Internet. It is a network of servers that coordinates the registration, updating and resolution of domain names, so that users can easily access websites and ...
2 years ago Heimdalsecurity.com
Hackers use DNS tunneling for network scanning, tracking victims - Threat actors are using Domain Name System tunneling to track when their targets open phishing emails and click on malicious links, and to scan networks for potential vulnerabilities. DNS tunneling is the encoding of data or commands that are sent ...
9 months ago Bleepingcomputer.com
Researchers Uncovered an Active Directory DNS spoofing exploit - In the intricate web of our interconnected world, the Domain Name System stands as a linchpin, directing users to their online destinations. Even this vital system is not impervious to the dark art of malicious manipulation. In a recent revelation by ...
1 year ago Gbhackers.com
InfectedSlurs Botnet Spreads Mirai via Zero-Days - The payload targets routers and network video recorder devices with default admin credentials and installs Mirai variants when successful. Until November 9, 2023, the vulnerable devices being targeted were unknown. Since both the name and the version ...
1 year ago Akamai.com
KeyTrap attack: Internet access disrupted with one DNS packet - A serious vulnerability named KeyTrap in the Domain Name System Security Extensions feature could be exploited to deny internet access to applications for an extended period. Tracked as CVE-2023-50387, KeyTrap is a design issue in DNSSEC and impacts ...
1 year ago Bleepingcomputer.com CVE-2023-50387
Data Breaches in US Schools Exposed 37.6M Records - Since 2005, educational institutions in the United States have experienced 3713 data breaches, impacting over 37.6m records. According to new data by Comparitech, 2023 marked a record year, with 954 breaches recorded - a dramatic rise from 139 in ...
9 months ago Infosecurity-magazine.com
CVE-2024-7715 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, ...
6 months ago
CVE-2024-7828 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, ...
6 months ago
CVE-2024-7829 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, ...
6 months ago
CVE-2024-7830 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, ...
6 months ago
CVE-2024-7831 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, ...
6 months ago
CVE-2024-7832 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, ...
6 months ago
CVE-2024-7849 - ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, ...
6 months ago
CVE-2024-7922 - A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to ...
6 months ago
CVE-2024-8127 - A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and ...
6 months ago
CVE-2024-8128 - A vulnerability, which was classified as critical, has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, ...
6 months ago
CVE-2024-8129 - A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, ...
6 months ago
CVE-2024-8130 - A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to ...
6 months ago
CVE-2024-8131 - A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to ...
6 months ago

Cyber Trends (last 7 days)