#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

DNS hijacking | Breaking Cybersecurity News | The Hacker News

VexTrio: The Uber of Cybercrime - Brokering Malware for 60+ Affiliates

VexTrio: The Uber of Cybercrime - Brokering Malware for 60+ Affiliates
Jan 23, 2024 Malware / Cyber Threat
The threat actors behind ClearFake, SocGholish, and dozens of other e-crime outfits have established partnerships with another entity known as  VexTrio  as part of a massive "criminal affiliate program," new findings from Infoblox reveal. The latest development demonstrates the "breadth of their activities and depth of their connections within the cybercrime industry," the company said , describing VexTrio as the "single largest malicious traffic broker described in security literature." VexTrio, which is believed to be have been active since at least 2017, has been attributed to  malicious campaigns  that use domains generated by a dictionary domain generation algorithm ( DDGA ) to propagate scams, riskware, spyware, adware, potentially unwanted programs (PUPs), and pornographic content. This includes a 2022 activity cluster that  distributed the Glupteba malware  following an earlier attempt by Google to take down a significant chunk of its infrastru

Sea Turtle Cyber Espionage Campaign Targets Dutch IT and Telecom Companies

Sea Turtle Cyber Espionage Campaign Targets Dutch IT and Telecom Companies
Jan 06, 2024 Cyber Espionage / Supply Chain Attack
Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Türkiye-nexus threat actor known as  Sea Turtle . "The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents," Dutch security firm Hunt & Hackett  said  in a Friday analysis. "The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals." Sea Turtle, also known by the names Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was  first documented  by Cisco Talos in April 2019, detailing  state-sponsored attacks  targeting public and private entities in the Middle E

Hands-on Review: Myrror Security Code-Aware and Attack-Aware SCA

Hands-on Review: Myrror Security Code-Aware and Attack-Aware SCA
Feb 09, 2024Static Code Analysis
Introduction The modern software supply chain represents an ever-evolving threat landscape, with each package added to the manifest introducing new attack vectors. To meet industry requirements, organizations must maintain a fast-paced development process while staying up-to-date with the latest security patches. However, in practice, developers often face a large amount of security work without clear prioritization - and miss a significant portion of the attack surface altogether. The primary issue arises from the detection and prioritization methods used by traditional Static Code Analysis (SCA) tools for vulnerabilities. These methods lack the organizational-specific context needed to make an informed scoring decision: the score, even if critical, might not  actually  be critical for an organization because its infrastructure works in a unique way - affecting the actual impact the vulnerability might have.  In other words, since these tools depend on a relatively naive methodol

Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks

Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks
Jun 13, 2022
The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East. "The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool 'DIG.net,'" Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar  said  in a report published last week. "The malware leverages a DNS attack technique called 'DNS Hijacking' in which an attacker-controlled DNS server manipulates the response of DNS queries and resolves them as per their malicious requirements." DNS hijacking is a  redirection attack  in which DNS queries to genuine websites are intercepted to take an unsuspecting user to fraudulent pages under an adversary's control. Unlike  cache poisoning , DNS hijacking targets the DNS record of the website on the nameserver, rather than a resolver's cache. Lyceum , also known as Hexane, Spirli

The Critical State of AI in the Cloud

cyber security
websiteWiz.ioArtificial Intelligence / Cloud Security
Wiz Research reveals the explosive growth of AI adoption and what 150,000+ cloud accounts revealed about the AI surge.

Malicious USB Drives Infect 35,000 Computers With Crypto-Mining Botnet

Malicious USB Drives Infect 35,000 Computers With Crypto-Mining Botnet
Apr 24, 2020
Cybersecurity researchers from ESET on Thursday said they took down a portion of a malware botnet comprising at least 35,000 compromised Windows systems that attackers were secretly using to mine Monero cryptocurrency. The botnet, named "VictoryGate," has been active since May 2019, with infections mainly reported in Latin America, particularly Peru accounting for 90% of the compromised devices. "The main activity of the botnet is mining Monero cryptocurrency," ESET said . "The victims include organizations in both public and private sectors, including financial institutions." ESET said it worked with dynamic DNS provider No-IP to take down the malicious command-and-control (C2) servers and that it set up fake domains (aka sinkholes) to monitor the botnet's activity. The sinkhole data shows that between 2,000 and 3,500 infected computers connected to the C2 servers on a daily basis during February and March this year. According to ESET res

DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains

DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains
Jan 23, 2019
The U.S. Department of Homeland Security (DHS) has today issued an "emergency directive" to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains, within next 10 business days. The emergency security alert came in the wake of a series of recent incidents involving DNS hijacking , which security researchers with "moderate confidence" believe originated from Iran. Domain Name System (DNS) is a key function of the Internet that works as an Internet's directory where your device looks up for the server IP addresses after you enter a human-readable web address (e.g., thehackernews.com). What is DNS Hijacking Attack? DNS hijacking involves changing DNS settings of a domain, redirecting victims to an entirely different attacker-controlled server with a fake version of the websites they are trying to visit, often with an objective to steal users' data. "The attacker alter

GhostDNS: New DNS Changer Botnet Hijacked Over 100,000 Routers

GhostDNS: New DNS Changer Botnet Hijacked Over 100,000 Routers
Oct 01, 2018
Chinese cybersecurity researchers have uncovered a widespread, ongoing malware campaign that has already hijacked over 100,000 home routers and modified their DNS settings to hack users with malicious web pages—especially if they visit banking sites—and steal their login credentials. Dubbed GhostDNS , the campaign has many similarities with the infamous DNSChanger malware that works by changing DNS server settings on an infected device, allowing attackers to route the users' internet traffic through malicious servers and steal sensitive data. According to a new report from cybersecurity firm Qihoo 360's NetLab, just like the regular DNSChanger campaign, GhostDNS scans for the IP addresses for routers that use weak or no password at all, accesses the routers' settings, and then changes the router's default DNS address to the one controlled by the attackers. GhostDNS System: List of Modules and Sub-Modules The GhostDNS system mainly includes four modules:

Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan
Apr 16, 2018
Security researchers have been warning about an ongoing malware campaign hijacking Internet routers to distribute Android banking malware that steals users' sensitive information, login credentials and the secret code for two-factor authentication. In order to trick victims into installing the Android malware, dubbed Roaming Mantis , hackers have been hijacking DNS settings on vulnerable and poorly secured routers . DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their sensitive information like login credentials, bank account details, and more. Hijacking routers' DNS for a malicious purpose is not new. Previously we reported about widespread DNSChanger and Switcher —both the malware worked by changing the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by attackers. Discovered by security researchers at Kaspersk

New Point-of-Sale Malware Steals Credit Card Data via DNS Queries

New Point-of-Sale Malware Steals Credit Card Data via DNS Queries
Feb 09, 2018
Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect. A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems. Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who have uncovered the malware, dubbed it UDPoS . Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of HTTP that has been used by most POS malware in the past. This malware is also thought to be first of its kind. Besides using 'unusual' DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn —a legitimate remote desktop control service used to manage computers and other systems remo

Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users

Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users
Jan 12, 2018
A security researcher has revealed details of a new piece of undetectable malware targeting Apple's Mac computers—reportedly first macOS malware of 2018. Dubbed OSX/MaMi , an unsigned Mach-O 64-bit executable, the malware is somewhat similar to DNSChanger malware that infected millions of computers across the world in 2012. DNSChanger malware typically changes DNS server settings on infected computers, allowing attackers to route internet traffic through malicious servers and intercept sensitive information. First appeared on the Malwarebytes forum, a user posted a query regarding unknown malware that infected his friend's computer that silently changed DNS settings on infected macOS to 82.163.143.135 and 82.163.142.137 addresses. After looking at the post, ex-NSA hacker Patrick Wardle analysed the malware and found that it is indeed a ' DNS Hijacker, ' which also invokes security tools to install a new root certificate in an attempt to intercept encrypte

New Android Malware Hijacks Router DNS from Smartphone

New Android Malware Hijacks Router DNS from Smartphone
Dec 28, 2016
Another day, another creepy malware for Android users! Security Researchers have uncovered a new Android malware targeting your devices, but this time instead of attacking the device directly, the malware takes control over the WiFi router to which your device is connected to and then hijacks the web traffic passing through it. Dubbed " Switcher ," the new Android malware, discovered by researchers at Kaspersky Lab, hacks the wireless routers and changes their DNS settings to redirect traffic to malicious websites. Over a week ago, Proofpoint researchers discovered similar attack targeting PCs, but instead of infecting the target's machines, the Stegano exploit kit takes control over the local WiFi routers the infected device is connected to. Switcher Malware carries out Brute-Force attack against Routers Hackers are currently distributing the Switcher trojan by disguising itself as an Android app for the Chinese search engine Baidu (com.baidu.com), and as

Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)

Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)
Feb 17, 2016
A highly critical vulnerability has been uncovered in the GNU C Library (glibc) , a key component of most Linux distributions, that leaves nearly all Linux machines, thousands of apps and electronic devices vulnerable to hackers that can take full control over them. Just clicking on a link or connecting to a server can result in remote code execution (RCE), allowing hackers to steal credentials, spy on users, seize control of computers, and many more. The vulnerability is similar to the last year's  GHOST vulnerability (CVE-2015-0235) that left countless machines vulnerable to remote code execution (RCE) attacks , representing a major Internet threat. GNU C Library (glibc) is a collection of open source code that powers thousands of standalone apps and most Linux distributions, including those distributed to routers and other types of hardware. The recent flaw, which is indexed as CVE-2015-7547 , is a stack-based buffer overflow vulnerability in glibc's D

Have a D-Link Wireless Router? You might have been Hacked

Have a D-Link Wireless Router? You might have been Hacked
Feb 03, 2015
The popular DSL wireless router model from D-Link are allegedly vulnerable to a software bug that could allow remote hackers to modify the DNS (Domain Name System) settings on affected routers and to hijack users' traffic. The main goal of DNS hijacking is to secretly redirect user's traffic from a legitimate websites to a malicious one controlled by hackers. The vulnerability might also affects other devices because it is located in the same, widely-used wireless router firmware used by different manufacturers. Bulgarian security researcher Todor Donev discovered the flaw which exists in a widely deployed ZynOS firmware from ZyXEL Communications Corporation, that is used in network hardware from TP-Link Technologies, ZTE and D-Link. According to the security researcher, D-Link's popular DSL2740R wireless router and a number of other D-Link routers, particularly the DLS-320B, are vulnerable. Late last year, similar router vulnerability was discovered in the

GoDaddy Vulnerability Allows Domain Hijacking

GoDaddy Vulnerability Allows Domain Hijacking
Jan 21, 2015
An Internet domain registrar and web hosting company GoDaddy has patched a Cross-Site Request Forgery ( CSRF or XSRF) vulnerability that allowed hackers and malicious actors to hijack websites registered with the domain registration company. The vulnerability was reported to GoDaddy on Saturday by Dylan Saccomanni, a web application security researcher and penetration testing consultant in New York. Without any time delay, the company patched the bug in less than 24 hours after the blog was published. While managing an old domain registered on GoDaddy, Saccomanni stumbled across the bug and noticed that there was absolutely no protection against CSRF vulnerability at all on many GoDaddy DNS management actions. Cross-Site Request Forgery (CSRF) is a method of attacking a website in which an attacker need to convince the victim to click on a specially crafted HTML exploit page that will make a request to the vulnerable website on their behalf. This common but rathe

Millions of Vulnerable Routers aiding Massive DNS Amplification DDoS Attacks

Millions of Vulnerable Routers aiding Massive DNS Amplification DDoS Attacks
Apr 03, 2014
The Distributed Denial of Service (DDoS) attack is becoming more sophisticated and complex with the increase in the skills of attackers and so, has become one of favorite weapon for the cyber criminals to temporarily suspend or crash the services of a host connected to the Internet and till now nearly every big site had been a victim of this attack. Since 2013, Hackers have adopted new tactics to boost the sizes of Distributed Denial of Service ( DDoS ) attack known as ' Amplification Attack ', leveraging the weakness in the UDP protocols. One of the commonly used by hacker is (Domain Name System) DNS Reflection Denial of Service (DrDoS). WHAT IS DrDoS ATTACK? The DNS Reflection Denial of Service (DrDoS) technique exploits security weaknesses in the Domain Name System (DNS) Internet protocol. Using Internet protocol spoofing, the source address is set to that of the targeted victim, which means all the replies will go to the target and the target of the attack receives re

Google Public DNS intercepted by Turkish ISPs

Google Public DNS intercepted by Turkish ISPs
Mar 30, 2014
I know we all have freedom of speech, but unfortunately it's not free, especially in the countries govern by the governments where they are ready to kill our voice anyhow, even by censoring the social media. The same happened few days before, when Twitter , the biggest Social Media platform, was banned by the Turkey government after an audio clip was leaked on YouTube and Twitter about the massive corruption of Turkey Prime Minister Recep Tayyip Erdoğan instructing his son to dispose of large amounts of cash in the midst of a police investigation. The Prime minister of the country, Erdoğan has full control on the old media, the television and the printing press, but he failed to stop the Ten Million Turkish citizen on twitter from sharing the audio all over the social media site, when Twitter itself reportedly refused to delete the incriminating audio of him. But it doesn't work very well, since the users have all way out. Millions of Turkey users began using Google's DNS servi

Google Public DNS Server Traffic Hijacked

Google Public DNS Server Traffic Hijacked
Mar 17, 2014
The Internet is becoming a dangerous place day-by-day and especially for those innocent web users who rely on 3rd party services. The latest bad news is that the World's largest and most widely used Google's free public DNS (Domain name system) resolvers  raised   security red flags yesterday. DNS is the master address list for the Internet, which translates IP addresses into human readable form and vice versa. According to Internet monitoring firm BGPmon , Google's DNS server 8.8.8.8 /32 was hijacked yesterday for 22 minutes. The Google's DNS server handles around 150 billion queries a day and during the 22 minutes of hijacking, millions of Internet users, including Financial institutions , Governments were redirected to BT's (British multinational telecommunications services company) Latin America division in Venezuela and Brazil. It is suspected that Hackers exploited a well-known  vulnerability in the so-called Border Gateway Protocol ( BGP) , which
Cybersecurity Resources