🔐 CISA: Fast Flux DNS Is a National Security Threat

Cyber actors are escalating use of fast flux DNS—a tactic that rapidly changes IP addresses and name servers tied to malicious domains—to evade detection and maintain resilient command-and-control infrastructure.

CISA’s latest advisory, backed by the NSA, FBI, and allies from Australia, Canada, and New Zealand, warns that this technique is:
・🔁 Difficult to block with traditional defenses
・💣 Used in attacks by Hive, Gamaredon, and other advanced threats
・💡 Critical for botnet survival and ransomware delivery

ISPs and DNS providers are being called on to:
・Deploy Protective DNS (PDNS) services
・Develop analytics to detect fast flux behavior
・Share threat intelligence across sectors

This is a call to arms for defenders: if you’re not watching your DNS traffic closely, you’re blind to one of the most elusive forms of modern infrastructure abuse.

👉 https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-093a

#CyberSecurity #CISA #DNS #FastFlux #NationalSecurity #Botnets #ThreatDetection #InfoSec #PDNS
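The advisory asks DNS providers to "develop analytics to detect fast flux behavior". The following is an added example, not code from CISA or the advisory, of the three features such analytics usually key on when run over passive DNS A-record observations: how many distinct addresses a name resolves to, how many origin networks (ASNs) those addresses sit in, and how short the TTLs are. The record layout, the ASN enrichment field, the thresholds and all sample observations (documentation IP ranges and documentation ASNs) are constructed assumptions for illustration. The CDN-style name is included on purpose: many addresses and a short TTL alone are not fast flux, which is why the ASN spread is required as well.

```python
"""Fast-flux heuristic over passive DNS (pDNS) A-record observations.

Added example, not part of the CISA advisory. The record layout, the ASN
enrichment and the thresholds are assumptions chosen for illustration; the
sample observations below are constructed, not real sightings.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str     # queried name
    rdata: str      # resolved IPv4 address
    ttl: int        # TTL carried in the answer
    asn: int        # origin ASN of rdata, assumed enriched by the collector
    seen: datetime  # observation time


# Thresholds (assumptions): fast flux spreads one name over many hosts in
# many different networks and keeps TTLs short so rotation takes effect fast.
MIN_DISTINCT_IPS = 8
MIN_DISTINCT_ASNS = 4
MAX_MEDIAN_TTL = 600


def fast_flux_features(records, window=timedelta(hours=24)):
    """Group observations per name and compute the fast-flux features over the
    first `window` of sightings of each name.

    Returns {name: {"distinct_ips", "distinct_asns", "median_ttl", "flagged"}}.
    """
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec.rrname].append(rec)

    result = {}
    for name, recs in by_name.items():
        start = min(r.seen for r in recs)
        in_window = [r for r in recs if r.seen - start <= window]
        ips = {r.rdata for r in in_window}
        asns = {r.asn for r in in_window}
        median_ttl = statistics.median(r.ttl for r in in_window)
        flagged = (len(ips) >= MIN_DISTINCT_IPS
                   and len(asns) >= MIN_DISTINCT_ASNS
                   and median_ttl <= MAX_MEDIAN_TTL)
        result[name] = {
            "distinct_ips": len(ips),
            "distinct_asns": len(asns),
            "median_ttl": median_ttl,
            "flagged": flagged,
        }
    return result


T0 = datetime(2025, 4, 1)

# Constructed: a flux name answering from 24 addresses spread over 7 ASNs,
# 5-minute TTL, new address seen every 10 minutes.
FLUX = [PdnsRecord("update-check.example", f"198.51.100.{i}", 300,
                   64496 + i % 7, T0 + timedelta(minutes=10 * i))
        for i in range(24)]
# Constructed: a CDN-style name; many addresses and a short TTL, but a single
# origin ASN, so it must not be flagged.
CDN = [PdnsRecord("static.example", f"203.0.113.{i}", 60, 64511,
                  T0 + timedelta(minutes=10 * i)) for i in range(12)]
# Constructed: an ordinary stable host.
STABLE = [PdnsRecord("www.example", "192.0.2.10", 3600, 64510,
                     T0 + timedelta(hours=i)) for i in range(5)]
# Constructed: a sighting of the flux name two days later; it falls outside
# the 24-hour window and is not counted.
LATE = [PdnsRecord("update-check.example", "198.51.100.99", 300, 64496,
                   T0 + timedelta(days=2))]

SAMPLE_RECORDS = FLUX + CDN + STABLE + LATE

if __name__ == "__main__":
    for name, feats in fast_flux_features(SAMPLE_RECORDS).items():
        print(f"{name:24} ips={feats['distinct_ips']:3} "
              f"asns={feats['distinct_asns']:2} ttl={feats['median_ttl']:5} "
              f"{'FAST-FLUX' if feats['flagged'] else 'ok'}")
```

In production the same features are computed over a rolling window per name and combined with allow-lists for known CDN and anycast ASNs; the thresholds above are a starting point to tune against your own resolver data, not fixed values from the advisory.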

Malicious actors have taken notice of news about the US Social Security System. We've seen multiple spam campaigns that attempt to phish users or lure them to download malware.

Emails with subjects like "Social Security Administrator.", "Social Security Statement", and "ensure the accuracy of your earnings record" contain malicious links and attachments.

One example contained a disguised URL that redirected to user2ilogon[.]es in order to download the trojan file named SsaViewer1.7.exe.

Actors using social security lures are connected to malicious campaigns targeting major brands through their DNS records.

Block these:

user2ilogon[.]es
viewer-ssa-gov[.]es
wellsffrago[.]com
nf-prime[.]com
deilvery-us[.]com
wllesfrarqo-home[.]com
nahud[.]com

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #malware #scam #ssa

Last week, while reviewing detected lookalike domains, one in particular stood out: cdsi--simi[.]com. A quick search pointed to a legitimate U.S. military contractor, CDSI, which specializes in electronic warfare and telemetry systems. Its legitimate domain, cdsi-simi[.]com, features a single hyphen, whereas the lookalike domain uses two hyphens.

Passive DNS revealed a goldmine: a cloud system in Las Vegas hosting Russian domains and other impersonations of major companies.

Here are a few samples of the domains:

- reag-br[.]com: lookalike for Reag Capital Holdings, Brazil.
- creo--ia[.]com: lookalike for an industrial fabrication firm in WA State.
- admiralsmetal[.]com: lookalike for a US-based metals provider.
- ustructuressinc[.]com: lookalike for a Colorado-based heavy civil contractor.
- elisontechnologies[.]com: typosquat for Ellison Technologies, machine fabrication.

#dns #lookalikes #lookalikeDomain #threatintel #cybercrime #threatintelligence #cybersecurity #infoblox #infobloxthreatintel #infosec #pdns #phishing #malware #scam #dod
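The two Infoblox posts above describe lookalikes of three kinds: a hyphen variant (cdsi--simi vs cdsi-simi), letter swaps and doubled letters (wellsffrago), and confusable characters plus an appended word (wllesfrarqo-home). The following is an added example, not Infoblox's detection logic, of how a defender can screen newly observed domains against a list of protected brand domains for those patterns. The protected list is an assumption (cdsi-simi.com is the legitimate domain named in the post; wellsfargo.com is assumed to be the brand the wellsffrago and wllesfrarqo-home domains imitate), as are the confusable-character map and the distance budget; the candidate domains are the ones the posts list, written without the [.] defanging. Distance is optimal string alignment (Levenshtein plus adjacent transposition), so a swapped letter pair costs one edit rather than two.

```python
"""Lookalike-domain screening against protected brand domains.

Added example, not Infoblox's detection logic. PROTECTED, CONFUSABLES and the
distance budget are assumptions; candidates are the domains named in the posts.
"""

# Assumption: cdsi-simi.com is the legitimate domain named in the post;
# wellsfargo.com is the brand the wellsffrago / wllesfrarqo-home names imitate.
PROTECTED = ["cdsi-simi.com", "wellsfargo.com"]

# Visually confusable substitutions (assumed map; the q-for-g swap appears in
# wllesfrarqo-home above). Multi-character entries are applied first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("q", "g")]


def registrable_label(domain: str) -> str:
    """Label directly left of the suffix. Assumes a single-label suffix such as
    .com; a real deployment should consult the Public Suffix List instead."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Drop hyphens and fold confusable characters to their look-alike target."""
    s = label.replace("-", "")
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, and
    transposition of two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete a[i-1]
                          d[i][j - 1] + 1,          # insert b[j-1]
                          d[i - 1][j - 1] + cost)   # substitute
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]


def lookalike_hits(candidate: str, protected=PROTECTED):
    """Return (brand, reason, distance) for each protected domain the candidate
    resembles; reason is 'hyphen-variant' or 'typosquat'. The protected domain
    itself yields no hit."""
    label = registrable_label(candidate)
    hits = []
    for brand in protected:
        brand_label = registrable_label(brand)
        if label == brand_label:
            continue
        # Same letters, different hyphenation (cdsi--simi vs cdsi-simi).
        if label.replace("-", "") == brand_label.replace("-", ""):
            hits.append((brand, "hyphen-variant", 0))
            continue
        brand_norm = normalize(brand_label)
        budget = max(2, len(brand_norm) // 3)  # assumption: scale with brand length
        best = None
        # Compare the whole label and each hyphen-separated token, so that an
        # appended word (…-home) does not hide the imitated brand.
        for tok in [label] + label.split("-"):
            if len(tok) * 2 < len(brand_norm):
                continue  # too short to be a plausible imitation of this brand
            dist = osa_distance(normalize(tok), brand_norm)
            if best is None or dist < best:
                best = dist
        if best is not None and 0 < best <= budget:
            hits.append((brand, "typosquat", best))
    return hits


if __name__ == "__main__":
    for dom in ["cdsi--simi.com", "wellsffrago.com", "wllesfrarqo-home.com",
                "nahud.com", "cdsi-simi.com"]:
        print(f"{dom:24} {lookalike_hits(dom) or 'no match'}")
```

The distance budget is deliberately loose for long brand names and tight for short ones; expect to tune it, and to add an allow-list, before running this over a full day of newly registered domains, since short generic labels will otherwise produce noise.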

UK schools, stay safe online! The NCSC has launched PDNS for Schools, a free cybersecurity service to block malware, ransomware, and phishing attacks. Protect your network today. #Cybersecurity #Education #PDNS https://redteamnews.com/blue-team/introducing-pdns-for-schools-a-free-cybersecurity-solution-to-protect-uk-education
Introducing PDNS for Schools: A Free Cybersecurity Solution to Protect UK Education – Red-Team News

Dear Fediverse,

PowerDNS-Admin appears to be deprecated in favour of pda-next, which hasn't seen any work in nigh on a year. NixOS is keeping it limping along, but there are more and more cracks appearing.

Does anyone have a recommendation for an alternative web interface for administering PowerDNS?

#askfedi #powerdns #pdns

"#Ransomware #culprits who hit the #Indonesian #government #apologize and hand over the #EncryptionKey": The Register

"#BrainCipher, the group responsible for hacking Indonesia's temporary National Data Center (#PDNS) and disrupting the country's services, appears to have apologized for the act and released the encryption key to the government.

The key came in the form of a 54 KB ESXi file. Its validity has not yet been confirmed.

"To the people of Indonesia, we apologize for the impact this has had on everyone," the team said in a statement shared by the Singapore-based dark web intelligence firm #StealthMole.

In its statement, Brain Cipher stressed that it released the decryption tool of its own accord, without being prompted by law enforcement or any other agency. It nevertheless asked the public to show gratitude for its generous act, and provided an account where donations could be received."

https://www.theregister.com/2024/07/04/hackers_of_indonesian_government_apologize/

#prattohome #TheRegister

Ransomware scum who hit Indonesian government apologizes, hands over encryption key

Brain Cipher was never getting the $8 million it demanded anyway


"The #Indonesian government had no #backups of its #ransomware-hit data, because DR was only an option": The Register

"The audit, and the revelation that Indonesia had no backup plan, come in the aftermath of the ransomware attack on the country's temporary National Data Center (#PDNS), which occurred on June 20 and caused widespread disruption to digital services.
The data is being held #hostage for 131 billion rupiah (US$8 million). Minister of Communication and Information Budi Arie Setiadi told reporters the government has no intention of paying.

Authorities are instead attempting to decrypt the data."

Keep backup data isolated.

https://www.theregister.com/2024/07/01/indonesian_president_orders_datacenter_audit/

#prattohome #TheRegister

Indonesian government didn't have backups of ransomwared data, because DR was only an option

President has ordered a datacenter audit and made backups mandatory

Guys, #SAFEnet has opened a complaint channel for those affected by the attack on PDNS. Yep, for those who can't open the KIPK website, can't process a passport, and so on. Head over to https://bit.ly/AduanPDNS

#PDNS #indonesia @indonesia@a.gup.pe
PDNS Victim Complaint Form


Glad to see that Verisign plans ahead for a #DNSSEC algorithm rollover for the com. TLD. The plan is to discard algorithm 8 (RSA/SHA-256) and instead deploy algorithm 13 (ECDSA/SHA-256). Great to see the largest TLD on the planet moving towards algorithms with smaller key sizes.

I checked the #pdns database of my public resolvers. To give a comparison of the size reduction (and the reduction in DNS R/A potential):

com., signed with algorithm 8, returned close to 936 bytes of data.
nl., signed with algorithm 13, returns 289 bytes of data.

That is a reduction of ~70% in the response sizes involved in DNSSEC validation.

The rollover is to be expected on or around December 07. More on it in their blog.

#dns #tld #ddos

Verisign Will Help Strengthen Security with DNSSEC Algorithm Update - Verisign Blog

An important security enhancement will change the algorithm Verisign uses to sign top-level domains (TLDs) with Domain Name System Security Extensions (DNSSEC).


In case you missed it on the bird website: I've written a funky little Chrome plugin (other browsers coming soon) that will harvest your DNS requests out of your browser and fire them to an API, which in turn will log them in Elasticsearch. All local, but it could be turned into something much, much better.

I'm looking to go down the road of a crowd pDNS collection platform that respects privacy by doing as much as possible to separate you from your data: no email/phone-based accounts, submissions over a baked-in Tor client, and the ability to filter hosts out by keyword before anything is pushed to the API (this already exists: right click > options).

There is scope to write a couple of binary clients to pop a collector on your egress firewalls or even your Android device.

https://github.com/olihough86/pdnscollect

tags

#infosec #threatintel #github #help #dns #pdns #cybersecurity

GitHub - olihough86/pdnscollect: Browser extension and local listener PoC for collecting your own DNS data while browsing
