THE GAME HAS CHANGED

Introducing Infoblox Universal DDI ManagementTM

Watch the launch to discover the new era of management for critical network services. Watch Now

Trending KB Articles

ThinkstockPhotos-511475207.jpg

DNS Beacons Connecting to Russian C2s

samanna
Adviser
Posts: 321
samanna

DNS Beacons Connecting to Russian C2s

Adviser ‎04-18-2023 09:14 PM - edited ‎04-19-2023 09:47 AM

KB Article #: 000008841 Apr 18, 2023Knowledge
 
Infoblox Threat Intelligence Advisory Alert: Newly Identified DNS Beacons Connecting to Russian C2s
 
Infoblox’s Threat Intelligence Group is the first to identify a set of beacons that exploit DNS to establish communications with C2 infrastructure located in Russia. The beacons have been active since at least April 2022 but are persistent, very low-profile, and hard to discover. While the attack vector is not known yet, the team believes that the bad actors are using a modified PuPy RAT (Remote Access Trojan), which allows the attacker to control the compromised device. While we are confident that the queries are a C2 communication, Infoblox is unable to verify the underlying cause. Infoblox is actively working with others across the security industry to understand the situation.

The team continues to research this threat and will publish more information next week. Follow us on social media to receive the full report (links below). We’re publishing these indicators such that organizations may take mitigating actions to prevent these C2 communications. We’ve identified the following C2 domains thus far: (please remove the [brackets] prior to loading URLs into a block list.  Brackets are used to ensure they are not clicked within this email)
 
  • claudfront[.]net
  • allowlisted[.]net
  • atlas-upd[.]com
  • ads-tm-glb[.]click
  • cbox4[.]ignorelist[.]com
  • hsdps[.]cc. 
As a specialized DNS based security vendor, Infoblox tracks adversary infrastructure and can see suspicious activity early in the threat lifecycle, when there is “intent to compromise '' and before the actual attack starts. Any indicators that are deemed suspicious are then included into Infoblox’s Suspicious domains feed to enable organizations to pre-emptively protect themselves from new and emerging threats. In this case, many of the Russian C2 domains were already discovered and included in the Suspicious domains feeds in BloxOne Threat Defense (Advanced) back in the fall of 2022. In addition to the Suspicious Domains feed, these domains have now been added to Infoblox’s anti-malware feed.

Infoblox recommends the following actions:
 

If you’re a BloxOne Threat Defense (Advanced) Customer

 
If you are a BloxOne Threat Defense (Essentials or Business On-premises) Customer
  • If you have applied the anti-malware feed to your RPZ policy configuration, the on-premise DNS servers will have already pulled the active data set including those indicators known to be related to this threat. If not, follow Infoblox recommendations to block with the suspicious domains and anti-malware feeds.  https://insights.infoblox.com/resources-deployment-guides/infoblox-deployment-guide-infoblox-dns-fir...
  • Validate security events generated by the on-premise DNS appliances via the Infoblox Reporting server
 
If you are a BloxOne Threat Defense (Business Cloud) Customer
 
If you are not a BloxOne Threat Defense Customer If you find these in your traffic or would like more information please contact your account manager or email threat.alert@infoblox.com.

Follow the story on social media for ongoing updates

Additional Resources:

Labels:
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended Discussions

Re: NIOS DDI DHCP migration

Re: Option 121, how to?

Re: RegreSSHion vulnerability (CVE-2024-6387)

Re: Is NIOS affected by these four new ISC BIND CVEs?

Is NIOS affected by these four new ISC BIND CVEs?