KB Article #: 000008841 Apr 18, 2023•Knowledge
Infoblox Threat Intelligence Advisory Alert: Newly Identified DNS Beacons Connecting to Russian C2s
Infoblox’s Threat Intelligence Group is the first to identify a set of beacons that exploit DNS to establish communications with C2 infrastructure located in Russia. The beacons have been active since at least April 2022 but are persistent, very low-profile, and hard to discover. While the attack vector is not known yet, the team believes that the bad actors are using a modified PuPy RAT (Remote Access Trojan), which allows the attacker to control the compromised device. While we are confident that the queries are a C2 communication, Infoblox is unable to verify the underlying cause. Infoblox is actively working with others across the security industry to understand the situation.
The team continues to research this threat and will publish more information next week. Follow us on social media to receive the full report (links below). We’re publishing these indicators such that organizations may take mitigating actions to prevent these C2 communications. We’ve identified the following C2 domains thus far: (please remove the [brackets] prior to loading URLs into a block list. Brackets are used to ensure they are not clicked within this email)
Infoblox recommends the following actions:
The team continues to research this threat and will publish more information next week. Follow us on social media to receive the full report (links below). We’re publishing these indicators such that organizations may take mitigating actions to prevent these C2 communications. We’ve identified the following C2 domains thus far: (please remove the [brackets] prior to loading URLs into a block list. Brackets are used to ensure they are not clicked within this email)
- claudfront[.]net
- allowlisted[.]net
- atlas-upd[.]com
- ads-tm-glb[.]click
- cbox4[.]ignorelist[.]com
- hsdps[.]cc.
Infoblox recommends the following actions:
If you’re a BloxOne Threat Defense (Advanced) Customer
- If you have applied the Suspicious domains feed and the anti-malware feed to your security policy, you are already protected. If not, follow Infoblox recommendations to block on suspicious domains and anti-malware feeds. https://docs.infoblox.com/space/BloxOneThreatDefense/35403288/Adding+Policy+Rules+and+Setting+Preced.... We continue to monitor for more indicators that will be added to the suspicious domains feed.
- Ensure you are syncing NIOS IPAM metadata with DNS if you have configured Data Connector. This will enable operations teams to quickly identify those assets that may be attempting to interact with the adversary infrastructure https://insights.infoblox.com/resources-deployment-guides/infoblox-deployment-guide-data-connector#p...
https://insights.infoblox.com/resources-deployment-guides/infoblox-deployment-guide-collecting-ipam-... - Check the Security Activity report in the Cloud Services Portal (CSP) to access details of affected assets and events related to this threat.
If you are a BloxOne Threat Defense (Essentials or Business On-premises) Customer
- If you have applied the anti-malware feed to your RPZ policy configuration, the on-premise DNS servers will have already pulled the active data set including those indicators known to be related to this threat. If not, follow Infoblox recommendations to block with the suspicious domains and anti-malware feeds. https://insights.infoblox.com/resources-deployment-guides/infoblox-deployment-guide-infoblox-dns-fir...
- Validate security events generated by the on-premise DNS appliances via the Infoblox Reporting server
If you are a BloxOne Threat Defense (Business Cloud) Customer
Follow the story on social media for ongoing updates
- If you have applied the anti-malware feed as part of the BloxOne Threat Defense policy you are already protected. If not, follow Infoblox recommendations to block using the anti-malware feed. https://docs.infoblox.com/space/BloxOneThreatDefense/35403288/Adding+Policy+Rules+and+Setting+Preced...
- Check the Security Activity report in the Cloud Services Portal (CSP) to access details of affected assets and events related to this threat.
If you are not a BloxOne Threat Defense Customer
- If you have our RPZ/DNS Firewall capability, create policies to block resolution of the domains listed above. https://docs.infoblox.com/space/nios90/154704908/Testing+RPZ+Feed+Rules. If not, please follow these guidelines to manually add these malicious domains to your block list. NOTE: as new indicators are identified you will need to manually add these additional domains to mitigate the threat. https://docs.infoblox.com/space/nios90/154704768/Configuring+Local+RPZs
Follow the story on social media for ongoing updates
- Mastodon (Updates from Renée Burton, Sr. Director of Threat Intelligence at Infoblox)
Additional Resources:
