Chinese Actor SecShow Conducts Massive DNS Probing on Global Scale

Cybersecurity researchers have shed more light on a Chinese actor codenamed SecShow that has been observed conducting Domain Name System (DNS) probing on a global scale since at least June 2023.

The adversary, according to Infoblox security researchers Dr. Renée Burton and Dave Mitchell, operates from the China Education and Research Network (CERNET), a project funded by the Chinese government.

“These probes seek to find and measure DNS responses at open resolvers,” they said in a report published last week. “The end goal of the SecShow operations is unknown, but the information that is gathered can be used for malicious activities and is only for the benefit of the actor.”

That said, there is some evidence to suggest that it may have been linked to some kind of academic research related to “performing measurements using IP Address Spoofing Techniques on domains within secshow.net” using the same technique as the Closed Resolver Project.

This, however, raises more questions than it answers – including when it comes to the full scope of the project, the purpose behind gathering the data, the choice of a generic Gmail address to collect feedback, and the overall lack of transparency.

Open resolvers refer to DNS servers that are capable of accepting and resolving domain names recursively for any party on the internet, making them ripe for exploitation by bad actors to initiate distributed denial-of-service (DDoS) attacks such as a DNS amplification attack.

At the heart of the probes is the use of CERNET nameservers to identify open DNS resolvers and calculate DNS responses. This entails sending a DNS query from an as-yet-undetermined origin to an open resolver, causing the SecShow-controlled nameserver to return a random IP address.

In an interesting twist, these nameservers are configured to return a new random IP address each time the query is made from a different open resolver, a behavior that triggers an amplification of queries by the Palo Alto Cortex Xpanse product.

“Cortex Xpanse treats the domain name in the DNS query as a URL and attempts to retrieve content from the random IP address for that domain name,” the researchers explained. “Firewalls, including Palo Alto and Check Point, as well as other security devices, perform URL filtering when they receive the request from Cortex Xpanse.”

This filtering step initiates a new DNS query for the domain that causes the nameserver to return a different random IP address.
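The behavior described above has a detectable footprint from the defender's side: when many vantage points query the same name and the authoritative server hands each of them a fresh, unrelated address, the answer set for that name grows as fast as the number of observations and is scattered across unrelated prefixes, whereas a legitimately load-balanced or CDN-fronted name varies within a small, clustered set. The following is an added example, not code from Infoblox, Palo Alto or the article; the record format (`resolver qname answer`), the domain names and all addresses are constructed for illustration, with the "random" answers drawn from the reserved 100.64.0.0/10 range so that no real host is named.

```python
"""Flag names whose authoritative answers churn like the probe nameservers
described above: one fresh, unrelated IP per querying resolver.

Added example. Input is a constructed passive-DNS style log with one
record per line: "<resolver_ip> <qname> <answer_ip>", as a defender might
assemble from several recursive resolvers or sensors.
"""
from collections import defaultdict
import ipaddress

# Constructed sample records (not real data). The first name receives a
# different answer from every resolver, each in a different /16; the
# second behaves like a small round-robin pool; the third is static.
SAMPLE_RECORDS = """\
198.51.100.10 probe.example-measure.test 100.64.3.1
198.51.100.11 probe.example-measure.test 100.77.200.9
198.51.100.12 probe.example-measure.test 100.90.15.22
198.51.100.13 probe.example-measure.test 100.101.8.4
198.51.100.14 probe.example-measure.test 100.115.250.1
198.51.100.15 probe.example-measure.test 100.126.33.7
198.51.100.10 www.cdn-example.test 203.0.113.10
198.51.100.11 www.cdn-example.test 203.0.113.11
198.51.100.12 www.cdn-example.test 203.0.113.12
198.51.100.13 www.cdn-example.test 203.0.113.10
198.51.100.14 www.cdn-example.test 203.0.113.11
198.51.100.15 www.cdn-example.test 203.0.113.12
198.51.100.10 static.example.test 192.0.2.50
198.51.100.11 static.example.test 192.0.2.50
"""


def parse_records(text):
    """Parse whitespace-separated records into (resolver, qname, answer) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        resolver, qname, answer = line.split()
        records.append((resolver, qname.lower().rstrip("."), ipaddress.ip_address(answer)))
    return records


def churn_stats(records):
    """Per qname: how many observations, how many distinct answers, and how
    many distinct /16 prefixes those answers fall into."""
    answers_by_name = defaultdict(list)
    for _resolver, qname, answer in records:
        answers_by_name[qname].append(answer)

    stats = {}
    for qname, answers in answers_by_name.items():
        distinct = set(answers)
        # Collapse each answer to its /16 so clustered pools count once.
        prefixes = {ipaddress.ip_network(f"{a}/16", strict=False) for a in distinct}
        stats[qname] = {
            "observations": len(answers),
            "distinct_answers": len(distinct),
            "distinct_prefixes": len(prefixes),
        }
    return stats


def flag_random_answer_names(stats, min_obs=5, churn_ratio=0.8, min_prefixes=4):
    """Return qnames whose answers look random: nearly every observation is a
    new address (distinct/observations >= churn_ratio) and the addresses are
    spread over at least min_prefixes unrelated /16s. Thresholds are
    heuristics chosen for this example, not published indicators."""
    flagged = []
    for qname, s in stats.items():
        if s["observations"] < min_obs:
            continue  # too few vantage points to judge
        ratio = s["distinct_answers"] / s["observations"]
        if ratio >= churn_ratio and s["distinct_prefixes"] >= min_prefixes:
            flagged.append(qname)
    return sorted(flagged)


if __name__ == "__main__":
    stats = churn_stats(parse_records(SAMPLE_RECORDS))
    for name, s in sorted(stats.items()):
        print(f"{name:32} obs={s['observations']} distinct={s['distinct_answers']} "
              f"prefixes={s['distinct_prefixes']}")
    print("flagged:", flag_random_answer_names(stats))
```

The prefix check is what separates a probe-style nameserver from ordinary DNS load balancing: a round-robin pool or a CDN produces several answers, but they cluster in one or a few prefixes and repeat across resolvers, so the churn ratio stays low. Geo-DNS with many regional pools can still trip the heuristic, so a flagged name is a triage lead (check who operates the zone and whether anything in your estate fetched content from those addresses), not a verdict on its own.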

It’s important to note that some aspects of these scanning activities were previously disclosed by Dataplane.org and Unit 42 researchers over the past two months. The SecShow nameservers are no longer responsive as of mid-May 2024.

SecShow is the second China-linked threat actor after Muddling Meerkat to perform large-scale DNS probing activities on the internet.

“Muddling Meerkat queries are designed to mix into global DNS traffic and [have] remained unnoticed for over four years, while Secshow queries are transparent encodings of IP addresses and measurement information,” the researchers said.

Rebirth Botnet Offers DDoS Services

The development comes as a financially motivated threat actor has been found advertising a new botnet service called Rebirth to help facilitate DDoS attacks.

The DDoS-as-a-Service (DaaS) botnet is “based on the Mirai malware family, and the operators advertise its services through Telegram and an online store (rebirthltd.mysellix[.]io),” the Sysdig Threat Research Team said in a recent analysis.

The cybersecurity firm said Rebirth (aka Vulcan) is primarily focused on the video gaming community, renting out the botnet to other actors at various price points to target game servers for financial gain. The earliest evidence of the botnet’s use in the wild dates to 2019.

The cheapest plan, dubbed Rebirth Basic, costs $15, whereas the Premium, Advanced, and Diamond tiers cost $47, $55, and $73 respectively. There is also a Rebirth API ACCESS plan that’s sold for $53.

The Rebirth malware supports functionality to launch DDoS attacks over TCP and UDP protocols, such as TCP ACK flood, TCP SYN flood, and UDP flood.

This is not the first time game servers have been targeted by DDoS botnets. In December 2022, Microsoft disclosed details of another botnet named MCCrash that’s designed to target private Minecraft servers.

Then in May 2023, Akamai detailed a DDoS-for-hire botnet known as Dark Frost that has been observed launching DDoS attacks on gaming companies, game server hosting providers, online streamers, and even other gaming community members.

“With a botnet such as Rebirth, an individual is able to DDoS the game server or other players in a live game, either causing games to glitch and slow down or other players’ connections to lag or crash,” Sysdig said.

“This may be financially motivated for users of streaming services such as Twitch, whose business model relies on a streaming player gaining followers; this essentially provides a form of income through the monetization of a broken game.”

The California-based company postulated that prospective customers of Rebirth could also be using it to carry out DDoS trolling (aka stresser trolling), wherein attacks are launched against gaming servers to disrupt the experience for legitimate players.

Attack chains distributing the malware involve the exploitation of known security flaws (e.g., CVE-2023-25717) to deploy a bash script that takes care of downloading and executing the DDoS botnet malware depending on the processor architecture.

The Telegram channel associated with Rebirth has since been erased to remove all old posts, with a message posted on May 30, 2024, saying “Soon we back [sic].” Nearly three hours later, they advertised a bulletproof hosting service called “bulletproof-hosting[.]xyz.”
