Cyber Security News — Past 24 hours | 16.05.2021

TsuNAME Vulnerability Allows DoS Attacks Against DNS Servers

A team of researchers has recently shared insights into the TsuNAME vulnerability, which puts DNS servers at risk. As they observed, exploiting the vulnerability potentially allows an adversary to conduct denial-of-service (DoS) attacks against target servers. Explaining the details of TsuNAME in a research paper, the researchers stated that the vulnerability affects DNS servers because of cyclic dependencies. This error arises from misconfigured nameserver (NS) records, which define the authoritative servers for a domain.

Under normal circumstances, NS records let a DNS resolver fetch results by pointing it to the authoritative servers. However, if two delegations in NS records point to each other, a misconfiguration occurs, and the resolver fails to find the authoritative server and the IP address. That is where the TsuNAME flaw resides. Upon encountering a cyclic dependency in the NS records, the DNS resolver begins to loop, eventually producing a DoS condition. Exploiting TsuNAME allows an adversary to conduct DDoS attacks against top-level domains (TLDs) and authoritative DNS servers. Alongside the research paper, the researchers have also shared the details of the vulnerability on a dedicated web page.

Following their report, Google and Cisco — two prominent public DNS resolver developers — addressed the bug. NLnetLabs and PowerDNS also responded to the matter in their advisories. However, the vulnerability still affects older resolver software. For that reason, the researchers have also publicly released “CycleHunter”, a tool that authoritative server operators can use to detect and remove cyclic dependencies in DNS zones. The tool is available on GitHub. The researchers have also released a detailed advisory on TsuNAME with recommended mitigations for all resolver operators.
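To make the cyclic-dependency condition concrete, the following is an added example (not CycleHunter and not the researchers' code) that checks a set of delegations for the kind of NS cycle described above. It works on a constructed in-memory table of zone-to-nameserver delegations rather than live DNS; the zone names and the two helper functions are assumptions made for the example. It distinguishes a zone that merely touches a cycle from a zone whose every nameserver depends on the cycle, which is the case a resolver cannot get out of.

```python
"""Detect cyclic NS dependencies in delegation data.

Added example; not the TsuNAME researchers' CycleHunter tool.
Input is a constructed table: zone -> NS hostnames from the parent's NS records.
"""

# Constructed sample. example.com. and example.net. delegate to each other
# (the TsuNAME pattern); good.org. has an in-zone NS (glue) and is fine;
# partial.example. touches the cycle but also has a resolvable NS.
DELEGATIONS = {
    "example.com.": ["ns1.example.net."],
    "example.net.": ["ns1.example.com."],
    "good.org.": ["ns1.good.org.", "ns2.provider.test."],
    "provider.test.": ["a.provider.test."],
    "partial.example.": ["ns1.example.net.", "ns1.good.org."],
}


def parent_zone(name, zones):
    """Return the zone in `zones` that hostname `name` falls under (longest suffix), or None."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None  # hostname lives outside the data we have; assumed resolvable


def build_dependency_graph(delegations):
    """Edge zone -> dep means resolving zone's NS names requires resolving dep first.

    An NS name inside the zone itself is served by glue at the parent, so it
    creates no dependency edge.
    """
    graph = {zone: set() for zone in delegations}
    for zone, nameservers in delegations.items():
        for ns in nameservers:
            dep = parent_zone(ns, delegations)
            if dep is not None and dep != zone:
                graph[zone].add(dep)
    return graph


def find_cycles(graph):
    """Depth-first search; returns each cycle once as a list of zone names."""
    cycles = []
    state = {}   # zone -> "visiting" or "done"
    stack = []   # current DFS path

    def visit(node):
        state[node] = "visiting"
        stack.append(node)
        for nxt in sorted(graph.get(node, ())):
            if nxt not in state:
                visit(nxt)
            elif state[nxt] == "visiting":
                cycles.append(stack[stack.index(nxt):])  # back edge closes a cycle
        stack.pop()
        state[node] = "done"

    for node in sorted(graph):
        if node not in state:
            visit(node)
    return cycles


def unresolvable_zones(delegations):
    """Zones with no nameserver a resolver can ever reach (every NS depends on the cycle).

    Fixpoint: a zone is resolvable if at least one NS is in-zone (glue),
    outside our data, or under a zone already known to be resolvable.
    """
    resolvable = set()
    changed = True
    while changed:
        changed = False
        for zone, nameservers in delegations.items():
            if zone in resolvable:
                continue
            for ns in nameservers:
                dep = parent_zone(ns, delegations)
                if dep is None or dep == zone or dep in resolvable:
                    resolvable.add(zone)
                    changed = True
                    break
    return sorted(set(delegations) - resolvable)


if __name__ == "__main__":
    print("cycles:", find_cycles(build_dependency_graph(DELEGATIONS)))
    print("unresolvable:", unresolvable_zones(DELEGATIONS))
```

On the constructed data the DFS reports one cycle, example.com. and example.net., and the fixpoint marks exactly those two zones as unresolvable; partial.example. is not listed because its second NS sits in good.org., which has glue. An operator running a check like this over real zone data would treat the unresolvable list as the urgent fix and the bare cycle list as a warning.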

Source —

FingerprintJS experts devised a fingerprinting technique, named scheme flooding, that could allow identifying users across different desktop browsers, including the Tor Browser.

FingerprintJS experts devised a new fingerprinting technique, named scheme flooding, that could allow identifying users while browsing websites using different desktop browsers, including the Tor Browser.

The technique allows profiling users while they visit websites with an ordinary browser, such as Safari, Chrome, or Firefox, and identifying their online activity even when they attempt to protect their anonymity using the Tor Browser. Scheme flooding leverages custom URL schemes to determine which applications a user has installed. An attacker could exploit the scheme flooding vulnerability to generate a 32-bit cross-browser device identifier by testing for the presence of 32 popular applications on the visitor’s system.

The experts pointed out that analysing the list of applications installed on a device can reveal the user’s habits and other information such as occupation and age. The experts could check whether an application is installed using built-in custom URL scheme handlers; for example, entering skype:// in the browser’s address bar makes it possible to check whether Skype is installed. Even though most browsers implement safety mechanisms to prevent such abuse, a combination of CORS policies and browser window features can be used to bypass them.

The experts successfully tested the technique on Chrome 90 (Windows 10, macOS Big Sur), Firefox 88.0.1 (Ubuntu 20.04, Windows 10, macOS Big Sur), Safari 14.1 (macOS Big Sur), Tor Browser 10.0.16 (Ubuntu 20.04, Windows 10, macOS Big Sur), Brave 1.24.84 (Windows 10, macOS Big Sur), Yandex Browser 21.3.0 (Windows 10, macOS Big Sur), and Microsoft Edge 90 (Windows 10, macOS Big Sur). Opera was not tested. “The exact steps to make the scheme flooding vulnerability possible may vary by browser, but the end result is the same. Getting a unique array of bits associated with a visitor’s identity is not only possible, but can be used on malicious websites in practice. Even Tor Browser can be effectively exploited by tricking a user into typing one character per application we want to test,” the experts conclude.

Source —

Magecart Hackers Now hide PHP-Based Backdoor In Website Favicons

«These web shells known as Smilodon or Megalodon are used to dynamically load JavaScript skimming code via server-side requests into online stores,» Malwarebytes’ Jérôme Segura said in a Thursday write-up. While skimmer injection typically works by making a client-side request to an external JavaScript resource hosted on an attacker-controlled domain when a customer visits the online store in question, the latest attack is a little different in that the skimmer code is introduced into the merchant site dynamically on the server side. Skimming has become so prevalent and lucrative a practice that the Lazarus Group, a collective of state-sponsored hackers affiliated with North Korea, attacked websites that accept cryptocurrency payments with malicious JavaScript sniffers to steal bitcoins and ether in a new campaign called «BTC Changer» that started early last year.
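The defensive takeaway from a PHP backdoor hidden in a favicon is that image files on a web root should never contain a PHP open tag, and their leading bytes should match their extension. The following is an added example (not Malwarebytes’ code and not tied to the Smilodon/Megalodon samples) of a small integrity scan that walks a directory, checks every image-named file for the expected magic bytes, and reports any PHP open tag it finds. The sample files it creates are constructed in a temporary directory and contain only a harmless marker comment; the file names and the magic-byte table are assumptions for the example.

```python
"""Scan image-named files under a web root for embedded PHP tags and wrong magic bytes.

Added example for triage; not a malware signature and not Malwarebytes' tooling.
"""
import os
import re
import tempfile

# PHP open tags: "<?php" (word boundary) or the short echo tag "<?=".
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Expected leading bytes per extension (constructed table, common formats only).
MAGIC = {
    ".ico": b"\x00\x00\x01\x00",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
}


def inspect_image(path):
    """Return findings for one image-named file: 'magic-mismatch' and/or 'php-open-tag@<offset>'."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append("magic-mismatch")
    for match in PHP_TAG.finditer(data):
        findings.append(f"php-open-tag@{match.start()}")
    return findings


def scan_tree(root):
    """Walk `root`; return {relative path: findings} for image-named files with at least one finding."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in MAGIC:
                continue
            full = os.path.join(dirpath, name)
            findings = inspect_image(full)
            if findings:
                hits[os.path.relpath(full, root)] = findings
    return hits


def build_sample_tree():
    """Create constructed sample files in a temp dir and return its path.

    favicon.ico            clean ICO header plus padding
    media/icons/favicon.ico same clean bytes with a PHP tag appended (the hidden-backdoor shape)
    media/logo.png         no PNG header at all, just a PHP tag
    The PHP content is an empty comment; it is a marker, not a payload.
    """
    root = tempfile.mkdtemp(prefix="favscan-")
    clean = MAGIC[".ico"] + b"\x01\x00" + b"\x00" * 32   # 38 bytes in total
    with open(os.path.join(root, "favicon.ico"), "wb") as fh:
        fh.write(clean)
    os.makedirs(os.path.join(root, "media", "icons"))
    with open(os.path.join(root, "media", "icons", "favicon.ico"), "wb") as fh:
        fh.write(clean + b"<?php /* constructed marker, not a real payload */ ?>")
    with open(os.path.join(root, "media", "logo.png"), "wb") as fh:
        fh.write(b"<?php /* constructed marker */ ?>")
    return root


if __name__ == "__main__":
    for rel, findings in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, findings)
```

Two caveats for real use: binary pixel data can contain the bytes `<?` by chance, so a hit is a triage item rather than proof of compromise, and the scan only matters if something on the server can execute the file, so pairing it with a check of the PHP sources for `include`/`require` of image paths, and with a web-server rule that refuses to execute anything under the media directories, closes the loop.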

Source —

Pakistan-Linked Hackers Added New Windows Malware to Its Arsenal

The attacks have been linked to a group called Transparent Tribe, also known as Operation C-Major, APT36, and Mythic Leopard, which has created fraudulent domains mimicking legitimate Indian military and defense organizations, and other fake domains posing as file-sharing sites to host malicious artifacts. «While military and defense personnel continue to be the group’s primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting,» researchers from Cisco Talos said on Thursday. «While CrimsonRAT remains the group’s staple Windows implant, their development and distribution of ObliqueRAT in early 2020 indicates they are rapidly expanding their Windows malware arsenal». In expanding its victimology, switching up its malware arsenal, and designing convincing lures, the threat actor has exhibited a clear willingness to lend its operations a veneer of legitimacy in hopes that doing so would increase the likelihood of success.

«Transparent Tribe’s tactics, techniques, and procedures have remained largely unchanged since 2020, but the group continues to implement new lures into its operational toolkit,» the researchers said. «The variety of maldoc lures Transparent Tribe employs indicates the group still relies on social engineering as a core component of its operations».

Source —

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT
