
Microsoft Seizes Domains Used by a Chinese Hacking Group


Microsoft said it has seized control of servers that a China-based hacking group was using to compromise targets that align with that country’s geopolitical interests.

The hacking group, which Microsoft has dubbed Nickel, has been in Microsoft’s sights since at least 2016, and the software company has been tracking the now-disrupted intelligence-gathering campaign since 2019. The attacks—against government agencies, think tanks, and human rights organizations in the US and 28 other countries—were “highly sophisticated,” Microsoft said, and used a variety of techniques, including exploiting vulnerabilities in software that targets had yet to patch.

Down but Not Out

Late last week, Microsoft sought a court order to seize websites Nickel was using to compromise targets. The US District Court for the Eastern District of Virginia granted the motion and unsealed the order on Monday. With control of Nickel’s infrastructure, Microsoft will now “sinkhole” the traffic, meaning it’s diverted away from Nickel’s servers and to Microsoft-operated servers, which can neutralize the threat and allow Microsoft to obtain intelligence about how the group and its software work.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Tom Burt, the company’s corporate vice president of customer security and trust, wrote in a blog post. “Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”

Targeted organizations included those in both the private and public sectors, including diplomatic entities and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. Often, there was a correlation between the targets and geopolitical interests in China.

Targeted organizations were located in other countries including Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech…


Microsoft calls blockchain domains ‘the next big threat’


“The next big threat” is how Microsoft’s latest annual security report characterizes domain names written into a distributed ledger maintained across a constellation of computers instead of stored in a traditional, centralized registry.

Storing domain names on a blockchain can make them difficult to shut down or even trace to their owners. It also leaves them inaccessible without special software or settings.

“In recent years, we have observed blockchain domains integrated into cybercriminal infrastructure and operations,” the report says, nodding to Microsoft’s experience last spring disrupting a botnet called Necurs.

That botnet used a domain-generation algorithm (DGA) to create new hosts in bulk—including under the .bit blockchain top-level domain—leaving them unable to be policed like a .com or other standards-compliant domain.

The potential for abuse led a group called OpenNIC, which promotes alternatives to the traditional domain-name system, to vote in 2019 to block the .bit domain lest the organization be “directly responsible for the creation of a whole new class of malware.”

Adds Microsoft’s report: “This trend of threats leveraging blockchain domains as infrastructure with the means to create an undisputable criminal network should be taken seriously.”

Can’t stop ’em

Among proponents of a decentralized internet, meanwhile, you’ll see a common response to the critique that blockchain domains can’t be taken down: Yes, that’s correct.

As the sales pitch on the homepage of one blockchain-domain registrar, Unstoppable Domains, reads: “Unlike traditional domains, Unstoppable Domains are fully owned and controlled by the user with zero renewal fees ever (you buy it once, you own it for life!).”

It quotes one-time registration fees ranging from $20 to $100 under such blockchain top-level domains as .crypto, .wallet, .coin, .888 and .x, although costs can escalate dramatically for shorter, more memorable domains. For example, potomacriver.x would cost $100 versus $7,500 for potomac.x.

Over email, Unstoppable Domains CEO Matthew Gould rejected the idea that his San Francisco-based company is an irresponsible actor. He noted the company’s…


LockFile Ransomware Encrypting Domains Via Exchange Hack


A new ransomware operator is taking over Windows domains on networks around the world after exploiting a chain of Microsoft Exchange server vulnerabilities called ProxyShell.

The LockFile ransomware gang has taken advantage of the Microsoft Exchange ProxyShell and Windows PetitPotam vulnerabilities to hijack Windows domains and encrypt devices, security researcher Kevin Beaumont reported Saturday. More technical details were recently disclosed on the ProxyShell flaws, which allowed security researchers and threat actors to reproduce the exploit, BleepingComputer said.

“These vulnerabilities are worse than ProxyLogon, the Exchange vulnerabilities revealed in March – they are more exploitable, and organizations largely haven’t patched,” Beaumont wrote in a blog post. “They are pre-authenticated (no password required) remote code execution vulnerabilities, which is as serious as they come.”


Microsoft didn’t immediately respond to a CRN request for comment Monday. The Redmond, Wash.-based software giant told CRN Friday that customers who’ve applied the latest Microsoft updates are already protected against the ProxyShell vulnerabilities.

When breaching a network, adversaries like LockFile will first access the on-premises Microsoft Exchange server using the ProxyShell flaws. From there, LockFile uses the incompletely patched PetitPotam vulnerability to gain access to the domain controller and then spread across the network, Symantec reported Friday. Once hackers control the Windows domain, it’s easy for them to deploy ransomware.

LockFile was first observed on the network of a U.S. financial organization on July 20, with its latest activity seen as recently as Friday, Symantec wrote in a blog post. Victims of LockFile are primarily based in the United States and Asia, and can be found in verticals such as manufacturing, financial services, engineering, legal, business services, and travel and tourism, according to Symantec.

“New surge in Microsoft Exchange server exploitation underway,” Rob Joyce, director of cybersecurity at the National Security Agency (NSA), wrote…


DOJ Seizes Domains, Claiming They Pushed Iranian Disinformation; Should Raise 1st Amendment Concerns

For about a decade now we’ve been questioning why the government is allowed to seize domains over claims of illegal behavior happening on a website. It seems to us that seizing a website is the equivalent of seizing a printing press or books — both of which would be deemed clear 1st Amendment violations. Unfortunately, even when those seizures have proven to be for made-up reasons, no one has been able to challenge the underlying ability of the government to seize domains. And now it seems to happen all the time. And even if you believe the websites in question are doing something bad, seizing the websites is problematic.

The latest such case is the Justice Department announcing that it had seized a bunch of domains pushing disinformation on behalf of Iran’s Islamic Revolutionary Guard Corps.

The United States has seized 92 domain names that were unlawfully used by Iran’s Islamic Revolutionary Guard Corps (IRGC) to engage in a global disinformation campaign, announced the Department of Justice.

According to the seizure documents, four of the domains purported to be genuine news outlets but were actually controlled by the IRGC and targeted the United States for the spread of Iranian propaganda to influence United States domestic and foreign policy in violation of the Foreign Agents Registration Act (FARA), and the remainder spread Iranian propaganda to other parts of the world. In addition, the seizure documents describe how all 92 domains were being used in violation of U.S. sanctions targeting both the Government of Iran and the IRGC.

According to reporter Kevin Collier, who used the Wayback Machine to check out some of these sites, they seemed like mostly junk with little US social media presence.

Even so, and even if we’re concerned about foreign disinformation campaigns targeting the US, it still makes me nervous when the US government feels that it can just go in and seize entire domains. It strikes me as the thing that can create blowback as well. The US has certainly been involved in foreign propaganda as well — and would we want foreign governments seizing the assets of, say, Voice of America?

Techdirt.