This article has been indexed from CircleID: Cybercrime
A Domain Name System (DNS) blackhole is essentially a DNS server that gives false results for domain names. Also known as a “sinkhole server,” an “Internet sinkhole,” or a “DNS sinkhole,” threat actors sometimes use DNS blackholes to redirect users to potentially harmful sites or pages.
Companies that wish to maintain utmost protection against threats probably prefer to steer clear of DNS blackholes. This post looks into why this is the case using the SideWinder attack as an example and presents one of Threat Intelligence Platform (TIP)’s new capabilities.
Case Study: SideWinder Attack
Advanced persistent threat (APT) group SideWinder was seen actively targeting various government and military organizations in South Asia since last year. Cybersecurity researchers published a comprehensive list of indicators of compromise (IoCs) related to their campaign, which we analyzed for the presence of DNS blackholes.
As you may already know, APTs can be present in a target network for extended periods without getting detected. Such may be the case for SideWinder targets who have yet to discover the threat’s presence in their infrastructure.
Our analysis revealed DNS blackholes among the published IoCs. This post shows how the Threat Intelligence Platform (TIP) helped us uncover them and what our findings mean.
Uncovering Malicious DNS Blackholes with Threat Intelligence Platform
While careful scrutiny of a domain’s mail exchanger (MX) record then looking it up on a DNS blackhole list can aid in detecting malicious DNS blackholes, the process is time-consuming and may not be sustainable. A tool like TIP can, however, ease this process, giving cybersecurity analysts more time to do other critical tasks.
We’ll illustrate how using the SideWinder IoCs identified by Trend Micro and IBM. Among them are 98 domains that we used as TIP as search terms. Of these, four were identified as DNS blackholes indicated by MX alerts on their TIP results.
[…]Read the original article: SideWinder DNS Blackholes Uncovered with Threat Intelligence Platform