CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: 6.7 Medium (Confidence: Low)
EPSS: 0.957 High (Percentile: 99.4%)
Cybersecurity researchers have shed more light on a Chinese actor codenamed SecShow that has been observed conducting Domain Name System (DNS) probes on a global scale since at least June 2023.
The adversary, according to Infoblox security researchers Dr. Renée Burton and Dave Mitchell, operates from the China Education and Research Network (CERNET), a project funded by the Chinese government.
"These probes seek to find and measure DNS responses at open resolvers," they said in a report published last week. "The end goal of the SecShow operations is unknown, but the information that is gathered can be used for malicious activities and is only for the benefit of the actor."
That said, there is some evidence to suggest that it may have been linked to some kind of academic research related to "performing measurements using IP Address Spoofing Techniques on domains within secshow.net" modeled on the same approach as the Closed Resolver Project.
This, however, raises more questions than it answers, including when it comes to the full scope of the project, the purpose behind gathering the data, the choice of a generic Gmail address to collect feedback, and the overall lack of transparency.
Open resolvers refer to DNS servers that are capable of accepting and resolving domain names recursively for any party on the internet, making them ripe for exploitation by bad actors to initiate distributed denial-of-service (DDoS) attacks such as a DNS amplification attack.
At the heart of the probes is the use of CERNET nameservers to identify open DNS resolvers and calculate DNS responses. This entails sending a DNS query from an as-yet-undetermined origin to an open resolver, causing the SecShow-controlled nameserver to return a random IP address.
In an interesting twist, these nameservers are configured to return a new random IP address each time the query is made from a different open resolver, a behavior that triggers an amplification of queries by the Palo Alto Cortex Xpanse product.
"Cortex Xpanse treats the domain name in the DNS query as a URL and attempts to retrieve content from the random IP address for that domain name," the researchers explained. "Firewalls, including Palo Alto and Check Point, as well as other security devices, perform URL filtering when they receive the request from Cortex Xpanse."
This filtering step initiates a new DNS query for the domain, which causes the nameserver to return yet another random IP address, which in turn causes Cortex Xpanse to repeat the process, effectively turning a single SecShow query into an endless cycle of queries across networks.
It's important to note that some aspects of these scanning activities were previously disclosed by Dataplane.org and Unit 42 researchers over the past two months. The SecShow nameservers are no longer responsive as of mid-May 2024, although Burton said that they have observed the actor bring infrastructure up and down.
"At this time, there is little to no known impact on any customer networks due to Xpanse working as intended, beyond a minimal increase in DNS resolution activity to determine whether the domain in question is malicious," Palo Alto Networks told The Hacker News when reached for a comment.
"Xpanse has the capability to exclude specific domains and as new C2s are identified, Xpanse no longer scans them. We will continue to carefully monitor and add to the block list relevant domains as identified by researchers."
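The behaviour described above gives defenders a concrete signal to hunt for in their own resolver logs: a name whose A-record answer is different on practically every lookup, rather than rotating within a small pool the way a CDN does. The script below is an added example, not code from Infoblox, Palo Alto Networks or the article; the log format (epoch, client, qname, qtype, answer), the sample lines and the thresholds are constructed assumptions for the illustration. It goes slightly beyond the text by also aggregating per zone, so that many one-off probe subnames under a single parent domain still add up to one finding.

```python
"""Flag DNS names whose authoritative answers change on nearly every lookup.

Added example (not from the Infoblox report or the article). The log layout,
the sample lines and the thresholds below are assumptions for illustration.
"""
from collections import defaultdict
import ipaddress

# Constructed sample resolver log: "<epoch> <client> <qname> <qtype> <answer>".
# All addresses come from the RFC 5737 documentation ranges plus example.net's
# well-known address; the probe-*.measure.test names imitate a nameserver that
# hands out a fresh random address per query.
SAMPLE_LOG = """\
1715000001 10.0.0.5 www.example.net A 93.184.216.34
1715000002 10.0.0.6 www.example.net A 93.184.216.34
1715000003 10.0.0.5 probe-a.measure.test A 203.0.113.17
1715000004 10.0.0.7 probe-a.measure.test A 198.51.100.201
1715000005 10.0.0.8 probe-a.measure.test A 192.0.2.99
1715000006 10.0.0.9 probe-a.measure.test A 203.0.113.250
1715000007 10.0.0.5 cdn.example.org A 192.0.2.10
1715000008 10.0.0.6 cdn.example.org A 192.0.2.11
1715000009 10.0.0.7 cdn.example.org A 192.0.2.10
1715000010 10.0.0.5 probe-b.measure.test A 198.51.100.7
1715000011 10.0.0.9 probe-b.measure.test A 203.0.113.44
"""


def parse_log(text):
    """Yield (qname, qtype, answer) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, _client, qname, qtype, answer = parts
        try:
            ipaddress.ip_address(answer)  # drop lines whose answer is not an IP
        except ValueError:
            continue
        yield qname.lower().rstrip("."), qtype, answer


def zone_of(qname, labels=2):
    """Heuristic parent-zone key: the last `labels` labels of the name."""
    return ".".join(qname.split(".")[-labels:])


def answer_churn(records, by_zone=False):
    """Map each name (or zone) to (number of A lookups, distinct answer IPs)."""
    counts = defaultdict(int)
    seen = defaultdict(set)
    for qname, qtype, answer in records:
        if qtype != "A":
            continue
        key = zone_of(qname) if by_zone else qname
        counts[key] += 1
        seen[key].add(answer)
    return {k: (counts[k], len(seen[k])) for k in counts}


def flag_random_answer_domains(text, min_queries=3, min_unique_ratio=0.9,
                               by_zone=False):
    """Return names whose answers were (almost) all distinct across lookups.

    A CDN rotates among a small pool, so distinct/total stays well below 1.
    A server that returns a new random address per query, as the SecShow
    nameservers are described as doing, pushes the ratio to 1.0.
    """
    flagged = []
    for key, (total, distinct) in answer_churn(parse_log(text), by_zone).items():
        if total >= min_queries and distinct / total >= min_unique_ratio:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    print("per name:", flag_random_answer_domains(SAMPLE_LOG))
    print("per zone:", flag_random_answer_domains(SAMPLE_LOG, by_zone=True))
```

Run against a real resolver log, the per-name view catches a single heavily queried probe name, while the per-zone view catches a campaign that spreads its lookups across many short-lived subnames; tune `min_queries` upward on busy resolvers to keep CDN and round-robin names out of the result.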
SecShow is the second China-linked threat actor after Muddling Meerkat to perform large-scale DNS probing activities on the internet.
"Muddling Meerkat queries are designed to mix into global DNS traffic and [have] remained unnoticed for over four years, while Secshow queries are transparent encodings of IP addresses and measurement information," the researchers said.
The development comes as a financially motivated threat actor has been found advertising a new botnet service called Rebirth to help facilitate DDoS attacks.
The DDoS-as-a-Service (DaaS) botnet is "based on the Mirai malware family, and the operators advertise its services through Telegram and an online store (rebirthltd.mysellix[.]io)," the Sysdig Threat Research Team said in a recent analysis.
The cybersecurity firm said Rebirth (aka Vulcan) is primarily focused on the video gaming community, renting out the botnet to other actors at various price points to target game servers for financial gain. The earliest evidence of the botnet's use in the wild dates to 2019.
The cheapest plan, dubbed Rebirth Basic, costs $15, whereas the Premium, Advanced, and Diamond tiers cost $47, $55, and $73 respectively. There is also a Rebirth API ACCESS plan that's sold for $53.
The Rebirth malware supports functionality to launch DDoS attacks over TCP and UDP protocols, such as TCP ACK flood, TCP SYN flood, and UDP flood.
This is not the first time game servers have been targeted by DDoS botnets. In December 2022, Microsoft disclosed details of another botnet named MCCrash that's designed to target private Minecraft servers.
Then in May 2023, Akamai detailed a DDoS-for-hire botnet known as Dark Frost that has been observed launching DDoS attacks on gaming companies, game server hosting providers, online streamers, and even other gaming community members.
"With a botnet such as Rebirth, an individual is able to DDoS the game server or other players in a live game, either causing games to glitch and slow down or other players' connections to lag or crash," Sysdig said.
"This may be financially motivated for users of streaming services such as Twitch, whose business model relies on a streaming player gaining followers; this essentially provides a form of income through the monetization of a broken game."
The California-based company postulated that prospective customers of Rebirth could also be using it to carry out DDoS trolling (aka stresser trolling), wherein attacks are launched against gaming servers to disrupt the experience for legitimate players.
Attack chains distributing the malware involve the exploitation of known security flaws (e.g., CVE-2023-25717) to deploy a bash script that takes care of downloading and executing the DDoS botnet malware depending on the processor architecture.
The Telegram channel associated with Rebirth has since been erased to remove all old posts, with a message posted on May 30, 2024, saying "Soon we back [sic]." Nearly three hours later, they advertised a bulletproof hosting service called "bulletproof-hosting[.]xyz."
(The story was updated after publication to include responses from Infoblox and Palo Alto Networks.)