The recently discovered campaign sends stolen data out of the network as part of a DNS query.
A new credential-theft attack campaign is using DNS to exfiltrate data. The campaign, which uses an illicit SSH client to gather the credentials, sends the purloined data to a pair of command-and-control (C2) servers.
Researchers at Alert Logic have found activity from this campaign dating back to August 9. In the attack, the malicious SSH client captures login credentials and sends the data to the C2 server as part of a DNS query, not likely to be automatically stopped by standard network protection systems.
According to the blog post announcing the discovery, the attack's hashes are not yet recognized by standard endpoint protection packages. The researcher recommends blocking all traffic to 164[.]132[.]181[.]85 and 194[.]99[.]23[.]199. to protect against the campaign.
For more, read here.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "'It Saved Our Community': 16 Realistic Ransomware Defenses for Cities."
About the Author(s)
You May Also Like
Guarding the Cloud: Top 5 Cloud Security Hacks and How You Can Avoid Them
April 4, 2024Cybersecurity Strategies for Small and Med Sized Businesses
April 11, 2024Defending Against Today's Threat Landscape with MDR
April 18, 2024Securing Code in the Age of AI
April 24, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024Black Hat Asia - April 16-19 - Learn More
April 16, 2024