Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/7/2017
05:33 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

RIG Exploit Kit Takedown Sheds Light on Domain Shadowing

Threat actors hid tens of thousands of shadow domains behind legitimate domains to carry out malicious activity.

A coordinated effort to disrupt activities related to the RIG Exploit Kit has once again revealed how extensively threat actors abuse legitimate domains and websites to build the operational infrastructure for their criminal campaigns.

Researchers from RSA Security, domain registrar GoDaddy, and several other organizations worked together to recently take down over 40,000 active shadow domain resources that were being used as infrastructure for the RIG EK.

The campaign has resulted in a complete cessation of activity related to EITEST and PseudoDarkleech, two major RIG EK campaigns for distributing banking Trojans, ransomware, and other malware, says Alex Cox, director of RSA Research. "But it remains to be seen how that will affect the RIG ecosystem as a whole," he says.

Domain shadowing refers to the tactic by threat actors to create malicious subdomains behind a legitimate domain using credentials stolen from the domain registrant. Organizations often do not notice the activity because domain registrant accounts are rarely used or checked once the initial domain registration is completed. Criminals employ the technique to hide malware-laden pages and exploit kits behind legitimate domains, making it hard for defenders to spot and eradicate them.

"Domain shadowing is extremely effective because it allows malicious subdomains to leverage the good reputation of the parent domain, and thus bypass reputation based filters," says Shimon Modi, director of product at security intelligence sharing company TruStar Technology.

In the case of the RIG Exploit Kit, the threat actors used the shadow domains they created to host RIG landing pages. Most victims were directed to the landing pages from previously compromised websites injected with iframes. The landing pages were designed to inspect and exploit incoming client systems and to install a diverse set of malicious payloads on them.

The more than 40,000 RIG EK-related subdomains that RSA and the others succeeded in shutting down affected over 800 legitimate domains, many of them registered with GoDaddy. Most of the subdomains were being served out of near bulletproof hosting providers based in Eastern Europe. The hosting providers often had enough legitimate traffic not to be obvious candidates for blacklisting.

"A common way for defenders to attack these systems is to provide proof of malicious activities to the hosting providers, so they will suspend the systems," Cox says. Criminals understand that and deliberately seek out hosting providers that are willing to go along with or are negligent about the activity. "They’ll re-use these hosts until the defenders pinpoint them and then they’ll move onto others," Cox says.

An inspection of the DNS records associated with each of the shadow domains in the RIG Exploit Kit infrastructure showed that most of them were up for barely five to 10 days before being deleted. The duration for which they were actually used was likely closer to 24 and 48 hours according to RSA. Threat actors often rapidly rotate shadow domain to make it even harder for defender to get them.

There is little that was common among the compromised domains and most of them were likely just victims of opportunistic phishing and malware campaigns to steal login credentials to domain registrant accounts, Cox says.

The domain shadowing issue is a challenging problem to solve with 100% effectiveness, Modi says. "But a mix of block [and] tackle techniques and anomaly detection can help in detecting and preventing domain abuse," he says.

In order to ensure their domains are not being abused, organizations should make sure to monitor for unusual numbers of changes to DNS records, block bad IP address from their ISPs DNS systems and check for subdomains that have unusual alphanumeric character patterns, Modi says.

"Monitor organizational DNS records looking for unauthorized changes or additions on a regular, and preferably automated basis," adds Cox.  

Related content:

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
DHorse2
50%
50%
DHorse2,
User Rank: Strategist
9/2/2019 | 9:21:36 PM
A solutions question.
Hi Mr. Vijayan. Your article led me to read a few others as I was puzzled. QUOTE: "The domain shadowing issue is a challenging problem to solve with 100% effectiveness, Modi says. "But a mix of block [and] tackle techniques and anomaly detection can help in detecting and preventing domain abuse," he says." END QUOTE. Yet you and your peers point out how limited that is. Heuristics seemed to the most effective. I use DDNS illegitimately BTW. MITIGATION MAYBE? Two step auth is widely accepted and would be needed. Which the industry could not coerce everyone to use I imagine. Yikes. Even then you would need to constrain changing contact information in creative ways to avoid costs and address a global simple system tweak. Even that isn't strictly required if you carefully watch domains where the two step contact info changed. If you got cooperation. Would you?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20907
PUBLISHED: 2020-07-13
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
CVE-2020-14174
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5....
CVE-2019-20901
PUBLISHED: 2020-07-13
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
CVE-2019-20898
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
CVE-2019-20899
PUBLISHED: 2020-07-13
The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.