About sangupta

Palo Alto Networks has added a new detection for DNS Security called Subdomain Reputation which is available as part of Grayware Category.     What is Subdomain Reputation and why does it matter?   Cybercriminals often leverage subdomains of popular web hosting or dynamic domain name system (DDNS) services to host and distribute malicious content. This method provides attackers a cheaper alternative to register their own domains  and easily evade traditional security defenses with reputable domains of these hosting services.    Given the benefits of this method, attackers are increasingly using subdomains of apex public domains to carry out targeted attacks like phishing, malware distribution and command and control.  As of December, 2022, Palo Alto Networks observed an alarming number of malicious domains (4.8%), which are the subdomains of well-known web hosting services.    Case Study: Roaming Mantis Campaign   The Roaming Mantis campaign is a  SMS Phishing campaign targeting mobile users across the globe. Attackers used several subdomains of dynamic DNS services, such as duckdns[.]org,  to distribute malware and steal credentials. Reference: https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/   Free Robux Generator:   Roblox is an online gaming platform that allows users to purchase Roblox currency – called Robux – to access certain perks in the Roblox virtual world. Since the middle of December 2022, our detection system has identified over 3,000 subdomains of Blogspot being abused to serve phishing campaign scamming Roblox users with free Robux upon performing tasks like installing software, entering a contest to win money, or using a tool to monitor credit scores.   How does a detection engine with ML models help identify, detect and prevent attacks due to Subdomain Reputation?   Identifying malicious subdomains requires new methods compared to traditional malicious domain detection that leverage tools like WHOIS for domain level information like when and who registered the domain but lacks similar information at subdomain level. Palo Alto Network’s new subdomain detector focuses on subdomains of a half dozen public apex domains chosen for evaluation largely based on how often their subdomains are reported by our other detectors. It identifies an average of over 300 high-risk subdomains per day. On these subdomains, we use advanced ML-powered analytics like domain reputation, distribution of characters in domain name, web page behavior like redirection and so on that enables us to detect and block with  high confidence subdomains used for malicious purposes.    When will the Subdomain Reputation detection be available in DNS Security?   Subdomain Reputation detection is released under the DNS Grayware category, which is part of the PAN-OS 10.0 release. So, customers with PAN-OS 10.0 or later are able to benefit from this new detection through simple content update. Customers can sinkhole, block, or alert this new detection based on their policy for handling Grayware. The default action for the Grayware category is “block” on the different NGFW form factors and “sinkhole” on Prisma Access.    There are no configuration changes or actions required by customers unless there is a need to change the default action of Grayware category.    Below is the snippet of how subdomain reputation entries appear in the threat log of the firewall:     Read more about DNS.   ... View more

  By offering industry leading coverage across every major DNS-layer attack category, Palo Alto Networks’ DNS security service is the most comprehensive DNS security solution available. With our Pan-OS Nebula release, we expanded our coverage against the latest and most sophisticated DNS-layer threats  and introduced a number of industry-first detections for threats such as Compromised DNS Zone, Strategically Aged Domains, Wildcard DNS Abuse, CNAME Cloaking, and DNS Infiltration.   In this post, we’ll take a deeper look into the Compromised DNS zone and how we can protect our customers against it.     What is a Compromised DNS Zone and why do attackers use it?   When using domains as part of an attack campaign, attackers commonly purchase new apex domains from domain registrars. They then set up malicious contents on these newly purchased domains. However, this practice has several disadvantages. Newly registered domains usually don’t have the reputation that would allow them to pass through security defenses, or they may even have a bad reputation and can then be easily blocked by reputation based detectors. Most of these domains have random characters or meaningless words in their names. This is to reduce the cost as adversaries usually need to register many domains for their attack campaign. But using these random pattern domains can come off as  suspicious traffic behavior which can be easily detected.    To avoid detection, attackers have recently started to adopt a new technique called domain shadowing. Instead of registering new domains, attackers start to compromise legitimate domains and create malicious subdomains under them. This has rendered existing detection systems ineffective because the shadowed subdomains inherit the reputation of the compromised legitimate parent domains. This gives attackers the ability to create an unlimited number of malicious subdomains with meaningful words at absolutely no cost to them. These domains are then used to launch phishing and malware attacks to gain access to unsuspecting users’ information.  What does a Compromised DNS Zone attack look like?   The first step in a generic malicious exploitation campaign is to gather as much user traffic as possible. Common methods include various forms of spam and malicious advertising (malvertisement). In case of malvertisement, a user visiting a benign website could be automatically redirected to a malicious landing page. In case of a spam email, users usually need to click on a link to be redirected to a malicious landing page. The malicious landing page then would host a phishing page or an exploit kit like Angler, an exploit Kit could be used for various nefarious purposes, including ransomware, click fraud and keyloggers.   In the case of a campaign distributing the Angler Exploit Kit, shadowed domains were used as intermediary redirector nodes between the malicious landing page and the initial page visited by users. They were used for a short time and were hard to detect by traditional detection techniques due to their inherited benign reputation. Additionally, shadowed domains can be used to host the malicious phishing or landing pages themselves.   Attackers can compromise DNS zones by either stealing the zone owners' access credentials at registrars or DNS services managing their zone. Alternatively, attackers can compromise the DNS servers hosting the zone files directly.   Reference: Angler Exploit Kit Continues to Evade Detection: Over 90,000 Websites Compromised Understanding Angler Exploit Kit - Part 1: Exploit Kit Fundamentals Talos ShadowGate Take Down: Global Malvertising Campaign Thwarted Cisco Talos Thwarts Access to Massive International Exploit Kit   How does a detection engine with ML models help identify, detect and prevent attacks due to compromised sub-domains?   Existing solutions building on reputation engines are ineffective for shadowed domains, and identifying domains by tracking malicious campaigns is too slow and labor-intensive. To address issues with current industry detection techniques, we developed a fully automated machine learning pipeline building on properties of shadowed domains.   We train a machine learning model using a list of known shadowed domains and a large number of benign domains. We generate over three hundred features about candidate shadowed domains processing tens of terabytes of DNS record logs (passive DNS dataset) every day. Examples of subdomain-related features are IP deviations from the root domain, length and entropy of subdomain, and the popularity of the subdomain. Features related to attacker’s IP include average IP deviation of subdomains using this IP,  subdomains’ similarity to each other, and ratio of apex to subdomain counts. Features related to the compromised zone include the average IP count for subdomains, average number of days created after the root domain and the average length of the subdomains. Leveraging these features, our classifier can distinguish benign and compromised subdomains with high precision and recall. Figure-1   To understand the thought process that goes behind building these detection engines, let’s go through a real life example. As shown in figure-1, App-garden.com is the compromised legitimate domain. Attackers host ransomware on a shadowed domain aaa.app-garden.com. In order to redirect users’ traffic to the shadowed domain, attackers can either compromise other well-known websites or use malicious advertisements. By inspecting the profile of the shadowed domain, we find that app-garden.com has been registered since 2011 and it will not expire until 2022. And the data from Internet archive shows that app-garden.com has been active at least since 2013. Therefore, we have a strong confidence to consider app-garden as a legitimate domain. Motivated by our observations from real life cases, we design and implement the domain shadowing detector based on a few key observations.     Figure-2   First, the shadowed domains are usually deviated from their legitimate siblings. Attackers use their own infrastructure to serve malicious code or webpages. As a result the attacker's IP address is likely different from the victim’s IP address so we can observe this difference in the IP addresses used and possibly in their geolocation. Second, a further look into shadowed IP addresses reveals that many other shadowed domains under multiple different apex domains are hosted on the same IP. Obviously, shadowed domains in the same campaigns are correlated. Third, many of these subdomains will be activated around the same time serving in the same malicious campaign. And finally, subdomains generated by attackers often follow a similar pattern and are quite different from benign subdomains.   All these advanced analytics come together to ensure that only malicious compromised sub-domains are blocked in real time with high confidence. When will Compromised DNS Zone detection be available in DNS Security?   Compromised DNS Zone detection is released in real-time under the DNS Malware category which is part of the PAN-OS 10.0 release. So, customers with PAN-OS 10.0 or later are able to benefit from this new detection. They can sinkhole, block, or alert this detection based on their policy for handling Malware.    Read more TechDocs: DNS Security Analytics   ... View more

  As part of PAN-OS 10.0 release, Palo Alto Networks will be adding a new DNS Security category called AdTracking and its subcategory adtracking_cname_cloaking.    ACTION: Action may be required. Please consider impact in alignment with organization policies.   What is AdTracking?   AdTracking is a new category created for CNAME cloaking techniques introduced as part of DNS security service. CNAME cloaking allows website trackers to hide the origin of a script or cookie using CNAME records. This allows the tracker to receive and set cookies in the first-party context, circumventing protection the browser might have against third-party tracking. Attackers can leverage this technique to steal sensitive user information. Our new detection engine can detect cloaked FQDN and add it as part of the AdTracking category for security administrators to take appropriate action.    When will the AdTracking category be available in DNS Security? This category will be available as part of a content-update in the  PAN-OS 10.0 release . It will go live through the content update released the week of June 20th, 2022. The default policy action will be set to "Allow" and default log severity will be "Informational" under the anti-spyware profile. Administrators can choose policy actions associated with this category — including Block, Allow or Sinkhole. Palo Alto Networks best practices recommendation is to Sinkhole.    On 9.0 and 9.1 releases, AdTracking category support is not available and DNS requests to this category will be allowed. For categories supported in those PAN-OS releases, please refer to the following documentation on DNS Security .   Are there test domains for the new category? Yes.   test-adtracking.testpanw.com   test-cname-cloaking.testpanw.com     Additional Information: DNS Security Signature Categories   ... View more

DNS Security introduced a new detection to block malicious domains that abuse wildcard DNS records to create malicious subdomains with high reputation that attackers can use to hide.   As DNS Security (Domain Name System) traffic becomes increasingly more of a target for hackers, it is crucial that security vendors stay up to date on the latest threats to ensure their customers do not fall victim to DNS attacks. That is why Palo Alto Networks recently launched a new detection that captures malicious domains abusing wildcard DNS records in real time to help identify penetration activities as soon as possible.   Wildcard records facilitate DNS management in many constructive operations; however the flexibility of wildcard records also provides attackers with a variety of options for executing attacks with greater efficiency. Distinguishing between domains using wildcard records for benign and malicious purposes poses a nontrivial challenge. This is where our new detector comes into play to protect our customers by efficiently flagging domains that use wildcard DNS records for questionable or malicious activity.   What is Wildcard DNS Abuse? DNS maps names to addresses so that computers can communicate. The directions within the DNS exist largely in records where a specific FQDN (fully qualified domain name) is mapped to pieces of data, such as an IP address. As the name suggests, wildcard DNS records are an exception to this pattern. Wildcard DNS abuse allows many domain names to be mapped to the same data, therefore allowing attackers to easily direct users to malicious hosts via an infinite number of domain names.   In recent weeks, we have been running this detector and have identified over 4,000 domains abusing wildcard DNS for questionable purposes, including black hat SEO(search engine optimization) campaigns, or to promote sites related to gambling, phishing, adult content or questionable video streaming sites.   How do we detect Wildcard DNS Misuse? We leverage a large passive DNS data set to effectively identify domains using wildcard DNS records while this new detection uses mechanisms such as ML-powered domain analysis, DNS full-zone analysis, web content analysis (rate at which web page content changes) to identify abused wildcard records.     When will Detection of Wildcard DNS abuse be available in DNS Security? Detections of Wildcard DNS abuse are released in real time under the Grayware category which is a part of the PAN-OS 10.0 release. Customers can then allow, block or alert these detections based on their policy for handling Greyware. Customers with PAN-OS 10.0 or later are able to benefit from this new detection. To learn more about how the our security services can protect your network traffic from threats, sign up for:   Security Lifecycle Review:  A simple, free cyber threat assessment of potential exposure to ransomware attacks, breaches, threats and risk. Best Practice Assessment:  Maximize your security postur e.   Additional Information Palo Alto Networks: Disrupt DNS-Based Attacks Unit 42—Play Your Cards Right: Detecting Wildcard DNS Abuse   ... View more

  As DNS threats become more and more sophisticated, adversaries are identifying DNS as a key threat vector to successfully attack organizations. This is why with Palo Alto Networks’ cloud-delivered DNS security service, we are constantly identifying new threats to secure your DNS traffic. Our latest protection identifies domains that have been intentionally aged to bypass security vendors reputation checks. We call it Strategically Aged Domains. Palo Alto Networks’ DNS security service proactively identifies strategically aged domains based on traffic distribution, domain analysis and characteristics of the subdomain.   What is a Strategically Aged Domain?   It’s well known that Newly Registered Domains (NRD) are widely used for various malicious activities. At Palo Alto Networks, we have mechanisms in place like monitoring DNS zone files and passive DNS data to detect these emerging malicious domains before a patient zero web threat appears. However, it’s not enough to focus on threats behind NRD only as threat actors are coming up with advanced  ways to evade existing protections.     Strategically Aged Domains are domains that are registered in advance. The d omains are reserved and left dormant for months or even years before using them for attacking campaigns to bypass security vendor reputation checks. Sometimes, it will take longer to detect when malicious activity begins as these domains have developed a benign reputation over time. Thereby, attackers gain an advantage from using these strategically aged domains for their attacks.    For example, Advanced Persistent Threat (APT) malware can stay dormant for years so they are deemed as benign, but then suddenly activate and produce a large amount of exploiting traffic through their command and control (C2) domains. TheSolarWinds supply chain attack with SUNBURST trojan in December of 2020 utilized strategically aged domains along with domain generation algorithms (DGA) to bypass security controls and exfiltrate identities of the compromised hosts.    How Strategically Aged Domain Detection works?   Our advanced cloud-based DNS security service leverages below filters to identify potential attacks using strategically aged domains:   Traffic Pattern Classifiers to identify abnormal burst of traffic  ML-powered Domain Analysis to monitor domain statistics, activity during dormant state and traffic profile Subdomain DGA Detection to recognize any significant amount of emerging DGA sub-domain that could be used to exfiltrate the data out.    When will Strategically Aged Domain Detection be available in DNS Security?   Strategically Aged Domain detection results are released in real time under the DNS Grayware category which is part of the Pan-OS 10.0 release. Customers can then allow, block, or alert these detections based on their policy for handling Grayware. Customers with PAN-OS 10.0 or later are able to benefit from this new detection.   To learn more about how the DNS security service can protect your DNS traffic from threats, sign up for:     A Security Lifecycle Review - A simple, free cyber threat assessment of potential exposure to ransomware attacks, breaches, threats and risk Best Practice Assessment - Maximize your security posture   Additional Information Palo Alto Networks DNS Security:  Disrupt DNS-Based Attacks Unit 42: Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends Unit 42: SolarStorm Supply Chain Attack Timeline   ... View more