Domain Shadowing - DNS Compromise for Cybercrime


Cyber criminals compromise domain names in order to attack the domain owners or users directly, or to use them for nefarious ventures such as phishing, malware distribution, and command-and-control (C2) operations. A special case of DNS hijacking is known as domain shadowing: attackers covertly create malicious subdomains under compromised domain names.

Shadowed domains do not affect the normal operation of the compromised domains, which makes them difficult for the victims to detect. This inconspicuousness often lets the perpetrators exploit the good reputation of the compromised domain over a long period of time.

Popular attack path for cyber attacks

Current threat-research-based detection approaches are labor-intensive and slow: they rely on first spotting a malicious campaign that uses shadowed domains and only then searching across different datasets for related domains. To address this, Palo Alto Networks designed and implemented an automated pipeline that discovers shadowed domains faster, at scale, and for previously unknown campaigns.

The system processes terabytes of passive DNS logs daily to extract features about potential shadowed domains. Based on these features, a high-precision machine learning model identifies shadowed domain names. The model finds hundreds of shadowed domains created daily under dozens of compromised domain names.

Discover shadowed domains

To illustrate how difficult it is to detect shadowed domains, researchers at Palo Alto Networks found that of the 12,197 shadowed domains they automatically detected between April 25 and June 27, 2022, only 200 had been flagged as malicious by vendors on VirusTotal. One example is a detailed report on a phishing campaign that used 649 covert subdomains under 16 compromised domains, such as bancobpmmavfhxcc.barwonbluff.com[.]au and carriernhoousvz.brisbanegateway[.]com. The perpetrators took advantage of these domains' good reputation to distribute fake login pages and collect login credentials. The VirusTotal vendors did significantly better on this particular campaign, classifying 151 of the 649 shadowed domains as dangerous, but that is still less than a quarter of them.

How domain shadowing works

Cyber criminals use domain names for various illegal purposes, including communicating with C2 servers, spreading malware, fraud, and phishing. To support these activities, they can either buy domain names (malicious registration) or compromise existing ones (DNS hijacking). Ways criminals compromise a domain name include stealing the domain owner's credentials for the registrar or DNS service provider, compromising the registrar or DNS service provider itself, compromising the DNS server, or abusing dangling domains (DNS records that still point at resources the owner no longer controls).

Domain shadowing is a subcategory of DNS hijacking in which the attackers try to stay unnoticed. First, they covertly insert subdomains under the compromised domain name. Second, they keep the existing records so that websites, email servers, and other services using the compromised domain continue to operate normally. By keeping existing services running without interruption, the criminals make the compromise invisible to the domain owners and a cleanup of the malicious entries unlikely. As a result, domain shadowing gives attackers access to a practically unlimited number of subdomains that inherit the reputation of the compromised domain.

Attackers change DNS records of existing domain names

When attackers change the DNS records of existing domain names, they may be targeting the owners or users of those domain names. More often, however, criminals use shadowed domains as part of their infrastructure to support efforts such as general phishing campaigns or botnet operations. In phishing, a shadowed domain can serve as the initial domain in a phishing email, as an intermediate node in a malicious redirect (e.g. in a malicious traffic distribution system), or as the landing page hosting the phishing website. In botnet operations, a shadowed domain can be used as a proxy domain to obfuscate C2 communications.

How to recognize domain shadowing?

Threat-hunting-based approaches to shadowed domain detection have problems such as a lack of coverage, delayed detection, and the need for human labor. That is why Palo Alto Networks developed a detection pipeline that extracts features from passive DNS traffic logs (pDNS). These features were used to train a machine learning classifier, which forms the core of the detection pipeline.

Design approach for the machine learning classifier

The features fall into three groups: those related to the potential shadowed domain itself, those related to the root domain of the potential shadowed domain, and those related to the IP addresses of the potential shadowed domain.

The first group is specific to the shadow domain itself. Examples of these characteristics at the FQDN level are:

  • IP address deviation from the IP address of the root domain (and its country/autonomous system).
  • Difference between the date the subdomain was first seen and the date the root domain was first seen.
  • Whether the subdomain is popular.

The second set of features describes the root domain of the shadow domain candidate. Examples of these are:

  • The ratio of popular to all subdomains of the root domain.
  • The average IP offset of the subdomains.
  • The average number of days the subdomains are active.

The third set of characteristics relates to the shadow domain candidate IP addresses, for example:

  • The ratio of apex domains to FQDNs hosted on the IP.
  • The average IP country offset of the subdomains using this IP.
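The following script is an added example, not Unit 42's pipeline or code. It computes the three feature groups listed above over a small constructed passive DNS sample built around the record behaviour described in "How domain shadowing works": the apex and its legitimate subdomains keep resolving as before, while the injected subdomains live elsewhere. The record layout, the miniature public-suffix stand-in, the popularity cut-off and the closing threshold rule (a stand-in for the trained classifier, which the article does not disclose) are all assumptions made for the illustration.

```python
"""Shadowed-domain feature extraction over passive DNS (pDNS) records.
Added illustration, not Unit 42's pipeline; record layout, suffix stand-in,
popularity cut-off and the final rule are assumptions."""
from collections import defaultdict, namedtuple
from datetime import date
from statistics import mean

MULTI_LABEL_SUFFIXES = {"com.au", "co.uk"}  # assumed stand-in for the Public Suffix List
POPULAR_QUERIES = 500  # assumed popularity cut-off (queries seen in the sample window)
# Assumed pDNS layout: one aggregated row per (name, IP) resolution pair.
PdnsRecord = namedtuple("PdnsRecord", "fqdn ip asn country first_seen last_seen queries")


def apex_of(fqdn):
    """Registrable (root) domain of an FQDN under the suffix stand-in."""
    labels = fqdn.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def extract_features(records):
    by_fqdn = defaultdict(list)
    for r in records:
        by_fqdn[r.fqdn.lower()].append(r)
    # Profile of every apex seen directly in pDNS: where and since when it lives.
    apex_profile = {}
    for fqdn, recs in by_fqdn.items():
        if apex_of(fqdn) == fqdn:
            apex_profile[fqdn] = {"ips": {r.ip for r in recs}, "asns": {r.asn for r in recs},
                                  "countries": {r.country for r in recs},
                                  "first_seen": min(r.first_seen for r in recs)}
    # Group 1: per-subdomain features, measured against the apex profile.
    fqdn_feats = {}
    for fqdn, recs in by_fqdn.items():
        apex = apex_of(fqdn)
        if fqdn == apex or apex not in apex_profile:
            continue
        p, first = apex_profile[apex], min(r.first_seen for r in recs)
        fqdn_feats[fqdn] = {
            "apex": apex, "ips": {r.ip for r in recs},
            "ip_offset": float(not any(r.ip in p["ips"] for r in recs)),
            "asn_offset": float(not any(r.asn in p["asns"] for r in recs)),
            "country_offset": float(not any(r.country in p["countries"] for r in recs)),
            "first_seen_gap_days": (first - p["first_seen"]).days,
            "active_days": (max(r.last_seen for r in recs) - first).days + 1,
            "popular": sum(r.queries for r in recs) >= POPULAR_QUERIES,
        }
    # Group 2: per-apex aggregates over its subdomains.
    subs_by_apex = defaultdict(list)
    for f in fqdn_feats.values():
        subs_by_apex[f["apex"]].append(f)
    apex_feats = {apex: {"popular_ratio": mean(float(s["popular"]) for s in subs),
                         "avg_ip_offset": mean(s["ip_offset"] for s in subs),
                         "avg_active_days": mean(s["active_days"] for s in subs)}
                  for apex, subs in subs_by_apex.items()}
    # Group 3: per-IP aggregates over every FQDN (apex or subdomain) on that IP.
    fqdns_on_ip = defaultdict(set)
    for r in records:
        fqdns_on_ip[r.ip].add(r.fqdn.lower())
    ip_feats = {}
    for ip, fqdns in fqdns_on_ip.items():
        subs = [fqdn_feats[f] for f in fqdns if f in fqdn_feats]
        ip_feats[ip] = {"apex_to_fqdn_ratio": len({apex_of(f) for f in fqdns}) / len(fqdns),
                        "avg_country_offset": mean(s["country_offset"] for s in subs) if subs else 0.0}
    return fqdn_feats, apex_feats, ip_feats


def shadow_candidates(records):
    """Assumed threshold rule standing in for the trained classifier."""
    fqdn_feats, apex_feats, ip_feats = extract_features(records)
    flagged = []
    for fqdn, f in sorted(fqdn_feats.items()):
        # Hosted away from its apex (IP and ASN), first seen long after it, unpopular
        # although the apex has popular subdomains, on an IP whose subdomains mostly
        # sit in a different country than their apexes.
        hot_ip = any(ip_feats[ip]["avg_country_offset"] > 0.5 for ip in f["ips"])
        if (f["ip_offset"] and f["asn_offset"] and f["first_seen_gap_days"] >= 365
                and not f["popular"] and apex_feats[f["apex"]]["popular_ratio"] > 0 and hot_ip):
            flagged.append(fqdn)
    return flagged


# Constructed sample (RFC 5737 addresses, documentation ASNs); the two random-looking
# subdomains mirror the ones named in the campaign above.
SAMPLE = [
    PdnsRecord("barwonbluff.com.au", "203.0.113.10", 64496, "AU", date(2015, 3, 1), date(2022, 6, 27), 5000),
    PdnsRecord("www.barwonbluff.com.au", "203.0.113.10", 64496, "AU", date(2015, 3, 2), date(2022, 6, 27), 4000),
    PdnsRecord("mail.barwonbluff.com.au", "203.0.113.11", 64496, "AU", date(2015, 3, 2), date(2022, 6, 27), 1500),
    PdnsRecord("bancobpmmavfhxcc.barwonbluff.com.au", "198.51.100.7", 64500, "NL", date(2022, 5, 10), date(2022, 5, 14), 40),
    PdnsRecord("brisbanegateway.com", "192.0.2.20", 64496, "AU", date(2012, 8, 15), date(2022, 6, 27), 3000),
    PdnsRecord("www.brisbanegateway.com", "192.0.2.20", 64496, "AU", date(2012, 8, 16), date(2022, 6, 27), 2500),
    PdnsRecord("carriernhoousvz.brisbanegateway.com", "198.51.100.7", 64500, "NL", date(2022, 5, 11), date(2022, 5, 15), 25),
]

if __name__ == "__main__":
    for fqdn in shadow_candidates(SAMPLE):
        print("shadowed-domain candidate:", fqdn)
```

The sample includes a legitimate mail host on a different IP than its apex, which the IP-offset feature alone would flag; it survives because it shares the apex's ASN, appeared a day after the apex, and is popular. That is the point of combining the three groups rather than alerting on any single deviation, and it is why the real pipeline feeds them to a classifier instead of a hand-written rule like the one here.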

Conclusion

Cyber criminals use shadowed domains for various illegal activities including phishing and botnet operations. Shadowed domains are hard to spot: VirusTotal's vendors cover less than two percent of them. Since traditional threat-research-based approaches are too slow and miss the majority of shadowed domains, an automated detection system based on pDNS data is recommended. A high-precision detector based on machine learning processes terabytes of DNS logs and discovers hundreds of shadowed domains every day.

More at PaloAltoNetworks.com

 


About Palo Alto Networks

Palo Alto Networks, the global leader in cybersecurity solutions, is shaping the cloud-based future with technologies that transform the way people and businesses work. Our mission is to be the preferred cybersecurity partner and protect our digital way of life. We help you address the world's biggest security challenges with continuous innovation leveraging the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are the leaders in protecting tens of thousands of businesses across clouds, networks and mobile devices. Our vision is a world where every day is safer than the one before.


 
