Severity
High
Analysis Summary
Since at least June 2023, a Chinese actor tracked by researchers as SecShow has been conducting Domain Name System (DNS) probing operations worldwide. According to the researchers, the actor operates from within the China Education and Research Network (CERNET), a government-funded network.
The report reads, “The end goal of the SecShow operations is unknown, but the information that is gathered can be used for malicious activities and is only for the benefit of the actor.”
The probes locate open resolvers and measure the DNS answers they return. There is some evidence that the activity is connected to an academic study: it uses the same methodology as the Closed Resolver Project, taking measurements with IP address spoofing against domains under secshow[.]net. Rather than settling the matter, however, this raises further questions about the project's full scope, the rationale for the data collection, the choice of a generic Gmail address as the point of contact, and the general lack of transparency.
Open resolvers are DNS servers that accept and recursively resolve queries from any host on the internet, which makes them ready tools for distributed denial-of-service (DDoS) attacks such as DNS amplification. The core of the probes is the use of CERNET nameservers to locate open DNS resolvers and measure their responses: an open resolver receives a DNS query from an unknown (spoofed) origin, recurses to the SecShow-controlled nameserver, and that nameserver answers with a random IP address.
In their report, released last week, the researchers state that Palo Alto's Cortex Xpanse product amplifies these queries because of the unusual configuration of the SecShow nameservers, which return a different random IP address each time a query arrives from a different open resolver. Cortex Xpanse treats the domain name in the DNS query as a URL and tries to fetch content from the random IP address the name resolved to. When a security device such as a firewall sees that request from Cortex Xpanse, it applies URL filtering, which itself looks up the domain.
That lookup makes the nameserver hand out yet another random IP address for the same domain, and Cortex Xpanse repeats the process, so a single SecShow query turns into a loop of queries that crosses networks. Researchers had already disclosed parts of this scanning activity over the preceding two months. As of mid-May 2024, the SecShow nameservers are no longer reachable.
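The probe and the amplification loop described above rest on two observable properties: a resolver that recurses for an outside client (a reply with QR and RA set, NOERROR and an answer), and a nameserver that returns a different A record for the same name on every query. The Python below is an example added here, not code from the advisory or from the researchers. It builds the RD=1 query such a probe sends, parses the reply at wire level (including compressed names, with a hop cap so a hostile reply cannot loop the parser), and flags both properties. Every reply is constructed by make_response(); no live traffic is involved, and the name xk3q9.secshow.net and the addresses are made-up fixtures.

```python
"""DNS wire-format helpers: build an RD=1 query, parse the reply, decide whether
a resolver recursed for an outside client, and spot the 'same name, different
address every time' pattern described above. Every reply used here is built by
make_response(); nothing is captured SecShow traffic."""
from __future__ import annotations
import socket
import struct

RD_FLAG, QR_FLAG, RA_FLAG, RCODE_MASK = 0x0100, 0x8000, 0x0080, 0x000F
A_RECORD, IN_CLASS = 1, 1

def encode_name(qname: str) -> bytes:
    """'abc.example' -> length-prefixed labels plus the root byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """One A query with RD set: the shape an open-resolver probe sends."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)

def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name -> (name, offset after it). Pointer
    hops are capped so a hostile reply cannot make the parser loop forever."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                     # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_response(msg: bytes) -> dict:
    """Header flags plus the A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the echoed question
        _, off = read_name(msg, off)
        off += 4                                    # qtype + qclass
    a_records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            a_records.append((name, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return {"txid": txid, "qr": bool(flags & QR_FLAG), "ra": bool(flags & RA_FLAG),
            "rcode": flags & RCODE_MASK, "a_records": a_records}

def is_open_resolver(resp: dict) -> bool:
    """QR and RA set, NOERROR and an answer, in a reply to a client the server
    does not serve, means it recursed on that client's behalf: an open resolver."""
    return resp["qr"] and resp["ra"] and resp["rcode"] == 0 and bool(resp["a_records"])

def answer_churn(responses: list[bytes]) -> dict[str, set[str]]:
    """Addresses seen per name across many replies; a name answered with a
    different address on every query is the SecShow nameserver signature."""
    seen: dict[str, set[str]] = {}
    for raw in responses:
        for name, ip in parse_response(raw)["a_records"]:
            seen.setdefault(name, set()).add(ip)
    return seen

def make_response(qname: str, ip: str, txid: int = 0x1234, ra: bool = True) -> bytes:
    """Constructed reply (fixture, not a capture): echoes the question and adds
    one A record whose owner name is a pointer to the question at offset 12."""
    flags = QR_FLAG | RD_FLAG | (RA_FLAG if ra else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 60, 4) + socket.inet_aton(ip)
    return header + build_query(qname, txid)[12:] + rr

if __name__ == "__main__":
    # Three constructed replies for one name, each carrying a different random
    # address (what the SecShow nameservers do), and one with RA clear.
    name = "xk3q9.secshow.net"
    replies = [make_response(name, ip) for ip in ("203.0.113.7", "198.51.100.42", "192.0.2.99")]
    print("open resolver:", is_open_resolver(parse_response(replies[0])))
    print("RA clear:", is_open_resolver(parse_response(make_response(name, "10.0.0.1", ra=False))))
    print("addresses per name:", answer_churn(replies))
```

To audit a resolver of your own, replace make_response() with a UDP send of build_query() to port 53 and feed the datagram to parse_response(), and send that query from an address the resolver is not supposed to serve: a reply with RA set to an internal client proves nothing about openness. Only test resolvers you are authorised to test.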
Xpanse is currently functioning as expected, so there is little to no known impact on customer networks beyond a slight increase in DNS resolution activity while it checks whether the domain in question is malicious. Xpanse can exclude specific domains, and it stops scanning newly discovered C2s. Researchers have identified the relevant domains, which will continue to be monitored closely and added to the block list.
After Muddling Meerkat, SecShow is the second China-linked threat actor found conducting large-scale DNS probing on the internet. The disclosure coincides with the discovery of a financially motivated threat actor advertising Rebirth, a new botnet service built to carry out DDoS attacks. The DDoS-as-a-Service (DaaS) botnet is based on the Mirai malware family, and its operators advertise it through Telegram and an online store.
Impact
- Exposure of Sensitive Data
- Cyber Espionage
- Denial of Service
Indicators of Compromise
Domain Name
- secshow.online
- secshow.net
- secdns.site
- prey.fit
- attacker.fit
- nameserver.fit
- victim.fit
- savme.xyz
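Searching resolver logs for the indicators above is only reliable if the match is done properly: case-insensitively, ignoring a trailing dot, and on label boundaries, so that a name such as notsecshow.net does not hit secshow.net the way a naive suffix check would. The Python below is an example added here, not tooling from the advisory. Its log lines are constructed to resemble BIND query-log output and are not real data; the regular expression is an assumption to adjust for the format your resolver actually writes.

```python
"""Match resolver query-log lines against the SecShow indicator domains.
SAMPLE_LOG is constructed to resemble BIND 'queries' channel output; it is
not data from the advisory, and QUERY_RE is an assumption to adjust for the
resolver you actually run."""
from __future__ import annotations
import re
from collections import defaultdict

# Indicator domains from the advisory, normalised: lowercase, no trailing dot.
SECSHOW_DOMAINS = frozenset({
    "secshow.online", "secshow.net", "secdns.site", "prey.fit",
    "attacker.fit", "nameserver.fit", "victim.fit", "savme.xyz",
})

# Constructed sample lines (clients, names and addresses are made up).
SAMPLE_LOG = """\
11-Jun-2024 10:02:13.001 client @0x7f 192.0.2.10#53211 (xk3q9.secshow.net): query: xk3q9.secshow.net IN A +E(0) (10.0.0.53)
11-Jun-2024 10:02:13.120 client @0x7f 192.0.2.10#53212 (www.example.com): query: www.example.com IN A + (10.0.0.53)
11-Jun-2024 10:02:14.009 client @0x7f 192.0.2.11#44100 (notsecshow.net): query: notsecshow.net IN A + (10.0.0.53)
11-Jun-2024 10:02:15.555 client @0x7f 192.0.2.10#53213 (A1B2.VICTIM.FIT.): query: A1B2.VICTIM.FIT. IN A + (10.0.0.53)
11-Jun-2024 10:02:16.200 client @0x7f 198.51.100.5#6000 (secshow.net): query: secshow.net IN NS + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"client .*?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ \(.*?\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def normalise(qname: str) -> str:
    """Case-fold and drop the trailing dot so 'A.VICTIM.FIT.' equals 'a.victim.fit'."""
    return qname.rstrip(".").lower()

def matching_indicator(qname: str, indicators: frozenset[str] = SECSHOW_DOMAINS) -> str | None:
    """Return the indicator that qname equals or sits under. Matching walks
    label boundaries, so 'notsecshow.net' is not a hit for 'secshow.net' the
    way a plain endswith() check would make it."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

def scan_log(text: str) -> dict[str, list[tuple[str, str, str]]]:
    """Source client -> list of (qname, qtype, matched indicator) hits."""
    hits: dict[str, list[tuple[str, str, str]]] = defaultdict(list)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m is None:
            continue
        ioc = matching_indicator(m["qname"])
        if ioc is not None:
            hits[m["src"]].append((normalise(m["qname"]), m["qtype"], ioc))
    return dict(hits)

if __name__ == "__main__":
    for client, rows in scan_log(SAMPLE_LOG).items():
        for qname, qtype, ioc in rows:
            print(f"{client} asked {qtype} {qname} (indicator: {ioc})")
```

Grouping hits by source client is deliberate: in this campaign the interesting question is which of your hosts or resolvers is being used as a relay, and one internal client repeatedly asking for random labels under these domains is a stronger signal than a single lookup.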
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data helps ensure that you do not lose critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.