Security

From Dedicated to Compromised Domains: The Shift in Adversaries' MO to Deliver Exploit Kit Attacks

By Dhia Mahjoub
Posted on June 19, 2014
Updated on July 24, 2020


Earlier this year, we covered the results of a 5-month study (November 2013 to February 2014) on tracking Nuclear Exploit kit domains from a hosting IP infrastructure perspective [1]. We discussed the evasive methods of the bad actors and their abuse of hosting providers, and we elaborated on methods to predictively identify and block IP infrastructures set up by adversaries to deliver Exploit kit attacks. Since then, several elements of the bad actors' MO have changed.
In this blog, we discuss some results of a subsequent 5-month study we conducted between February and June 2014. Earlier brief results were discussed at BSides Raleigh 2013 [2] (slides 27 and 28), and we then shared preliminary results of the new study at the ISOI13 conference in March [3]. This work is still ongoing and we will cover more details at BlackHat [4] and VirusBulletin [5].
For this study, we designed a system to preemptively and effectively detect malicious subdomains injected under compromised domains (particularly GoDaddy domains) and to track their IP infrastructure. The phenomenon of compromised GoDaddy domains serving malware has been around for at least 2 years [6]. The compromise can happen through at least two methods: hijacking GoDaddy accounts or injecting malicious redirection scripts into vulnerable GoDaddy websites. Once the compromise succeeds, subdomains (third-level domains) are injected under the GoDaddy domains (second-level domains), and these subdomains resolve to malicious sites.

Most Abused ASNs

We have been monitoring this threat for the past 5 months (February to June 2014) and observed that the subdomains resolve to IPs serving Exploit kit attacks (typically Nuclear [7][8] and Angler [9][10]) and also browser-based ransomware. We recorded several hundred IPs hosting these malicious subdomains over the period of the study.
The top 5 abused ASNs are:

  • 16276 OVH SAS
  • 24961 myLoc managed IT AG
  • 15003 Nobis Technology Group, LLC
  • 41853 LLC NTCOM
  • 20473 Choopa, LLC

AS16276, which is OVH, hosted 18% of the total malicious IPs. In this specific case, as the abuse of OVH had been exposed since last year and up until February 2014 (particularly for hosting Nuclear Exploit domains [11]), bad actors changed their MO: they switched temporarily to other hosting providers and started using recycled IPs (not reserved exclusively for Exploit domains). Additionally, OVH took action by suspending rogue accounts.
However, by monitoring the compromised domains’ campaigns, we observed that OVH was still being abused by bad actors to host malicious content. These are the general changes in the bad actors’ MO that we observed:

  • From a domain perspective, for a while bad actors had been abusing various ccTLDs (e.g. .pw, .in.net, .ru) facilitated by rogue or victim registrars and resellers. They then supplemented that approach with compromised domains, particularly GoDaddy domains, under which they inject subdomains to host Exploit kit landing URLs and browlock (browser locker) pages. (Note that using compromised domains for attacks goes further back for other, unrelated campaigns.)
  • From an IP perspective, bad actors used to bring the attack hosting IPs online in contiguous chunks; they then started bringing them up in randomized sets or one IP at a time.
  • Another notable fact is that bad actors used to abuse OVH Canada (whose IP space is registered with ARIN), where rogue customers reserved small re-assigned ranges (/27, /28, /29, etc.). By consulting the ARIN Rwhois database, it was possible to correlate the rogue customers with the IP ranges they reserved and therefore predict and block the IP infrastructures they set up for Exploit kit attacks. As the adversaries changed their MO, this method became less effective in tracking them.
  • The shift became clear when they started to use ranges in OVH’s European IP space (registered with RIPE) more frequently, as well as other European providers. Typically, we saw small gaming hosting providers being abused, among other platforms.

Additionally, although the standard geolocation of OVH European IP space maps to France (FR), the attack IP ranges were reserved from OVH’s server pools in various European countries (France, Belgium, Italy, UK, Ireland, Spain, Portugal, Germany, Netherlands, Finland, Czech Republic, and Russia).
This clearly shows that the adversaries are diversifying their hosting assets, which gives them redundancy and evasive capabilities. Note also that the RIPE region has stricter data protection laws, so it is more difficult to obtain information about customers; this could explain the shift in hosting infrastructure by the bad actors.
More generally, we list a few of the small-scale hosting providers involved in hosting the attack subdomains. These providers could be abused, complicit with the bad actors, or simply lax about the maliciousness of the content they host. Note that the rogue providers among them will often switch prefixes, dropping dirty ones and reserving new ones from the backbone providers they are attached to.
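The two IP-level signals discussed above (which ASNs carry the attack IPs, and whether those IPs come online as contiguous chunks that point at a small re-assigned range) can be computed directly from the (IP, ASN) observations a passive DNS tracker collects. The following is an added example, not code from the original study; the observations are constructed placeholder values (IPv4 only), with the ASNs taken from the post.

```python
import ipaddress
from collections import Counter

# Constructed sample of (hosting IP, ASN) observations, in the shape a passive
# DNS tracker would record for injected subdomains. Placeholder values, not
# data from the original study; the ASNs are the ones named in the post.
OBSERVED = [
    ("198.51.100.32", 16276), ("198.51.100.33", 16276),
    ("198.51.100.34", 16276), ("198.51.100.35", 16276),
    ("203.0.113.7", 24961), ("203.0.113.9", 24961),
    ("203.0.113.200", 15003),
    ("192.0.2.10", 20473), ("192.0.2.11", 20473),
    ("192.0.2.77", 41853),
]

def asn_share(observed):
    """Distinct malicious IPs per ASN as (asn, count, percent), largest first."""
    distinct = list(dict.fromkeys(observed))          # dedupe, keep order
    per_asn = Counter(asn for _ip, asn in distinct)
    total = len(distinct)
    return [(asn, n, round(100 * n / total)) for asn, n in per_asn.most_common()]

def contiguous_runs(observed):
    """Group the observed IPs into runs of consecutive addresses.

    A chunk brought online together (e.g. a re-assigned /29) shows up as one
    long run; IPs brought up one at a time show up as many runs of length 1.
    Returns a list of (first_ip, last_ip, length).
    """
    addrs = sorted({ipaddress.ip_address(ip) for ip, _asn in observed})
    if not addrs:
        return []
    runs, start, prev = [], addrs[0], addrs[0]
    for addr in addrs[1:]:
        if int(addr) == int(prev) + 1:
            prev = addr
            continue
        runs.append((str(start), str(prev), int(prev) - int(start) + 1))
        start = prev = addr
    runs.append((str(start), str(prev), int(prev) - int(start) + 1))
    return runs

def covering_prefix(first_ip, last_ip):
    """Smallest single IPv4 CIDR block containing a run (candidate reserved range)."""
    a, b = int(ipaddress.ip_address(first_ip)), int(ipaddress.ip_address(last_ip))
    plen = 32
    while (a >> (32 - plen)) != (b >> (32 - plen)):
        plen -= 1
    return str(ipaddress.ip_network(f"{first_ip}/{plen}", strict=False))

if __name__ == "__main__":
    for asn, n, pct in asn_share(OBSERVED):
        print(f"AS{asn}: {n} IPs ({pct}%)")
    for first, last, length in contiguous_runs(OBSERVED):
        if length > 1:   # only multi-IP runs hint at a reserved range
            print(f"run {first}-{last} ({length} IPs) -> {covering_prefix(first, last)}")
```

Runs of length 1 scattered across a prefix are the "one IP at a time" pattern the post describes; a long run with a tight covering block is the older "contiguous chunk" pattern that made Rwhois correlation effective.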

  • http://king-servers.com/en/ This hoster has been observed to host Exploit kit domains (Angler, Styx), porn, dating sites and pharma sites [12]. It was also described in a comment on Web Of Trust as “Offers bulletproof hosting for Russian-Ukrainian criminals (malware distributors etc)” [13].
  • http://evrohoster.ru/en/ hosted browlock through redirections from porn sites [14].
  • http://www.xlhost.com/ hosted Angler EK domains.
  • https://www.ubiquityhosting.com/ hosted browlock.
  • http://www.qhoster.bg/ hosted Nuclear EK domains.
  • http://www.codero.com/
  • http://www.electrickitten.com/web-hosting/

String Analysis of Domain Names

During this study, we recorded 19,000+ malicious subdomains injected under 4,200+ compromised GoDaddy 2LDs. By analyzing the strings used for the subdomains, we recorded 12,000+ distinct labels. The top 5 labels used were: police, alertpolice, css, windowsmoviemaker, solidfileslzsr. police and alertpolice were the most used labels for hostnames serving browlock, and the remaining labels were used for hostnames serving mainly Exploit kit attacks.
The chart below shows, for each number of occurrences, how many labels occurred that many times.
[Chart: labels_occur, frequency of label occurrence counts]

One single label occurred 746 times (police), 1 label occurred 22 times (alertpolice), 1 label occurred 10 times (css), 15 labels occurred 6 times (windowsmoviemaker and solidfileslzsr are among them), and 11,727 distinct labels occurred a single time.
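The label analysis above (split each injected hostname into its third-level label and the compromised 2LD, count labels, then tabulate how many labels occurred N times) can be reproduced on any hostname feed with a few lines. This is an added example, not code from the original study; the hostnames are constructed placeholders under hypothetical victim 2LDs, and the parser assumes single-label TLDs such as .com.

```python
from collections import Counter

# Constructed sample of hostnames in the shape the study describes: a label
# injected as a third-level name under a compromised second-level domain.
# The 2LDs are placeholders, not domains from the original study; the labels
# include the top ones named in the post plus a throwaway random-looking one.
HOSTNAMES = [
    "police.victim-one.com", "police.victim-two.com", "police.victim-three.com",
    "alertpolice.victim-four.com", "alertpolice.victim-two.com",
    "css.victim-five.com", "windowsmoviemaker.victim-six.com",
    "solidfileslzsr.victim-seven.com", "qz8k1.victim-eight.com",
    "www.victim-nine.com",   # an ordinary-looking label is still just a label here
]
BROWLOCK_LABELS = {"police", "alertpolice"}  # per the post's observations

def injected_label(hostname):
    """Split 'label.2ld.tld' into (label, '2ld.tld'); None if not third-level.
    Assumes a single-label TLD such as .com (would mis-split .co.uk)."""
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) != 3 or not all(parts):
        return None
    return parts[0], ".".join(parts[1:])

def label_stats(hostnames):
    """Count how often each injected label occurs and which 2LDs were hit."""
    labels, domains = Counter(), set()
    for hostname in hostnames:
        split = injected_label(hostname)
        if split is not None:
            labels[split[0]] += 1
            domains.add(split[1])
    return labels, domains

def occurrence_histogram(labels):
    """Map 'times a label occurred' -> 'number of labels that occurred that
    often', i.e. the distribution plotted in the post's chart."""
    return dict(sorted(Counter(labels.values()).items(), reverse=True))

def classify(label):
    """Rough campaign guess from the label, following the post's split."""
    return "browlock" if label in BROWLOCK_LABELS else "exploit-kit/other"

if __name__ == "__main__":
    labels, domains = label_stats(HOSTNAMES)
    print(f"{sum(labels.values())} subdomains under {len(domains)} compromised 2LDs")
    for label, n in labels.most_common(5):
        print(f"{label:>18} x{n}  ({classify(label)})")
    for times, count in occurrence_histogram(labels).items():
        print(f"{count} label(s) occurred {times} time(s)")
```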
Stay tuned for more results at BlackHat [15] and VirusBulletin [16].
