Cybersecurity researchers have shed more light on a Chinese actor code-named SecShow that has been observed conducting large-scale probing of the global Domain Name System (DNS) since at least June 2023.

According to Infoblox security researchers Dr. Renee Burton and Dave Mitchell, the adversary operates out of the China Education and Research Network (CERNET), a project funded by the Chinese government.

“This investigation seeks to explore and measure DNS responses at open resolvers,” the researchers said in a report published last week. “The ultimate goal of SecShow operations is unknown, but the information that is collected can be used for malicious activities and is solely for the benefit of the actor.”

That said, there is some evidence to suggest that this may be linked to some sort of academic research involving “using IP address spoofing techniques to measure domains within,” using techniques from the Closed Resolver Project.

However, it raises more questions than it answers – including when it comes to the full scope of the project, the purpose behind data collection, the choice of a generic Gmail address to collect feedback, and an overall lack of transparency.

Open resolvers are DNS servers that accept and recursively resolve domain name queries from any party on the Internet, which makes them prone to exploitation by bad actors to carry out distributed denial-of-service (DDoS) attacks such as DNS amplification. The resolver answers a small spoofed query with a much larger response aimed at the victim's address, so the resolver, not the attacker, ends up delivering the traffic.

At the center of the investigation is the use of CERNET name servers to identify open DNS resolvers and measure DNS responses. This involves sending a DNS query from an as-yet-undetermined origin to an open resolver, which forwards it to the SecShow-controlled name server; that server then returns a random IP address.


In an interesting twist, these name servers are configured to return a new random IP address each time they are queried via a different open resolver, a behavior that also draws in queries from the Palo Alto Networks Cortex Xpanse product.

“Cortex Xpanse treats a domain name in a DNS query as a URL and tries to retrieve content from the random IP address returned for that domain name,” the researchers explained. “Firewalls, including Palo Alto and Check Point as well as other security devices, perform URL filtering when they receive a request from Cortex Xpanse.”

This filtering step initiates a new DNS query for the domain, causing the name server to return yet another random IP address.
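The per-query random answers described above are also visible from the resolver side. As an added illustration (this is not code from the Infoblox report or from the actors discussed), the following Python script scans a resolver's answer log for names that behave like the SecShow name servers: every query gets a different address, spread across unrelated network blocks. The log format, the sample names and addresses, and the thresholds are all assumptions made for the example.

```python
"""Heuristic flagging of DNS names whose answers change on every query,
the behaviour the report attributes to the SecShow name servers.
Added illustration only; log format and thresholds are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed sample resolver log (not real SecShow traffic), one answered
# A query per line: "<qname> <rcode> <answer-ip> <ttl>".
SAMPLE_LOG = """\
probe1.measure-example.test NOERROR 203.0.113.17 0
probe1.measure-example.test NOERROR 198.51.100.201 0
probe1.measure-example.test NOERROR 192.0.2.99 0
probe1.measure-example.test NOERROR 203.0.113.250 0
www.example.com NOERROR 93.184.216.34 3600
www.example.com NOERROR 93.184.216.34 3600
cdn.example.net NOERROR 192.0.2.10 60
cdn.example.net NOERROR 192.0.2.11 60
cdn.example.net NOERROR 192.0.2.12 60
"""


def parse_log(text):
    """Parse log lines into (qname, ip, ttl) tuples.

    Lines that are malformed or not successful answers are skipped rather
    than aborting the run, so a noisy log still yields usable records.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "NOERROR":
            continue
        qname, _, ip, ttl = parts
        try:
            records.append((qname.lower().rstrip("."), ipaddress.ip_address(ip), int(ttl)))
        except ValueError:
            continue  # unparsable address or TTL
    return records


def find_random_answer_names(records, min_queries=3, min_prefixes=2):
    """Return qnames that look like per-query random-IP responders.

    A name is flagged when it was answered at least `min_queries` times,
    every answer was a different address, and the answers span at least
    `min_prefixes` distinct /16 networks. The last test keeps a CDN that
    rotates a few hosts inside one block from being flagged. The threshold
    values are illustrative assumptions, not figures from the report.
    """
    by_name = defaultdict(list)
    for qname, ip, ttl in records:
        by_name[qname].append((ip, ttl))

    flagged = {}
    for qname, answers in by_name.items():
        ips = [ip for ip, _ in answers]
        if len(ips) < min_queries or len(set(ips)) != len(ips):
            continue
        prefixes = {
            ipaddress.ip_network(f"{ip}/16", strict=False)
            for ip in ips
            if ip.version == 4
        }
        if len(prefixes) < min_prefixes:
            continue
        flagged[qname] = {
            "queries": len(ips),
            "distinct_answers": len(set(ips)),
            "prefixes": len(prefixes),
            "max_ttl": max(ttl for _, ttl in answers),
        }
    return flagged


if __name__ == "__main__":
    for name, stats in find_random_answer_names(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {stats}")
```

On the constructed sample only `probe1.measure-example.test` is flagged: `www.example.com` returns the same address twice, and `cdn.example.net` rotates three hosts that all sit in one /16. A low or zero TTL on the flagged name is worth recording alongside the verdict, since it is what forces a fresh query to the authority each time rather than a cached answer.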

It is important to note that some aspects of these scanning activities were previously disclosed by Unit 42 researchers over the past two months. The SecShow name servers have been unresponsive since mid-May 2024.


SecShow is the second China-linked threat actor, after Muddling Meerkat, to be seen performing large-scale DNS probing activities on the Internet.

“While Muddling Meerkat queries are designed to blend into global DNS traffic [and have] gone unnoticed for more than four years, the SecShow queries are transparent encodings of IP addresses and measurement information,” the researchers said.

Rebirth Botnet offers DDoS services.

The development comes as a financially motivated threat actor has been found promoting a new botnet service called Rebirth to facilitate DDoS attacks.

“The DDoS-as-a-Service (DaaS) botnet is based on the Mirai malware family, and operators advertise their services through Telegram and an online store (rebirthltd.mysellix[.]io),” the Sysdig Threat Research Team said in a recent analysis.

The cybersecurity firm said Rebirth (aka Vulcan) is primarily focused on the video gaming community, renting out the botnet to other actors at varying prices to target game servers for financial gain. The earliest evidence of the botnet being used in the wild dates back to 2019.


The cheapest plan, called Rebirth Basic, costs $15, while the Premium, Advanced, and Diamond tiers cost $47, $55, and $73, respectively. There is also a Rebirth API ACCESS plan that sells for $53.

The Rebirth malware supports functionality to launch DDoS attacks over the TCP and UDP protocols, such as TCP ACK flood, TCP SYN flood, and UDP flood.

This is not the first time game servers have been targeted by DDoS botnets. In December 2022, Microsoft disclosed the details of another botnet named MCCrash that is designed to target private Minecraft servers.


Then in May 2023, Akamai detailed a DDoS-for-hire botnet known as Dark Frost that has been observed launching DDoS attacks against gaming companies, game server hosting providers, online streamers, and even other members of the gaming community.

“With a botnet such as Rebirth, an individual is able to DDoS game servers or other players in a live game, either causing games to crash or slow down, or causing other players’ connections to lag or drop,” Sysdig said.

“This could be a financial incentive for users of streaming services such as Twitch, where the business model relies on a streaming player gaining followers; it primarily provides a form of revenue generation through monetizing disrupted games.”

The California-based company posited that potential users of Rebirth could also use it to perform DDoS trolling (aka stresser trolling), attacks carried out against gaming servers to disrupt the experience of legitimate players.

Attack chains that distribute the malware involve exploiting known security flaws (e.g., CVE-2023-25717) to deploy a bash script that takes care of downloading and executing the DDoS botnet malware, selecting the payload according to the processor architecture of the compromised device.

The Telegram channel linked to Rebirth has since been wiped of all its old posts, with a message posted on May 30, 2024, stating “We’ll be back soon [sic].” About three hours later, the operators advertised a bulletproof hosting service called “Bulletproof Hosting[.]xyz.”
