Breaking Badness

Breaking Badness Cybersecurity Podcast - 180. I-Sooner or Later

Coming up this week on Breaking Badness: Cache for Cash, Wait a DNSSEC, and Gold, Guidance, and Grievances.

Here are a few highlights from each article we discussed:

Cache for Cash

  • China has increasingly turned to private companies in campaigns to hack foreign governments and control its domestic population
  • Last week a treasure trove of internal data from a company called iSoon was leaked on GitHub
    • They are a Chinese technology company
    • They do security training, but under that veneer, they do other things
    • A large number of red team-style intrusion operations were documented in the material, which was posted to a GitHub repo by what appeared to be a disgruntled employee or a disgruntled competitor. It’s not entirely clear who put it out there, but we suppose that’s the whole point of a leak, right?
    • The leak has been assessed as genuine, but how do we confirm that?
      • You can’t really know with 100% certainty; a lot of it is grain-of-salt stuff
      • You can look at external indicators or historical indicators that line up with prior research to gain some confidence
      • There are details on the remote access trojans they use for macOS, iOS and Android devices
      • There are also historical artifacts of the infrastructure they were using for their phishing campaigns
  • What’s the benefit of China contracting this out to the private sector?
    • If you view these things as long-term sustained operations, but want some type of plausible deniability, the separation between official channels and the private sector can be enticing 
    • It might be cheaper this way, but who knows?
      • But that’s part of the discussion: the internal chats that have been translated include employees complaining about pay and about the work itself
        • Some pricing examples include $15,000 for access to a private website for the traffic police in Vietnam, or a couple hundred thousand dollars for access to social media accounts
  • Who is being targeted in these campaigns?
    • Vietnam, South Korea, Taiwan, Hong Kong, Malaysia and India, plus claimed access to telcos in Kazakhstan, Mongolia, Vietnam and Hong Kong
    • China’s own citizens are also implicated by this
      • There’s an interest in controlling narratives and in studying the discourse (including its tone)
      • Narratives also form outside the channels you control, in more decentralized places like Telegram and WhatsApp chats, so you see a lot of effort going into getting into those channels to see what’s being pushed out by other folks, alongside the drive to create a narrative of their own
  • Are there any implications at this time to the US/Chinese relations?
    • In a post-Volt Typhoon world, drawing that line might be tougher to do
    • This feels more local to the region
    • Right now, this looks wholly separate from Volt Typhoon, which is focused on living off the land and deeply embedding itself into critical infrastructure workflows, whereas the iSoon operations lean on targeted phishing, remote access trojans, rootkits and the like against regional governments and telcos

Wait a DNSSEC

  • We discuss what is being described as “the worst attack on DNS ever discovered.”
  • Most listeners are probably familiar with DNS to some degree; it is the mechanism that translates domain names into IP addresses
  • DNSSEC, aka Domain Name System Security Extensions, is an upgrade for DNS that uses cryptography to help ensure the results of queries aren’t tampered with, for example by malicious actors who want to redirect traffic to servers that they control
  • While it uses cryptography, that doesn’t mean DNSSEC lookups are encrypted. The zone’s records are signed and a validating resolver checks those signatures, so what it guarantees is that the answer you received is the one the zone operator published and that it hasn’t been altered in transit. It protects the integrity and authenticity of the DNS data, not its confidentiality, and it is the resolver doing the validating, not the end user’s device
  • The research team known as ATHENE made the discovery of this attack and called it KeyTrap (tracked as CVE-2023-50387). What is the makeup of this attack?
    • KeyTrap involves a specially crafted response from an authoritative server the malicious actor is running. An RRset is a set of resource records sharing a name, type and class; here the attacker’s DNSKEY RRset holds many keys that all share the same key tag, paired with many RRSIG signatures that reference that tag. A validating resolver tries every signature against every matching key before it gives up, so a single response can cost it thousands of signature verifications
    • This is basically a denial of service. It is not directly destructive, but it is disruptive because it makes the resolver unavailable, and when the resolver is unavailable, the Internet is effectively down for any clients that rely on it. Most individuals don’t know how to configure a different DNS resolver, and they’d need to make sure they picked one that wasn’t also vulnerable to this attack
    • It relies on the victim making a DNS lookup for a domain controlled by the threat actor. The domain doesn’t need to push any malicious payload; the whole point is to trigger the lookup, because the target is the DNS resolver, not the victim’s device
    • The flaw has been present since at least August of 2000, possibly earlier
      • That’s a long time for such a deep vulnerability to go undiscovered!
  • The article from The Register stated that as of December 2023, 31% of web clients worldwide used DNSSEC-validating DNS resolvers and would feel the effects of a KeyTrap attack. Even though 31% is in the minority, can that still impact the 69% of web clients that don’t use DNSSEC-validating resolvers?
    • That’s not quite clear. From a direct perspective, they would not be affected. The question is whether any web-based services that people access would themselves be affected, causing disruptions of availability of some services. But this is speculative on our part.
  • There’s no evidence of exploitation at this time
    • Exploiting this depends on whether bad actors are able to discover the exact construction of the malicious RRsets
    • The assumption is that ATHENE is not disclosing enough specific detail to make it easy for a malicious actor to figure it out
  • There is movement on patching
    • Any amount of patching helps. The indirect ripple effects for systems that don’t rely on DNSSEC-validating resolvers are not clear and may in many cases not be severe
    • But this is a race against the clock, the clock being the time between now and when bad actors figure out how to use this
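To make the cost blow-up concrete, here is an added Python model written for this recap; it is not ATHENE’s code and not any resolver’s implementation. The key tag routine follows RFC 4034 Appendix B, which is real. The DNSKEY record layout, the HMAC stand-in for a public-key signature check, the `www.example.test` A record and the attempt budget of 8 (`MAX_VALIDATION_ATTEMPTS`) are constructed for illustration. The model builds a DNSKEY RRset whose keys all share one key tag, pairs it with RRSIGs that verify under none of them, and counts how many signature checks a validator performs with and without a per-RRset work budget.

```python
"""Toy model of the KeyTrap validation blow-up (CVE-2023-50387). Added example for
this recap, not ATHENE's code or any resolver's. key_tag() follows RFC 4034 App. B;
the record layout, the keyed-hash stand-in for a public-key signature check, the
sample A record and the attempt budget are constructed simplifications."""
import hashlib
import hmac
import os
from dataclasses import dataclass

ALG_RSASHA256 = 8            # real DNSSEC algorithm number (RSA/SHA-256)
ZSK_FLAGS = 256              # DNSKEY flags value for a zone-signing key
MAX_VALIDATION_ATTEMPTS = 8  # assumed per-RRset budget; real resolvers chose their own

def _fold(ac: int) -> int:
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: a 16-bit checksum (not a hash) of the DNSKEY RDATA.
    Unrelated keys can share a tag, and the tag is the only hint an RRSIG gives a
    validator about which DNSKEY to try. KeyTrap abuses exactly that."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else b << 8
    return _fold(ac)

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    # flags (2 bytes) | protocol (1 byte, always 3) | algorithm (1 byte) | public key
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey

@dataclass(frozen=True)
class DNSKEY:
    rdata: bytes
    @property
    def algorithm(self) -> int:
        return self.rdata[3]

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)

@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes

def forge_colliding_key(target_tag: int, algorithm: int, body_len: int = 64) -> DNSKEY:
    """Random DNSKEY whose tag equals target_tag. The tag folds 16-bit big-endian
    words, so two bytes appended at an even offset add exactly one word, and
    brute-forcing that word (at most 65536 cheap iterations) lands on the target."""
    while True:
        prefix = dnskey_rdata(ZSK_FLAGS, algorithm, os.urandom(body_len))
        assert len(prefix) % 2 == 0, "trailing word must start at an even offset"
        base = sum(b if (i & 1) else b << 8 for i, b in enumerate(prefix))
        for word in range(0x10000):
            if _fold(base + word) == target_tag:
                return DNSKEY(prefix + word.to_bytes(2, "big"))
        # at most one tag is unreachable from a given prefix: retry with a new body

def _verify(key: DNSKEY, sig: RRSIG, rrset_wire: bytes) -> bool:
    # Stand-in for an RSA/ECDSA verification; only the number of calls matters here.
    mac = hmac.new(key.rdata, rrset_wire, hashlib.sha256).digest()
    return hmac.compare_digest(mac, sig.signature)

def sign(key: DNSKEY, rrset_wire: bytes) -> RRSIG:
    """Honest counterpart of _verify(), used to show the normal validation path."""
    return RRSIG(key.algorithm, key.tag, hmac.new(key.rdata, rrset_wire, hashlib.sha256).digest())

def validate(rrset_wire: bytes, sigs: list, keys: list, max_attempts=None):
    """For each RRSIG, try every DNSKEY whose algorithm and key tag match until one
    verifies. max_attempts=None is the pre-KeyTrap behaviour (unbounded work); with
    a budget the resolver stops and treats the answer as bogus once it is spent.
    Returns (valid, number of signature checks performed)."""
    attempts = 0
    for sig in sigs:
        for key in keys:
            if key.algorithm != sig.algorithm or key.tag != sig.key_tag:
                continue
            if max_attempts is not None and attempts >= max_attempts:
                return False, attempts
            attempts += 1
            if _verify(key, sig, rrset_wire):
                return True, attempts
    return False, attempts

def keytrap_scenario(n_keys: int = 16, n_sigs: int = 16):
    """Attacker-run zone: n_keys DNSKEYs sharing one tag plus n_sigs RRSIGs carrying
    that tag but verifying under none of them, i.e. n_keys * n_sigs checks per response."""
    rrset_wire = b"www.example.test. IN A 192.0.2.1"  # constructed stand-in for wire form
    first = DNSKEY(dnskey_rdata(ZSK_FLAGS, ALG_RSASHA256, os.urandom(64)))
    keys = [first] + [forge_colliding_key(first.tag, ALG_RSASHA256) for _ in range(n_keys - 1)]
    bogus_sigs = [RRSIG(ALG_RSASHA256, first.tag, os.urandom(32)) for _ in range(n_sigs)]
    return rrset_wire, bogus_sigs, keys

if __name__ == "__main__":
    wire, sigs, keys = keytrap_scenario()
    print("distinct key tags in the DNSKEY RRset:", len({k.tag for k in keys}))
    print("unbounded validator: valid=%s after %d signature checks" % validate(wire, sigs, keys))
    print("budgeted validator:  valid=%s after %d checks" % validate(wire, sigs, keys, MAX_VALIDATION_ATTEMPTS))
```

With the defaults the unbounded validator performs 16 × 16 = 256 signature checks for one response and still ends up with nothing valid; the budgeted one stops after 8. Real resolvers run real public-key operations per check and real attacks use far larger RRsets, which is where the CPU exhaustion comes from. The coordinated fixes took essentially the second approach: bound the work a resolver will spend on one response and return SERVFAIL once the budget is gone, rather than trying to make every (signature, key) pairing cheap.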

This Week’s Hoodie/Goodie Scale

Cache for Cash

[Tim]: 0/10 Hoodies
[Taylor]: 4.5/10 Hoodies


Wait a DNSSEC

[Tim]: 7/10 Hoodies
[Taylor]: 3.75/10 Hoodies

That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!