Breaking Badness Cybersecurity Podcast - 181. Say My CNAME, Say My CNAME
Coming up this week on Breaking Badness: A Compromising Position, What’s in a CNAME?, and Gold, Guidance, and Grievances.
Here are a few highlights from each article we discussed:
A Compromising Position
- CISA cautions against using hacked Ivanti VPN gateways even after factory resets
- To start, let’s discuss who Ivanti is and their VPN gateways
- Ivanti is a pretty wide-ranging organization – they’re US-based and they provide VPN products. But they also have automation tools, endpoint management, and some supply chain management as well
- The article mentions that Ivanti used their Integrity Checker Tool (ICT), and it failed to detect a compromise while investigating multiple hacking incidents
- So how did they make the discovery if the ICT failed?
- A number of people have been researching this ever since the first disclosure that something might be wrong back in, we think, January of this year
- They detected an incident where they found that the actor had chained a couple of different zero-days in the Ivanti Connect Secure devices, which is what we’re talking about here
- We’re not sure what scan they specifically did in order to find that, but they probably discovered it first because of whatever they saw the actors doing after gaining a foothold through these things
- VPN concentrators are one of the places you really don’t want bad actors to gain a foothold – nevertheless we saw that happen here and we’ve reported on some other compromises to devices
- Does every organization have its own ICT or is that Ivanti-specific?
- It’s not proprietary to them
- With some of these devices, you can use a command line and get root access and probably run tools of your own that way
- So yes, file integrity management, integrity checkers, etc. – it’s a broad category of tools that use cryptographic checksums to ensure that files within an operating system or library have not been altered or manipulated, so it’s a good thing to have
- We mentioned that Ivanti’s ICT didn’t catch this compromise, but we think at this time, a newer version has been released that actually may be able to check for these kinds of compromises
- CISA provides federal agencies with guidance after discovering signs of compromise – is that information available to the public?
- Yes – CISA exists to give government agencies this kind of guidance
- You can see from the advisory what it is they’re recommending in their official capacity to US federal agencies
- Using a factory reset might not fix this due to the potential threat of actors maintaining root persistence – what else can we do at this time to know if you’re an entity that’s affected?
- There’s nothing simple unfortunately
- It’s not trivial to set up a VPN and you can’t just bring in a box over the weekend, put all the user accounts in it, and away you go (at least not typically, and if you did do it quickly, that sounds risky)
- But there are other layers of security that you can put in place behind a VPN device
- That’s things like having a robust two-factor authentication for any of your internal apps or access to other network segments – so you could do additional network segmentation
- So there are things you can do – they’re just not trivial in order to make up for the kind of risk this poses – there’s no easy way out
What’s in a CNAME?
- We’re talking about the discovery Guardio Labs made regarding a large campaign of subdomain hacking, compromising over 8000 domains from well-known brands like MSN, VMware, McAfee, eBay, and more
- What is a CNAME?
- It’s basically a form of an alias
- It’s a linkage and allows folks to move infrastructure without breaking things and provides a lot of flexibility
- We’ve seen similar schemes before – what makes this one so special?
- They noticed some interesting spam being delivered
- The domain name on the SPF record matched up and looked to be a legitimate MSN domain
- They identified that it was a Martha Stewart Sweepstakes domain: adversaries had discovered a CNAME record still sitting out there that mapped an MSN domain over to this custom advertising domain, which had been registered for the purposes of sending email back in 2001/2002
- It’s rare to see an adversary go that far back, but in any event, this CNAME record was used for an advertising campaign and then was abandoned (as the majority of the domains in our data set have been at some point, right?)
- We can look back at this historical data, and adversaries can too
- The digital footprint of some of these brands expanded and then the folks who were using them stopped – they weren’t renewed, but the records were placed into DNS to map things that still existed
- So long story short, it’s very interesting that these adversaries went so far back and are leveraging these old orphaned records
- They’re also doing discovery via querying and looking at the SPF records to see where things are tied to one another from a mail sending perspective
- So that combination and its duration are impressive to see
- Guardio is saying this particular adversary has been doing this for the last few years; they’ve gone back such a long period of time and they’re abusing a diverse range of brands – reputable brands
- They’re also good at using an ephemeral structure, so they never sit on the same thing for too long and they’re always mixing and matching the various infrastructures to kind of fly under the radar while still handling a lot of volume
- How can folks be on the lookout for emails potentially connected to this campaign?
- There’s a checker where you can drop your domain in and they’ll look to see if there are potential vulnerabilities to this
- DNS hygiene is important here
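As an added illustration of the DNS hygiene point (not code from the podcast, Guardio, or DomainTools), this offline audit walks a zone export and flags CNAME targets and SPF `include:`/`redirect=` targets that fall outside a reviewed inventory of domains. The zone, the inventory, all `.example` names and the two-label `registrable()` shortcut are constructed assumptions; confirming that a flagged domain has actually lapsed still takes a registration lookup.

```python
import re

# Constructed zone export for brand.example: (owner, record type, value).
ZONE = [
    ("www.brand.example", "CNAME", "edge.cdn-vendor.example."),
    ("promo2002.brand.example", "CNAME", "old-campaign.example."),
    ("shop.brand.example", "CNAME", "store.brand.example."),
    ("brand.example", "TXT",
     "v=spf1 include:_spf.mail-vendor.example include:spf.defunct-esp.example ~all"),
    ("brand.example", "TXT", "site-verification=constructed-token"),
]

# Constructed inventory: domains confirmed as still registered to the
# organisation or to a vendor it currently uses.
TRUSTED = {"brand.example", "cdn-vendor.example", "mail-vendor.example"}

def registrable(name):
    """Last two labels of a name (assumption: real audits should use the Public Suffix List)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def spf_targets(txt):
    """Domains an SPF TXT record delegates to via include: or redirect=."""
    if not txt.lower().startswith("v=spf1"):
        return []
    return re.findall(r"(?:include:|redirect=)(\S+)", txt, flags=re.I)

def audit(zone, trusted):
    """Return (owner, kind, target) for every delegation to an unreviewed domain."""
    findings = []
    for owner, rtype, value in zone:
        if rtype == "CNAME":
            kind, targets = "CNAME", [value]
        elif rtype == "TXT":
            kind, targets = "SPF", spf_targets(value)
        else:
            continue
        for target in targets:
            if registrable(target) not in trusted:
                findings.append((owner, kind, target.rstrip(".")))
    return findings

if __name__ == "__main__":
    for owner, kind, target in audit(ZONE, TRUSTED):
        print(f"REVIEW {kind}: {owner} -> {target}")
```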
This Week’s Hoodie/Goodie Scale
A Compromising Position
[Tim]: 8/10 Hoodies
[Taylor]: 8/10 Hoodies
What’s in a CNAME?
[Tim]: 5/10 Hoodies
[Taylor]: 4.5/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!