DNS Errors and Malware Builders Turning on Attackers
In this episode of Breaking Badness, we analyze two fascinating cybersecurity incidents that expose both corporate misconfigurations and hacker missteps.
DNS Errors: Security researcher Philippe Caturegli discovered a typo in MasterCard’s DNS records, which left the company open to traffic hijacking and data exposure. This long-overlooked flaw, dating back years, could have been exploited by attackers to redirect users, intercept data, and manipulate services.
When Hackers Get Hacked – The Script Kiddie Trap: In a turn of events that underscores the “no honor among thieves” trope, a threat actor baited low-skilled hackers (script kiddies) with a fake malware builder. Instead of gaining hacking capabilities, they unwittingly installed a backdoor on their own machines, allowing the original attacker to steal their data and take control of their systems.
DNS Errors: The Sitting Ducks Attack
What Happened?
Security researcher Philippe Caturegli discovered a typo in MasterCard’s DNS settings, where a misconfigured subdomain pointed to an unregistered domain (Akam.ne instead of Akam.net). This mistake went unnoticed for years, potentially allowing an attacker to:
- Intercept sensitive traffic
- Redirect users to malicious sites
- Monitor and manipulate data flow
How Was It Discovered?
Philippe purchased the unused .ne domain (a ccTLD from Niger) to test its potential impact. Due to round-robin DNS settings, his new domain started receiving traffic meant for MasterCard’s Azure cloud services. This proved that a cybercriminal could have hijacked MasterCard’s traffic and data.
Key Takeaways
- Historical DNS records should be audited regularly to prevent domain hijacking
- Misconfigured cloud services can introduce severe security risk
- Typos in DNS records can have critical security implications – the “sitting ducks” problem
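An added example, not from the podcast or the Krebs article, of the kind of audit the takeaways call for: it walks a set of NS records and flags nameserver targets that fall outside an expected provider list, calling out one-character near-misses such as akam.ne for akam.net. The record set, owner names and expected-provider list are constructed assumptions.

```python
"""Audit NS delegations for typo'd or unexpected nameserver domains.

Input is a list of (owner, rrtype, target) tuples as you might export from a
zone file or a DNS provider's API. The records below are constructed samples.
"""
from dataclasses import dataclass

# Registrable domains your nameservers are expected to live under (assumed list).
EXPECTED_NS_DOMAINS = {"akam.net", "akamaiedge.net", "azure-dns.com"}


def registrable_domain(fqdn: str) -> str:
    """Naive apex: last two labels. Good enough for these providers; a real
    audit should use the public suffix list so co.uk-style TLDs are handled."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    owner: str
    target: str
    reason: str


def audit_ns_records(records):
    """Return a Finding for every NS target not under an expected domain."""
    findings = []
    for owner, rrtype, target in records:
        if rrtype != "NS":
            continue
        apex = registrable_domain(target)
        if apex in EXPECTED_NS_DOMAINS:
            continue
        near = sorted(e for e in EXPECTED_NS_DOMAINS if edit_distance(apex, e) <= 1)
        reason = f"likely typo of {near[0]}" if near else "unexpected nameserver domain"
        findings.append(Finding(owner, target, reason))
    return findings


SAMPLE_RECORDS = [  # constructed; az.example.com is a placeholder owner
    ("az.example.com", "NS", "a22-65.akam.net."),
    ("az.example.com", "NS", "a1-5.akam.ne."),
    ("az.example.com", "NS", "ns1-01.azure-dns.com."),
]
```

Run `audit_ns_records(SAMPLE_RECORDS)` to see the single near-miss finding; the same check can be scheduled against live exports to catch records that have drifted for years.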
Resources
Read Brian Krebs’ coverage on DNS misconfigurations
When Hackers Get Hacked: The Script Kiddie Backdoor Scam
What Happened?
A threat actor lured low-skilled hackers (script kiddies) into downloading a fake malware builder. Instead of getting a functional hacking tool, they unknowingly installed a backdoor that:
- Stole their credentials and personal data
- Gave the attacker remote control of their systems
- Allowed the attacker to exfiltrate sensitive information
How Was the Attack Carried Out?
The malware disguised itself as XWorm, a well-known Remote Access Trojan (RAT). However, when script kiddies tried to use it, the software:
- Installed a hidden backdoor instead of a hacking tool
- Sent data to the attacker via Telegram C2 (Command & Control)
- Allowed remote exploitation of infected machines
How It Was Stopped
Cybersecurity researchers disrupted the malware’s kill chain by:
- Identifying unique victim IDs through Telegram logs
- Pushing an uninstall command to remove the malware from infected machines
Key Takeaways
- Even cybercriminals need to be cautious about their downloads
- Telegram is increasingly used as C2 infrastructure for cybercrime
- Security researchers can sometimes turn the tables on attackers
Read CloudSek’s full report on the fake malware builder
Watch on YouTube
That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
A special thanks to John Roderick for our incredible podcast music!