SecShow: Chinese monster attacks DNS

Tomcat

What is the purpose of hackers and why do they use such unusual methods?

Cybersecurity researchers have uncovered the activities of a Chinese group codenamed SecShow, which has been conducting global probing through the Domain Name System (DNS) since June 2023.

According to Infoblox experts, SecShow operates out of the Chinese Education and Research Network (CERNET), which is funded by the Chinese government.

"These attacks are aimed at detecting and measuring DNS responses on open resolvers," the report says. "The ultimate goal of SecShow operations is unknown. The information collected now may be used for malicious purposes, but so far it is only useful for the attackers themselves."

There are suggestions that the operation may be related to academic research involving measurements based on IP spoofing under "secshow.net" domains, similar to the Closed Resolver Project. However, this raises even more questions, including the purpose of the data collection and the reason for using a shared Gmail address as the contact for feedback.

Open resolvers are DNS servers that accept and process recursive queries from any client on the Internet, which lets attackers abuse them as reflectors in DDoS attacks such as DNS amplification.

The campaign uses CERNET name servers to identify open DNS resolvers and measure their responses. The process involves sending a DNS query with a spoofed source address to an open resolver; the resolver then forwards the query to the SecShow name server, which returns a random IP address.

Interestingly, these name servers are configured to return a new random IP address each time a query arrives from a different open resolver. Combined with Palo Alto Networks' Cortex Xpanse product, this behaviour inflates the number of queries.

"Cortex Xpanse treats a domain name in a DNS query as a URL and tries to get content from a random IP address for that domain name," the researchers explain. "Firewalls such as Palo Alto and Check Point, as well as other security devices, perform URL filtering when receiving a request from Cortex Xpanse."

This filtering in turn issues a new DNS query for the domain, which causes the name server to return yet another random IP address, creating a self-sustaining loop of queries.
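The probing described above only works against resolvers that answer recursive queries for arbitrary clients. The check below is an added example, not code from the article, from Infoblox or from SecShow: it builds a raw DNS query with the RD (recursion desired) bit set, parses the reply, and reports a resolver as "open" when it advertises recursion (RA), returns NOERROR and supplies an answer for a name it is not authoritative for. The response bytes embedded for the offline test are constructed by hand; the function names, the example.com query name and the IP 93.184.216.34 in the sample reply are assumptions of this example.

```python
"""Minimal open-resolver check (added example; constructed sample data)."""
import random
import socket
import struct
from typing import Optional


def build_query(name: str, txid: Optional[int] = None) -> tuple:
    """Return (txid, wire-format A query) with RD=1, as a client would send it."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100  # QR=0, opcode=QUERY, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) name; return (name, offset after the field)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data: bytes) -> dict:
    """Extract header flags and IPv4 answers from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"txid": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": answers}


def classify(resp: dict, expected_txid: int) -> str:
    """'open': RA set, NOERROR and an answer; 'closed': REFUSED or RA clear."""
    if resp["txid"] != expected_txid or not resp["qr"]:
        return "inconclusive"  # not a reply to our query
    if resp["rcode"] == 5 or not resp["ra"]:  # REFUSED, or recursion not offered
        return "closed"
    if resp["rcode"] == 0 and resp["answers"]:
        return "open"
    return "inconclusive"


def probe(resolver_ip: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send one UDP/53 query to resolver_ip and classify the reply (needs network)."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no response"
    return classify(parse_response(data), txid)


# Constructed sample replies to our txid 0x1234 query for example.com (not captured traffic).
_QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
SAMPLE_OPEN_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
                        + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
                        + bytes([93, 184, 216, 34]))  # QR=1 RD=1 RA=1 NOERROR, one A record
SAMPLE_REFUSED_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
                           + _QUESTION)  # QR=1 RD=1 RA=0 RCODE=5 (REFUSED), no answers

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
```

Run it against your own resolver's public address from a host outside your network. A single vantage point is not conclusive: a resolver that refuses this client may still recurse for other source networks, which is exactly the blind spot that spoofed-source measurement of the kind described above is designed to find.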

Some aspects of these scans had already been described by researchers at Dataplane.org and Unit 42. SecShow's name servers have been unresponsive since mid-May 2024.

"At the moment, there is no known impact on customer networks, except for a slight increase in DNS resolution activity to determine whether a domain is malicious," Palo Alto Networks experts said. "Xpanse has the ability to exclude certain domains, and as new command servers are identified, they are added to the block list. We will continue to monitor closely and add relevant domains to the block list."

SecShow is the second Chinese group of attackers, after Muddling Meerkat, to carry out large-scale DNS attacks. "Muddling Meerkat queries were mixed with global DNS traffic and went unnoticed for more than four years, while SecShow queries are transparent and include information about IP addresses and measurement information," the researchers explained.