INTERNET STORM CENTER SPOTLIGHT
ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
DNS Reflection Update and Odd Corrupted DNS Requests
Published: 2024-09-25. Last Updated: 2024-09-25 16:33:15 UTC
by Johannes Ullrich (Version: 1)
Occasionally, I tend to check in on what reflective DNS denial of service attacks are doing. We usually see steady levels of attacks. Usually, they attempt to use spoofed requests for ANY records to achieve the highest possible amplification. Currently, I am seeing these two records used (among others):
ANY nlrb<.>gov
The response for this query may be up to 5,826 bytes in size. With a query payload size of 37 bytes, this yields a rather impressive amplification. The original name server appears to do the right thing, and it ignores EDNS0, but that, of course, doesn't help with open resolvers.
ANY ncca<.>mil
This domain is a bit odd. I only receive empty responses for ANY, NS, or other queries I tried. Maybe this domain was fixed after it got abused for DDoS attacks.
ANY fnop<.>net
The response for this domain is also truncated. Likely also fixed.
"Fixing" Amplification via ANY records
There are a few other defensive techniques that show up more often. Google's domain name service returns a "Not Implemented" error for ANY queries ...
Read the full entry:
https://isc.sans.edu/diary/DNS+Reflection+Update+and+Odd+Corrupted+DNS+Requests/31296/
Fake GitHub Site Targeting Developers
Published: 2024-09-19. Last Updated: 2024-09-19 20:14:39 UTC
by Johannes Ullrich (Version: 1)
Our reader "RoseSecurity" forwarded the following malicious email they received:
Hey there!
We have detected a security vulnerability in your repository. Please contact us at https:[//]github-scanner[.]com to get more information on how to fix this issue. Best regards,
Github Security Team
GitHub has offered free security scans to users for a while now. But usually, you go directly to GitHub.com to review results, not a "scanner" site like suggested above.
The github-scanner website first displays what appears to be some form of Captcha to make sure you are "Human" (does this exclude developers?) ...
Read the full entry:
https://isc.sans.edu/diary/Fake+GitHub+Site+Targeting+Developers/31282/
Phishing links with @ sign and the need for effective security awareness building
Published: 2024-09-23. Last Updated: 2024-09-23 07:40:22 UTC
by Jan Kopriva (Version: 1)
While going over a batch of phishing e-mails that were delivered to us here at the Internet Storm Center during the first half of September, I noticed one message which was somewhat unusual. Not because it was untypically sophisticated or because it used some completely new technique, but rather because its authors took advantage of one of the less commonly misused aspects of the URI format – the ability to specify information about a user in the URI before its "host" part (domain or IP address).
RFC 3986 specifies[1] that a “user information” string (i.e., username and – potentially – other contextual data) may be included in a URI in the following format:
[ userinfo "@" ] host [ ":" port ]
In this instance, the threat actors used the user information string to make the link appear as if it were pointing to facebook.com, while it actually led to an IPFS gateway[2], ipfs.io.
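As an added illustration (not code from Jan's diary), the Python snippet below splits a link into the RFC 3986 components quoted above and flags http(s) links whose userinfo part is shaped like a hostname, which is exactly how the lure above reads as facebook.com while the browser connects to ipfs.io. The sample links and the IPFS path are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Shape of a registrable domain name, e.g. "facebook.com" (assumption: ASCII labels only)
_DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

def split_authority(url: str) -> dict:
    """Split the authority into the parts RFC 3986 names:
    [ userinfo "@" ] host [ ":" port ]. urlsplit takes everything before
    the LAST '@' in the authority as userinfo; the host is what follows it."""
    parts = urlsplit(url)
    userinfo = None
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
    return {
        "scheme": parts.scheme,
        "userinfo": userinfo,
        "host": parts.hostname,   # what the browser actually connects to
        "port": parts.port,
        "path": parts.path,
    }

def check_link(url: str) -> dict:
    """Flag http(s) links carrying userinfo; give a sharper reason when the
    userinfo is shaped like a domain, since a reader skimming the link sees it first."""
    auth = split_authority(url)
    result = {"url": url, "real_host": auth["host"], "suspicious": False, "reason": ""}
    if auth["scheme"] not in ("http", "https") or auth["userinfo"] is None:
        return result
    shown = auth["userinfo"].split(":", 1)[0]   # drop any ':password' part
    result["suspicious"] = True
    if _DOMAIN_LIKE.match(shown):
        result["reason"] = f"userinfo '{shown}' looks like a hostname, but the link goes to {auth['host']}"
    else:
        result["reason"] = f"http(s) link carries userinfo '{shown}'; browsers connect to {auth['host']}"
    return result

# Constructed sample links (not from the diary); the first mimics the trick described above
SAMPLE_LINKS = [
    "https://facebook.com@ipfs.io/ipfs/EXAMPLE-CID/login.html",
    "https://www.facebook.com/login/",
    "https://ipfs.io/ipfs/EXAMPLE-CID/file@v2.html",   # '@' in the path is not userinfo
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = check_link(link)
        print(("SUSPICIOUS" if r["suspicious"] else "ok        "), r["real_host"], r["reason"])
```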
Read the full entry: