Over the last few months we have been monitoring widespread use of a feature meant to protect networks from attacks, which in this case is being used to carry out targeted attacks. You are probably familiar with DNS solutions such as Damballa, OpenDNS and similar DNS products that protect you from malware by using RPZ (Response Policy Zones), that is, by rewriting legitimate DNS responses with configured DNS data (the policy zone). Typically RPZ is used to deny malware the ability to infect end users on a network. It works by allowing a DNS server to lie to network clients so that they cannot reach the malware, viruses or malicious downloads hosted on the domain being answered for. While this is a great feature for network administrators, it is being used by nation state actors and governments to carry out all sorts of malicious activity.
Detecting the Problem
In order to detect this type of activity, there are several methods you can employ to see whether DNS records are being manipulated. As recently as this morning, we discovered nearly 3000 unique and interesting DNS entries on some major ISPs in the US. These ISPs are running their own DNS servers, which means that all customers of these ISPs are affected.
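One practical check, given here as an added example that is not part of the original alert, is the cross-resolver comparison the post relies on (entries differing between the ISP's resolvers and other networks): collect the same name's answer from the ISP resolver, an independent resolver and the authoritative server, then flag any resolver whose answer diverges. The resolver names, the IP addresses and the policy zone name `rpz.isp-a.example.` below are constructed sample data, and the live query helper assumes the dnspython package.

```python
from dataclasses import dataclass, field


@dataclass
class ResolverView:
    """One resolver's answer for a name: its A records plus owner names of
    any SOA records in the additional section (BIND RPZ places the policy
    zone's SOA there when it rewrites a response)."""
    resolver: str
    a_records: frozenset
    additional_soa: frozenset = field(default_factory=frozenset)


def compare_views(views, reference):
    """Map resolver -> reason for every view whose A records differ from the
    reference (the authoritative server, or a resolver on an unaffected
    network). An RPZ SOA in the response makes the rewrite explicit."""
    findings = {}
    for v in views:
        if v.a_records == reference.a_records:
            continue
        reason = "answer %s differs from reference %s" % (
            sorted(v.a_records), sorted(reference.a_records))
        if v.additional_soa:
            reason += "; RPZ SOA present: " + ", ".join(sorted(v.additional_soa))
        findings[v.resolver] = reason
    return findings


def collect_view(resolver_ip, name):
    """Query one resolver for a live view. Assumes the dnspython package is
    installed; imported lazily so the offline sample below needs no network."""
    import dns.rdatatype, dns.resolver
    r = dns.resolver.Resolver(configure=False)
    r.nameservers = [resolver_ip]
    ans = r.resolve(name, "A")
    soa = {str(rr.name) for rr in ans.response.additional
           if rr.rdtype == dns.rdatatype.SOA}
    return ResolverView(resolver_ip, frozenset(a.address for a in ans), frozenset(soa))


# Constructed sample data standing in for real query results (documentation
# address ranges, not real hosts). Two ISP resolvers return a rewritten
# answer; only one of them also exposes the policy zone's SOA.
REFERENCE = ResolverView("authoritative", frozenset({"198.51.100.10"}))
SAMPLE_VIEWS = [
    ResolverView("isp-a-resolver", frozenset({"203.0.113.7"}),
                 frozenset({"rpz.isp-a.example."})),
    ResolverView("isp-b-resolver", frozenset({"203.0.113.7"})),
    ResolverView("public-resolver", frozenset({"198.51.100.10"})),
]
```

`compare_views(SAMPLE_VIEWS, REFERENCE)` flags both ISP resolvers while the public resolver passes; in practice, feed it views built with `collect_view()` against your ISP's resolver, an independent resolver and the zone's authoritative server.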
It has been known for a while that there are bad DNS servers out there serving clients on the open Internet, but the fact that ISPs are also allowing manipulation is problematic. In fact we have previously warned of CDNs (Content Delivery Networks) doing something very similar, in which clean software installers were being swapped for installers that contain malware. We reported on this twice last year, and you can read about the CDN abuse in the previous blog posts linked below.
Previous Reports of Activity
JS-006-17 - Trojaned CDN Downloaders - Our original alert
Remember our CDN alert? - A follow up article
We started observing some strange activity on several IPs, but after further research realized that the issue was much larger. At the time of the incident we reported the finding to Verizon, and that original host has been cleaned, but many additional content delivery hosts have now taken its place.
The Microsoft Azure Hosting Connection
Upon researching the hostname and looking at its history, we found that both MCI and Verizon have DNS servers behaving in this manner. Unsuspecting users on Verizon's and MCI's networks are being redirected to installers with malware attached, with the file payloads being stored on Microsoft's CDN host. Reviewing Jigsaw Security's historical data for these servers shows 74 exploits, 31 trojans and 2 viruses. The question is why Microsoft is allowing the hosting of malicious content that is being changed by the users daily.
This activity has been occurring since 2015 and, although it has been cleaned up over the years, it is still infecting visitors today. DNS entries for this host are also different on the MCI and Verizon networks from those on other networks (UUNet and the root name servers, for example), indicating that whatever is occurring is being assisted by the operators or owners of these two networks. There may be more.
A look at some open source data shows clearly that there is a connection between these vendors as well as Azure which is where the malware is being hosted.
Looking at the major ISPs' DNS servers shows that this is occurring only on a few distinct Internet service providers and that RPZ is the method of redirection.
As a method of protecting our customers, we have permanently blocked all access to the identified host associated with this activity. Customers can find more information in Jigsaw Security threat intelligence by reviewing events 20934 and 8725, which are our previous CDN alert and the Globe Imposter malware samples that have some overlap with this incident.