Secshow Hackers Exploiting Open DNS Resolvers to Attack Organizations Worldwide

Researchers at Infoblox have identified a large-scale DNS probing operation, active since June 2023, that uses name servers hosted on the China Education and Research Network (CERNET) to find open resolvers and analyze their responses.

The actor's name servers answer the probes with random IP addresses, and Palo Alto Cortex Xpanse's unfiltered scanning amplifies the query volume. Together, these pollute passive DNS data and hinder research on malicious actors.

The researchers named the actor Secshow after the domain names used in its initial probes. The technique not only confuses researchers but can also assist attackers, and it burdens DNS providers with increased query volume.

Secshow, a Chinese actor, is conducting DNS probes on a global scale, sending encoded DNS queries to a wide range of IP addresses (the targets) in search of open resolvers.

A simplified view of the Secshow DNS probing operations; open resolvers result in queries sent to the Secshow actor for resolution

Open resolvers answer recursive queries from any source, which is why they can be abused as reflectors in DDoS attacks. If a probed target is an open resolver, it resolves the query and returns the requested answer.

Otherwise, the target may send an ICMP response or forward the query. These probes can negatively impact internet-facing devices that were never designed to receive DNS queries, such as home routers and IoT devices.

Infoblox first detected Secshow activity in July 2023. The volume was initially low because few open resolvers exist in Infoblox's customer base, but it grew dramatically by fall 2023.

The increase in DNS queries was traced to two sources: the Secshow actor's wildcard name server configurations and Palo Alto Cortex Xpanse's unfiltered scanning. Because of Xpanse's amplification effect, Infoblox's findings on the information encoded in the queries differed from those of other researchers, which shows how the amplification can lead researchers astray.

Demonstration of wildcard responses by the secshow.online name server

Secshow, observed by Infoblox since July 2023, controls domains whose name servers resolve to a wide range of IP addresses.

The name servers answer any subdomain query within their domains (e.g., "f.secshow.online") with a random IP address, but do not answer queries for the bare domain. This behavior is consistent with a DNS-based command and control channel, although the purpose of the random responses remains unclear.
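The wildcard behavior described above leaves a recognizable footprint in passive DNS: the apex name never resolves, while every subdomain seen resolves to a different address. The following script is an added example of how a defender could flag that footprint in passive DNS records; it is not Infoblox's tooling or the actor's code. The records, the "secshow.online" subdomains and the addresses (all from documentation ranges) are constructed for illustration, and the "last two labels" apex rule is a simplifying assumption that a production tool would replace with a public suffix list.

```python
"""Flag domains whose name servers answer every subdomain with a different
(random) IP address while the apex itself returns nothing.

Added example, not code from the original article. All records below are
constructed; the addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict

# Constructed passive DNS records: (query name, A answer or None if no answer)
PDNS_RECORDS = [
    ("secshow.online", None),                 # apex: no answer
    ("f.secshow.online", "203.0.113.9"),
    ("a1b2.secshow.online", "203.0.113.77"),
    ("zz.secshow.online", "198.51.100.4"),
    ("q.secshow.online", "192.0.2.200"),
    ("example.com", "192.0.2.1"),             # normal domain: apex resolves
    ("www.example.com", "192.0.2.1"),
    ("api.example.com", "192.0.2.2"),
]


def apex_of(qname: str) -> str:
    # Assumption: the registrable domain is the last two labels. This holds
    # for the constructed data; a real tool would consult a public suffix list.
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def random_wildcard_domains(records, min_subdomains: int = 3):
    """Return apex domains where (a) the apex was queried and got no answer and
    (b) at least min_subdomains distinct subdomains each resolved to a
    distinct address, i.e. the random-answer wildcard pattern."""
    apex_answers = {}
    sub_answers = defaultdict(dict)  # apex -> {subdomain: answer}
    for qname, answer in records:
        apex = apex_of(qname)
        if qname == apex:
            apex_answers[apex] = answer
        elif answer is not None:
            sub_answers[apex][qname] = answer

    flagged = []
    for apex, subs in sub_answers.items():
        # Only consider apexes we saw queried and that returned nothing.
        if apex not in apex_answers or apex_answers[apex] is not None:
            continue
        if len(subs) >= min_subdomains and len(set(subs.values())) == len(subs):
            flagged.append(apex)
    return sorted(flagged)


if __name__ == "__main__":
    for domain in random_wildcard_domains(PDNS_RECORDS):
        print(f"random-answer wildcard pattern: {domain}")
```

Raising `min_subdomains` reduces false positives from small wildcard zones that legitimately hand out a few distinct addresses; the apex check is what separates the pattern from ordinary round-robin or CDN zones, which normally resolve at the apex too.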

A Google search engine crawl of secshow[.]net shows that the actor was performing research on DNS resolvers

Secshow is performing large-scale scans of the internet to identify vulnerable DNS resolvers. Its techniques include sending DNS queries with the target IP address encoded in the query name and analyzing the response to understand the resolver's behavior.

The checks include source address validation, negative caching policy, and the handling of CNAME and DNAME records. By analyzing the responses, Secshow can potentially identify resolvers with weaknesses that could be exploited in attacks.
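To make the probing mechanism concrete, the following added example (not the actor's tooling, and not Infoblox's code) builds a raw DNS query whose left-most label carries the target's IP address, constructs the reply a resolver would send, and classifies that reply the way a scanner would: an answer with the RA flag set means the target recursed for us and is an open resolver, REFUSED means it is a resolver that rejected us, and anything else is treated as no answer. The article says the target IP is encoded in the query but not how; the 8-hex-digit encoding, the "secshow.online" placeholder domain, the transaction ID and the 203.0.113.0/24 and 198.51.100.0/24 addresses are all assumptions for illustration. Everything is built with the standard library, so it runs offline and sends nothing.

```python
"""Secshow-style probe construction and response classification.

Added example, not code from the article or the actor. Assumptions:
  - the target IPv4 is encoded as 8 hex digits in the first label
    (the article only says the target IP is encoded in the query);
  - PROBE_DOMAIN is a placeholder for the actor's wildcard domain;
  - the resolver reply is constructed here, nothing is sent on the wire.
"""
import ipaddress
import struct

PROBE_DOMAIN = "secshow.online"  # placeholder, see module docstring


def encode_target(ip: str) -> str:
    """Assumed encoding: IPv4 address as 8 lowercase hex digits."""
    return f"{int(ipaddress.IPv4Address(ip)):08x}"


def decode_target(qname: str) -> str:
    """Inverse of encode_target: recover the probed IP from the first label."""
    return str(ipaddress.IPv4Address(int(qname.split(".")[0], 16)))


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def parse_name(msg: bytes, off: int):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2  # caller continues after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode())
        off += n
    return ".".join(labels), (off if end is None else end)


def build_query(target_ip: str, txid: int = 0x1234) -> bytes:
    """Probe sent to target_ip: A query, RD=1, for <hex-ip>.<PROBE_DOMAIN>."""
    qname = f"{encode_target(target_ip)}.{PROBE_DOMAIN}"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN


def build_response(query: bytes, answer_ip=None, rcode: int = 0, ra: bool = True) -> bytes:
    """Constructed resolver side of the exchange: echo the question, set QR,
    RD, optionally RA and RCODE, and append one A record if answer_ip is given."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = parse_name(query, 12)
    question = query[12:qend + 4]  # name + QTYPE + QCLASS
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | (rcode & 0xF)
    an = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, an, 0, 0)
    rr = b""
    if answer_ip:
        rr = (struct.pack("!H", 0xC00C)           # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 60, 4)  # type A, class IN, TTL, RDLENGTH
              + ipaddress.IPv4Address(answer_ip).packed)
    return header + question + rr


def classify_response(resp: bytes) -> str:
    """'open-resolver', 'refused', 'no-answer' or 'not-dns' from the header."""
    if len(resp) < 12:
        return "not-dns"
    flags, _qd, an = struct.unpack("!HHH", resp[2:8])
    if not flags & 0x8000:  # QR clear: not a response at all
        return "not-dns"
    if flags & 0xF == 5:    # RCODE REFUSED
        return "refused"
    if flags & 0x0080 and an > 0:  # RA set and an answer present: it recursed
        return "open-resolver"
    return "no-answer"


def first_a_answer(resp: bytes):
    """Return the address in the first A answer record, or None."""
    qd, an = struct.unpack("!HH", resp[4:8])
    off = 12
    for _ in range(qd):
        _, off = parse_name(resp, off)
        off += 4
    for _ in range(an):
        _, off = parse_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            return str(ipaddress.IPv4Address(resp[off:off + 4]))
        off += rdlen
    return None


def probed_target(query: bytes) -> str:
    """What the actor's name server learns: which target forwarded this query."""
    qname, _ = parse_name(query, 12)
    return decode_target(qname)
```

Because the target's address rides in the query name, the actor's authoritative server learns which probed host forwarded the query even when that host sits behind NAT or a forwarder, which is exactly why the encoded names end up in passive DNS data. Replace `build_response` with a real UDP send to port 53 and a short timeout to turn this into a live scanner; only do that against resolvers you are authorized to test.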

Kaaviya, Security Editor and reporter, Cyber Press (https://cyberpress.org/). She covers cyber security incidents happening in cyberspace.
