A Domain Name System (DNS) blackhole is essentially a DNS server that gives false results for domain names. Also known as a “sinkhole server,” an “Internet sinkhole,” or a “DNS sinkhole,” threat actors sometimes use DNS blackholes to redirect users to potentially harmful sites or pages.

Companies that wish to maintain utmost protection against threats probably prefer to steer clear of DNS blackholes. This post looks into why this is the case using the SideWinder attack as an example and presents one of Threat Intelligence Platform (TIP)‘s new capabilities.

Case Study: SideWinder Attack

Advanced persistent threat (APT) group SideWinder was seen actively targeting various government and military organizations in South Asia since last year. Cybersecurity researchers published a comprehensive list of indicators of compromise (IoCs) related to their campaign, which we analyzed for the presence of DNS blackholes.

As you may already know, APTs can be present in a target network for extended periods without getting detected. Such may be the case for SideWinder targets who have yet to discover the threat’s presence in their infrastructure.

Our analysis revealed DNS blackholes among the published IoCs. This post shows how the Threat Intelligence Platform (TIP) helped us uncover them and what our findings mean.

Uncovering Malicious DNS Blackholes with Threat Intelligence Platform

While careful scrutiny of a domain’s mail exchanger (MX) record then looking it up on a DNS blackhole list can aid in detecting malicious DNS blackholes, the process is time-consuming and may not be sustainable. A tool like TIP can, however, ease this process, giving cybersecurity analysts more time to do other critical tasks.

We’ll illustrate how using the SideWinder IoCs identified by Trend Micro and IBM. Among them are 98 domains that we used as TIP as search terms. Of these, four were identified as DNS blackholes indicated by MX alerts on their TIP results.

The red exclamation point beside “MX,” along with the yellow exclamation point beside “malware,” indicates that the domain could be a malicious DNS blackhole. Confirmation, however, can be obtained by scrolling down to the Real-time blackhole check section under Mail servers. A red Real-time blackhole check section is a sure sign

The four confirmed DNS blackholes among the published IoCs are:

• appleidsupport[.]me
• cdn-sop[.]net
• findmy-phone[.]us
• gov-af[.]org

Clicking “MX” or scrolling down to the Mail servers section of the TIP result page shows more details about the domain based on its MX record, specifically if it appeared in a real-time DNS blackhole list. Here are the real-time blackhole check results for the four domains:

Domains and IP addresses that appear in real-time blackhole check lists are malicious in that they redirect users to dangerous sites or pages. In this particular attack, the pages the domains resolve to are malware hosts as indicated by the yellow exclamation point that appears beside “Malware” on the top of their TIP reports.

All of the subdomains and IP addresses tied to the domains should be avoided to keep SideWinder from potentially siphoning confidential data off your network. These malicious web properties and hosts include imail[.]aop[.]gov-af[.]org, 162[.]255[.]118[.]51, 162[.]255[.]118[.]52, 198[.]54[.]122[.]213, and 198[.]54[.]122[.]215. Malware checks for these on TIP reveal ties to malware or the absence of valid Secure Sockets Layer (SSL) certificates.

Our analysis showed that detecting DNS blackholes is possible without exhausting too much time and effort with the help of TIP. With the tool’s help, your organization can avoid accessing sites or pages that can expose your systems and users to malware, putting your data and infrastructure at great risk.

If you’re interested in conducting similar research and wish to know more about the various tools you can use like TIP, please feel free to contact us on https://threatintelligenceplatform.com.