
March 2025 DTI Newsletter: I Like Newsletters and I Cannot Lie

This is my third iteration of the DomainTools Investigations (DTI) newsletter, so I think by the power vested in self-help books everywhere, I have fully formed a habit (*pats self on the back*).

I’m glad you’ve stuck around to read DTI news from our group of researchers and analysts focused on providing their expertise in investigating, mitigating, and preventing domain- and DNS-based attacks.

We are now one quarter in since launching DTI and we’ve covered a lot of ground in such a short amount of time. In fact, here’s something we posted just moments ago…

HOT OFF THE PRESSES

Just prior to hitting ‘publish’ on this newsletter, the DTI team shared new research regarding a large-scale phishing infrastructure heavily focused on defense and aerospace entities with links to the conflict in Ukraine. There’s no actor currently attributed to this activity, but available evidence indicates this activity is motivated by cyber espionage, with an emphasis on intelligence collection.

Image of a likely phishing page hosted on the domain kroboronprom[.]com, a domain spoofing Ukroboronprom, Ukraine’s largest arms manufacturer.

Why is This Important? This activity is critical to pay attention to: it is not only intelligence gathering relating to the conflict in Ukraine, but the targets are organizations that have provided support to Ukraine’s military efforts in its conflict with Russia.

Read the full analysis here

The Domain Event for Disinformation

We’ve said it before and we’ll say it again: as we iterate our tactics and techniques as defenders, so do malicious actors. We recently found that Russian actors are evolving in how they spread disinformation by exploiting specific registrars, hosting providers, and domain obfuscation techniques to evade detection.

Commonly used registrars of Russian disinformation actors

Why is This Important? As cyber defenders, journalists, and policymakers, it is crucial to stay ahead of these evolving tactics and disrupt their ability to weaponize domain infrastructure for disinformation.

Read the full analysis here

Reading Rainbow


That was one of the best shows, right? I can’t share a reading list without mentioning that show and then getting the theme song stuck in my head. 

My colleague, Ian Campbell, graciously puts together a reading list on what the DTI folks are currently reading/listening to (audiobooks count, people!) 

The goal is to not only share what we’re finding, but to share the findings of others – that’s how we get better as defenders. 

Some of the topics Ian included in his recent reading lists include:

Be sure to check out the reading list for his full recommendations!

Where We’ll Be

  • Closed Door Sessions (Invite-Only, TLP:RED research – say I referred you)
    • Austin – 01 April
    • Boston – 03 April
    • San Francisco – 29 April
  • FIC – 01 to 03 April
  • BSides SF – 29 April
    • My colleague, Austin Northcutt, and I will present WHOIS Your Daddy: Tracking Iranian-backed cyber operations with Passive DNS at 1:30PM PT on 4/26
    • THREE DTI folks at BSides SF? Yep! Malachi will also be there presenting Something’s Phishy: See the Hook Before the Bait
  • RSAC – 28 April – 01 May
    • Meet me and the DTI team at RSAC!

Final Thoughts

Again, if you’re a returning reader from last month, I thank you. If you’re new, I hope you found this newsletter informational, helpful, and worthy of sharing with your peers. 

We share this newsletter via email as well – if you’d prefer to get it in your inbox, sign up here.

If you missed last month’s content, here are some quick links:

Chinese Malware Delivery Domains Part II: Data Collection

BUT WAIT. Would you like to hear more about our Chinese malware research? In tomorrow’s episode of the Breaking Badness Cybersecurity Podcast, I chat with Wes Young from CSIRT Gadgets about what DTI found and how he iterated on the information shared. Here’s a teaser for your viewing pleasure, but get the whole episode tomorrow at 9AM PT!

Thanks for reading – see you next month!

Daniel 

https://www.linkedin.com/in/schwalbe

https://infosec.exchange/@danonsecurity