Pulse Detail — Threat Intelligence

PULSE NAME

Suspicious DNS Probing Operation Amplified

WHITE Secshow AlienVault 2024-06-06 Modified: 2024-06-06

IOCs

MEDIUM VOLUME

This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open DNS resolvers. The probes utilize selective wildcard responses, returning random IP addresses that inadvertently trigger amplification by Palo Alto's Cortex Xpanse product, polluting passive DNS data sources. This amplification hinders analysis of malicious activity and imposes resource burdens on networks worldwide.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1583.002 T1584.003 T1583.001 T1583.004 T1583.003 T1584.002 T1584.004 T1584.001

Indicators of Compromise (17)

All URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	https://research.openresolve.rs/	—	2024-06-06
domain	afusdnfysbsf.com	—	2024-06-06
domain	attacker.fit	—	2024-06-06
domain	bai1du.com	—	2024-06-06
domain	nameserver.fit	—	2024-06-06
domain	prey.fit	—	2024-06-06
domain	savme.xyz	—	2024-06-06
domain	secdns.site	—	2024-06-06
domain	victim.fit	—	2024-06-06
hostname	202404111-40-ans-timeout.l-time.secshow.net	—	2024-06-06
hostname	202404111-40-query-timeout.l-time.secshow.net	—	2024-06-06
hostname	bailiwick.secshow.net	—	2024-06-06
hostname	f.sechow.online	—	2024-06-06
hostname	main.research.openresolve.rs	—	2024-06-06
hostname	query-maxttl.l-httl.secshow.net	—	2024-06-06
hostname	research.openresolve.rs	—	2024-06-06
hostname	test.l.secshow.net	—	2024-06-06

References (1)

↗ https://blogs.infoblox.com/threat-intelligence/what-a-show-an-amplified-internet-scale-dns-probing-operation/