{ "type": "URL", "indicator": "https://research.openresolve.rs/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://research.openresolve.rs/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3901112328, "indicator": "https://research.openresolve.rs/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6661681a0237ceebcd85e03f", "name": "Suspicious DNS Probing Operation Amplified", "description": "This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open DNS resolvers. The probes utilize selective wildcard responses, returning random IP addresses that inadvertently trigger amplification by Palo Alto's Cortex Xpanse product, polluting passive DNS data sources. This amplification hinders analysis of malicious activity and imposes resource burdens on networks worldwide.", "modified": "2024-06-06T07:43:14.977000", "created": "2024-06-06T07:41:14.168000", "tags": [ "amplification", "reconnaissance", "probing", "dns", "open resolvers" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/what-a-show-an-amplified-internet-scale-dns-probing-operation/" ], "public": 1, "adversary": "Secshow", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" }, { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1584.002", "name": "DNS Server", "display_name": "T1584.002 - DNS Server" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 362, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 8, "hostname": 8 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 387075, "modified_text": "727 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666968a92959fbb990ffb235", "name": "Suspicious DNS Probing Operation Amplified | Infoblox", "description": "", "modified": "2024-06-12T09:21:45.588000", "created": "2024-06-12T09:21:45.588000", "tags": [ "cortex xpanse", "secshow", "january", "july", "ip address", "june", "infoblox", "april", "december", "august", "february", "survey", "contact", "tools", "leverage", "speed", "protect", "service", "probe", "icmp", "malware" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/what-a-show-an-amplified-internet-scale-dns-probing-operation/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 11, "hostname": 8 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "721 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blogs.infoblox.com/threat-intelligence/what-a-show-an-amplified-internet-scale-dns-probing-operation/" ], "related": { "alienvault": { "adversary": [ "Secshow" ], "malware_families": [], "industries": [], "unique_indicators": 17 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 20 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/openresolve.rs", "whois": "http://whois.domaintools.com/openresolve.rs", "domain": "openresolve.rs", "hostname": "research.openresolve.rs" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6661681a0237ceebcd85e03f", "name": "Suspicious DNS Probing Operation Amplified", "description": "This analysis discusses a large-scale domain name system (DNS) probing operation that targets open resolvers globally. An actor operating from the China Education and Research Network is conducting these probes, sending queries with encoded IP addresses to identify and measure responses from open DNS resolvers. The probes utilize selective wildcard responses, returning random IP addresses that inadvertently trigger amplification by Palo Alto's Cortex Xpanse product, polluting passive DNS data sources. This amplification hinders analysis of malicious activity and imposes resource burdens on networks worldwide.", "modified": "2024-06-06T07:43:14.977000", "created": "2024-06-06T07:41:14.168000", "tags": [ "amplification", "reconnaissance", "probing", "dns", "open resolvers" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/what-a-show-an-amplified-internet-scale-dns-probing-operation/" ], "public": 1, "adversary": "Secshow", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" }, { "id": "T1584.003", "name": "Virtual Private Server", "display_name": "T1584.003 - Virtual Private Server" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1583.003", "name": "Virtual Private Server", "display_name": "T1583.003 - Virtual Private Server" }, { "id": "T1584.002", "name": "DNS Server", "display_name": "T1584.002 - DNS Server" }, { "id": "T1584.004", "name": "Server", "display_name": "T1584.004 - Server" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 362, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 8, "hostname": 8 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 387075, "modified_text": "727 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "666968a92959fbb990ffb235", "name": "Suspicious DNS Probing Operation Amplified | Infoblox", "description": "", "modified": "2024-06-12T09:21:45.588000", "created": "2024-06-12T09:21:45.588000", "tags": [ "cortex xpanse", "secshow", "january", "july", "ip address", "june", "infoblox", "april", "december", "august", "february", "survey", "contact", "tools", "leverage", "speed", "protect", "service", "probe", "icmp", "malware" ], "references": [ "https://blogs.infoblox.com/threat-intelligence/what-a-show-an-amplified-internet-scale-dns-probing-operation/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 11, "hostname": 8 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "721 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://research.openresolve.rs/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://research.openresolve.rs/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780486854.3010576 }