Cyber Threat Intelligence Information | Infoblox Threat Center

THREAT CENTER

Learn How to Protect Against Latest Attacks

Today’s networks are getting more complex. Paradigm shifts and new trends like digital transformation and IoT are leading to more breaches, attacks and ultimately more risk to your business. Knowing how some of the threats and attacks work can help you put in remediation measures. Read more about some of the recent threats in the sections below and stay protected.

NotPetya

A new type of ransomware started infecting organizations and spread to more than 12,000 systems in Europe and into the Americas on June 27, 2017. This attack was initially thought to be a variant of Petya ransomware. However, upon further analysis, it was found to be a new ransomware variant, NotPetya. It started spreading across networks using Windows Management Instrumentation Command-line (WMIC) or the Microsoft Server Message Block (SMB) exploit known as ETERNALBLUE.

Once NotPetya infects a system, it sets up encryption routines and attempts to spread over the network. It also attempts to extract cached user credentials from the original infected machine and propagates using WMIC. NotPetya doesn’t use a killswitch domain and encryption will happen irrespective of whether the infected system is in an isolated environment or connected to the Internet. As with all ransomware, the end goal is to lock up the files on infected machines and demand a ransom to retrieve the data.

Read the Blog on NotPetya »


WannaCry Impacts 150+ Countries

WannaCry ransomware, launched on May 12, 2017, impacted hundreds of thousands of computers in 150+ countries. It leveraged a known and patched vulnerability in Microsoft Server Message Block (SMB) to spread. It encrypted files on users’ machines and demanded a ransom of up to $600 in Bitcoin to return the files.

Even back in early 2016, the Infoblox threat research team found a 35-fold increase in the creation of domains for ransomware over the previous quarter, setting a new high for the Infoblox DNS Threat Index. Ransomware attacks continue to be a leading threat vector well into 2017. While different ransomware families use different vulnerabilities to infect and spread, they all use DNS to carry out their campaigns. Stay informed on how best to protect your network and devices from ransomware using the resources available on this page.

Watch the webinar on Fighting Ransomware »

Jaff – The Other Ransomware Attack

The Jaff ransomware attack launched at the same time as WannaCry in May 2017. Although it didn’t get the same level of attention, Jaff’s goal is the same as WannaCry’s – to lock up your data for ransom. The Jaff ransomware was launched by Necurs, one of the largest botnets in the world. While the delivery of the ransomware happened through phishing emails, once downloaded, it connects to C&C servers via DNS before beginning the encryption process. The amount demanded as ransom averaged around 2 Bitcoin ($3500).

Watch the webinar on WannaCry and Jaff »

DNS Messenger, a Remote Access Trojan, Opens Dangerous Backdoor

DNS Messenger is a Remote Access Trojan (RAT) that is completely fileless and opens a dangerous backdoor to control infected machines. These infected machines end up forming a botnet that can launch DDoS or other types of attacks. Being fileless, DNS Messenger is harder to detect with traditional tools like antivirus software. But it does use DNS to communicate with Command and Control (C&C) servers, which means using behavioral analytics on DNS queries can help detect it in real time.

Watch our FB live session on DNS Messenger »
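The DNS Messenger section above, and the ransomware sections before it, make the same defensive point: the malware has to talk to its C&C over DNS, so the query stream itself is where the detection signal lives. The script below is an added example, not Infoblox code and not an analysis of any real DNS Messenger sample. It profiles per-client DNS query logs for three behavioral markers that are typical of DNS-tunneled C&C: a high share of TXT queries, many distinct subdomains under one base domain, and high-entropy (random-looking) labels. The log format (`timestamp client qname qtype`), the sample lines, the `beacon-test.example` domain, the client addresses and the thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not captured traffic).
# Format per line: "<unix-timestamp> <client-ip> <qname> <qtype>"
# 10.0.0.7 issues a burst of TXT queries with random 10-character labels,
# the pattern a DNS-tunneling RAT would produce when polling its C&C.
SAMPLE_LOG = """\
1498000001 10.0.0.5 www.example.com A
1498000002 10.0.0.5 mail.example.com MX
1498000003 10.0.0.7 4f2a9c1e8b.beacon-test.example TXT
1498000004 10.0.0.7 9e1d7b3a0c.beacon-test.example TXT
1498000005 10.0.0.7 a7c3e9f1d2.beacon-test.example TXT
1498000006 10.0.0.7 0b8d6e4f2a.beacon-test.example TXT
1498000007 10.0.0.7 c5e2a8f0b3.beacon-test.example TXT
1498000008 10.0.0.7 d1f4b7e9a6.beacon-test.example TXT
1498000009 10.0.0.5 cdn.example.com A
1498000010 10.0.0.9 _dmarc.example.com TXT
"""


def shannon_entropy(s):
    """Bits of entropy per character; random hex labels score near log2(16)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Naive registered-domain guess: last two labels (no public suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_log(text):
    """Parse the constructed log format into (ts, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the analyzer
        ts, client, qname, qtype = parts
        records.append((int(ts), client, qname.lower(), qtype.upper()))
    return records


def profile_clients(records):
    """Aggregate per-client counters used by the behavioral rules."""
    profiles = defaultdict(lambda: {
        "total": 0, "txt": 0,
        "domains": defaultdict(set),  # base domain -> set of subdomain prefixes
        "entropies": [],              # entropy of the leftmost label per query
    })
    for _ts, client, qname, qtype in records:
        p = profiles[client]
        p["total"] += 1
        if qtype == "TXT":
            p["txt"] += 1
        bd = base_domain(qname)
        sub = qname[:-len(bd)].rstrip(".") if qname.endswith(bd) else ""
        p["domains"][bd].add(sub)
        if sub:
            p["entropies"].append(shannon_entropy(sub.split(".")[0]))
    return profiles


def flag_suspicious(profiles, txt_ratio=0.5, min_queries=5,
                    unique_subs=5, entropy=3.0):
    """Return {client: [reasons]} for clients whose DNS behavior looks like tunneling."""
    flagged = {}
    for client, p in profiles.items():
        if p["total"] < min_queries:
            continue  # too little data to judge
        reasons = []
        if p["txt"] / p["total"] >= txt_ratio:
            reasons.append("high_txt_ratio")
        busiest_domain, subs = max(p["domains"].items(), key=lambda kv: len(kv[1]))
        if len(subs) >= unique_subs:
            reasons.append("many_unique_subdomains:" + busiest_domain)
        if p["entropies"] and sum(p["entropies"]) / len(p["entropies"]) >= entropy:
            reasons.append("high_entropy_labels")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in flag_suspicious(profile_clients(parse_log(SAMPLE_LOG))).items():
        print(client, reasons)
```

Running it flags only `10.0.0.7`, on all three rules; the ordinary clients fall under the minimum-query floor or show none of the markers. The `base_domain()` heuristic is deliberately simple: in production you would use a public suffix list, because treating `co.uk` as a registered domain lumps unrelated sites together and inflates the unique-subdomain count. Thresholds need tuning against a baseline of your own resolver logs, since legitimate services (CDNs, anti-spam lookups, DMARC checks) also issue TXT queries and long labels.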

Dyn DDoS Attacks

In the fall of 2016, Dyn, a DNS service provider, was the victim of a large-scale DDoS attack which crippled the Internet and made access to high-profile sites such as Twitter, Netflix, Box, The New York Times and many others sporadic. This attack was launched by a Mirai botnet made up of thousands of insecure IoT devices like Internet cameras and DVRs. The high volume of attack traffic prevented Dyn from responding to legitimate requests. While the Mirai malware exploits weaknesses in IoT devices, there are several simpler DDoS kits available that attackers can take advantage of. Your business can be severely impacted by a DDoS, and recovery can be difficult and expensive.

Watch Cricket Liu Explain how the Dyn Attack Worked »

Download Advanced DNS Protection Eval »
