Analyzed: Chinese Actor SecShow Carries Out Extensive DNS Scanning Globally
Studies in cybersecurity have illuminated the actions of a Chinese entity known as SecShow, engaging in large-scale Domain Name System (DNS) activities across the globe since June 2023.
The adversary, as described by security researchers Dr. Renée Burton and Dave Mitchell of Infoblox, operates from within the China Education and Research Network (CERNET), a network funded by the Chinese government.
In a recent publication, they articulated, “The sole purpose of these probes is to detect and evaluate DNS responses at open resolvers. The ultimate intentions of the SecShow operations remain undisclosed, yet the intelligence garnered could serve malevolent ends and exclusively benefit the entity in question.”
Some indications point to a possible link with academic research centred on “conducting surveys using IP Address Spoofing Approaches on domains within secshow.net”, using methodologies similar to those of the Closed Resolver Project.
Nevertheless, this development raises more questions than it answers, particularly concerning the project’s overall scope, the rationale behind the data collection, the choice of an ordinary Gmail account for receiving feedback, and the general lack of transparency.
Open resolvers are DNS servers that accept and recursively resolve domain names for anyone on the internet, which leaves them exposed to abuse by malicious actors for distributed denial-of-service (DDoS) attacks such as DNS amplification.
At the core of the investigation is the use of CERNET nameservers to identify open DNS resolvers and measure DNS responses. This involves sending a DNS query from an as-yet-unidentified source to an open resolver, causing the SecShow-controlled nameserver to return a random IP address.
Notably, these nameservers are configured to return a different random IP address each time a query arrives from a distinct open resolver, which triggers a cascade of follow-on queries involving the Palo Alto Cortex Xpanse platform.
“Cortex Xpanse interprets the domain name in the DNS query as a URL and endeavors to retrieve content from the random IP address linked to that domain name,” as articulated by the researchers. “Firewalls, including Palo Alto and Check Point, alongside other security apparatuses, execute URL filtering upon receiving requests from Cortex Xpanse.”
Such filtration procedures incite a new DNS inquiry for the domain, compelling the nameserver to unveil a distinct random IP address.
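A defender’s first question about the scanning described above is whether their own DNS servers are the kind of open resolver it relies on. The following is an added example, not code from the Infoblox report: it builds a minimal DNS A query with the RD bit set and judges the reply by the RA bit, RCODE and answer count. The resolver address and query name are placeholders, and the sample replies are constructed for offline testing.

```python
"""Check whether a DNS server behaves as an open recursive resolver."""
import socket
import struct

def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Wire-format A/IN query for `name` with RD=1 (header flags 0x0100)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(data: bytes) -> dict:
    """Return the header fields that decide whether recursion was actually served."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),     # reply bit
        "ra": bool(flags & 0x0080),     # recursion available
        "rcode": flags & 0x000F,        # 0 = NOERROR, 5 = REFUSED
        "answers": an,
    }

def is_open_resolver(resp: dict, qid: int = 0x1234) -> bool:
    """Open if the reply echoes our ID, sets RA, returns NOERROR and at least one answer.
    A properly restricted resolver answers REFUSED with RA clear and no records."""
    return (resp["id"] == qid and resp["qr"] and resp["ra"]
            and resp["rcode"] == 0 and resp["answers"] > 0)

def probe(resolver_ip: str, name: str = "example.com", timeout: float = 2.0) -> bool:
    """Send the query over UDP/53 to a server you operate and evaluate the reply.
    Requires network access; `resolver_ip` is a placeholder you supply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return is_open_resolver(parse_response(data))

# Constructed sample replies (headers only), not captured traffic:
# flags 0x8180 = QR, RD, RA set, RCODE 0, with one answer record -> open resolver
SAMPLE_OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# flags 0x8105 = QR, RD set, RA clear, RCODE 5 (REFUSED), no answers -> closed
SAMPLE_REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
```

Run `probe()` only against resolvers you are responsible for; a REFUSED reply with RA clear is the behaviour you want from an authoritative-only or ACL-restricted server.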
It is worth noting that some aspects of this scanning activity had previously been disclosed by Dataplane.org and Unit 42 researchers over the preceding two months. The SecShow nameservers have been offline since mid-May 2024.
SecShow emerges as the second Chinese-linked threat actor after Muddling Meerkat to engage in in-depth DNS scanning operations on the internet.
“Muddling Meerkat tactics are devised to blend into worldwide DNS traffic and elude detection for over four years, while SecShow practices are transparent encoding of IP addresses and measurement data,” the researchers highlighted.
Rebirth Botnet Renders DDoS Assistance
In a related development, a financially motivated threat actor is advertising a new botnet service known as Rebirth, designed to facilitate DDoS attacks.
The DDoS-as-a-Service (DaaS) botnet is “founded on the Mirai malware lineage, and the operators leverage Telegram and an online outlet (rebirthltd.mysellix[.]io) to advertise its services,” as detailed by the Sysdig Threat Research Team in a recent assessment.
According to the cybersecurity company, Rebirth (also tracked as Vulcan) chiefly targets the gaming community, renting the botnet to other parties at various price tiers so they can hit game servers for financial gain. The botnet has been deployed in the wild since 2019.
The most economical option, known as Rebirth Basic, is priced at $15. Conversely, the Premium, Advanced, and Diamond levels are priced at $47, $55, and $73 respectively. Additionally, there is a Rebirth API ACCESS plan available for $53.
Rebirth malware offers features that enable the initiation of DDoS assaults through TCP and UDP protocols, including TCP ACK flood, TCP SYN flood, and UDP flood.
This isn’t the initial instance of game servers becoming targets of DDoS botnets. In December 2022, Microsoft revealed information about another botnet called MCCrash which is designed to attack private Minecraft servers.
Subsequently, in May 2023, Akamai elaborated on a DDoS-for-hire botnet identified as Dark Frost that has been found engaging in DDoS attacks against gaming firms, providers of game server hosting, online streamers, and even other members of the gaming community.
“By utilizing a botnet like Rebirth, an individual has the capacity to launch DDoS attacks on game servers or other players during live gameplay, potentially leading to glitches in games, slowdowns, or causing the connections of other players to experience lag or crashes,” as per Sysdig.
“This could be financially driven for users of platforms like Twitch, which depend on streamers gaining followers for their business model; essentially converting it into a source of revenue by exploiting gameplay disruptions.”
The California-based company also speculated that prospective Rebirth customers might use it for DDoS trolling (or stresser trolling), in which attacks are directed at gaming servers to disrupt the experience of legitimate players.
The chain of attacks disseminating the malware involves exploiting known security vulnerabilities (e.g., CVE-2023-25717) to deploy a bash script that handles the download and execution of the DDoS botnet malware based on the processor architecture.
The Telegram channel tied to Rebirth has since been wiped of all prior posts. On May 30, 2024, a message was posted stating “Soon we back [sic].” Nearly three hours later, the operators promoted a bulletproof hosting service named “bulletproof-hosting[.]xyz.”