April 29, 2026

DNS Africa Resource Center


Infrastructure Laundering – how DNS as the root of trust offers protection – Security Boulevard


Brian Krebs published this very detailed article today:
krebsonsecurity.com

In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on…
While AWS and Azure were referenced specifically, this isn’t particular to just them. It also happens with Cloudflare, which fronts many scam operations. Just like Amazon and Microsoft, upon receiving notices of broken terms of service they typically respond quickly, but not always, as I’ll show you with a specific example.
With Zero Trust connectivity (the ADAMnetworks application of the Principle of Least Privilege to egress traffic), one way to view it is as DNS being the root of trust.
It is a combination of all of these properties:
Let’s explore how this would work with an actual pig butchering scam that uses the same infrastructure as a legitimate website. Incidentally, this site has been operational for over six months, and Cloudflare is still protecting it at the time of this writing:
For comparison, let’s use a random domain that is a legitimate offering that uses the exact same Cloudflare service:
Both of these FQDNs resolve to this IP address on Cloudflare’s public IPv4 frontend:
Let’s see how a regular user of Zero Trust connectivity is protected by using DNS as the root of trust: a protective resolver and a policy that simply doesn’t resolve unverified destinations:
However, let’s say that it attempts to connect directly by IP address like this:
Whether by domain or directly by IP, the connection fails, as it should.
And yet, if attempting to visit a legitimate website at that infrastructure, no problem:
As an aside, what makes pig butchering scams like this work is that they are highly sophisticated: signups are invitation-only, and the platform offers a mix of real and fake currencies. There’s always a WhatsApp “professor” who guides the victims (alongside bots that appear to have had huge wins) to buy cryptocurrencies with leverage. Confidence is built with some actual long or short positions on the likes of BTC and ETH; the victim is then convinced to go all in on a “whale alliance” trade of a never-before-seen coin and gets rug-pulled at the moment they’re fully exposed. Here’s an example of the rug-pull that happened to one of their victims:
This IHTA coin is fake, as is the entire trading history. Take a look at where this victim was liquidated by a fake drop in the coin price in the middle of a leveraged long position.
Note that we specifically are not IP-blocking. IP-based blocks are sometimes useful as additional defense in depth, but that’s not what is relied upon here.
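As an added illustration (not ADAMnetworks’ code, and not a description of how their product is implemented), here is a small Python model of the behaviour described above: a protective resolver that answers only for verified names, and an egress check that admits a connection to an IP only while a resolution of a verified name for that IP is still within its TTL. The domain names and IP are placeholders, since the post’s screenshots are not reproduced here.

```python
import time
# Constructed sample data (placeholders, not the domains or IP from the post):
# one verified domain, one scam domain, both behind the same shared frontend IP.
VERIFIED_DOMAINS = {"legit-shop.example"}
UPSTREAM_ZONE = {
    "legit-shop.example": ("203.0.113.10", 60),     # (IP, TTL seconds)
    "scam-exchange.example": ("203.0.113.10", 60),  # same shared frontend
}

class DnsGatedEgress:
    """Model of DNS as the root of trust for egress: the protective resolver
    answers only for verified names, each answer leases the returned IP for
    its TTL, and egress is allowed only while a lease is live. No IP is ever
    blocked outright, so shared infrastructure stays reachable for the
    verified tenant and unreachable for the unverified one."""

    def __init__(self, verified, zone, clock=time.monotonic):
        self.verified = verified
        self.zone = zone
        self.clock = clock
        self.leases = {}  # ip -> (name, expiry)

    def resolve(self, name):
        """Return the IP for a verified name; refuse to resolve anything else."""
        if name not in self.verified or name not in self.zone:
            return None
        ip, ttl = self.zone[name]
        self.leases[ip] = (name, self.clock() + ttl)
        return ip

    def connect(self, ip):
        """Permit egress to ip only while a lease from a verified answer is live."""
        lease = self.leases.get(ip)
        if lease is None:
            return False
        _name, expiry = lease
        if self.clock() >= expiry:
            del self.leases[ip]  # stale lease: treated like a direct-by-IP attempt
            return False
        return True

def walkthrough(clock=time.monotonic):
    """Replay the post's three cases; clock is a zero-argument time source."""
    gate = DnsGatedEgress(VERIFIED_DOMAINS, UPSTREAM_ZONE, clock)
    scam = gate.resolve("scam-exchange.example")     # None: never resolved
    direct = gate.connect("203.0.113.10")            # False: direct-by-IP fails
    legit = gate.resolve("legit-shop.example")       # "203.0.113.10"
    allowed = gate.connect("203.0.113.10")           # True: same IP, now leased
    return scam, direct, legit, allowed
```

Once the lease expires, a connection to the same IP fails again until a verified name is resolved afresh, which is what keeps the control leak-proof rather than an IP allow-list.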
Infrastructure laundering is a technique that need not succeed as long as leak-proof egress control is applied, which is now finally practical.
*** This is a Security Bloggers Network syndicated blog from ADAMnetworks® Blog – ADAMnetworks authored by David. Read the original post at: https://support.adamnet.works/t/infrastructure-laundering-how-dns-as-the-root-of-trust-offers-protection/1353