Data Center and Hybrid Cloud for Dummies

Issue link: https://insights.oneneck.com/i/1458399

Page 32 of 82

CHAPTER 2 Security Challenges in Hybrid Clouds 27

These materials are © 2020 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

DNS-based attacks

Every device connected to the Internet has an Internet Protocol (IP) address. DNS is a protocol that translates a user-friendly domain name, such as www.paloaltonetworks.com, to an IP address — in this case, 199.167.52.137. DNS is ubiquitous across the Internet. Without it, people would have to memorize random strings of numbers, which human brains aren't equipped to do very well.

CREDENTIAL THEFT: SHAMOON 2

Palo Alto Networks Unit 42 researchers have been following the Shamoon 2 attacks closely since November 2016. Credential theft is a key part of Shamoon 2 attacks. Shamoon 2 enters and spreads through an organization in three stages:

1. Shamoon 2 attackers access and compromise a single system in the network using Remote Desktop Protocol (RDP) with stolen, legitimate credentials. This becomes their distribution server; they download their tools and malware to this system.

2. Attackers execute commands on the distribution server to connect to specific, named systems on the network using the stolen, legitimate credentials, and infect them with the Disttrack malware.

3. The Disttrack malware executes on those named systems the attacker has successfully infected. The Disttrack malware attempts to connect to and spread itself to up to 256 IP addresses on its local network. Any systems successfully infected in this stage also attempt to infect up to 256 IP addresses on their local networks.

Shamoon 2 attacks are targeted to a specific region, but it would be a mistake to disregard the threat. Shamoon 2 attackers are using a rudimentary, but effective, distribution system of their own making. The power of their attack doesn't lie in the tools they use, but in their ability to obtain and abuse legitimate credentials.
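The stage-3 behaviour above, a single host trying to reach up to 256 addresses on its own local network, is a fan-out pattern a defender can look for in connection telemetry. The following is an added example, not code from the book or from Unit 42: it parses a constructed (hypothetical) connection-log format and flags any source that contacts a threshold number of distinct peers inside its own /24 within a short time window.

```python
"""Flag hosts sweeping their own /24, the spread pattern described for Disttrack.

The log format ("<ISO time> <src_ip> -> <dst_ip>:<port>") and all addresses are
constructed for this example; adapt parse_line() to real firewall or flow logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress


def build_sample_log():
    """Constructed sample, not real telemetry: 10.0.5.20 sweeps its subnet on
    port 445 in under a minute; 10.0.5.7 talks to a few local peers and the
    Internet at a normal pace."""
    base = datetime(2020, 1, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} 10.0.5.20 -> 10.0.5.{i + 1}:445"
             for i in range(40)]
    lines += [f"{(base + timedelta(minutes=i)).isoformat()} 10.0.5.7 -> 10.0.5.{10 + i}:445"
              for i in range(3)]
    lines.append(f"{base.isoformat()} 10.0.5.7 -> 203.0.113.5:443")
    return "\n".join(lines)


def parse_line(line):
    """Split one constructed-format line into (timestamp, src, dst, port)."""
    ts, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def detect_local_fanout(log_text, threshold=20, window=timedelta(minutes=10)):
    """Return {src: peers} for every source that reached at least `threshold`
    distinct hosts in its own /24 within any `window`-long sliding interval."""
    events = defaultdict(list)  # src -> [(timestamp, dst)], local-subnet destinations only
    for line in log_text.splitlines():
        ts, src, dst, _ = parse_line(line)
        if src == dst:
            continue  # a scanner hitting its own address is not a peer
        if dst in ipaddress.ip_network(f"{src}/24", strict=False):
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1  # slide the window start forward
            best = max(best, len({d for _, d in evs[lo:hi + 1]}))
        if best >= threshold:
            flagged[str(src)] = best
    return flagged


if __name__ == "__main__":
    print(detect_local_fanout(build_sample_log()))  # {'10.0.5.20': 39}
```

The threshold and window should be tuned against a baseline of normal east-west traffic; legitimate scanners, backup servers and monitoring hosts will trip the same heuristic and belong on an allow list.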
