Cyber security news for all

    Chinese Entity SecShow Conducts Extensive Global DNS Probing

    Cybersecurity experts have uncovered additional details about a Chinese actor, dubbed SecShow, engaged in extensive Domain Name System (DNS) probing activities globally since at least June 2023.

    According to Infoblox security analysts Dr. Renée Burton and Dave Mitchell, the actor operates from the China Education and Research Network (CERNET), a project underwritten by the Chinese government.

    “These probes aim to locate and measure DNS responses at open resolvers,” they noted in a report released last week. “While the ultimate objective of SecShow’s operations remains unclear, the collected information can be utilized for nefarious purposes and solely benefits the actor.”

    Open resolvers are DNS servers capable of recursively resolving domain names for any entity on the internet, making them prime targets for exploitation by malicious actors to initiate distributed denial-of-service (DDoS) attacks, such as DNS amplification attacks.

    Central to these probes is the deployment of CERNET nameservers to identify open DNS resolvers and assess DNS responses. This process involves dispatching a DNS query from an unspecified origin to an open resolver, prompting the SecShow-controlled nameserver to return a random IP address.

    Interestingly, these nameservers are configured to return a unique random IP address each time a query is made from a different open resolver, a behavior that triggers an amplification of queries by Palo Alto’s Cortex Xpanse product.

    “Cortex Xpanse interprets the domain name in the DNS query as a URL and attempts to retrieve content from the random IP address associated with that domain name,” the researchers elaborated. “Firewalls, including those from Palo Alto and Check Point, along with other security devices, perform URL filtering upon receiving the request from Cortex Xpanse.”

    This filtering step initiates a fresh DNS query for the domain, causing the nameserver to return another random IP address.
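    The two behaviours described above (a nameserver that hands every resolver a different random address, and a security device that re-queries the same name and receives a fresh address each time) both leave a recognizable trace in resolver logs. The following is an added example, not code from the Infoblox report or the researchers: it parses a constructed, simplified resolver log (`<epoch> <resolver_ip> <qname> <answer_ip>`, all addresses from reserved documentation and benchmarking ranges) and flags names whose answers never repeat across resolvers, plus resolver/name pairs that re-query in a loop with a new answer on every round.

```python
"""Flag DNS names whose answers change on every query, and re-query loops.

Added detection example. The log format and sample lines are constructed;
the thresholds (min_resolvers, window, min_count) are illustrative defaults.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample: one probe-style name that returns a different address to
# every resolver (and to the same resolver on each re-query), and one ordinary
# name that resolves consistently.
SAMPLE_LOG = """\
1716800000 198.51.100.10 a1b2.probe.example 203.0.113.7
1716800001 198.51.100.11 a1b2.probe.example 192.0.2.200
1716800002 198.51.100.12 a1b2.probe.example 198.18.5.9
1716800003 198.51.100.13 a1b2.probe.example 100.64.3.3
1716800004 198.51.100.10 www.example.org 203.0.113.80
1716800005 198.51.100.11 www.example.org 203.0.113.80
1716800006 198.51.100.12 www.example.org 203.0.113.80
1716800007 198.51.100.10 a1b2.probe.example 198.18.77.1
1716800008 198.51.100.10 a1b2.probe.example 100.64.9.9
"""


@dataclass(frozen=True)
class Record:
    ts: int
    resolver: str
    qname: str
    answer: str


def parse_log(text):
    """Parse the constructed log format into Record objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, resolver, qname, answer = line.split()
        ipaddress.ip_address(answer)  # raises ValueError on a malformed answer
        records.append(Record(int(ts), resolver, qname.lower().rstrip("."), answer))
    return records


def find_random_ip_names(records, min_resolvers=3):
    """Names seen from several resolvers where no two queries got the same answer.

    A stable name resolves to a small, repeating set of addresses; a nameserver
    that answers with a fresh random address yields as many distinct IPs as
    there were queries. Returns {qname: set_of_answers}.
    """
    by_name = defaultdict(list)
    for r in records:
        by_name[r.qname].append(r)
    flagged = {}
    for qname, recs in by_name.items():
        resolvers = {r.resolver for r in recs}
        answers = {r.answer for r in recs}
        if len(resolvers) >= min_resolvers and len(answers) == len(recs):
            flagged[qname] = answers
    return flagged


def find_requery_loops(records, window=60, min_count=3):
    """Resolver/name pairs re-queried within `window` seconds, new answer each time.

    This is the trace a URL-filtering device leaves when it follows each random
    address with another lookup. Returns [(resolver, qname, queries_in_window)].
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r.resolver, r.qname)].append(r)
    loops = []
    for (resolver, qname), recs in groups.items():
        recs.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:
                start += 1
            span = recs[start:end + 1]
            if len(span) >= min_count and len({r.answer for r in span}) == len(span):
                loops.append((resolver, qname, len(span)))
                break
    return loops


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, ips in find_random_ip_names(recs).items():
        print(f"random-answer name: {name} ({len(ips)} distinct IPs)")
    for resolver, name, n in find_requery_loops(recs):
        print(f"re-query loop: {resolver} -> {name} ({n} queries, all different answers)")
```

    On real resolver logs the first check should be restricted to A/AAAA answers and given a higher `min_resolvers`, since CDN names with large address pools can also produce many distinct answers; the re-query loop check is the more specific of the two signals.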

    It’s important to highlight that certain aspects of these scanning activities had been previously disclosed by Dataplane.org and Unit 42 researchers over the past two months. As of mid-May 2024, SecShow nameservers are no longer responsive.

    SecShow represents the second China-linked threat actor, following Muddling Meerkat, to conduct large-scale DNS probing activities on the internet.

    “Muddling Meerkat’s queries are designed to blend into global DNS traffic and remained undetected for over four years, whereas SecShow’s queries transparently encode IP addresses and measurement data,” the researchers explained.

    Rebirth Botnet Advertises DDoS Services

    In related developments, a financially motivated threat actor has been observed marketing a new botnet service called Rebirth to facilitate DDoS attacks.

    The DDoS-as-a-Service (DaaS) botnet, based on the Mirai malware family, is advertised through Telegram and an online storefront (rebirthltd.mysellix[.]io), according to the Sysdig Threat Research Team’s recent analysis.

    Sysdig’s report indicates that Rebirth (also known as Vulcan) primarily targets the video gaming community, renting out the botnet to other actors at various price points to attack game servers for financial gain. The earliest indications of the botnet’s deployment date back to 2019.

    The most affordable plan, Rebirth Basic, costs $15, while the Premium, Advanced, and Diamond tiers are priced at $47, $55, and $73, respectively. There is also a Rebirth API ACCESS plan available for $53.

    Rebirth malware is capable of launching DDoS attacks over TCP and UDP protocols, including TCP ACK flood, TCP SYN flood, and UDP flood.

    This isn’t the first instance of game servers being targeted by DDoS botnets. In December 2022, Microsoft revealed details about another botnet, MCCrash, designed to attack private Minecraft servers.

    In May 2023, Akamai detailed a DDoS-for-hire botnet named Dark Frost, which has launched DDoS attacks against gaming companies, game server hosting providers, online streamers, and even members of the gaming community.

    “With a botnet like Rebirth, an individual can DDoS the game server or other players in a live game, causing games to glitch or slow down, or other players’ connections to lag or crash,” Sysdig noted.

    “This can be financially motivated for users of streaming services like Twitch, where a streaming player’s follower count can generate income; essentially, it monetizes a disrupted game.”

    Sysdig theorized that potential customers of Rebirth might also use it for DDoS trolling (also known as stresser trolling), where attacks are launched against gaming servers to disrupt the experience for legitimate players.

    Attack chains distributing the malware exploit known security vulnerabilities (e.g., CVE-2023-25717) to deploy a bash script that handles downloading and executing the DDoS botnet malware based on the processor architecture.

    The Telegram channel associated with Rebirth has since been purged of old posts, with a message posted on May 30, 2024, stating, “Soon we back [sic].” Approximately three hours later, they advertised a bulletproof hosting service called “bulletproof-hosting[.]xyz.”
