Infoblox – Security Review Magazine (https://securityreviewmag.com)
We bring you the latest from the IT and physical security industry in the Middle East and Africa region. Feed last updated Mon, 05 May 2025 13:31:02 +0000.

Inside the Shadowy World of Investment Scams: How Fraudsters Use Facebook and Fake News
https://securityreviewmag.com/?p=28156 – Mon, 05 May 2025 13:31:02 +0000

$5.7 billion—that is how much money U.S. consumers reported losing to investment scams in 2024. For context, that is enough to fund five Mars rover missions. The painful irony? These victims were not being reckless—they were trying to create financial security and build a failsafe for the future. Instead, they were manipulated, defrauded, and left more vulnerable than before.

New research from Infoblox Threat Intel spotlights two of these investment scam actors: Reckless Rabbit and Ruthless Rabbit. Reckless and Ruthless Rabbit both utilize registered domain generation algorithms (RDGAs) to scale their malicious campaigns and lure victims into their trap by using well-known names to appear trustworthy.

Reckless Rabbit is a threat actor that uses Facebook ads to promote fake investment platforms. They exploit fake celebrity endorsements and create thousands of domains to evade detection:

  • Malicious Facebook Ads: Reckless Rabbit uses Facebook ads to lure victims into their scams. These ads often feature fake celebrity endorsements to make the scams appear more credible.
  • Wildcard Domain Name System (DNS) Responses: The actor sets up its domains so that queries to any subdomain will return a response. This creates noise in DNS and makes it difficult to identify which subdomains are actually being used for scams by the actor.
  • Global Targeting: Reckless Rabbit targets victims across multiple countries, using localized content to increase the believability of their scams.

Ruthless Rabbit is a threat actor that operates its own cloaking service to perform validation checks on users. They primarily target victims in Eastern Europe, impersonating real local news websites or even big brands like WhatsApp or Meta:

  • Cloaking Service: Ruthless Rabbit operates a cloaking service to perform validation checks on users, filtering out non-target traffic and making their scams harder to detect.
  • Spoofed News Sites: They often spoof real news websites or big brands, such as Russian news sites or WhatsApp, to lure victims into their scams.
  • Dynamic URL Paths: Ruthless Rabbit uses dynamic URL paths for their scam landing pages, constantly changing them in order to make tracing them harder.

The success of these investment scams hinges on two key elements: chaos and trust. In chaotic times, individuals are more likely to seek quick financial gains. Cybercriminals exploit this chaos by creating a sense of urgency and fear of missing out on a good and easy investment opportunity. At the same time, they leverage trust by using familiar and accepted sources, such as celebrity endorsements and well-known news sites, to make their scams appear legitimate.

The fact that criminals rely on DNS exploitation for their large and sophisticated campaigns enables defenders to use DNS as an important pillar for security. Through the lens of DNS, Infoblox Threat Intel researchers are able to leverage automated detection and correlate these investment scam domains at scale.

Users should exercise extreme caution when asked to invest in any project or company. Double-check any domain with a major search engine to ensure it is not a spoofed or fake site. Any media claiming sponsorship of the platform by major sports figures or celebrities should be treated with caution and users should consider that those claims could have been produced using AI. Organizations that use Protective DNS services with strong threat intelligence behind it can protect all of their users from these scams by preventing access to the fake media and platforms.

RDGAs are a sophisticated evolution of the traditional domain generation algorithms (DGAs) that cybercriminals use to generate large numbers of domain names for malicious activities. These algorithms are used in malware, phishing, spam, scams, gambling, traffic distribution systems (TDSs), VPNs, and advertising. They not only allow threat actors to continuously create new domains; because the domains are registered, they also make it difficult for security systems to block them all, so advanced detection methods are required to stay ahead of these evolving threats.

The Infoblox Threat Intel team names RDGA actors as “rabbits.” This means that actors in this category algorithmically create and then register domains. They differ from traditional DGAs in that all of the domains are registered. These malicious domains may be used for a wide range of purposes including malware, phishing, scams, and spam.

Dirty Money, Dirty Games: Infoblox Exposes Football Sponsor’s Dark Secret
https://securityreviewmag.com/?p=26969 – Wed, 24 Jul 2024 14:43:49 +0000

Infoblox has announced a significant breakthrough in cybercrime investigation with the unmasking of a threat actor that the company has named “Vigorish Viper.” Vigorish Viper is a Chinese organized crime syndicate that utilizes a sophisticated technology suite to take advantage of the global $1.7 trillion illegal sports gambling economy, with links to money laundering and human trafficking operations across Asia. This Infoblox discovery marks a significant milestone in the ongoing battle against global cybercrime using DNS intelligence.

“Vigorish Viper represents one of the most sophisticated and important threats to digital security that we have discovered to date,” said Dr. Renée Burton, Vice President, Infoblox Threat Intel. “Infoblox Threat Intel used cutting-edge DNS research to discover the technologies underpinning the syndicate. Vigorish Viper created a complex infrastructure with multiple layers of traffic distribution systems (TDSs) using DNS CNAME records and JavaScript, which makes it incredibly difficult to detect. These systems are complemented by their own encrypted communications and custom-developed applications, making their activities not only elusive but also remarkably resilient.”

Vigorish Viper is a name derived from the gambling world’s exorbitant fees levied on unlucky bettors. The term vigorish, or vig for short, is used by organized crime syndicates to refer to these fees. Viper refers to the complex combination of TDSs and convoluted brand relationships that the actor employs to route users to content. Vigorish Viper leverages sponsorship of popular European sports teams to advertise for their illegal gambling sites, which primarily target Greater China.

Dr. Renée Burton added, “This work is particularly important because it connects the physical crimes of human trafficking, money laundering, and fraud, to online crime in a way that hasn’t been done before. We can now see that organized crime is executing a cunning strategy that uses unwitting European clubs to fuel their criminal cycle.” The research report from Infoblox details the discovery of Vigorish Viper, how it operates from a technical perspective, its ties to organized crime, and its role in the European football sponsorship scandals. Key findings include:

  1. Sophisticated Tech Suite: Vigorish Viper’s technology suite is a comprehensive cybercrime supply chain, encompassing software, DNS configurations, website hosting, payment systems, and mobile apps.
  2. Criminal Connections: The technology was developed by the notorious Yabo Group (also known as Yabo Sports or Yabo) prior to its reported dissolution in 2022. The Yabo Group has been linked to controversy in Europe surrounding the use of certain football club sponsorships, including several in the English Premier League such as Manchester United, to illegally advertise unregulated gambling sites in Asia. The Asian Racing Federation (ARF) Council on Anti-Illegal Betting and Related Financial Crime identified Yabo as “possibly the biggest illegal gambling operation targeting Greater China” and directly tied it to practices of modern slavery in which victims are forced to support gambling services.
  3. Elusive Operations & DNS Knowledge: Vigorish Viper operates a vast network of over 170,000 active domain names, evading detection and law enforcement through its sophisticated use of DNS CNAME traffic distribution systems.
  4. European Sponsorship Controversy: The network is implicated in a scheme that involves securing European football club sponsorships on screens during games, or on player jerseys for example, to advertise illegal gambling sites in Southeast Asia, exploiting the clubs’ popularity to attract bettors.
  5. Interconnected Threats: Tens of seemingly unrelated gambling brands that advertise by way of sponsorship deals with certain European sports teams use Vigorish Viper technology. While these brands appear distinct, they operate more like the branches of a franchise, further highlighting the importance of a holistic view of such threats that only DNS brings to the table.

“DNS analytics led to the discovery of Vigorish Viper and constitutes the best mechanism for tracking the actor’s infrastructure. Stopping Vigorish Viper is also most effective via DNS because the actor changes rapidly,” added Burton. Adding to the gravity of the situation, despite gambling being almost completely illegal in Greater China, it is estimated that citizens in the region bet nearly $850 billion annually. This staggering figure underscores the scale and complexity of Vigorish Viper’s operations, with significant implications for global cybercrime.

RDGAs Exposed: Infoblox Uncovers Million-Dollar Domain Fraud
https://securityreviewmag.com/?p=26954 – Sat, 20 Jul 2024 09:11:19 +0000

Infoblox Threat Intel released a threat landscape study of the use of registered domain generation algorithms (RDGAs) by malicious actors today. An RDGA differs from the traditional malware domain generation algorithm (DGA) in that all the domains are registered. Infoblox was the first to describe the technique back in October of 2023. RDGAs allow actors to scale their operations quickly and avoid detection. Since introducing the terminology, Infoblox has published research showing how RDGAs were used in malware, malicious link shorteners (Prolific Puma), and in traffic distribution systems (VexTrio Viper/Savvy Seahorse).

Infoblox Threat Intel has developed multiple algorithms to discover and track RDGAs in the wild, including patent-pending detection of emerging clusters of RDGA domains. With these detectors, Infoblox discovers tens of thousands of new domains every day, capturing them into clusters of actor-controlled assets. Most of these domains surprisingly go unnoticed by the security industry. In the new study of the RDGA threat landscape, Infoblox has found that the use of RDGAs has grown over the past few years and shows how domains created with them are used, including numerous examples from scams to malware.

The most remarkable example included is an RDGA controlled by the actor Infoblox named Revolver Rabbit. This actor has registered over 500,000 domains costing them over $1 million in registration fees. At the same time, discovering the purpose of these domains was a challenge. Infoblox Threat Intel has been tracking Revolver Rabbit for nearly a year but was stumped for months on the threat actor’s motivation.

How can so many domains be registered without a trace of malicious activity? Recently Infoblox solved the puzzle: Revolver Rabbit uses the RDGA to create command and control (C2) and decoy domains for XLoader (aka Formbook) malware. This malware is an information stealer typically delivered via phishing emails. It must be a profitable malware for Revolver Rabbit given their investment in domain names. Connecting the Revolver Rabbit RDGA to an established malware after months of tracking highlights the importance of understanding RDGAs as a technique within the threat actor’s toolbox.

The landscape study shows that RDGAs are a formidable and underestimated threat. Actors can easily scale their spam, malware, and scam operations often without fear of detection by the security industry. Moreover, automation in the domain registration services makes it easy for cybercriminals to use an RDGA. The study intends to raise awareness and shed light on the growing trend in malicious domain registrations.

Infoblox Uncovers VexTrio’s Extensive Criminal Affiliate Scheme
https://securityreviewmag.com/?p=26355 – Wed, 24 Jan 2024 13:12:06 +0000

Infoblox has recently unveiled new research that provides crucial insights into the cybercriminal entity known as VexTrio. This research exposes VexTrio’s intricate network of malicious connections with other cybercriminal enterprises, such as ClearFake and SocGholish. The research, conducted in collaboration with the security researcher who discovered the ClearFake malware, aims to reveal the extent of these threat actors’ affiliations and expose their illicit activities that have been detected globally.

VexTrio controls a vast and malicious network that reaches a broad audience of internet users. Through a criminal affiliate program with over 60 partners, including high-profile entities like SocGholish and ClearFake, it has become the most pervasive DNS threat actor. Operating for six years and impacting over 50% of customer networks, its role as an invisible traffic broker has kept it undetected by other vendors, complicating detection and tracking.

Infoblox’s research has also yielded several other significant findings:

  • VexTrio uniquely operates its affiliate program, providing a small number of dedicated servers to each affiliate.
  • VexTrio’s affiliate relationships appear to be longstanding. For instance, SocGholish has been a VexTrio affiliate since at least April 2022. ClearFake, though active for less time overall, is assessed to have worked with VexTrio throughout its lifetime, at least since launching its campaigns in August 2023.
  • VexTrio attack chains can include multiple actors. Four actors have been observed in an attack sequence.
  • VexTrio and its affiliates are abusing referral programs related to McAfee and Benaughty.
  • VexTrio controls multiple TDS networks, which function in different ways. A new DNS-based TDS was first observed in late December 2023.

Infoblox has been tracking VexTrio via DNS since 2020, but new evidence shows their enterprise began in 2017, possibly earlier. The ongoing evolution of VexTrio, coupled with its partnership with significant actors like SocGholish, highlights its crucial role in the criminal industry, contributing to the industry’s lack of recognition.

VexTrio’s affiliate program operates similarly to a legitimate marketing affiliate network. Each cyberattack uses DNS infrastructure owned by multiple cybercriminal entities. Participating cybercriminal affiliates will forward user traffic originating from their services (such as a compromised website) to VexTrio-controlled TDS servers. Subsequently, VexTrio relays these flows of user traffic to other cybercriminal affiliate networks or fake web pages. In many cases, VexTrio also redirects victims to their ongoing phishing campaigns.

While SocGholish and ClearFake are most associated with malware and fake software update pages, these two entities operate TDS servers to route internet users based on their details – device information, operating system, location, and other personal details.

The research underscores the critical role of TDS in the estimated $8 trillion cybercrime economy. Globally, the cost of cybercrime is estimated at over US$7 trillion and is expected to grow steadily over the years. In the Asia-Pacific region, the rapid pace of digitalization and the accelerated adoption of new technologies have made it one of the major hotspots for cybercrime.

How Bad Guys are Undermining Trust in Multi-factor Authentication (MFA)
https://securityreviewmag.com/?p=26199 – Fri, 17 Nov 2023 13:25:56 +0000

Written by Dr. Renée Burton, Sr Director of Threat Intelligence for Infoblox

Over the last several years, the adoption of multi-factor authentication (MFA) has gained momentum. Consumer advocates and government agencies alike recommend that everyone adopt the technology. As is often the case, when something becomes popular, it becomes a target; MFA is no different. Years ago, security campaigns encouraged users to move from easily guessed passwords to stronger passwords containing a variety of characters. In doing so, individuals and enterprises gained a sense of confidence from adopting another defence against criminals lurking on the internet.

But criminals are both persistent and smart: as people got tired of remembering all their now-complex passwords, they started storing them in password “wallets,” which the bad actors then targeted. Essentially, the same has happened with MFA. Multi-factor authentication, also known as two-factor authentication (2FA), adds additional security to online accounts and systems by requiring a user to verify their login request with something beyond their password. As users have become more confident in and reliant on MFA preventing compromise, threat actors began targeting MFA services as they were commercialized into a fairly small number of brokers. In defence, we are introducing a new algorithm class in Threat Insight called Rapid Domain Triage. With this capability, BloxOne Threat Defense customers will be able to automatically block suspicious domains in near real-time and be alerted of activity that will allow them to remediate attacks more quickly.

As Infoblox and others have reported, fake MFA domain attacks have risen greatly in the last 15 months, aided by a cheap toolkit available on the dark market to quickly implement an adversary-in-the-middle (AiTM) attack at scale. While the specifics vary, a common MFA attack works like this:

  • the attacker obtains a set of phone numbers of their targets
  • they register a domain name that is a lookalike to MFA, 2FA, Okta, Duo, or one of a handful of other well-known verification keywords
  • they use a toolkit to send out SMS text messages with some kind of urgent message requesting the user to verify their credentials to an account
  • when the user clicks on the link, the attacker actively interacts with them and intercepts the MFA codes; they may even phone the victim to further the deception
  • the attacker relays the user’s MFA codes into the real system and gains access to the user’s account
  • from there, the actors may perform other attacks to gain further access and escalate their privileges, or they may just steal user information and move on

These phishing attacks are used against consumers and enterprises alike. Infoblox has custom algorithms designed to detect the registration and utilization of MFA-lookalike domains, and we observe both widespread targeting of banking and other financial services, as well as spear phishing of institutions. We have seen a consistent rise in these attacks since June 2022 and detect hundreds of new MFA-lookalike domains every month. Mandiant recently reported that MFA SMS phishing (smishing) is a favourite technique of Scattered Spider, the actor behind the disruption of both MGM International and Caesars’ networks in September 2023.

We detect dozens of these domains queried in customer networks every month. While that may not seem like many, it only takes one successful phish to compromise a network. Software company Retool disclosed that this exact scenario happened to them in late August 2023, impacting nearly 30 of their cloud customers. As Coinbase had done earlier this year, Retool provided a detailed account of the hack. In the Retool case, a Google setting, designed as a convenience feature for users, allowed the attacker much more significant access to internal networks than they would have gained from a standard AiTM smishing attack. Retool rightfully pointed out that in this case, MFA was no longer MFA because access to a single user’s Google account gave them access to all of that user’s internal applications. The hackers had successfully targeted both the company’s MFA authentication and Google’s MFA synchronization.

The details that Retool provided allowed us to take a closer look at the attack and compare its domains with others we have detected recently as MFA phishing. Retool fell victim to a spear-smishing attack on August 27th. A number of their employees received SMS messages indicating a problem that might prohibit their ability to enrol in healthcare coverage and including a link that appeared to be an Okta login. While most recipients disregarded the text messages, one employee followed the link. In this case, the attacker immediately phoned the employee pretending to be a member of their IT department.

This extra step helped cement employee trust; when the employee provided their MFA credentials, the attacker gained access to their corporate Google account. Unfortunately, they also were able to retrieve the user’s MFA tokens for other applications and penetrate internal networks. As Retool explains, this attack was not the fault of the employee. Hackers like this are con artists, and con artists are successful because they are good at social engineering, not because their victims are stupid. The scenario Retool faced has increasingly been observed over the last 15-18 months, although it was exacerbated by a GSuite setting that synchronized all of their active tokens into the cloud.

The link that the Retool employee clicked on was this:

https://retool[.]okta[.]com[.]oauthv2[.]app/authorize-client/xxx

The second level domain, oauthv2[.]app, was registered the same day it was used against Retool, August 27th. We have found that almost 100% of MFA-lookalike domains are used by the actor within 24 hours of registration. This is in startling contrast to the bulk of phishing domains we observe, where only 55% of them were used the same day they were registered. Many years ago, phishing domains were registered and used immediately, then dropped nearly as quickly, in a rapid cycle.

However, the security industry was quick to develop a response to these tactics including the blocking of newly registered domains and the development of scanning systems that looked for active phishing content based on registration data. Phishers responded by delaying the use of their domains, a practice called strategic ageing. Our data over the last 5 years has consistently shown a trend in phishing toward strategic ageing, with over 30% of domains being first observed in campaigns more than 3 days after registration.

If phishers wait to use their domains, why do those using MFA-lookalikes use them in campaigns immediately? We don’t know for sure, but we suspect it is an attempt to catch security systems unprepared. Unlike common phishing attacks, Retool employees were targeted using specific information about their company healthcare enrollment; this is called spearphishing. In these highly focused attacks, the actor typically creates a domain name that combines terms that reference multifactor authentication, such as 2FA, Okta, MFA or verify, with the company name. In the Retool attack, the domain oauthv2[.]com looks like a verification domain, but the actor added both retool and okta into the subdomains to further their deception. However, this kind of domain is likely to be picked up by domain name-based detection systems like ours. Indeed, it was. By acting quickly, the actor took advantage of the delay in security systems.

While there is no evidence that the domain oauthv2[.]com was used to target other companies, they could easily do so with a structure similar to the one used in the attack. We can see from global passive DNS (pDNS) data that the same actor registered a number of MFA lookalike domains around the same time. They appear to be targeting both general consumers and specific enterprises, based on the breadth of subdomains we observed in pDNS, as well as the other domains they have registered. Several of the subdomains suggest Coinbase, FedEx, ShipBob, and Cox Communications have been targeted, among others.

We detected a likely different actor conducting similar operations in September. The domains com-2fa[.]support, com-2fa[.]help, reset-2fa[.]com, and com-reset[.]help included Coinbase in the subdomains, e.g., coinbase.com-2fa[.]support. Based on our MFA lookalike detections over the past 6 months, Coinbase may be the most targeted of all companies for recent MFA spear phishing attacks, with a fairly constant set of domains designed to fool their customers or employees. Similar to the Retool attacker, this actor runs a range of phishing attacks including lookalikes to various cryptocurrency sites.

While generic MFA lookalikes are common, we also detect a large number of malicious domains that include both a company lookalike and a term associated with MFA. Often the company name will be shortened or misspelled. Financial institutions and internet service providers are common targets of this approach. Examples of such phishing domains observed in September include samtanfe-verify[.]click, 2fa-portal-nsandi[.]com, scotiasecureinfo-verify[.]services, and verify-wick[.]xyz. These domains are lookalikes to entities in banking and Discord bots.
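A defender-side heuristic for the pattern described above (brand or verification keywords placed in a hostname whose registrable domain is not the brand's own, a "com" label used to imitate a real hostname, and use of the domain within 24 hours of registration), written as an added example and not Infoblox's own detection code. The keyword lists, the allow-list of genuine brand domains, the two-label registrable-domain rule and the timestamps are assumptions; the sample hostnames are the defanged ones quoted in this article.

```python
"""Heuristic triage of MFA-lookalike URLs (added example, not Infoblox code).

Applies the pattern the article describes: MFA or brand keywords in a hostname
whose registrable domain is NOT the brand's own, TLD-looking labels used to
mimic a real hostname, and use within 24 hours of registration. Keyword lists,
allow-list, the two-label registrable-domain rule and timestamps are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
from urllib.parse import urlsplit

# Verification-related terms the article says actors combine with a brand name.
MFA_TERMS = ("2fa", "mfa", "okta", "duo", "verify", "oauth", "reset")
# Brand fragments from the domains quoted in the article (assumed list).
BRANDS = ("retool", "okta", "coinbase", "fedex", "shipbob", "cox",
          "scotia", "nsandi", "wick")
# The brands' genuine registrable domains (assumed): hosts under these are real.
KNOWN_GOOD = {"okta.com", "coinbase.com", "retool.com", "duo.com"}
FAKE_TLD_LABELS = {"com", "net", "org"}
SUSPICIOUS_AT = 3


@dataclass
class Verdict:
    host: str
    registrable: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_AT


def refang(text: str) -> str:
    """Turn the article's defanged form (example[.]com) back into a hostname."""
    return text.replace("[.]", ".")


def split_host(host: str):
    """Return (subdomain labels, registrable domain). Assumption: the last two
    labels are the registrable domain; a real deployment must use the Public
    Suffix List, otherwise brand.co.uk-style hosts are split incorrectly."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return [], host.lower()
    return labels[:-2], ".".join(labels[-2:])


def found(text: str, words) -> List[str]:
    # Substring match, so a shortened brand like "scotia" still hits.
    return [w for w in words if w in text]


def triage(url: str, registered: Optional[str] = None,
           first_seen: Optional[str] = None) -> Verdict:
    """Score one URL. registered/first_seen are ISO 8601 timestamps for the
    domain's registration and first DNS observation (WHOIS, passive DNS)."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    subs, reg = split_host(host)
    v = Verdict(host, reg)
    if reg in KNOWN_GOOD:
        # The decision hinges on the registrable domain, not the labels in
        # front of it: login.okta.com is Okta, retool.okta.com.oauthv2.app is not.
        v.reasons.append("registrable domain is the brand's own")
        return v
    sld = reg.split(".")[0]
    # retool.okta.com.oauthv2.app: a "com" label in the subdomain mimics the
    # real hostname retool.okta.com; com-2fa.support puts it in the SLD itself.
    if FAKE_TLD_LABELS & set(subs):
        v.score += 2
        v.reasons.append("TLD-looking label inside the subdomain")
    if FAKE_TLD_LABELS & set(sld.split("-")):
        v.score += 2
        v.reasons.append("TLD-looking label inside the registrable domain")
    mfa_hits = found(sld, MFA_TERMS)
    brand_in_subs = found(".".join(subs), BRANDS)
    brand_in_sld = found(sld, BRANDS)
    if mfa_hits and brand_in_subs:
        v.score += 3
        v.reasons.append(f"brand {brand_in_subs} in subdomain of MFA-themed {reg}")
    elif mfa_hits and brand_in_sld:
        v.score += 3
        v.reasons.append(f"brand {brand_in_sld} combined with {mfa_hits} in {reg}")
    elif mfa_hits:
        v.score += 1
        v.reasons.append(f"MFA keyword {mfa_hits} in registrable domain")
    if registered and first_seen:
        age = datetime.fromisoformat(first_seen) - datetime.fromisoformat(registered)
        if age <= timedelta(hours=24):
            v.score += 2
            v.reasons.append("queried within 24 hours of registration")
    return v
```

Feed triage() the hostnames from a proxy log or passive DNS export, adding registration and first-seen timestamps where WHOIS and pDNS provide them; the Retool URL scores highest only when the same-day timing is supplied, which is the signal the article says distinguishes these attacks from strategically aged phishing domains.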

While we detect hundreds of MFA lookalikes every month, we detect tens of thousands of lookalikes of commercial enterprises and services. Frequently threat actors, like the one that attacked Retool, will dabble in a variety of methods to exploit users, including general lookalike phishing domains as well as spear phishing. The actor who registered com-2fa[.]support, for example, also registered coinbase-live[.]support and smart-core[.]fr, both lookalikes to cryptocurrency companies.

The sheer number of lookalike domains we detect demonstrates the burden on users to guard both their home and their workplace. While some security pundits argue that successful attacks highlight the need for more vigilance on the part of users, shaming users for the failure of security systems to protect them is not the answer. Infoblox has had lookalike detection in place for three years, and specially tuned MFA-lookalike detection since early this year, in order to find and block the domains before they impact our customers. We are constantly refining our approach and learning from events where we failed to detect malicious activity.

Although the Retool compromise came via an SMS message, MFA lookalike attacks are delivered in other ways as well. Phishing emails, compromised and fraudulent websites, and malvertising are all ways that an attacker can deliver a link. Earlier this year, the US Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory regarding a phishing campaign that involves the malicious use of legitimate remote monitoring and management (RMM) software. In those incidents, the attacker prompted the user to enter a lookalike domain over the phone into a web browser. There are many ways to trick a user into visiting a domain!

Whether you are receiving a prompt for MFA as a consumer or an employee, be sceptical if there is anything unusual about it. Criminals have all day to think about new ways to fool you so it is important to be ever vigilant. At the same time, we in the security industry shouldn’t participate in victim blaming. It is our job to constantly improve our abilities to automatically thwart the bad guys and try to turn the tables on them. With MFA lookalikes and the broad push to adopt the technology, we’ve also given them a way to focus their attention.

We became alarmed by the use of MFA-lookalike domains immediately following their registration for spear phishing attacks early this year. While these attacks are rare, when successful they can be profoundly damaging, as the Retool hack attests. We became aware of multiple instances where we flagged a domain as suspicious a few hours after the attack, including the domain used against Retool. Retool’s attacker was able to use the stolen MFA tokens to access several internal systems and take over 27 customer accounts. All of this took some time, both for the attacker to accomplish and for Retool to discover. With Rapid Domain Triage, Retool would have received an alert for a potential spear phishing attack on their network with all the asset and timing information necessary for them to isolate the device and perhaps even thwart the attacker before they were fully inside their systems.

Infoblox Reveals Shift in Malware Tactics After Initial Discovery of Decoy Dog
https://securityreviewmag.com/?p=25800 – Fri, 28 Jul 2023 18:52:16 +0000

Infoblox has published a second threat report with critical updates on “Decoy Dog,” the remote access trojan (RAT) toolkit they discovered and disclosed in April 2023. The malware uses DNS to establish command and control (C2) and is suspected as a secret tool used in ongoing nation-state cyber attacks.

The threat actors swiftly responded following Infoblox’s disclosure of the toolkit, adapting their systems to ensure continued operations, indicating that maintaining access to victim devices remains a high priority. The analysis shows that the use of the malware has spread, with at least three actors now operating it. Although based on the open-source RAT Pupy, Decoy Dog is a fundamentally new, previously unknown, malware with many features to persist on a compromised device. Many aspects of Decoy Dog remain a mystery, but all signs point to nation-state hackers. Infoblox released a new data set containing DNS traffic captured from Infoblox’s servers to support further industry investigation of the C2 systems.

The question many in the industry continue to silently ask is: Are we really securing our network if we’re not monitoring our DNS? There is a significant risk that Decoy Dog and its use will continue to grow and impact organizations globally. Currently, the only known means to detect and defend against Decoy Dog/Pupy today is with DNS Detection and Response systems.

“It’s intuitive that DNS should be the first line of defence for organizations to detect and mitigate threats like Decoy Dog. Infoblox is the industry’s best-of-breed DNS Detection and Response solution, providing companies with a turn-key defence that other XDR solutions would miss,” said Scott Harrell, Infoblox President and CEO. “As demonstrated with Decoy Dog, studying and deeply understanding the attacker’s tactics and techniques allows us to block threats before they are even known as malware.”

Through large-scale DNS analysis, Infoblox has learned key features of the malware and the actors who operate it. Directly following the first announcement on social media, every Decoy Dog threat actor responded to Infoblox’s disclosures in different ways. Some of the name servers mentioned in Infoblox’s April 2023 report were taken down, while others migrated their victims to new servers.

Despite their efforts to hide, Infoblox has continued to track the activities and has since learned a great deal more about them. Infoblox has been able to infer the nature of some communications and estimates that the number of compromised devices is relatively small. Infoblox has also been able to distinguish Decoy Dog from Pupy and determine that Decoy Dog has a full suite of powerful, previously unknown capabilities, including the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain hidden for long periods of time. Some victims have actively communicated with a Decoy Dog server for over a year.

“The lack of insight into underlying victim systems and vulnerabilities being exploited makes Decoy Dog an ongoing and serious threat,” said Dr. Renée Burton, Head of Threat Intelligence at Infoblox. “The best defence against this malware is DNS. Malicious activity often goes unnoticed because DNS is undervalued as a critical component in the security ecosystem. Only enterprises with a strong protective DNS strategy can protect themselves from these types of hidden threats.”

In total, Infoblox is currently monitoring 20 Decoy Dog domains, some of which were registered and deployed within the last month. This toolkit exploits an inherent weakness of the malware-centric intelligence ecosystem that dominates the security industry today. Furthermore, this malware was discovered solely because of DNS threat detection algorithms. Organizations’ best defence against these attacks is protection at the DNS level, within every network.

“We urge the industry to take this research forward, further investigate and share their findings,” added Harrell.

Hands-On, Real-Life Experience of Pupy at Black Hat
Dr. Renée Burton will be discussing why “Decoy Dog is No Ordinary Pupy” in detail, along with other key findings, at the Black Hat cybersecurity conference in Las Vegas on Wednesday, August 9 from 1:15 pm to 1:35 pm PT.

Throughout the conference, attendees will be able to meet with Infoblox researchers and demonstrate their skills with a series of hands-on challenges using a live Pupy controller via Infoblox’s Double Dog Dare experience. Additional short introductions to Decoy Dog and Pupy will be held at the booth theater both days. This unique experience will allow participants to see firsthand how the DNS traffic is used to relay communications between the client and server to better understand the serious threat this malware poses.

The Hidden Potential of DNS in Security
Decoy Dog and Pupy take advantage of the lack of DNS oversight that often occurs in networks. In fact, over 90% of all malware uses DNS in some way. Infoblox knows it’s imperative that security professionals understand the ways in which malware exploits DNS and how DNS Detection and Response can often thwart these attacks. Experts in the field recently released a new book titled “The Hidden Potential of DNS in Security.” This book gives readers everything they need to know about lookalike domains, domain generation algorithms (DGAs), DNS tunnelling, data exfiltration over DNS, why hackers use DNS, and how to defend against these attacks.

 

Networking and Security Work Better Together if There is Real-Time Visibility
https://securityreviewmag.com/?p=25788 | Mon, 24 Jul 2023 14:40:53 +0000

Mohammed Al-Moneer, the Sr. Regional Director for the META Region at Infoblox, spoke to Arabian Reseller about the regional trends in the networking and security space, the company’s regional growth and its commitment to the region.

What do you see as some of the regional trends in the networking and security space?
Below are some of the key trends that we see in the MEA region:

  1. Focus on Cyber Security
  2. Adoption of Multi-cloud strategies
  3. Leading the way in NetOps and SecOps collaboration

As cyberattacks are increasing in frequency and sophistication, companies in the Middle East and Africa are increasingly investing in cybersecurity measures to protect their networks and sensitive data. Spending on security solutions and services in the MEA region, including Israel, is expected to increase by 7.9% YoY in 2023, reaching $6.2 billion, according to the latest Worldwide Security Spending Guide from the International Data Corporation (IDC).

Within the cybersecurity domain, there will be increased Zero Trust adoption. Zero-Trust architectures have become a means for modern enterprise and government institutions to secure sensitive data in the face of digital transformation and the loss of the traditional network perimeter, as we move to borderless network architectures. And we will no doubt witness an increasing adoption in the MEA market by enterprises this year and beyond.

Companies are increasingly relying on Software-defined Wide Area Networking (SD-WAN), virtualization, and other cloud-based networking solutions. Cloud-managed networking provides the visibility, management, and scale needed to operate today’s distributed cloud and on-premises network, security, and location infrastructure.

Over the past 9 years of operating in this region, we have observed a growing trend among various industries in bringing their networking and security teams together to achieve a more comprehensive and unified approach to securing their core network services, such as DNS and DHCP. In the financial industry, we have witnessed the largest banks and financial institutions in the GCC adopting a more collaborative approach between their networking and security teams to mitigate the growing threat of cyber attacks.

Similarly, in the healthcare industry, hospitals are also implementing this approach to ensure the security and privacy of patient data. We have also seen a similar trend in large enterprises across industries such as technology, retail, and manufacturing, where they are increasingly moving towards a more integrated approach between their networking and security teams.

While we have worked with several global customers who have successfully integrated their networking and security teams, we cannot disclose their names due to confidentiality agreements. However, we can share industry-specific case studies that demonstrate the benefits of this approach and its effectiveness in improving network security and performance.

Can you talk about Infoblox’s regional growth in the Middle East and Africa markets? What are the key drivers for the business?
Infoblox has made a significant investment across the META region with the idea of building out its presence in multiple countries, with offices in Saudi, UAE, Egypt, Kenya, South Africa, Morocco & Turkey. Infoblox has been expanding its operations in META over the past few years, as the region’s digital transformation initiatives have increased demand for network automation and security solutions. The company serves customers across various industries, including telecommunications, finance, healthcare, education, and government.

Some of the key drivers for Infoblox’s business in META include:

  • Increasing demand for uniting network and security: As more organizations in the region move their operations online, the need for network and security to work together has become paramount. Our solutions help both network and security teams to protect networks from cyber threats, including malware, ransomware, and phishing attacks.
  • Growing adoption of cloud-based services: Many organisations in the region are embracing cloud-based services to improve operational efficiency and reduce costs. Infoblox offers cloud-based DNS and IPAM solutions that help manage and secure these cloud-based networks.
  • Strong partner program: Infoblox’s innovative partner program has been launched to play an instrumental role in meeting the growing demand for network and security solutions.

By bringing together network and security teams, our partners are better equipped to position Infoblox’s core technology value and deliver comprehensive solutions to customers. With our solutions, customers can achieve real-time visibility and control over their networks, enabling them to build safer and more resilient environments. Infoblox is committed to working closely with our partners to help organizations in all industries meet their network and security needs.

What is the significance of the new brand launch for local customers and partners in the Middle East and Africa region?
The rationale behind our new brand positioning is the fact that networking and security work better together when they share real-time visibility into application, user and device context. And real-time threat protection and more resilient network performance can only happen when networking and security work side by side.

Infoblox is uniquely positioned – we help enable NetOps and SecOps to work more efficiently by uniting their view of user context and DNS data, so everything runs faster, works better, and is more secure. And uniting saves NetOps and SecOps time, by uniting real-time user and device context, eliminating critical network and security bottlenecks. Unlocking this unparalleled visibility and control empowers customers to deliver the protection and performance they need today.

We believe that security effectiveness depends on threat intelligence above all else. Using tools included in Infoblox BloxOne Threat Defense, security teams can collect, normalize and distribute highly accurate, multi-sourced threat intelligence to strengthen the entire security stack, secure DNS and boost SecOps efficiency. Infoblox’s rebrand initiatives reflect confidence and business focus, shaping the company’s critical role in securing the networks of some of the world’s largest companies, appealing to both networking and security professionals alike.

A new brand launch can have a significant impact on local customers and partners in regions like the Middle East and Africa, as we weave a story around how our company is making the transition to a new world of protective services. We believe that the launch will increase awareness of our brand, create new business opportunities, and improve the customer experience.

What can customers in MEA expect from Infoblox in the next 4-5 years?
Infoblox will continue to invest in developing cloud-based solutions to help customers secure their networks and data. This could include offerings like cloud-based DDI (DNS, DHCP, and IP address management) and security services that provide visibility and threat detection across hybrid cloud environments.

Automation is a key focus area for Infoblox, and customers in the MEA region can expect to see more automation features added to its solutions. Infoblox is likely to continue focusing on improving the user experience of its products, with a particular emphasis on making its solutions easier to use and more intuitive.

What are some of the investments that Infoblox is making in the region?
Our company’s training programs, mentorship initiatives, and collaborations with academic institutions are aimed at equipping the region’s talent with the necessary skills and knowledge to tackle today’s networking and cybersecurity challenges effectively. We believe that investing in regional talent is crucial to the success of our customers, and it is a responsibility that we take seriously.

At Infoblox, we are committed to creating a diverse and inclusive work environment that nurtures and empowers our employees to deliver value to our customers. By investing in regional talent, we are not only contributing to the development of our employees but also to the growth and prosperity of the communities we operate in.

Are there any big channel initiatives planned for the region?
A big focus when it comes to the channel is on our recently launched “Skilled to Secure” partner program which reflects the changing security landscape and shifting customer requirements – and the need for providers of security solutions and services to adapt in response. We have been heavily investing in our talented and experienced channel teams and I am proud to say that we currently have industry-leading channel executives across the region who are really able to transform the way we engage with our partners.

We lay heavy emphasis on knowledge and skills development of our channel and we deliver a broad range of training programs. One of our key priorities is building out our channel ecosystem through the recruitment of partners that share our vision, ideology and passion. And we find a great amount of interest from new channel companies interested in joining our program, largely based on the fact that they see huge market potential for our solutions and services. We also have a robust program – Expert Club, for our top-performing partners, to incentivize them as they drive growth for our company.

Zero-Trust is Easier Said Than Done
https://securityreviewmag.com/?p=25422 | Wed, 08 Mar 2023 14:00:44 +0000

Mohammad Jamal Tabbara, the Senior Manager for Technical Sales (Middle East, Turkey, and Africa) at Infoblox, says there is growing interest in implementing Zero-Trust principles and related technologies.

How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
Zero Trust Network Architecture has been evolving since its inception in 2010 to include the latest technologies, best practices, and recommended cybersecurity frameworks. Initially, it was built on the principle of not trusting any user or device trying to connect to the network, or trying to access applications and data, unless such users and devices are being verified and have the right privileges of access and authorisation.

One compelling cybersecurity practice for defending organizations against malicious activities is the deployment of a solution for securing DNS, since 91% of malware uses DNS in its life-cycle. Zero-Trust architectures have become a means for modern enterprises and government institutions to secure sensitive data in the face of digital transformation and the loss of the traditional network perimeter as we move to borderless network architectures.

Do you believe that technologies that support zero trust are moving into the mainstream?
No doubt that technologies that enable Zero Trust are gaining wider adoption and interest. As more organizations are adopting work-from-home business models and embracing cloud-based services (SaaS/IaaS/PaaS), the need for secure access to sensitive data and resources has become increasingly critical.

As a result, there is growing interest in implementing Zero Trust principles and related technologies, such as Data Protection, Identity and Access Management solutions, Visibility, Network Segmentation, Multi-factor authentication, and more. We will increasingly start hearing more about AI-based technologies being integrated with or within the Zero-Trust model.

At the same time, traditional Work-from-Office organizations continue to improve their cybersecurity posture and protect against evolving threats with Zero Trust. In other words, the Zero-Trust model is suited for both traditional as well as modern networks.

Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
No doubt! The changing nature of IT and business services, and the technologies that empower such services, would mean that organizations must continuously re-evaluate and assess new ways of architectures and practices to address evolving security threats.

Zero-Trust is not a set-in-stone model or a network architecture. It can evolve to address new challenges and threats, such as AI adoption by malicious activities. In other words, organisations should consider leveraging AI and Machine Learning (ML) to detect and respond to threats in real-time, and they should continuously update their security protocols to stay ahead of emerging threats. Regular employee training and awareness programs can also help mitigate risks, which is often a leading cause of security breaches for now.

How can companies get started with zero trust?
First, you need to have the buy-in from all the C-levels of the organization, led by a CIO or CISO’s conviction. Second, acquiring the right skill sets, whether through training and/or hiring, is at the top of the list as an action item. Third, organizations should identify their critical assets and determine who needs access to them, from where, and when.

Fourth, you need to identify the technologies and potential vendors you would require, by inviting relevant manufacturers and solution integrators for discussions and demos. Fifth is budgeting. This is where you need to determine the budget based on the potential risks that you could have, and then prioritize it. And lastly, implementing the technologies and utilising them to their maximum potential.

Overall, companies should take a holistic and planned approach to Zero Trust, integrating it throughout their entire IT infrastructure and organization.

Industry experts have warned that cyber-attacks will be focused on techniques that zero trust controls can’t mitigate. What according to you can be done to address this?
Today AI can be leveraged by malicious activities, and it might be an advantage to bad actors on one hand. Yet on the other hand, the Zero Trust model should evolve so that the existing AI and machine learning technologies learn to identify and mitigate security risks. By analyzing data from various sources and detecting anomalous behavior, AI-powered security tools can help organizations prevent attacks before they occur.

However, with potentially having AI on the offensive side of the threat versus AI on the defensive side of the organization, adopting such a new approach requires a fundamental shift in mindset and a commitment to integrating the latest cybersecurity and practices throughout all aspects of the IT infrastructure, from the network to applications, users, and devices.

With AI, the volume and destruction of cyber-attacks will be extreme to unprecedented or even unimagined levels, disrupting human lives and putting nations into chaos. Zero-Trust would then need to further evolve, to alleviate the damage that AI can bring when leveraged by malicious activities.

What according to you are the limitations of zero trust?
Zero-Trust is easier said than done! In fact, you are never really done with Zero-Trust in such a dynamic world, where AI will be a major threat to organizations and nations.

But here are some of the limitations:

  1. Implementation complexity. Requires skill sets, talent, buy-in from stakeholders, and time-consuming exercises.
  2. Budget and cost. Implementing a Zero Trust model can be expensive, especially for small and medium-sized businesses that may lack the resources to implement and maintain the required security tools and technologies.
  3. The friction of adoption. One example: Zero Trust requires users to authenticate and re-authenticate frequently, which can lead to increased user friction and frustration. This can lead to users finding workarounds that weaken the security posture of the organization.
  4. Lack of visibility. One example is that having a Secure DNS is often overlooked, along with a common lack of visibility into DNS & IP address management services.
Protecting your Organization from Emotet and the Omnatuor Malvertising Network
https://securityreviewmag.com/?p=25182 | Mon, 09 Jan 2023 07:22:40 +0000

Written by Mohammed Al-Moneer, Regional Director, META at Infoblox

In the last edition of our Quarterly Cyber Threat Intelligence Report, Infoblox brings into focus and provides insights into two major cyber threats that organizations should be aware of – Emotet and Omnatuor Malvertising Network.

EMOTET
Emotet is a notorious malware family that has evolved significantly over the years: from a simple banking trojan to a botnet to an infrastructure for content delivery. Infoblox has been monitoring Emotet and providing insights into its activity all along. Emotet has been around since 2014. It survived its January 2021 takedown by law enforcement agencies from the Netherlands, UK, and US and from Germany, France, Lithuania, Canada, and Ukraine. During the takedown, Emotet was offline for 11 months.

The frequency of Emotet-related malspam campaigns increased from January to May 2022 as the malware authors changed techniques to evade Microsoft’s increasing countermeasures on VBA Macro security. The Max Planck Institute for Plasma Physics was attacked on 12 June 2022, and recent reports put Emotet back at the top of the list of malware families with an impact that spans the globe. A consistent feature of Emotet has been its use of email as a delivery vector. Microsoft Office documents have been the attachments of choice, and Excel files have been the most prevalent of these documents.

Infoblox’s analysis indicates that the actors behind Emotet have made some attempts to protect the network from further takedowns. Perhaps unsurprisingly, the use of compromised websites and of email as a delivery vector has persisted, and this has enabled us to reliably identify and track Emotet’s activity. Infoblox’s view of the threat landscape affords a detailed understanding of not only the current prevalence of Emotet in malspam, but also of the location and services used in its infrastructure.

As our company continues to research and monitor Emotet’s behavior, it will provide protection by denying access to the compromised domains used to host the Emotet payload, and it will offer vital, actionable intelligence on Emotet’s C&C infrastructure.

We recommend the following actions for protection from this kind of attack:

  • To mitigate the risk of infection from known threats, keep security software up to date and patched.
  • Conduct security awareness training in the organization. It is important for everyone to be up to date with the latest techniques used by attackers to trick users who receive malicious emails.
  • Enhance network perimeter security. 99% of successful attacks involve some type of network communication. Having the right tools in place can help identify and minimize the impact of a threat like Emotet before it causes damage.

OMNATUOR MALVERTISING NETWORK
For some time, the Infoblox Threat Intelligence Group has been tracking a malvertising network (the “Omnatuor Malvertising Network”) that not only abuses push notifications, pop-ups, and redirects within a browser but continues to serve ads even after the user navigates away from the initial page.

Omnatuor has been dismissed by the security community as adware, a label that implies the activity is largely a nuisance. This naive response underestimates the danger of the potential threat posed by malvertising in general, and the Omnatuor actor in particular. In addition to its ability to persist, the network delivers dangerous content.

The Omnatuor actor takes advantage of WordPress vulnerabilities and is effective at spreading riskware, spyware, and adware. It uses an extensive infrastructure and has a broad reach into networks across the globe. The Omnatuor domain has a suspiciously high breadth and query volumes.

An initial look into WHOIS data revealed the domain was created on 12 July 2021. Since being registered it was present in 45% to 48% of all customer networks and surpassed 50% at various times. Most networks contained tens, if not hundreds, of thousands of queries for the domain. From July 2021 to July 2022, we observed just over 25.4 million unique, resolved queries to omnatuor[.]com.

This campaign compromises vulnerable WordPress sites through embedded malicious JavaScript or PHP code. The code redirects users or otherwise forces them to view and click malvertisements via pop-ups and push notifications.

We recommend that users take the following preventive measures:

  • To assist in blocking known malvertising efforts, leverage the GitHub repository of indicators associated with the Omnatuor Malvertising Network. Infoblox offers a sample of indicators in this article and will continue to update the GitHub repository as new indicators are discovered.
  • Use an adblocker program, such as uBlock Origin. The adware is delivered via an inline script, and blocking only the domains and IP addresses at a firewall or DNS level will not stop push notifications, redirects, or pop-ups. Because the DNS query cannot be completed, the contents of those vectors will not load; however, the browsing experience will still be interrupted.
  • Disable JavaScript entirely, or use a web extension (such as NoScript) to enable JavaScript only on trusted sites.
Meeting the Cybersecurity Jobs Challenge
https://securityreviewmag.com/?p=24106 | Mon, 11 Apr 2022 17:51:58 +0000

Written by Allen McNaughton, Systems Engineering Director for Infoblox Public Sector

It’s no secret that the cybersecurity industry is in something of a talent crisis. The need for cybersecurity experts greatly outpaces the supply. These professionals underpin the security and integrity of networks and data, manage a company’s security stack, and have the skills to identify, react to and remediate security risks.

Over the past year, this talent pool has faced unprecedented demands as the pandemic forced understaffed cybersecurity teams to extend security to cover the blending of corporate and home technologies as millions of employees worked remotely—all while adjusting to the challenges of remote work themselves.

To compound these difficulties, malicious actors have pounced, preying on these new work arrangements, hastily set up network architectures, and fears of the pandemic to launch a growing number of cyber-attacks. All of this has culminated in a cybersecurity workforce that is stretched out, overburdened, and burnt out.

The novelty of this situation has forced organizations to rethink how they attract talent, train employees, and educate those inside and outside the organization to better understand the different threats they face. Organizations are raising pay, recruiting from underserved communities, and making cybersecurity careers more accessible to students without a traditional degree.

These solutions are helping but not filling the entire gap. This challenge did not arise overnight and will require long-term strategic thinking to overcome. And unfortunately, time is a luxury. Malicious actors are not good sports, waiting for the cybersecurity community to transform itself before launching an attack.

The cybersecurity industry needs to act now and follow the lead of the fast food industry and small businesses that have addressed skill shortages by leveraging technology to help manage work, increase productivity, and reduce burnout.

Here’s how…

First, look for technology solutions that prioritize automation. Technology that automates lower-order tasks is relatively easy to deploy, frees up workers’ valuable time and also removes the potential for human error when combing through different risks.

Second, recognize the power of context. In cybersecurity, context can help workers better understand the threats they face and enable them to make better, more accurate, and faster decisions.

Not all threats are the same, so it’s important that context follows automation so that security teams do not waste hours chasing down the most basic of threats that can easily be remediated via technology.

Third, look for technology solutions that leverage the expertise you already have. While context is key for understanding a single threat, it’s also valuable for cybersecurity teams who need to make decisions about which threats to prioritize. Workflow prioritization can help identify and remediate the most dangerous, time-consuming threats instead of randomly remediating threats based on when they’re discovered.

Many solutions already exist that can provide this kind of automation, orchestration and context. For example, if you are monitoring the DNS traffic of your network and your DNS Firewall blocks a request to a malicious site, a solution that automatically triggers the Network Access Control system to quarantine that user in a sandbox until an analyst can investigate further can dramatically reduce the time and effort needed to track down and isolate infected devices. At the same time, systems that automatically send additional context about that user and the request (Who is the user? What kind of machine are they using? Where was the request sent?) to the analyst give them a head start on researching and ultimately mitigating the threat.

Vulnerability scanners are also a point of note. Oftentimes, they only scan networks at a given interval (once a day, week, or even month; yes, monthly scans are a thing). Organizations can quickly, easily, and automatically improve their security posture by scanning a device as soon as it connects to the network, by leveraging an orchestration flow where the DHCP server automatically identifies the new machine and triggers the scan.
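The two orchestration flows described in the preceding paragraphs (a DNS firewall block that quarantines the endpoint and hands the analyst user/device/request context, and a new DHCP lease that triggers an immediate scan) are shown below in a small Python example. This is added illustration, not Infoblox code or any product's API: the log line formats, the lease table, the sample log stream and the action records are all constructed assumptions for this example; a real deployment would replace the returned action dicts with calls to the NAC and scanner.

```python
"""Constructed example of the DNS-firewall -> NAC and DHCP -> scanner
orchestration. Not Infoblox code; the log formats, lease table and action
records are assumptions made for this illustration."""
import re

# Assumed (constructed) DNS firewall block line:
#   "<ts> RPZ-BLOCK client=<ip> qname=<domain> policy=<policy>"
DNS_BLOCK_RE = re.compile(
    r"^(?P<ts>\S+) RPZ-BLOCK client=(?P<client>\d{1,3}(?:\.\d{1,3}){3}) "
    r"qname=(?P<qname>\S+) policy=(?P<policy>\S+)$"
)
# Assumed (constructed) DHCP lease line:
#   "<ts> DHCPACK on <ip> to <mac> (<hostname>)"
DHCP_LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]+)\))?$"
)

# Constructed lease/identity context; a real deployment would query DHCP/IPAM.
INITIAL_LEASES = {
    "10.0.5.23": {"mac": "aa:bb:cc:dd:ee:01", "host": "LT-FIN-042", "user": "jdoe"},
    "10.0.7.88": {"mac": "aa:bb:cc:dd:ee:02", "host": "PRN-LOBBY", "user": None},
}

# Constructed sample log stream: a block, a new lease, a block from the new
# host, and one unrelated line that the orchestrator must ignore.
SAMPLE_LOG = [
    "2024-03-01T09:14:02Z RPZ-BLOCK client=10.0.5.23 qname=update.bad-example.test policy=malware-c2",
    "2024-03-01T09:15:30Z DHCPACK on 10.0.9.41 to aa:bb:cc:dd:ee:03 (LT-NEW-017)",
    "2024-03-01T09:16:11Z RPZ-BLOCK client=10.0.9.41 qname=cdn.bad-example.test policy=malware-c2",
    "2024-03-01T09:16:12Z QUERY client=10.0.5.23 qname=www.example.com rcode=NOERROR",
]


class Orchestrator:
    """Turns DNS firewall blocks and DHCP leases into enriched, actionable events."""

    def __init__(self, leases):
        self.leases = {ip: dict(ctx) for ip, ctx in leases.items()}

    def enrich(self, ip):
        """Answer 'who is the user / what machine' for a client IP from the lease table."""
        ctx = self.leases.get(ip, {"mac": None, "host": None, "user": None})
        return {"client": ip, **ctx}

    def handle_dns_block(self, line):
        """A blocked request becomes a quarantine action carrying user/device/request context."""
        m = DNS_BLOCK_RE.match(line)
        if not m:
            return None
        ev = m.groupdict()
        return {
            "action": "quarantine",      # hand to NAC: isolate the endpoint
            "ts": ev["ts"],
            "qname": ev["qname"],        # where the request was sent
            "policy": ev["policy"],      # which firewall rule fired
            "context": self.enrich(ev["client"]),
        }

    def handle_dhcp_lease(self, line):
        """A new lease registers the device and triggers an immediate scan."""
        m = DHCP_LEASE_RE.match(line)
        if not m:
            return None
        ev = m.groupdict()
        prev = self.leases.get(ev["ip"], {})
        self.leases[ev["ip"]] = {"mac": ev["mac"], "host": ev["host"], "user": prev.get("user")}
        return {"action": "scan", "ts": ev["ts"], "target": ev["ip"],
                "mac": ev["mac"], "host": ev["host"]}

    def process(self, lines):
        """Dispatch each line to the first handler that recognises it; noise is ignored."""
        actions = []
        for line in lines:
            for handler in (self.handle_dns_block, self.handle_dhcp_lease):
                act = handler(line)
                if act is not None:
                    actions.append(act)
                    break
        return actions


def run_sample():
    """Run the constructed log through a fresh orchestrator and return the actions."""
    return Orchestrator(INITIAL_LEASES).process(SAMPLE_LOG)


if __name__ == "__main__":
    for act in run_sample():
        print(act)
```

The order of the sample log matters: the lease event for 10.0.9.41 is processed before the block from that address, so the second quarantine action already carries the new hostname, which is the "context follows automation" point the article makes. Lines that match neither pattern are dropped rather than raising, so a malformed or unrelated log line cannot stall the pipeline.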

These and other technology solutions that leverage automation, context, and the skills your team already has are not merely a bridge between now and a fully-staffed cybersecurity industry of the future. They are a critical part of a robust cybersecurity platform today, one that both improves network security and extends the capabilities of the team you already have.
