
Recently, the Financial Security Institute (FSI) of South Korea released a detailed analysis report on a new cyber threat targeting financial institutions, called NXDomain Hunter. This hacking group focuses on identifying and exploiting systems with poor security and management to penetrate internal networks. This article examines NXDomain Hunter’s attack techniques, and how financial institutions can use Criminal IP’s Attack Surface Management (ASM) solution to counter these threats.
NXDomain Flood and Subdomain Scanning Attacks: Real Cases Targeting Financial Institutions


NXDomain Flood attacks generate excessive DNS queries to non-existent domains, consuming DNS server resources and leading to a denial of service (DoS) condition. In contrast, subdomain scanning attacks systematically search for subdomains of a specific domain to understand the network structure, identify unprotected resources, and find new attack vectors.
| Category | NXDomain Flood Attack | Subdomain Scanning Attack |
|---|---|---|
| Attack Impact | Excessive load on DNS server resources | |
| Traffic Characteristics | High NXDomain response rate | |
| Attack Purpose | Service availability disruption | Identifying weak or unprotected domains |
| Query Domain | Random domains | Domains with possible existence |
| Source IP Spoofing | Spoofing possible | Spoofing not possible |
Financial institutions may be vulnerable to NXDomain Hunter’s subdomain scanning attacks. According to FSI analysis, this attack group performs sequential subdomain scanning attacks on various financial companies and affiliates. By analyzing attack traffic segmented by specific periods, FSI found that attacks predominantly occur at certain times of the day for each target.
The periodic attack traffic is believed to be systematically generated by scanning tools that use various legitimate public IPs to target specific entities sequentially. Based on the traffic analysis and the use of real IPs, FSI suspects that NXDomain Hunter is more focused on subdomain scanning attacks than on NXDomain Flood attacks.
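One way to tell the two traffic patterns in the comparison table apart in resolver logs, as an added example (not code from FSI or Criminal IP): a high NXDOMAIN ratio flags a client, and the randomness of the queried labels separates flood-like from scan-like traffic. The log format, the `bank.example` zone, the sample lines and all thresholds are constructed assumptions; because flood sources may be spoofed, per-client grouping is most reliable for scans.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<client_ip> <qname> <rcode>".
SAMPLE_LOG = """\
198.51.100.7 x9qk2vbz7tpl.bank.example NXDOMAIN
198.51.100.7 m4zt8wq1yh6c.bank.example NXDOMAIN
198.51.100.7 p7dk3xn0vr5j.bank.example NXDOMAIN
198.51.100.7 b2gy9lw6sq4e.bank.example NXDOMAIN
203.0.113.20 vpn.bank.example NXDOMAIN
203.0.113.20 dev.bank.example NXDOMAIN
203.0.113.20 admin.bank.example NXDOMAIN
203.0.113.20 staging.bank.example NXDOMAIN
203.0.113.20 mail.bank.example NOERROR
192.0.2.10 www.bank.example NOERROR
192.0.2.10 mail.bank.example NOERROR
192.0.2.10 api.bank.example NOERROR
192.0.2.10 wwww.bank.example NXDOMAIN
"""

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def classify_clients(log_text, zone, min_queries=4, nx_ratio=0.8, entropy_cut=3.0):
    """Verdict per client IP; the three thresholds are illustrative assumptions."""
    stats = defaultdict(lambda: {"total": 0, "nx_labels": []})
    for line in log_text.splitlines():
        parts = line.lower().split()
        if len(parts) != 3 or not parts[1].rstrip(".").endswith("." + zone):
            continue  # malformed line, or a query outside the monitored zone
        client, qname, rcode = parts
        stats[client]["total"] += 1
        if rcode == "nxdomain":
            stats[client]["nx_labels"].append(qname.split(".")[0])  # leftmost label
    verdicts = {}
    for client, s in stats.items():
        nx = s["nx_labels"]
        if s["total"] < min_queries or len(nx) / s["total"] < nx_ratio:
            verdicts[client] = "normal"  # too few queries or mostly valid names
            continue
        mean_h = sum(label_entropy(lab) for lab in nx) / len(nx)
        # Random names score high; wordlist guesses (vpn, dev, admin) score low.
        flood = mean_h >= entropy_cut
        verdicts[client] = "nxdomain-flood-like" if flood else "subdomain-scan-like"
    return verdicts

if __name__ == "__main__":
    print(classify_clients(SAMPLE_LOG, "bank.example"))
```

Character entropy is a coarse signal: long dictionary-style names can score high and short random ones low, so treat the verdict as a triage hint rather than a classification.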
Criminal IP ASM: The Optimal Attack Surface Management Solution for Financial Institutions

To effectively counter external threats penetrating vulnerable and unmanaged systems, financial institutions should utilize an Attack Surface Management (ASM) solution. Criminal IP’s ASM solution provides features like automated asset discovery, risk assessment, and real-time monitoring to help financial institutions manage their attack surfaces thoroughly.

Criminal IP ASM offers powerful attack surface detection capabilities to prepare for external threats infiltrating through unmanaged systems. It provides visual reports on neglected assets and vulnerabilities, allowing financial institutions to identify their attack surfaces in advance and swiftly address potential threats.
- Automated Asset Discovery: Entering just the representative domain automatically identifies all connected IT assets worldwide and visualizes them on a dashboard. This process detects all subdomains and IP addresses, allowing a comprehensive view of the attack surface.
- Risk Assessment and Visualization: Detected assets are categorized into High, Medium, and Low-risk levels and presented on an intuitive dashboard. This feature helps quickly assess the security status of assets and understand risk factors visually.
- Real-Time Monitoring: Continuous monitoring of asset security status is available.
The Importance of Criminal IP ASM in Evolving Cyber Attacks
According to FSI analysis, to effectively respond to scanning attacks, it is crucial to ensure that vulnerable domains are not exposed externally and to continuously manage the attack surface internally. This involves reducing exposed surfaces and preemptively blocking potential threats to improve security. Criminal IP ASM is an effective platform for addressing these cyber threats and supporting financial institutions and companies in strengthening their security management.
For further reading, refer to the article Detecting Exposed Cyber Assets: Criminal IP ASM Use Case (2).
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine and Attack Surface Management solution, Criminal IP ASM. To access the full features of Criminal IP ASM, you can apply for a free demo to auto-monitor assets exposed to attack surfaces.
Source: Criminal IP (https://www.criminalip.io), Financial Security Institute (https://www.fsec.or.kr/en)
