Intelligent CIO North America Issue 27 | Page 26

Mohammed Al-Moneer, Regional Director, META at Infoblox
vectors to serve fraudulent content to unknowing website visitors.
To accomplish this, they first detect websites that show cross-site scripting (XSS) vulnerabilities in WordPress themes or plugins, then inject malicious JavaScript code into them. When victims visit these websites, they are led to a landing web page that hosts fraudulent content, via one or more intermediary redirect domains that are also controlled by the actors.
Additionally, as a means to avoid detection, the actors have integrated several features into their JavaScript and require the following conditions from the user to trigger the redirect:
• The user must visit the WordPress website from a search engine. For example, the referrer URL can be https://www.google.com/.
• Cookies are enabled in the user's web browser.
• The user has not visited a VexTrio compromised web page in the past 24 hours.
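The three trigger conditions above give a site owner a practical integrity check: request the same page once as a plain client and once as a first-time visitor arriving from a search engine, and compare what comes back. The following is an added example, not Infoblox's code or anything from the report; the fetch callable, the profile names, the `blog.example` host and the `.invalid` domains are assumptions, and the constructed responses stand in for a real HTTP client so the check runs offline.

```python
"""Added example (not Infoblox's code): a site-owner check for conditional
redirects of the kind described above. The injected script only fires for
visitors who arrive from a search engine, accept cookies and have no recent
visit, so the same URL is fetched twice, once as a plain client and once as
a first-time search visitor, and any script or redirect target present only
in the second response is reported. The fetch callable, profile names and
.invalid domains are assumptions of this example."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


Fetcher = Callable[[str, Dict[str, str]], Response]

# Two request profiles; the second mirrors the trigger conditions on this page.
PROFILES: Dict[str, Dict[str, str]] = {
    "plain": {"User-Agent": "site-integrity-check/1.0 (hypothetical)"},
    "search_visitor": {
        "User-Agent": "Mozilla/5.0 (hypothetical browser UA)",
        "Referer": "https://www.google.com/",  # arrived from a search engine
        "Cookie": "",                          # cookie-capable, no prior-visit cookie
    },
}

SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)", re.I)
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv\s*=\s*['\"]refresh['\"][^>]*url=([^'\"\s>]+)", re.I)
JS_LOCATION = re.compile(r"\blocation(?:\.href)?\s*=(?!=)\s*['\"]([^'\"]+)", re.I)


def redirect_targets(resp: Response) -> Set[str]:
    """Collect HTTP, meta-refresh and simple JavaScript redirect targets."""
    targets: Set[str] = set()
    if 300 <= resp.status < 400 and resp.headers.get("Location"):
        targets.add(resp.headers["Location"])
    targets.update(META_REFRESH.findall(resp.body))
    targets.update(JS_LOCATION.findall(resp.body))
    return targets


def external_scripts(resp: Response, own_host: str) -> Set[str]:
    """Script sources that do not point at the site's own host."""
    return {src for src in SCRIPT_SRC.findall(resp.body) if own_host not in src}


def check_cloaking(url: str, fetch: Fetcher, own_host: str) -> List[Tuple[str, List[str]]]:
    """Fetch under both profiles and report what only the search visitor receives."""
    plain = fetch(url, PROFILES["plain"])
    search = fetch(url, PROFILES["search_visitor"])
    findings: List[Tuple[str, List[str]]] = []
    extra_scripts = external_scripts(search, own_host) - external_scripts(plain, own_host)
    if extra_scripts:
        findings.append(("script_only_for_search_visitors", sorted(extra_scripts)))
    extra_redirects = redirect_targets(search) - redirect_targets(plain)
    if extra_redirects:
        findings.append(("redirect_only_for_search_visitors", sorted(extra_redirects)))
    return findings


# Constructed responses standing in for a real HTTP client (offline demo).
CLEAN_PAGE = ("<html><head><script src='https://blog.example/wp-includes/js/jquery.js'>"
              "</script></head><body>post</body></html>")
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>", "<script src='https://redirect-placeholder.invalid/loader.js'></script></head>")


def fake_fetch_compromised(url: str, headers: Dict[str, str]) -> Response:
    """Serves the injected variant only when the Referer is a search engine."""
    if headers.get("Referer", "").startswith("https://www.google.com/"):
        return Response(200, {}, INJECTED_PAGE)
    return Response(200, {}, CLEAN_PAGE)


def fake_fetch_clean(url: str, headers: Dict[str, str]) -> Response:
    """Same page for every visitor: nothing to report."""
    return Response(200, {}, CLEAN_PAGE)


if __name__ == "__main__":
    for name, fetch in (("compromised", fake_fetch_compromised), ("clean", fake_fetch_clean)):
        print(name, check_cloaking("https://blog.example/post", fetch, "blog.example"))
```

Against a live site, replace `fake_fetch_compromised` with a real client that sends the profile headers and does not follow redirects, so that a `Location` header reaches `redirect_targets`; the 24-hour condition means a second run from the same client may look clean, so clear the cookie jar between runs.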
Prevention and mitigation
VexTrio primarily abuses vulnerable WordPress websites to deliver unwanted content to visitors. Embedding malicious JavaScript code in oft-visited web blogs and other popular but vulnerable websites helps the actors widen their reach. Infoblox assesses the VexTrio DDGA campaign could serve as a delivery vector for other cybercrime syndicates and thereby enable follow-on attacks.
Infoblox recommends the following actions for protection from this kind of attack:
• Disabling JavaScript on web browsers completely, or enabling it only for trusted sites, can help mitigate attacks employed by VexTrio actors, who capitalize on the use of JavaScript to run their tasks.
• Consider using an adblocker program to block certain malware activated by popup ads. Along with an adblocker, consider using the web extension NoScript, which allows JavaScript and other potentially harmful content to execute only from trusted sites to reduce the attack surface available to actors.
• Implementing Infoblox's RPZ feeds in firewalls can stop the connection by actors at the DNS level, as all components described in this report (compromised websites, intermediary redirect domains, DDGA domains and landing pages) require the DNS protocol. TIG detects these components daily and adds them to Infoblox's RPZ feeds.
• Leveraging Infoblox's Threat Insight service, which performs real-time streaming analytics on live DNS queries, can provide high-security coverage and protection against threats that are based on DGA as well as DDGA.
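The DNS-level recommendation rests on one observation: every hop in the chain (compromised site, intermediary redirect domains, DDGA domains, landing page) has to resolve before a browser can follow it, so a policy match on any single hop ends the chain. The block below is an added example, not Infoblox's feed format or tooling: it parses a constructed response policy zone (RPZ) fragment in the common QNAME-trigger record forms, applies it to constructed BIND-style query log lines, and lists the queries the policy would have rewritten. The `rpz.local.` zone name, the `.invalid` domains and the log lines are all assumptions.

```python
"""Added example (not Infoblox's feed or tooling): why a DNS response policy
zone (RPZ) breaks the redirect chain described above. The parser reads the
common RPZ QNAME-trigger record forms (CNAME . for NXDOMAIN, CNAME *. for
NODATA, CNAME rpz-passthru. to allow) and is a minimal stand-in for a
resolver's own RPZ logic. Zone name, domains and log lines are constructed."""
import re
from typing import Dict, List, Optional, Tuple

RPZ_ZONE = "rpz.local."  # hypothetical policy zone name

# Constructed RPZ fragment; owner names are the trigger names under the zone apex.
RPZ_FRAGMENT = """\
; constructed fragment, placeholder domains only
intermediary-hop.invalid.rpz.local.     CNAME .              ; NXDOMAIN
*.intermediary-hop.invalid.rpz.local.   CNAME .              ; ...and all subdomains
ddga-landing.invalid.rpz.local.         CNAME .
cdn.trusted-partner.invalid.rpz.local.  CNAME rpz-passthru.  ; explicit allow
"""

# Constructed BIND-style query log lines (not real traffic).
QUERY_LOG = """\
01-Jan-2000 10:01:02.123 client 10.0.0.5#51234: query: wp-blog.example IN A + (10.0.0.2)
01-Jan-2000 10:01:02.456 client 10.0.0.5#51235: query: a1.intermediary-hop.invalid IN A + (10.0.0.2)
01-Jan-2000 10:01:02.789 client 10.0.0.5#51236: query: ddga-landing.invalid IN A + (10.0.0.2)
01-Jan-2000 10:01:03.100 client 10.0.0.5#51237: query: cdn.trusted-partner.invalid IN A + (10.0.0.2)
"""
QUERY = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+)")


def parse_rpz(text: str, zone: str = RPZ_ZONE) -> Dict[str, str]:
    """Map each QNAME trigger (without the zone suffix) to its policy action."""
    policy: Dict[str, str] = {}
    suffix = "." + zone
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        fields = line.split()
        if len(fields) < 3 or fields[1].upper() != "CNAME":
            continue
        owner, target = fields[0].lower(), fields[2].lower()
        if not owner.endswith(suffix):
            continue
        trigger = owner[: -len(suffix)]
        if target == ".":
            action = "NXDOMAIN"
        elif target == "*.":
            action = "NODATA"
        elif target == "rpz-passthru.":
            action = "PASSTHRU"
        else:
            action = "CNAME " + target  # walled-garden style rewrite
        policy[trigger] = action
    return policy


def lookup(qname: str, policy: Dict[str, str]) -> Optional[str]:
    """Exact trigger first, then the most specific wildcard parent."""
    name = qname.rstrip(".").lower()
    if name in policy:
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return None


def evaluate_log(log_text: str, policy: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, action) for every query the policy would rewrite."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if not m:
            continue
        client, qname, _qtype = m.groups()
        action = lookup(qname, policy)
        if action and action != "PASSTHRU":
            hits.append((client, qname, action))
    return hits


if __name__ == "__main__":
    for hit in evaluate_log(QUERY_LOG, parse_rpz(RPZ_FRAGMENT)):
        print("policy hit:", hit)
```

Run against the constructed log, the first query (the blog itself) resolves normally, the intermediary hop and the DDGA landing name are answered NXDOMAIN, and the explicitly allowed CDN name passes through; the visitor never reaches the landing page even though the compromised blog itself was not on the list. Replaying a resolver's real query log through a freshly loaded feed in the same way is a cheap check of how much of a chain the feed would have cut.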
Newly observed domains and the Ukraine war
The surge in registration and observation of new domains related to the Russian invasion of Ukraine has been over for some time. Nevertheless, Infoblox research shows that low levels of new phishing campaigns, donation scams and other suspicious activities are still being launched in attempts to take advantage of Ukraine's crisis.
Overall, data shows that the volume of legitimate domains is greater than malicious websites in Infoblox's environment. The surge in newly observed domains began in the first week after the invasion (the beginning of March).
For several weeks, many legitimate sites were created to help provide relief to the people of Ukraine; however, cyberthreat actors and scammers also took advantage of the crisis, creating their own sites and adding to the volume of newly observed domains. By the end of March (week 13), the number of domains started to decrease and the number of newly observed domains in Infoblox's data began to stabilize.
The most recent trends, beginning in April (week 14), show that, on average, there continues to be a higher – though only slightly – number of newly observed domains (legitimate and suspicious/malicious) in comparison to before the invasion.
Although the number of malicious domains is trending down, users should remain vigilant. From previous experience, bad actors will continue to exploit individuals through email, malvertising and other means as long as they can. For comparison, while COVID-related malware campaigns peaked in 2020, we still see them two years later. Users should carefully inspect requests for donations from organizations they are not familiar with, and they should not click on links from unknown sources.
“Our report shares research on many dangerous malware threats,” said Mohammed Al-Moneer, Regional Director, META at Infoblox. “Security effectiveness depends on timely, up-to-date threat intelligence. Using tools included in Infoblox BloxOne Threat Defense, security teams can collect, normalize and distribute highly accurate, multi-sourced threat intelligence to strengthen the entire security stack. Additional capabilities can help SecOps to accelerate threat investigation and response by up to two-thirds.”
26 INTELLIGENTCIO NORTH AMERICA www.intelligentcio.com