Mohammed Al-Moneer, Regional Director, META at Infoblox
VexTrio actors heavily use domains and the DNS protocol to operate their campaigns. The actors leverage vulnerable WordPress websites as attack vectors to serve fraudulent content to unknowing website visitors.
• The user must visit the WordPress website from a search engine. For example, the referrer URL can be https://www.google.com/.
• Cookies are enabled in the user’s web browser.
• The user has not visited a VexTrio compromised web page in the past 24 hours.
Prevention and mitigation
Infoblox recommends the following actions for protection from this kind of attack:
• Implementing Infoblox’s RPZ feeds in firewalls can stop the connection by actors at the DNS level, as all components described in this report (compromised websites, intermediary redirect domains, DDGA domains and landing pages) require the DNS protocol. TIG detects these components daily and adds them to Infoblox’s RPZ feeds.
• Leveraging Infoblox’s Threat Insight service, which performs real-time streaming analytics on live DNS queries, can provide high-security coverage and protection against threats that are based on DGA as well as DDGA.