Intelligent CIO LATAM Issue 18 - Page 26

Mohammed Al-Moneer, Regional Director, META at Infoblox
VexTrio actors heavily use domains and the DNS protocol to operate their campaigns. The actors leverage vulnerable WordPress websites as attack vectors to serve fraudulent content to unknowing website visitors.
To accomplish this, they first detect websites that show cross-site scripting (XSS) vulnerabilities in WordPress themes or plugins, then inject malicious JavaScript code into them. When victims visit these websites, they are led, via one or more intermediary redirect domains that are also controlled by the actors, to a landing web page that hosts fraudulent content.
Additionally, to avoid detection, the actors have built several checks into their JavaScript, and the redirect is triggered only when the following conditions are met:
• The user must visit the WordPress website from a search engine. For example, the referrer URL can be https://www.google.com/.
• Cookies are enabled in the user’s web browser.
• The user has not visited a VexTrio compromised web page in the past 24 hours.
Prevention and mitigation
VexTrio primarily abuses vulnerable WordPress websites to deliver unwanted content to visitors. Embedding malicious JavaScript code in oft-visited web blogs and other popular but vulnerable websites helps the actors widen their reach. Infoblox assesses that the VexTrio DDGA campaign could serve as a delivery vector for other cybercrime syndicates and thereby enable follow-on attacks.
Infoblox recommends the following actions for protection from this kind of attack:
• Disabling JavaScript in web browsers completely, or enabling it only for trusted sites, can help mitigate attacks employed by VexTrio actors, who rely on JavaScript to run their tasks.
• Consider using an adblocker to block certain malware activated by popup ads. Along with an adblocker, consider using the web extension NoScript, which allows JavaScript and other potentially harmful content to execute only from trusted sites, reducing the attack surface available to actors.
• Implementing Infoblox’s RPZ feeds in firewalls can stop connections by actors at the DNS level, as all components described in this report (compromised websites, intermediary redirect domains, DDGA domains and landing pages) require the DNS protocol. TIG detects these components daily and adds them to Infoblox’s RPZ feeds.
• Leveraging Infoblox’s Threat Insight service, which performs real-time streaming analytics on live DNS queries, can provide high-security coverage and protection against threats that are based on DGA as well as DDGA.
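To make the DNS-level control in the RPZ recommendation concrete, the following added example (not code from the article or from Infoblox) models how a BIND-style Response Policy Zone decides the fate of a query by its QNAME trigger, using one constructed entry for each component category the report names. The zone and every domain in it are made up for illustration.

```python
"""Minimal model of DNS RPZ QNAME-trigger matching (BIND-style semantics).

Constructed example: the zone below is invented and is not an Infoblox feed.
In RPZ the policy action is encoded in the CNAME target of the trigger record:
    CNAME .             -> answer NXDOMAIN (domain does not exist)
    CNAME *.            -> answer NODATA   (name exists, no records)
    CNAME rpz-passthru. -> let the real answer through (whitelist)
"""

# Constructed RPZ zone: (trigger owner name, CNAME target).
RPZ_ZONE = [
    ("compromised-blog.example", "."),                  # compromised WordPress site
    ("*.redirect-hop.example", "."),                    # intermediary redirect domains
    ("ddga-output.example", "."),                       # DDGA-generated domain
    ("landing-page.example", "*."),                     # landing page: answer NODATA
    ("trusted.redirect-hop.example", "rpz-passthru."),  # explicit exception
]

ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}


def _matches(trigger, qname):
    """QNAME trigger match: exact name, or a wildcard covering strict subdomains.

    As in ordinary DNS wildcards, "*.redirect-hop.example" matches
    "a.redirect-hop.example" and "a.b.redirect-hop.example" but NOT the
    apex "redirect-hop.example" itself.
    """
    if trigger.startswith("*."):
        return qname.endswith(trigger[1:])  # suffix starting with the dot
    return qname == trigger


def rpz_lookup(qname, zone=RPZ_ZONE):
    """Return the policy action for qname, or "ALLOW" when no trigger fires.

    Names are case-insensitive; a trailing dot (FQDN form) is ignored.
    When several triggers match, the most specific (longest) owner name wins,
    approximating DNS lookup rules where an exact name beats a wildcard, so
    an exact rpz-passthru record can exempt one host from a wildcard block.
    """
    qname = qname.lower().rstrip(".")
    best = None
    for trigger, target in zone:
        if _matches(trigger, qname) and (best is None or len(trigger) > len(best[0])):
            best = (trigger, target)
    return ACTIONS[best[1]] if best else "ALLOW"


if __name__ == "__main__":
    for name in ("compromised-blog.example", "www.redirect-hop.example",
                 "redirect-hop.example", "trusted.redirect-hop.example", "www.google.com"):
        print(f"{name:32} -> {rpz_lookup(name)}")
```

Real RPZ deployments also apply precedence across multiple policy zones in configured order, which this single-zone model leaves out.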
26 INTELLIGENTCIO LATAM www.intelligentcio.com