Secshow is a Chinese actor conducting global DNS probing to identify open resolvers; its queries are amplified by Cortex Xpanse's scanning, and the combined traffic pollutes passive DNS data worldwide. The investigation shows how encoded IPs and wildcard responses are used in the probes, and how Xpanse amplification inflates the activity and burdens DNS providers. #Secshow #CortexXpanse
Keypoints
- Secshow operates at global scale from CERNET to probe open DNS resolvers and measure DNS responses.
- Amplification is driven by the combination of selective wildcard DNS responses and Cortex Xpanse's active scanning.
- Cortex Xpanse amplification creates a multi-fold effect, turning single Secshow queries into numerous global DNS queries and increasing DNS processing loads.
- DNS queries encode information (target IPs, timestamps) to communicate with resolvers, often pointing to open DNS resolvers.
- Secshow employs diverse query formats (e.g., hex-encoded IPs, hyphen-delimited IPs, CNAME/DNAME usage) to trigger responses and test resolver behavior.
- Open resolvers pose security and research challenges, polluting passive DNS data and hindering reliable threat intelligence and research.
MITRE Techniques
- [T1046] Network Service Scanning - Secshow probes open DNS resolvers by sending DNS queries to IPs around the world; "Secshow sends DNS queries to IP addresses around the world, including both IPv4 and IPv6; we call these the targets."
- [T1071.004] Application Layer Protocol: DNS - The actor uses DNS queries with encoded data to convey information to name servers and trigger responses; "The queries contained encoded IP addresses, and these IP addresses were often open resolvers. He also identified timestamps in the queries."
Indicators of Compromise
- [Domain] Secshow domains - secshow.online, secshow.net, secdns.site, prey.fit, attacker.fit, nameserver.fit, victim.fit, savme.xyz
- [IPv4 Address] Open resolver targets and encoded addresses - 235.81.235.90, and 08-08-08-08 (encoded IP representation)
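The keypoint about Secshow's query formats (hex-encoded and hyphen-delimited IPs) and the IoC list above are enough to build a small passive-DNS triage check. The following is an added example written for this summary, not code from the original report or from its authors: it decodes the two IP encodings the page names from query labels, matches query names against the listed Secshow domains, and flags matching lines in a constructed, space-separated resolver log. The log format, the client IPs, and the decoding heuristics are assumptions for the example; the page does not specify the timestamp encoding, so that part of the queries is not decoded here.

```python
import ipaddress
import re

# Secshow-attributed domains exactly as listed in the IoC section above.
SECSHOW_DOMAINS = (
    "secshow.online", "secshow.net", "secdns.site", "prey.fit",
    "attacker.fit", "nameserver.fit", "victim.fit", "savme.xyz",
)

# Two encodings the page describes: 8 hex chars ("08080808") and
# hyphen-delimited octets ("08-08-08-08"). Both are heuristics: a
# legitimate 8-hex-char label would also decode, so treat a decoded IP
# as a signal only, not proof on its own.
HEX_IP = re.compile(r"^[0-9a-f]{8}$")
HYPHEN_IP = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")


def decode_label(label):
    """Return the dotted-quad IPv4 encoded in one DNS label, or None."""
    label = label.lower()
    if HEX_IP.match(label):
        return str(ipaddress.IPv4Address(bytes.fromhex(label)))
    m = HYPHEN_IP.match(label)
    if m:
        octets = [int(o) for o in m.groups()]
        if all(o <= 255 for o in octets):
            return ".".join(str(o) for o in octets)
    return None


def secshow_suffix(qname):
    """Return the matching Secshow domain if qname is it or a subdomain of it."""
    q = qname.rstrip(".").lower()
    for d in SECSHOW_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def analyze_query(qname):
    """Classify one query name: known Secshow domain? any encoded IPs in labels?"""
    q = qname.rstrip(".").lower()
    suffix = secshow_suffix(q)
    labels = q.split(".")
    if suffix:
        # Only inspect the labels left of the attributed domain.
        labels = labels[: -len(suffix.split("."))]
    encoded = [ip for ip in (decode_label(lab) for lab in labels) if ip]
    return {"qname": qname, "secshow": suffix is not None, "encoded_ips": encoded}


# Constructed sample log: "<timestamp> <client> <qname> <qtype>" per line.
# Client addresses are RFC 5737 documentation ranges, not real observations.
SAMPLE_LOG = """\
2024-05-01T12:00:00Z 203.0.113.7 08-08-08-08.secshow.net A
2024-05-01T12:00:01Z 203.0.113.7 08080808.secdns.site A
2024-05-01T12:00:02Z 198.51.100.9 www.example.com A
"""


def scan_log(text):
    """Return records for lines that hit a Secshow domain or carry an encoded IP."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash a batch run
        ts, client, qname, qtype = parts[:4]
        result = analyze_query(qname)
        if result["secshow"] or result["encoded_ips"]:
            flagged.append({"ts": ts, "client": client, "qtype": qtype, **result})
    return flagged


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec)
```

In practice the decoded IP is the more useful field for a defender than the domain match: it tells you which resolver the probe is measuring, so a hit where the decoded address is one of your own recursive servers means that server is reachable as an open resolver and should be restricted to its intended clients.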