EvilBit Threat Digest: DNS Side-Channels, Admin UIs, and the Long Tail of Defaults
Threat digest on DNS as control plane via compromised routers and shadow resolvers, weak admin interfaces, evolving scams, and AI-enabled risk.
KryptoKat: Sunday reads usually come with coffee. This one comes with a quiet warning: some of the most effective attacks this week didn't need exploits at all. Just patience, misdirection, and a few dusty edge devices nobody's patched since Obama was in office.
UncleSp1d3r: Also: if you still think DNS is "boring plumbing," the attackers would like a word. They brought their own resolvers.
When DNS Becomes the Control Plane
Compromised routers, shadow resolvers, and a TDS hiding in plain sight
UncleSp1d3r: Infoblox dropped a deeply uncomfortable report on attackers compromising older edge routers, quietly rewriting DNS behavior, and routing victims through shadow DNS resolvers tied to infrastructure hosted in Aeza Networks. The goal isn't just redirection; it's fingerprinting. EDNS0 quirks, resolver behavior, and query patterns are used to decide what the victim gets next. Think of it as a DNS-level traffic distribution system (TDS), but without the noisy HTTP redirects most defenders are trained to spot.
Compromised Routers, DNS, and a TDS Hidden in Aeza Networks
Once traffic is flowing through attacker-controlled resolvers, the possibilities open up: selective malware delivery, crypto-miners for some victims, admin lockouts for others, and content that looks different depending on who you are and where you sit. No flashy exploit chains required. Just persistence at the network edge and a layer most people log but rarely interrogate.
KryptoKat (defender takeaway):
- Treat edge routers like endpoints, not furniture. Old firmware is an invitation.
- Watch for unexpected resolver paths and DNS responses that don't match your known infrastructure.
- If you can, enable DNSSEC and monitor EDNS0 anomalies. This isn't foolproof, but it raises the bar.
- Segment aggressively. DNS redirection is far more powerful when it can see everything.
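One way to operationalize the second takeaway, as an added example that is not from the digest or the Infoblox report: scan DNS flow records for queries that leave via resolvers you did not approve, and for answers to your own names that fall outside the ranges you publish. The resolver addresses, expected ranges and log line format are constructed assumptions.

```python
"""Added example (not the digest's or Infoblox's code): flag DNS traffic that
uses unapproved resolvers or returns unexpected answers for our own names."""
import ipaddress
import re

# Assumed values: replace with the resolvers and ranges your network publishes.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
EXPECTED_ANSWERS = {
    "portal.example.com": [ipaddress.ip_network("203.0.113.0/24")],
    "mail.example.com": [ipaddress.ip_network("198.51.100.0/25")],
}
# Constructed record format: ts client resolver qname qtype answer
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")
SAMPLE_LOG = """\
2026-02-01T09:00:01Z 10.0.5.21 10.0.0.53 portal.example.com A 203.0.113.10
2026-02-01T09:00:02Z 10.0.5.21 10.0.0.53 news.example.org A 192.0.2.44
2026-02-01T09:00:03Z 10.0.5.22 192.0.2.9 portal.example.com A 192.0.2.77
2026-02-01T09:00:04Z 10.0.5.23 10.0.1.53 mail.example.com A 198.51.100.200
"""

def parse(line):
    """Split one record into fields; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, resolver, qname, qtype, answer = m.groups()
    return {"ts": ts, "client": client, "resolver": resolver,
            "qname": qname.lower().rstrip("."), "qtype": qtype, "answer": answer}

def findings(rec):
    """Return the list of anomaly labels for a parsed record."""
    out = []
    # A client talking to a resolver we don't run is the shadow-resolver signal.
    if rec["resolver"] not in APPROVED_RESOLVERS:
        out.append("unapproved-resolver")
    # An A answer for our own name outside our published ranges is redirection.
    nets = EXPECTED_ANSWERS.get(rec["qname"])
    if nets and rec["qtype"] == "A":
        ip = ipaddress.ip_address(rec["answer"])
        if not any(ip in n for n in nets):
            out.append("answer-outside-expected-range")
    return out

def scan(log):
    """Return (client, qname, label) tuples for every anomaly in the log text."""
    alerts = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is not None:
            alerts.extend((rec["client"], rec["qname"], f) for f in findings(rec))
    return alerts
```

Queries for names you do not own (the news.example.org line) pass unless the resolver itself is unapproved, so pair this with the resolver allowlist rather than relying on either check alone.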
Admin Interfaces: Still the Soft Underbelly
Cisco Meeting Management: file upload to root
KryptoKat: Cisco patched a critical flaw in Cisco Meeting Management tracked as CVE-2026-20098. An authenticated attacker can upload arbitrary files, execute commands, and escalate to root. That's not a privilege escalation; that's a red carpet. If someone already has any authenticated access to this platform, they can own the box. Patches are out. If this lives anywhere near a production network, it shouldn't be running unpatched today.
Cisco Security Advisory: Cisco Meeting Management Arbitrary File Upload Vulnerability
Cisco EPNM / Prime Infrastructure: open redirect, real consequences
UncleSp1d3r: CVE-2026-20123 is "just" an open redirect in Cisco EPNM and Prime Infrastructure. CVSS 4.3, user interaction required. Everyone yawns. But management UIs sit at a privileged crossroads. An attacker who can steer an admin to a malicious page, especially while intercepting traffic, gets a shot at credential capture or session abuse.
Cisco EPNM and Prime Infrastructure Open Redirect Vulnerability
KryptoKat: Patch anyway. And restrict access to management interfaces. "Internal only" should mean actually internal.
The Scam Supply Chain Keeps Evolving
Fake cloud storage alerts that end at Freecash
KryptoKat: Malwarebytes traced a phishing campaign that starts with fake cloud storage payment alerts and walks victims through a multi-stage redirect chain that ultimately lands on Freecash affiliate offers. The mechanics are familiar; the polish is better. Users think they're fixing billing. They're really handing over payment data or getting funneled into shady subscriptions.
A fake cloud storage alert that ends at Freecash
Malicious Bing ads pushing Azure-hosted tech support scams
UncleSp1d3r: Netskope caught malicious Bing Ads leading to fake Microsoft support pages hosted on Azure Blob Storage, hitting users across 48 organizations in the U.S. within hours of going live. Healthcare, manufacturing, and tech were all in the blast radius. It's the same old tech-support scam, but wearing a cloud provider's badge of legitimacy.
Malicious Bing Ads Lead to Widespread Azure Tech Support Scams
KryptoKat: If your advice to users is still "just don't click ads," you're not wrong, but you're also losing. These pages look right, load fast, and live on domains browsers inherently trust.
AI Meets the Edge
"All gas, no brakes": AI tools meet edge device reality
KryptoKat: Cisco Talos' latest piece is less about a single campaign and more about a pattern: AI tools bolted onto infrastructure without threat modeling. They highlight DKnife, an attack framework targeting Linux-based routers and edge devices, and tie it to a broader rush to deploy AI-adjacent tooling without thinking through authentication, update paths, or data handling.
All gas, no brakes: Time to come to AI church
UncleSp1d3r: If an "AI-powered" feature touches your network devices, treat it like new management plane code, because that's exactly what it is.
Quick Hits
GitHub weighs tighter PR controls
UncleSp1d3r: GitHub is publicly mulling stricter pull request controls to help maintainers cope with floods of low-quality (often AI-generated) contributions. This isn't just a productivity issue; it's supply-chain risk in slow motion. More knobs for maintainers may be unpopular, but so is reviewing a thousand PRs that all compile and quietly rot your threat model.
GitHub Weighs Pull Request Kill Switch As AI Slop Floods Open Source
Labyrinth Chollima splits into specialized crews
KryptoKat: PolySwarm reports that Labyrinth Chollima has effectively branched into three operational flavors: Golden Chollima, Pressure Chollima, and a core espionage unit, all sharing infrastructure and tooling while chasing different missions, especially crypto theft and strategic espionage. Fragmentation doesn't mean weakness. It means parallelism. Same playbook, more hands.
Labyrinth Chollima Expands Activity, Spawns Offshoots
Incognito Market's operator gets 30 years
UncleSp1d3r: The operator of Incognito Market, a major dark-web drug marketplace tied to over $105M in transactions, was sentenced to 30 years in U.S. federal prison. Markets will reappear. But long sentences still change risk calculations, especially for operators who believed crypto opacity was a shield.
Incognito Market founder sentenced to 30 years
DOJ announcement
Closing: The Quiet Layers Matter
KryptoKat: This week wasn't about zero-days lighting up dashboards. It was about layers we assume are stable: DNS, admin UIs, marketplaces, and "helpful" platforms that quietly shape what we see and where we go.
UncleSp1d3r: The 90s taught us to fear what runs as root. The 2020s are teaching us to fear what runs by default.
Check your edges. Question your resolvers. And if something says "AI-powered," ask what it's really powered by.
~ KryptoKat and UncleSp1d3r