
Welcome everyone. My name is Stephen and I'm a volunteer director at large with the Vancouver Island Security Research Society, proud organizers of the annual BSides Vancouver Island Security Conference. This year's event is happening on October 3rd, 2025 at the Victoria Conference Centre, a grassroots, community-driven celebration of cyber security built for everyone. Today I'm joined by David Brunston, one of our esteemed speakers for this year. David specializes in threat intelligence, researching everything from DNS abuse to botnet infrastructure, and his talk, Unwanted Guests, digs into how threat actors abuse compromised or misconfigured infrastructure throughout the attack chain. Rather than hosting their own servers, malicious actors repurpose equipment found in homes and offices, hijack domains, and compromise websites to host malware and redirect unsuspecting visitors. David, could you briefly introduce yourself and share a sneak peek of what attendees can expect from your talk?

>> Yeah, hi, thanks, Stephen. So, again, my name is David. I'm a threat researcher at a company called Infoblox, and I personally specialize in threat hunting in DNS. DNS, if you're not familiar, some people call it the phone book of the internet, but I think of it as the glue that holds the internet together. I follow these trails through DNS through all sorts of different types of threats, pretty much everything. Most cyber attacks use DNS in several stages of the attack. So I'd like to talk a little bit about some of the stuff that myself and other members of my team have found over the course of the year.

One of the ones that first comes to mind is some DNS or domain hijacking, in particular subdomain hijacking, that occurred earlier this year on the CDC, like cdc.gov, and other major organizations like Bose and Panasonic. They all had a lot of subdomains compromised. What's going on is that threat actors have found ways to compromise subdomains and use legitimate infrastructure to redirect to threats. In this case, these organizations like cdc.gov had subdomains that led to cloud infrastructure that was under their own control. The way DNS works, it's like a series of references to different resources, and if one of those resources expires and is no longer under control, then it's called a dangling record. So in this case, like the CDC, they had cloud resources that expired and were no longer there. Records were pointing to non-existent cloud resources, and threat actors were able to identify these dangling records in DNS and put their own cloud resources in those locations. So what we have is things like the CDC or other places redirecting to malvertising types of threats. Visitors of the sites would be redirected into what we call a traffic distribution system, which can lead to all sorts of threats.

These types of dangling records occur a lot in organizations. It's hard to keep track of how many domains an organization has, let alone how many subdomains an organization has. So if these records end up pointing to non-existent resources, threat actors know that they can identify these dangling records and put their own threats in place, so that visitors to those subdomains are instead hitting, for example, tech support scams, fake VPNs, sweepstakes scams. The list just goes on on the amount of threats that appear there. That's just one example that's come up this year.

Another example that I've been researching a lot is a large botnet of MikroTik routers. These routers are installed all over the world in homes and small businesses. They've formed what we call a large proxy network, which can be used for all sorts of things. What I've been mainly tracking is sending malware in emails. So these MikroTik routers have been compromised and they form this proxy network, and access to this proxy network is sold on the dark web, so actors can use this proxy network to hide their identity and send attacks through the MikroTik botnet. The attacks appear to be coming from people's homes and small businesses that are all using these MikroTik routers. People with these routers might wonder why their internet is so slow. Well, maybe they're doing a DDoS attack on Ukraine, or maybe their internet is so slow because their router is doing some kind of credential stuffing or mailing out other threats. Having compromised equipment is usually caused by out-of-date firmware or exposed admin access. For example, if you have got a router that can be accessed from the internet side, that's generally going to increase your risk. In my presentation, we'll look further into what some of the threats coming out of this botnet are.

>> Thanks so much for sharing that sneak peek, David. To everyone watching, don't miss your chance to meet experts like David in person and connect with the local cyber security community. Head to bsidesvi.com to grab your tickets now. If you register before September 18th, you'll get an exclusive custom-designed black hacker t-shirt in your chosen size, which may help boost your hacker cred. Find all of our social links on the website and join the conversation online using #bsidesv. See you at BSides Vancouver Island 2025. Again, thank you so much, David, for being here.

>> Thank you.