Latest news with #Infoblox


Tahawul Tech
3 days ago
- Business
- Tahawul Tech
Threat Intel must adapt to disruptive adversarial GenAI
Bart Lenaerts, Senior Product Marketing Manager, Infoblox, explores how cyber adversaries are increasingly leveraging Generative AI (GenAI), especially Large Language Models (LLMs), to enhance their attacks through social engineering, deception, and code obfuscation.

Generative AI, particularly Large Language Models (LLMs), is forcing a transformation in cybersecurity. Adversaries are attracted to GenAI because it lowers the entry barriers to creating deceptive content. Actors do this to enhance the efficacy of their intrusion techniques, such as social engineering and detection evasion. This article provides common examples of malicious GenAI usage, such as deepfakes, chatbot automation and code obfuscation. More importantly, it also makes a case for early warnings of threat activity and the use of predictive threat intelligence capable of disrupting actors before they execute their attacks.

Example 1: Deepfake scams using voice cloning

At the end of 2024, the FBI warned that criminals were using generative AI to commit fraud on a larger scale, making their schemes more believable. GenAI tools like voice cloning reduce the time and effort needed to deceive targets with trustworthy-sounding audio messages. Voice cloning tools can even correct human errors like foreign accents or vocabulary that might otherwise signal fraud. While creating synthetic content isn't illegal, it can facilitate crimes like fraud and extortion. Criminals use AI-generated text, images, audio, and videos to enhance social engineering, phishing, and financial fraud schemes. Especially worrying is the easy access cybercriminals have to these tools and the lack of security safeguards. A recent Consumer Reports investigation[1] of six leading publicly available AI voice cloning tools discovered that five have bypassable safeguards, making it easy to clone a person's voice even without their consent.
Voice cloning technology works by taking an audio sample of a person speaking and then extrapolating that person's voice into a synthetic audio file. However, without safeguards in place, anyone who registers an account can simply upload audio of an individual speaking, such as from a TikTok or YouTube video, and have the service imitate them. Voice cloning has been utilized by actors in various scenarios, including large-scale deep-fake videos for cryptocurrency scams or the imitation of voices during individual phone calls. A recent example that garnered media attention is the so-called 'grandparent' scam[2], where a family emergency scheme is used to persuade the victim to transfer funds.

Example 2: AI-powered chat boxes

Actors often pick their victims carefully by gathering insights on their interests and set them up for scams. Initial research is used to craft the smishing message and draw the victim into a conversation. Personal notes like 'I read your last social post and wanted to become friends' or 'Can we talk for a moment?' are some examples our intel team discovered (step 1 in picture 2). While some of these messages may be extended with AI-modified pictures, what matters is that actors invite their victims to the next step, which is a conversation on Telegram or another actor-controlled medium, far away from security controls (step 2 in picture 2). Once the victim is on the new medium, the actor uses several tactics to continue the conversation, such as invites to local golf tournaments, Instagram follows or AI-generated images. These AI bot-driven conversations go on for weeks and include additional steps, like asking for a thumbs-up on YouTube or even a social media repost. At this stage, the actor is assessing their victims and seeing how they respond. Sooner or later, the actor will show some goodwill and create a fake account.
Each time the victim reacts positively to the actor's request, the amount of currency in the fake account will increase. Later, the actor may even request small amounts of investment money, promising an ROI of more than 25 percent. When the victim asks to collect their gains (step 3 in picture 2), the actor requests access to the victim's crypto account and exploits all the established trust. At this moment, the scam comes to an end and the actor steals the crypto money in the account. While these conversations are time-intensive, they are rewarding for the scammer and can lead to tens of thousands of dollars in ill-gotten gains. By using AI-driven chat boxes, actors have found a productive way to automate the interactions and increase the efficiency of their efforts.

Infoblox Threat Intel tracks these scams to optimize threat intelligence production. Common characteristics found in malicious chat boxes include:
- AI grammar errors, such as an extra space after a period, or references to foreign languages
- Using vocabulary that includes fraud-related terms
- Forgetting details from past conversations
- Repeating messages mechanically due to poorly trained AI chatbots (also known as parroting)
- Making illogical requests, like asking if you want to withdraw your funds at irrational moments in the conversation
- Using false press releases posted on malicious sites
- Opening conversations with commonly used phrases to lure the victim
- Using specific cryptocurrency types that are often used in criminal communities

The combination of these fingerprints allows threat intel researchers to observe emerging campaigns and track back the actors and their malicious infrastructure.

Example 3: Code obfuscation and evasion

Threat actors are using GenAI not only for creating human-readable content. Several news outlets have explored how GenAI assists actors in obfuscating their malicious code.
Earlier this year Infosecurity Magazine[3] published details of how threat researchers at HP Wolf discovered social engineering campaigns spreading VIP Keylogger and 0bj3ctivityStealer malware, both of which involved malicious code being embedded in image files. With the goal of improving the efficiency of their campaigns, actors are repurposing and stitching together existing malware via GenAI to evade detection. This approach also helps them set up threat campaigns faster and reduces the skills needed to construct infection chains. HP Wolf's threat research estimates an 11% increase in evasion for email threats, while other security vendors like Palo Alto Networks estimate[4] that GenAI flipped their own malware classifier model's verdicts into false negatives 88% of the time. Threat actors are clearly making progress in their AI-driven evasion efforts.

Making the case for modernising threat research

As AI-driven attacks pose plenty of detection evasion challenges, defenders need to look beyond traditional tools like sandboxing or indicators derived from incident forensics to produce effective threat intelligence. One of these opportunities can be found by tracking pre-attack activities instead of sending the last suspicious payload to a slow sandbox. Just like a standard software development lifecycle, threat actors go through multiple stages before launching attacks. First, they develop or generate new variants of the malicious code using GenAI. Next, they set up the infrastructure, like email delivery networks or hard-to-trace traffic distribution systems. Often this happens in combination with domain registrations or, worse, the hijacking of existing domains. Finally, the attacks go into 'production', meaning the domains become weaponised and ready to deliver malicious payloads.
This is the stage where traditional security tools attempt to detect and stop threats, because it involves easily accessible endpoints or network egress points within the customer's environment. Because of evasion and deception by GenAI tools, this point of detection may not be effective, as the actors continuously alter their payloads or mimic trustworthy sources.

The Value of Predictive Intelligence Based on DNS Telemetry

To stay ahead of these evolving threats, organisations should consider leveraging predictive intelligence derived from DNS telemetry. DNS data plays a crucial role in identifying malicious actors and their infrastructure before attacks even occur. Unlike payloads that can be altered or disguised using GenAI, DNS data is inherently transparent across multiple stakeholders—such as domain owners, registrars, domain servers, clients, and destinations—and must be 100% accurate to ensure proper connectivity. This makes DNS an ideal source for threat research, as its integrity makes it less susceptible to manipulation. DNS analytics also provides another significant advantage: domains and malicious DNS infrastructures are often configured well in advance of an attack or campaign. By monitoring new domain registrations and DNS records, organisations can track the development of malicious infrastructure and gain insights into the early stages of attack planning. This approach enables the identification of threats before they're activated.

Conclusion

The evolving landscape of AI and its impact on security is significant. With the right approaches and strategies, such as predictive intelligence derived from DNS, organizations can truly get ahead of GenAI risks and ensure that they don't become patient zero.

Image Credit: Infoblox


Scoop
21-05-2025
- Scoop
New Cyber Threat ‘Hazy Hawk' Hijacks Major Domains – Are You At Risk?
Press Release – Infoblox

Subdomain hijacking through abandoned cloud resources is an issue that probably every major organisation has experienced, and these attacks are on the rise. Infoblox Threat Intel has tracked some of this activity to a threat actor, dubbed Hazy Hawk, that uses hijacked domains to conduct large-scale scams and malware distribution. This discovery highlights the critical need for organisations to manage their domain name system (DNS) records and cloud resources vigilantly.

Hazy Hawk is a sophisticated threat actor that hijacks forgotten DNS records from discontinued cloud services such as Amazon S3 buckets and Azure endpoints. By taking control of these abandoned resources, Hazy Hawk is able to host malicious URLs that lead unsuspecting users to scams and malware. Identifying vulnerable DNS records in the cloud is significantly more challenging than identifying regular unregistered domains. As cloud usage has grown, the number of abandoned 'fire and forget' resources has skyrocketed, especially at companies that do not use a comprehensive visibility and management solution for managing all their assets across their digital real estate. Hazy Hawk has successfully hijacked subdomains of reputable organisations, including the U.S. Center for Disease Control (CDC), various government agencies, universities, and international companies since December 2024.
Hazy Hawk Details:
- Sophisticated Techniques: Unlike traditional domain hijackers, Hazy Hawk targets DNS misconfigurations in the cloud and must have access to commercial passive DNS services to do so
- Wide-Reaching Impact: The hijacked domains are used to distribute a variety of scams, including fake advertisements and malicious push notifications, affecting millions of users globally
- Economic Consequences: The scams facilitated by Hazy Hawk contribute to the multi-billion-dollar fraud market, with significant financial losses reported, particularly among the elderly population
- Obfuscation: Hazy Hawk uses layered defenses to protect its operations, including hijacking reputable domains, obfuscating URLs, and redirecting traffic through multiple domains

Protective Measures

To thwart threat actors like Hazy Hawk, organisations should implement robust DNS management practices, including regular audits of DNS records and prompt removal of records associated with discontinued cloud services. Additionally, users should be educated to deny push notification requests from unfamiliar websites to avoid falling victim to scams. For more information on Hazy Hawk read the full research Blog here.
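One way to run the DNS-record audit the protective measures call for, as an added example that is not Infoblox's or the press release's own code: it walks a zone export for CNAMEs that point at cloud hostnames and flags those whose target no longer resolves. The cloud suffix list, the sample zone and the resolver stub are constructed assumptions; in production the resolver argument would be a real lookup.

```python
"""Audit a DNS zone for CNAMEs that point at discontinued cloud resources.

Added example for the protective measures above; it is not Infoblox's code.
It takes the zone as a list of (name, type, target) tuples and the resolver as
a function argument, so the constructed sample at the bottom runs offline.
"""
from typing import Callable, Iterable, Optional

# Hostname suffixes of cloud services where the name is released when the
# resource is deleted, so anyone can re-create it. Illustrative, not exhaustive.
CLOUD_SUFFIXES = (
    ".s3.amazonaws.com",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".cloudfront.net",
)

# A resolver returns an address for a hostname, or None when the name does not resolve.
Resolver = Callable[[str], Optional[str]]


def cloud_suffix(target: str) -> Optional[str]:
    """Return the watched cloud suffix a record target belongs to, or None."""
    host = target.rstrip(".").lower()
    for suffix in CLOUD_SUFFIXES:
        if host.endswith(suffix):
            return suffix
    return None


def audit_zone(records: Iterable[tuple[str, str, str]], resolve: Resolver) -> list[dict]:
    """Classify every CNAME that targets a watched cloud service.

    'dangling'      the target no longer resolves: remove the record (or reclaim
                    the resource) before someone else claims the name.
    'cloud-backed'  the target resolves; cross-check it against the asset
                    inventory so it does not become tomorrow's dangling record.
    """
    findings = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        suffix = cloud_suffix(target)
        if suffix is None:
            continue
        status = "dangling" if resolve(target) is None else "cloud-backed"
        findings.append({"name": name, "target": target, "service": suffix, "status": status})
    return findings


def dangling_names(records: Iterable[tuple[str, str, str]], resolve: Resolver) -> list[str]:
    """Just the owner names whose CNAME target is gone."""
    return [f["name"] for f in audit_zone(records, resolve) if f["status"] == "dangling"]


# Constructed sample zone and resolver answers (no real domains or resources).
SAMPLE_RECORDS = [
    ("www.example.test", "CNAME", "d111.cloudfront.net."),            # still live
    ("files.example.test", "CNAME", "old-bucket.s3.amazonaws.com."),  # bucket deleted
    ("app.example.test", "CNAME", "retired-app.azurewebsites.net."),  # app deleted
    ("blog.example.test", "CNAME", "pages.hosting.example."),         # not a watched suffix
    ("mail.example.test", "MX", "mx1.example.test."),                 # not a CNAME
]
SAMPLE_ANSWERS = {"d111.cloudfront.net.": "203.0.113.10"}


def sample_resolver(host: str) -> Optional[str]:
    """Stand-in for a real lookup: only names in SAMPLE_ANSWERS resolve."""
    return SAMPLE_ANSWERS.get(host)


if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_RECORDS, sample_resolver):
        print(f"{finding['status']:<12} {finding['name']} -> {finding['target']}")
```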


Channel Post MEA
10-04-2025
- Business
- Channel Post MEA
Infoblox And Google Cloud Partner On Networking Security
Infoblox has announced it is collaborating with Google Cloud to simplify enterprise networking and security while helping organizations accelerate their cloud transformation journeys. Infoblox and Google Cloud are offering two new solutions to help enterprises address challenges in hybrid, multi-cloud networking and cybersecurity:
- Infoblox Universal DDI for Google's Cloud WAN is a fully integrated solution that combines the world-class, global Google Cloud Cross-Cloud Network infrastructure with Infoblox's industry-leading DNS and DHCP capabilities to transform enterprise networking.
- Google Cloud DNS Armor, powered by Infoblox, is a next-generation, native Protective DNS solution that provides robust and preemptive detection of malicious activity for Google Cloud workloads.

'The partnership with Google Cloud represents a strategic milestone in our commitment to innovation and mission to enhance cloud networking and security,' said Scott Harrell, president and CEO, Infoblox. 'It's a testament to the critical role that Protective DNS and DDI services play in managing and securing today's hybrid multi-cloud environments. Infoblox and Google Cloud are providing enterprises with tightly integrated, cloud-first solutions that enable secure connectivity while also reducing operational overhead. Together, our technologies are used to manage critical workloads at nearly every Fortune 100 company.'

'At Google Cloud, we are committed to building a cloud infrastructure with global scale that helps simplify operations for our customers,' said Muninder Singh Sambi, VP/GM, Networking, Google Cloud. 'Enabling a resilient and secure network is a critical component of that vision—bridging networking and security to help ensure seamless connectivity and performance. Infoblox has long been a leader in DDI and Protective DNS innovation, making them the ideal partner to help us deliver enterprise-grade network services in the cloud.
By integrating Infoblox's technology into Google Cloud, we're making it easier for organizations to modernize, connect and scale their global operations with confidence.'

As businesses today face growing challenges to simplify operations, strengthen security and stay agile, they require a more streamlined, integrated approach to networking and security.

'The partnership between Infoblox and Google Cloud marks a major leap forward in enterprise networking and security,' said Alfredo Rodriguez, vice president, cloud platform infrastructure, Sabre Corporation. 'By uniting their expertise, they are delivering scalable, intelligent solutions that simplify branch operations, fortify defenses and enable agile, efficient cloud connectivity.'

Infoblox Universal DDI for Google's Cloud WAN

The Infoblox Universal DDI integration with Google's Cloud WAN allows organizations to quickly deploy Universal DDI's NIOS-X as a Service with ease. Infoblox Universal DDI for Google's Cloud WAN provides infrastructure-free DNS and DHCP services, anywhere in the world, tightly integrated with the Google Cloud Cross-Cloud Network. The combination provides enterprises modernizing their infrastructure with enhanced performance, resiliency and scale across the globe. These integrated services greatly simplify infrastructure deployment and management, reducing total cost of ownership while helping to ensure the efficient delivery of applications, workloads and services to branches, data centers and users worldwide. This fully integrated, centrally managed solution unifies enterprise backbones, SD-WANs and enterprise-grade critical network services. And, when combined with Infoblox security offerings, Infoblox Universal DDI can be used as a single interception point to deploy consistent security policies across an entire hybrid cloud infrastructure. Infoblox Universal DDI for Google's Cloud WAN is available in the Google Cloud Marketplace.
DNS Armor, powered by Infoblox

DNS Armor from Google Cloud leverages Infoblox's deep expertise in protective DNS and DNS-centric threat intelligence to secure cloud workloads, delivering simplified, scalable threat detection. The solution provides enhanced and preemptive security designed to integrate seamlessly without increasing operational complexity. It allows customers to inspect DNS communications for malicious activity, such as ransomware, command and control, data exfiltration, Zero Day DNS threats, domain generation algorithms and more. Infoblox's technology powers the DNS Armor service, and customers can activate and configure DNS threat detection directly on the Google Cloud console.
Administrators can monitor DNS queries and access real-time DNS threat logs that enable early threat detection and a proactive security posture. DNS Armor can detect attacks 63 days before other solutions. The solution is easy for any Google Cloud customer to activate within the Google Cloud console.

'As cyber threats grow more sophisticated, the collaboration between Infoblox and Google Cloud delivers a game-changing approach to network security,' said Bob Walker, senior domain network engineer, Lloyds Banking Group. 'Google Cloud's DNS Armor, powered by Infoblox, harnesses the best of both technologies—cutting-edge DNS threat intelligence and scalable cloud architecture—to provide enterprises with robust protection against emerging threats.'

'Infoblox powers Google Cloud's DNS Armor with intelligence beyond just a DNS block list—tracking activity of potential adversaries to uncover and flag every corner of their malicious network,' said Chris Kissel, research vice president, security and trust, IDC. 'The first challenge to cybersecurity is it's typically reactive, and DNS Armor, powered by Infoblox, provides a preemptive solution to securing cloud workloads that doesn't add additional complexity or compute.'


TECHx
10-04-2025
- Business
- TECHx
Infoblox, Google Cloud Unite to Simplify Enterprise Security
Infoblox, a cloud networking and security provider, has partnered with Google Cloud to simplify enterprise networking and enhance enterprise security, accelerating cloud transformation globally.

Infoblox, a cloud networking and security services provider, has announced a new collaboration with Google Cloud. This partnership aims to simplify enterprise networking and enterprise security while accelerating cloud transformation for businesses worldwide. Together, Infoblox and Google Cloud are launching two integrated solutions that address challenges in hybrid and multi-cloud environments.

The first, Infoblox Universal DDI for Google's Cloud WAN, combines Infoblox's DNS and DHCP capabilities with Google Cloud's Cross-Cloud Network. This powerful integration supports infrastructure modernization while enhancing global performance and scalability. It also helps organizations reduce deployment complexity and operational costs.

The second solution, Google Cloud DNS Armor powered by Infoblox, is a next-generation Protective DNS service. It proactively detects malicious activity targeting cloud workloads. By leveraging Infoblox's DNS threat intelligence, it delivers high-impact enterprise security with minimal operational burden. Users can activate the service directly in the Google Cloud console and monitor threats in real time.

Scott Harrell, president and CEO of Infoblox, stated that the partnership demonstrates a shared commitment to innovation. He emphasized the growing importance of Protective DNS and DDI services in supporting enterprise security within hybrid, multi-cloud infrastructures. Muninder Singh Sambi, VP/GM of Networking at Google Cloud, added that the collaboration bridges networking and security. He noted that Infoblox's experience in DDI and threat detection makes them a strategic partner for delivering robust enterprise security solutions in the cloud.
Today's businesses face rising pressure to stay agile while strengthening enterprise security across distributed environments. These new solutions directly respond to that demand by providing scalable, cloud-native tools that simplify operations.

Infoblox Universal DDI for Google's Cloud WAN is available through the Google Cloud Marketplace. It enables rapid deployment of NIOS-X as a Service and offers global, infrastructure-free DNS and DHCP. The solution also supports unified policy enforcement across all hybrid cloud environments when paired with Infoblox's security offerings.

Google Cloud DNS Armor provides early detection of ransomware, Zero Day threats, and data exfiltration attempts. It gives IT teams full visibility into DNS activity and ensures faster, more proactive threat response. Bob Walker of Lloyds Banking Group described DNS Armor as a game-changer for enterprise security, while Chris Kissel of IDC praised its ability to reduce complexity without sacrificing protection.

With this partnership, Infoblox and Google Cloud are delivering integrated solutions that help organizations build stronger foundations for enterprise security in a cloud-first world.


Forbes
28-03-2025
- Forbes
Users Face New Phishing Threats From Sophisticated Scam Kit
A sophisticated phishing operation known as Morphing Meerkat is putting internet users at serious risk. Discovered by cybersecurity researchers at Infoblox, this phishing-as-a-service platform has been quietly active since at least 2020. At first glance, Morphing Meerkat might appear to be just another spam campaign. But beneath the surface, it leverages cutting-edge tactics that make it far more dangerous and difficult to detect—especially for non-technical individuals.

What sets this campaign apart is its use of DNS-over-HTTPS. This technology allows it to bypass traditional DNS filters and monitoring tools, making it harder for security software to identify the threat. The phishing toolkit also performs live lookups of Mail Exchange records, which tell it what email provider the victim uses. With that information, the platform dynamically generates a login page that looks exactly like what the victim expects—whether it is Gmail, Yahoo, Outlook, or over 110 other commonly used services. Morphing Meerkat is a phishing kit designed for scalability, stealth, and ease of use—even for cybercriminals with little technical skill.

The actual attack typically begins with a highly convincing email. These messages are crafted to look legitimate and are translated into multiple languages, including English, Spanish, Russian, and Chinese. They often appear to come from widely recognized brands and carry urgent subject lines like 'Action Required: Account Deactivation,' designed to trigger a quick, emotional reaction. When a user clicks on the link inside the email, they are taken through a maze of redirects—often via ad networks, compromised WordPress sites, or free hosting platforms. This redirect chain helps the attackers obscure their tracks and bypass browser security warnings. Eventually, the user lands on a fake login page.
At this point, the phishing kit quietly queries the victim's email domain using DNS-over-HTTPS to identify which email provider they use. Once identified, the kit dynamically loads a counterfeit login page tailored to that provider, often with the victim's email address already filled in. The design is nearly indistinguishable from the real thing. If the user enters their password, the credentials are transmitted to the attackers—sometimes even forwarded in real time using tools like Telegram bots. In some cases, the user is prompted to re-enter their password with an error message such as 'Invalid Password! Please enter email correct password,' which helps confirm that the stolen information is accurate.

To complete the deception and avoid raising alarms, the user is then redirected to the legitimate login page of their email provider. From their perspective, it simply appears that the login failed the first time, and they continue on as usual—unaware that their credentials have already been compromised.

Despite the increasing complexity of phishing attacks, there are practical and effective steps that consumers can take to protect their digital lives: