Daniela Zamfiroiu

Incident Responder at KLM Royal Dutch Airlines


Daniela Zamfiroiu works in the SOC at KLM as an Incident Responder. Daniela Zamfiroiu and Arjan Onwezen both have over 20 years of experience in the field and enjoy solving complex puzzles.

Talk (with Arjan Onwezen): “From Russia, with dns-prefetch” [TLP:AMBER]

Our presentation follows the activities of a Russia-based group that is taking advantage of reputable small businesses. The group actively hunts for websites that lack security updates. The group’s activities serve different campaigns over time and can be followed by their use of the dns-prefetch tag inserted into the vulnerable websites. We have been following their activities since around October 2024.
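As an added example (not code from the talk or from KLM), a defender-side check that lists the hosts named by `<link rel="dns-prefetch">` tags in a page and flags those outside the site's own hosts; the sample HTML and all domain names are constructed placeholders, and legitimate prefetch to a CDN or font host is common, so an off-site hit is a triage lead rather than proof of injection.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class DnsPrefetchCollector(HTMLParser):
    """Collect the hosts referenced by <link rel="dns-prefetch"> tags."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)  # attribute names are lowercased by HTMLParser
        rel = (a.get("rel") or "").lower().split()
        href = a.get("href") or ""
        if "dns-prefetch" in rel and href:
            # href may be "https://host", "//host" or a bare host name
            if "//" not in href:
                href = "//" + href
            host = urlparse(href).netloc.lower()
            if host:
                self.hosts.append(host)


def find_suspect_prefetch(html, site_host, allowlist=()):
    """Return dns-prefetch hosts that are neither the site itself nor allowlisted."""
    parser = DnsPrefetchCollector()
    parser.feed(html)
    allowed = {site_host.lower(), *(h.lower() for h in allowlist)}
    return sorted({h for h in parser.hosts if h not in allowed})


# Constructed sample page: one expected prefetch (own CDN) and one unexplained one.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="DNS-Prefetch" href="//cdn.smallbusiness.example">
<link rel="dns-prefetch" href="https://prefetch-placeholder.invalid/">
</head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    hits = find_suspect_prefetch(
        SAMPLE_HTML, "smallbusiness.example", ["cdn.smallbusiness.example"]
    )
    for host in hits:
        print("unexplained dns-prefetch host:", host)
```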

This is an ongoing investigation, and the actor has been expanding its activities over the last few months: new (cloud) infrastructure, newly registered domains, and even more small businesses falling victim. We estimate hundreds of thousands of victims. Although the number of injected websites is high, the backend infrastructure is quite limited and can be mapped using open-source tooling.

Their targets are the legitimate visitors of these small businesses, and because of our large user base we were able to see the pattern in the activity. Everyone is a fair target for this group, and therefore everyone should think about detection and protection.

We would like to ask the attendees to actively think with us about potential structural disruption activities, so that we can better protect users while deterring the actor’s activity.