colourful words and phrases

techy tangents and general life chatter from a tired sysadmin

RCA – Degraded DNS reachability


Note

This report is not finalised and is updated as new information comes to light. It was most recently updated at 11:54 on the 18th of April, 2022, +0100 (BST)

Terminology

  • CryptoLocker -- Used here as a generic term for ransomware: malware which encrypts every file it can reach and then demands a ransom, usually in cryptocurrency, in exchange for decrypting them.
  • DNS -- Domain Name System: the mechanism by which a computer turns the name 'queer.party' into an IP address it can connect to.
  • Comodo -- An American cybersecurity/antimalware vendor.
  • ForcePoint -- An American cybersecurity/antimalware vendor.
  • Kaspersky -- A Russian cybersecurity/antimalware vendor.
  • Mnemonic -- A Norwegian cybersecurity/threat intelligence vendor.
  • Quad9 -- A free-to-use public DNS recursor which refuses to resolve domains that appear on its threat-intelligence blocklists.
  • VirusTotal -- An antivirus/threat intelligence aggregator; its report for a domain shows each participating vendor's verdict on it.

Summary of issue

queer.party citizens may have been unable to access the service from the 29th of March through the 1st of April, 2022, because the service had been abused as a command-and-control point by cryptolocker malware, which caused threat intelligence vendors and filtering DNS recursors to classify the domain as malicious.

Timeline of events

Initial cause

On Tuesday, 8th of March, 2022, a user registered for queer.party successfully.

On Monday, 28th of March, 2022, the Mastodon software last recorded some form of activity from that user. It is unclear whether this was a user log-on event or simply the last time any activity occurred on the account. The user had been seen accessing queer.party using servers from LeaseWeb US (ASN 30633) and DataPacket Warsaw (ASN 60068), and had registered using a Gmail account. The user's UI language was set to Russian; however, it is not known whether the user was actually Russian. Due to the policy of not collecting any logs or any information other than what the Mastodon software collects by itself, no other information is available.

On Tuesday, 29th of March, 2022, various threat intelligence services and endpoints began observing cryptolocker malware which contacted queer.party.

On Thursday, 31st of March, 2022, a queer.party citizen notified me that they were unable to reliably access the service when using Quad9, a DNS recursor service which provides filtering of known malicious addresses. I investigated and confirmed the block, and reached out to Quad9 support for delisting and further information. Quad9 responded and informed me that the domain queer.party was listed on VirusTotal as malicious by Comodo Valkyrie Verdict and suspicious by ForcePoint CSI, as well as by a threat intelligence company named Mnemonic.
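The check described above can be reproduced without relying on a single user's report. The following is an added example (standard-library Python, not code from the original post): it sends the same query to Quad9's filtering resolver (9.9.9.9) and to its unfiltered sibling (9.9.9.10, which the operator runs without the blocklist) and compares the response codes. A blocklisted name gets NXDOMAIN from the filtered resolver while the unfiltered one still returns records, which distinguishes a reputation block from a name that genuinely does not exist. The resolver addresses are Quad9's published ones; the replies parsed in the test are constructed packets, not captures.

```python
"""Compare a filtering DNS recursor's answer with its unfiltered sibling.

Added example (stdlib only, not code from the original post). Quad9 runs a
filtered resolver (9.9.9.9) and an unfiltered one (9.9.9.10); a blocklisted
name gets NXDOMAIN from the former while the latter still answers, which is
the signature of a reputation block rather than a genuinely missing name.
"""
import os
import socket
import struct
import sys

QUAD9_FILTERED = "9.9.9.9"
QUAD9_UNFILTERED = "9.9.9.10"  # same operator, blocklist not applied

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Build a minimal DNS query: RD set, one question, class IN (A record by default)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def parse_response(data: bytes, expected_qid: int) -> dict:
    """Extract rcode and answer count; reject replies that do not match our query."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if qid != expected_qid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    return {"rcode": rcode, "name": RCODE_NAMES.get(rcode, str(rcode)), "answers": ancount}


def classify(filtered: dict, unfiltered: dict) -> str:
    """Turn the two resolvers' verdicts on the same name into one label."""
    if filtered["rcode"] == 3 and unfiltered["rcode"] == 0 and unfiltered["answers"] > 0:
        return "FILTERED"      # exists upstream, denied by the filtering resolver
    if filtered["rcode"] == 3 and unfiltered["rcode"] == 3:
        return "NXDOMAIN"      # genuinely absent
    if filtered["rcode"] == 0 and unfiltered["rcode"] == 0:
        return "OK"
    return "INCONCLUSIVE"      # SERVFAIL/REFUSED or mixed errors need a manual look


def query(resolver: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query to `resolver` and parse the reply (needs network access)."""
    qid = int.from_bytes(os.urandom(2), "big")  # random id so stale replies are rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, qid)


def check_domain(name: str) -> str:
    """Live comparison of the filtered and unfiltered Quad9 resolvers for `name`."""
    return classify(query(QUAD9_FILTERED, name), query(QUAD9_UNFILTERED, name))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "queer.party"
    print(f"{target}: {check_domain(target)}")
```

Run it with the domain as the only argument; FILTERED is the verdict to take to the recursor's support channel, while INCONCLUSIVE usually means a SERVFAIL or timeout worth retrying before drawing conclusions.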

On Friday, 1st of April, 2022, I contacted Comodo, ForcePoint and Mnemonic to request delisting and information, and succeeded in having the domain delisted by Comodo. I received an email at 14:39 from Mnemonic confirming that the domain had been flagged as malicious, as it was accessed by malware. The malware performed one request to queer.party - to the profile page of the user who signed up on the 8th of March. Upon receipt, I investigated, found the user's profile to be suspicious, and banned the user immediately (at 14:42), and responded to Mnemonic to inform them of what happened, and request removal of queer.party from their malicious domains list. At 14:56, the user attempted, unsuccessfully, to log into their account, using an IP address from oneprovider[dot]com Brussels (ASN 9009). Quad9 then responded to confirm that they had removed queer.party from their blocked domains list, and helpfully informed me that Kaspersky had also listed the domain as malicious; I have reached out to Kaspersky to have this fixed.

On Wednesday, 6th of April, 2022, I received an email from Kaspersky that the domain would be delisted from their threat list. I verified at this time that the domain had indeed been removed.

On Monday, 18th of April, 2022, I checked and found that Avira had listed the domain as malicious. I am currently in the process of contacting their support to resolve this.
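The Avira listing turned up more than two weeks after the others were cleared, so the VirusTotal report is worth re-reading periodically rather than once. The following is an added example (not code from the post) that pulls the per-vendor verdicts out of a VirusTotal API v3 domain report and diffs two snapshots, so that a newly flagging vendor or a vendor that has not yet cleared stands out. It follows the documented v3 response shape (data.attributes.last_analysis_results, one entry per engine with a category of harmless, undetected, suspicious, malicious or timeout); the two snapshots are constructed to mirror the sequence in this report, and the vendor names in them are illustrative labels rather than VirusTotal's exact engine strings. The fetch helper needs a VirusTotal API key and network access and is not exercised by the demo.

```python
"""List the VirusTotal vendors flagging a domain and diff two snapshots.

Added example, not code from the original post. Follows the VirusTotal API
v3 "domains" object: data.attributes.last_analysis_results holds one entry
per engine with a "category" of harmless / undetected / suspicious /
malicious / timeout. The snapshots below are constructed to mirror this
report's sequence; vendor names are illustrative, not exact engine strings.
"""
import json
import urllib.request
from typing import Dict, List

FLAG_CATEGORIES = ("malicious", "suspicious")

# Constructed snapshot: how the report looked while the domain was still blocked.
SNAPSHOT_BEFORE = json.dumps({"data": {"type": "domain", "id": "example.invalid",
    "attributes": {"last_analysis_results": {
        "Comodo Valkyrie Verdict": {"category": "malicious", "result": "malware"},
        "ForcePoint CSI": {"category": "suspicious", "result": "suspicious"},
        "Kaspersky": {"category": "malicious", "result": "malware"},
        "Avira": {"category": "harmless", "result": "clean"},
        "SomeOtherVendor": {"category": "undetected", "result": "unrated"},
    }}}})

# Constructed snapshot: later, after two delistings and one new listing.
SNAPSHOT_AFTER = json.dumps({"data": {"type": "domain", "id": "example.invalid",
    "attributes": {"last_analysis_results": {
        "Comodo Valkyrie Verdict": {"category": "harmless", "result": "clean"},
        "ForcePoint CSI": {"category": "suspicious", "result": "suspicious"},
        "Kaspersky": {"category": "harmless", "result": "clean"},
        "Avira": {"category": "malicious", "result": "malware"},
        "SomeOtherVendor": {"category": "undetected", "result": "unrated"},
    }}}})


def flagging_vendors(report_json: str) -> Dict[str, str]:
    """Map vendor -> category for every engine rating the domain malicious or suspicious."""
    attrs = json.loads(report_json)["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    return {vendor: verdict.get("category", "undetected")
            for vendor, verdict in results.items()
            if verdict.get("category") in FLAG_CATEGORIES}


def diff_flags(before_json: str, after_json: str) -> Dict[str, List[str]]:
    """Which vendors newly flag, stopped flagging, or still flag the domain."""
    before = set(flagging_vendors(before_json))
    after = set(flagging_vendors(after_json))
    return {"new": sorted(after - before),
            "cleared": sorted(before - after),
            "still_flagged": sorted(before & after)}


def fetch_report(domain: str, api_key: str) -> str:
    """Fetch the live v3 domain report (network access and an API key required)."""
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/domains/{domain}",
        headers={"x-apikey": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print("flagged before:", flagging_vendors(SNAPSHOT_BEFORE))
    print("changes since:", diff_flags(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

In practice the previous snapshot is whatever was saved on the last run; anything in "new" is a vendor to contact, and anything in "still_flagged" is a delisting request to chase.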

Where we're at

The user account which caused queer.party to be flagged as malware has been banned, and Comodo have removed their malicious flag on the domain. Mnemonic have provided information necessary to identify the root cause, but have not yet responded to my request for removal of any malicious indicator against the domain. I attempted to email them a second time, but have not received any further information from them. I don't know if they have re-classified the domain on their systems, or if they're just not interested in remediation.

Quad9 responded to confirm that they have delisted queer.party, and DNS resolution should return to normal within some hours. I confirmed DNS resolution was restored at 18:27.

I have also made other instance admins aware of this incident in order to reduce the chances of others being impacted by this kind of abuse.

Prevention

I'm not sure how this can reasonably be identified and prevented, and am seeking guidance. Registrations to queer.party have been limited and now require a reason for signup as well as administrator approval, however existing users may invite others as they please.