Attackers are taking malicious manipulation of DNS traffic to the next level, abusing DNS tunneling to scan a victim's network infrastructure as well as track victims' online behavior.
Researchers from Palo Alto Networks' Unit 42 have identified several recent threat campaigns that have gone beyond the typical use of DNS tunneling, which is the process of using outbound DNS traffic to smuggle malicious data from malware exploitation back to attackers' command-and-control infrastructure.
They revealed in a recent blog post that attackers have been abusing DNS traffic to track victims' activities, by delivering malicious domains to victims with their identity information encoded in subdomain payloads.
The scanning in recent campaigns includes trolling network infrastructure by encoding the IP address and time stamp in the tunneling payloads, with spoofed source IP addresses, according to Unit 42.
This allows attackers to discover open resolvers, that is, DNS servers willing to resolve recursive DNS lookups for anyone on the Internet, so that they can exploit resolver vulnerabilities to perform DNS attacks, the researchers wrote.
This can lead to malicious redirection or denial-of-service attacks.
How DNS Tunneling Works
DNS tunneling is valuable to malicious actors because it provides a covert communications channel, allowing them to bypass conventional network firewalls and thus hide C2 traffic and data exfiltration among legitimate outbound traffic, masking it from traditional detection methods.
Attackers can send traffic over User Datagram Protocol port 53, which is ubiquitous and commonly allowed through firewalls and other network security measures.
The client machine does not communicate with the attacker's server directly, adding another layer of obscurity.
Further, attackers typically encode data sent during exfiltration and infiltration with their own customized methods, which disguises the data within seemingly legitimate DNS traffic.
DNS Tunneling for Tracking
Unit 42 researchers observed two specific attacks in which DNS tunneling was used to track victims' behavior by using subdomains in DNS traffic.
Based on researchers' observations, the technique likely was used to track victims' interaction with email content.
In another campaign, aptly dubbed SpamTracker, attackers used DNS tunneling in a similar way to TrkCdn to track spam delivery, the researchers said.
The campaign - related to 44 tunneling domains - employed emails and website links to deliver spam and phishing content with various lures, including fortune-telling services, fake package delivery updates, secondary job offers, and lifetime free items.
DNS Tunneling for Scanning
The third novel use of DNS tunneling observed by Unit 42 came in the form of using the method to periodically scan a victim's network infrastructure for vulnerabilities - often the first stage of a cyberattack - and then performing reflection attacks.
The researchers observed the so-called SecShow campaign seeking open resolvers, testing resolver delays, exploiting resolver vulnerabilities, and obtaining time-to-live information.
It contained three domains that used various subdomains to achieve different types of network scanning.
Mitigating Malicious DNS Behavior
When it comes to detecting DNS tunneling, Unit 42 researchers recommended that organizations control the service range of resolvers to accept necessary queries only, and promptly update the version of the resolver software to prevent the exploitation of N-day vulnerabilities.
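As an added example (not code from the article or from Unit 42), the following heuristic detector runs over constructed DNS query log entries and flags registered domains that receive many distinct subdomains carrying long or high-entropy leftmost labels, which is the traffic pattern both the tracking campaigns (an identifier per recipient in the subdomain) and the scanning campaign (an encoded address and timestamp per query) described above produce. The sample queries, the thresholds and the two-label approximation of a registered domain are assumptions chosen for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of (client_ip, queried_name) log entries; not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "cdn.example.org"),
    # tracking-style: a per-victim identifier carried in the leftmost label
    ("10.0.0.5", "4f2a9c1e7b3d.track.example-tunnel.test"),
    ("10.0.0.6", "9a8b7c6d5e4f.track.example-tunnel.test"),
    ("10.0.0.7", "0123456789ab.track.example-tunnel.test"),
    # scanning-style: an encoded address and timestamp in the leftmost label
    ("10.0.0.8", "0a000008-663a1f2c.scan.example-tunnel.test"),
    ("10.0.0.9", "0a000009-663a1f30.scan.example-tunnel.test"),
    ("10.0.0.10", "0a00000a-663a1f35.scan.example-tunnel.test"),
]

def shannon_entropy(label: str) -> float:
    """Bits per character; encoded payloads score higher than dictionary words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def registered_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def score_domains(queries, min_unique=3, min_label_len=12, min_entropy=3.0):
    """Return {domain: stats} for domains whose subdomains look like tunneling payloads."""
    per_domain = defaultdict(list)  # domain -> [(subdomain, leftmost label), ...]
    for _, name in queries:
        name = name.lower().rstrip(".")
        dom = registered_domain(name)
        if len(name) > len(dom):  # an apex query (no subdomain) carries no payload
            sub = name[: -len(dom) - 1]
            per_domain[dom].append((sub, sub.split(".")[0]))
    flagged = {}
    for dom, entries in per_domain.items():
        unique = len({sub for sub, _ in entries})
        mean_len = sum(len(lbl) for _, lbl in entries) / len(entries)
        mean_ent = sum(shannon_entropy(lbl) for _, lbl in entries) / len(entries)
        # Many distinct subdomains combined with long or high-entropy leftmost
        # labels is the signature of a per-query encoded identifier or scan payload.
        if unique >= min_unique and (mean_len >= min_label_len or mean_ent >= min_entropy):
            flagged[dom] = {"unique_subdomains": unique,
                            "mean_label_len": round(mean_len, 2),
                            "mean_entropy": round(mean_ent, 2)}
    return flagged
```

Feeding real resolver logs through `score_domains` and reviewing the flagged domains against an allow list of known CDN or telemetry domains keeps the false-positive rate manageable.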
Of course, the best way to prevent attackers from leveraging DNS tunneling in novel attacks is to keep threat actors out of environments entirely, notes Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4.
To mitigate about 90% of attacks - whether they use DNS tunneling or otherwise - organizations must prevent socially engineered phishing and other attacks from being successful, and patch vulnerable software and firmware, Grimes advises.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 14 May 2024 14:01:23 +0000