DNS Tunneling Abuse Expands to Tracking & Scanning Victims

Attackers are taking malicious manipulation of DNS traffic to the next level, abusing DNS tunneling to scan a victim's network infrastructure as well as track victims' online behavior.
Researchers from Palo Alto Networks' Unit 42 have identified several recent threat campaigns that have gone beyond the typical use of DNS tunneling, which is the process of using outbound DNS traffic to smuggle malicious data from malware exploitation back to attackers' command-and-control infrastructure.
They revealed in a recent blog post that attackers have been abusing DNS traffic to track victims' activities, by delivering malicious domains to victims with their identity information encoded in subdomain payloads.
The scanning in recent campaigns includes trolling network infrastructure by encoding the IP address and time stamp in the tunneling payloads, with spoofed source IP addresses, according to Unit 42.
This allows attackers to discover open resolvers - or a DNS server that's willing to resolve recursive DNS lookups for anyone on the Internet - so that they can exploit resolver vulnerabilities to perform DNS attacks, the researchers wrote.
This can lead to malicious redirection or denial-of-service attacks.
How DNS Tunneling Works DNS tunneling is valuable to malicious actors because it provides a covert communications channel, allowing them to bypass conventional network firewalls and thus hide C2 traffic and data exfiltration among legitimate outbound traffic, masking it from traditional detection methods.
Attackers can send traffic over User Datagram Protocol port 53, which is ubiquitous and commonly allowed through firewalls and other network security measures.
The client machine does not communicate with the attacker's server directly, adding another layer of obscurity.
Further, attackers typically encode data sent during exfiltration and infiltration with their own customized methods, which disguises the data within seemingly legitimate DNS traffic.
DNS Tunneling for Tracking Unit 42 researchers observed two specific attacks in which DNS tunneling was used to track victims' behavior by using subdomains in DNS traffic.
Based on researchers' observations, the technique likely was used to track victims' interaction with email content.
In another campaign, aptly dubbed SpamTracker, attackers used DNS tunneling in a similar way to TrkCdn to track spam delivery, the researchers said.
The campaign - related to 44 tunneling domains - employed emails and website links to deliver spam and phishing content with various lures, including fortune-telling services, fake package delivery updates, secondary job offers, and lifetime free items.
DNS Tunneling for Scanning The third novel use of DNS tunneling observed by Unit 42 came in the form of using the method to periodically scan a victim's network infrastructure for vulnerabilities - often the first stage of a cyberattack - and then performing reflection attacks.
The researchers observed the so-called SecShow campaign seeking open resolvers, testing resolver delays, exploiting resolver vulnerabilities, and obtaining time-to-live information.
It contained three domains that used various subdomains to achieve different types of network scanning.
Mitigating Malicious DNS Behavior When it comes to detecting DNS tunneling, Unit 42 researchers recommended that organizations control the service range of resolvers to accept necessary queries only, and promptly update the version of the resolver software to prevent the exploitation of N-day vulnerabilities.
Of course, the best way to prevent attackers from leveraging DNS tunneling in novel attacks is to keep threat actors out of environments entirely, notes Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4.
To mitigate about 90% of attacks - whether they use DNS tunneling or otherwise - organizations must prevent socially engineered phishing and other attacks from being successful, and patch vulnerable software and firmware, Grimes advises.


This Cyber News was published on www.darkreading.com. Publication date: Tue, 14 May 2024 14:01:23 +0000


Cyber News related to DNS Tunneling Abuse Expands to Tracking & Scanning Victims

How to Prevent DNS Attacks: DNS Security Best Practices - To protect against attack, best practices must be applied to protect the DNS protocol, the server on which the DNS protocol runs, and all access to the DNS processes. Implementing these best practices will not only protect DNS but also network ...
10 months ago Esecurityplanet.com
DNS Tunneling Abuse Expands to Tracking & Scanning Victims - Attackers are taking malicious manipulation of DNS traffic to the next level, abusing DNS tunneling to scan a victim's network infrastructure as well as track victims' online behavior. Researchers from Palo Alto Networks' Unit 42 have identified ...
5 months ago Darkreading.com
Hackers use DNS tunneling for network scanning, tracking victims - Threat actors are using Domain Name System tunneling to track when their targets open phishing emails and click on malicious links, and to scan networks for potential vulnerabilities. DNS tunneling is the encoding of data or commands that are sent ...
5 months ago Bleepingcomputer.com
7 Best Vulnerability Scanning Tools & Software - Vulnerability scanning tools scan assets to identify missing patches, misconfigurations, exposed application vulnerabilities, and other security issues to be remediated. To help you select the best fitting vulnerability scanning solution, we've ...
9 months ago Esecurityplanet.com
ExpressVPN bug has been leaking some DNS requests for years - ExpressVPN has removed the split tunneling feature from the latest version of its software after finding that a bug exposed the domains users were visiting to configured DNS servers. The bug was introduced in ExpressVPN Windows versions 12.23.1 - ...
8 months ago Bleepingcomputer.com
Securing the code: navigating code and GitHub secrets scanning - Enter the world of GitHub secrets scanning tools, the vigilant sentinels of your digital gala. Secrets scanning in GitHub is anchored by two fundamental strategies: proactive prevention and reactive detection, each serving a critical function in ...
10 months ago Securityboulevard.com
Understanding DNS Zones: A Comprehensive Guide - DNS stands for Domain Name System, and it is one of the most important components of the Internet. It is a network of servers that coordinates the registration, updating and resolution of domain names, so that users can easily access websites and ...
1 year ago Heimdalsecurity.com
Attacks abuse Microsoft DHCP to spoof DNS records The Register - A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers. We're told the attacks - which are ...
11 months ago Go.theregister.com
How ID Scanning Apps Can Prevent Fraud - One effective solution is the use of ID scanning applications. These apps provide businesses with an efficient method to verify customer identities and reduce the risk of fraud. In this article, we will explore how ID scanning apps help prevent fraud ...
5 months ago Hackread.com
Microsoft tests Windows 11 encrypted DNS server auto-discovery - Microsoft is testing support for the Discovery of Network-designated Resolvers internet standard, which enables automated client-side discovery of encrypted DNS servers on local area networks. Without DNR support, users must manually enter the info ...
11 months ago Bleepingcomputer.com
Cybersecurity Performance Goals: Assessing How CPGs Help Organizations Reduce Cyber Risk - In October 2022, CISA released the Cybersecurity Performance Goals to help organizations of all sizes and at all levels of cyber maturity become confident in their cybersecurity posture and reduce business risk. Earlier this summer, CISA outlined ...
11 months ago Cisa.gov
Understanding Vulnerability Scanning and How to Protect Your Networks - Vulnerability scanning is an important part of maintaining the security of networks and systems. It is the process of identifying and analyzing software vulnerabilities in a system or network that could be exploited by hackers to gain unauthorized ...
1 year ago Heimdalsecurity.com
KeyTrap attack: Internet access disrupted with one DNS packet - A serious vulnerability named KeyTrap in the Domain Name System Security Extensions feature could be exploited to deny internet access to applications for an extended period. Tracked as CVE-2023-50387, KeyTrap is a design issue in DNSSEC and impacts ...
8 months ago Bleepingcomputer.com
SANS Internet Storm Center - A DNS suffix is a configuration of the Windows DNS client to have it append suffixes when doing domain lookups. If a DNS suffix local is configured, then Windows' DNS client will not only do a DNS lookup for example.com, but also for example.com. ...
5 months ago Isc.sans.edu
47 Years Later: Serious Security – How Deliberate Typos Might Improve DNS Security - The Domain Name System (DNS) is an internet infrastructure that has been around since the early 80s and still plays an integral part in how websites and online services are accessed. Although it has been in use for almost 47 years, security issues of ...
1 year ago Nakedsecurity.sophos.com
'KeyTrap' DNS Bug Threatens Widespread Internet Outages - Although it's been sitting there since 2000, researchers were just recently able to suss out a fundamental design flaw in a Domain Name System security extension, which under certain circumstances could be exploited to take down wide expanses of the ...
8 months ago Darkreading.com
DNSSEC vulnerability puts big chunk of the internet at risk The Register - A 20-plus-year-old security vulnerability in the design of DNSSEC could allow a single DNS packet to exhaust the processing capacity of any server offering the system for domain-name resolution, effectively disabling the machine. Yes, a single DNS ...
8 months ago Go.theregister.com
Hackers Use Malware to Hunt Software Vulnerabilities - Many threat actors are turning to malware to scan software vulnerabilities that they can use in future cyber-attacks. Security researchers at Unit 42, the threat intelligence branch of cybersecurity provider Palo Alto Networks, discovered a ...
6 months ago Infosecurity-magazine.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
11 months ago Esecurityplanet.com
Researchers Uncovered an Active Directory DNS spoofing exploit - In the intricate web of our interconnected world, the Domain Name System stands as a linchpin, directing users to their online destinations. Even this vital system is not impervious to the dark art of malicious manipulation. In a recent revelation by ...
10 months ago Gbhackers.com
Lost and found: How to locate your missing devices and more - Physical trackers are small, circular or square-shaped objects that use simple replaceable batteries to remain charged for a long time. For travelers going around with luggage on trains and planes, there have been times when they come in really handy ...
10 months ago Welivesecurity.com
Bill Would Require Privacy Compliance For Period-Tracking Apps - With a fast-growing number of users, period-tracking apps have opened up a new way for people to track their menstrual cycle and other vital health information. But, are they securely storing and protecting user data? A bill introduced in Congress ...
1 year ago Securityweek.com
Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials - Intruder.io, a London, England-based cybersecurity firm, conducted a self-hack using a DNS rebinding attack, enabling them to extract low-privileged AWS credentials. Cybersecurity firm Intruder has published blog posts explaining how they got hacked ...
11 months ago Hackread.com
What's new in the MSRC Report Abuse Portal and API - The Microsoft Security Response Center has always been at the forefront of addressing cyber threats, privacy issues, and abuse arising from Microsoft Online Services. Building on our commitment, we have introduced several key updates to the Report ...
4 months ago Msrc.microsoft.com
Cyber scam call center slavery expands beyond southeast Asia The Register - Human trafficking for the purposes of populating cyber scam call centers is expanding beyond southeast Asia, where the crime was previously isolated. Interpol revealed this week that an ongoing investigation has discovered evidence of abuse emanating ...
10 months ago Go.theregister.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)