Threat actors are using Domain Name System (DNS) tunneling to track when their targets open phishing emails and click on malicious links, and to scan networks for potential vulnerabilities.
DNS tunneling is the encoding of data or commands that are sent and retrieved via DNS queries, essentially turning DNS, a fundamental network communication component, into a covert communications channel.
The threat actors encode the data with Base16, Base64, or a custom textual encoding so that it fits inside DNS names and record data, and can be carried in queries or returned in the responses for record types such as TXT, MX, CNAME, and A (address) records.
Hackers commonly use DNS tunneling to bypass network firewalls and filters, employing the technique for command and control and Virtual Private Network operations.
There are also legitimate DNS tunneling applications, such as for bypassing censorship.
Palo Alto Networks' Unit 42 security research team recently discovered additional use of DNS tunneling in malicious campaigns involving victim tracking and network scanning.
The attackers embed content in an email that, when opened, triggers a DNS query for an attacker-controlled subdomain whose fully qualified domain name (FQDN) contains the encoded content; that subdomain resolves to a CNAME pointing at the attackers' primary authoritative name server, which therefore sees, and can log, every query.
This approach allows the attackers to evaluate their strategies, refine them, and confirm the delivery of malicious payloads to their victims.
The attackers embed IP addresses and timestamps into DNS queries to map out network layouts and discover potential configuration flaws that can be exploited for infiltration, data theft, or denial of service.
The DNS queries used in this campaign were periodically repeated to enable real-time data gathering, detect status changes, and test the response of different network parts to unsolicited DNS requests.
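To make concrete what such a tracking query looks like on the wire, the following added example (not code from the Unit 42 report or from any real campaign) encodes a victim identifier, its IP address and a timestamp into the labels of a name under a hypothetical attacker zone `t.example.net`, and shows how the authoritative side decodes it from its query log. Base32 is used here (the article notes Base16, Base64 and custom encodings are seen in the wild) because DNS names are case-insensitive and some resolvers randomize label case, which would corrupt a case-sensitive encoding such as Base64. The zone name, victim identifier and timestamp are all constructed for the example.

```python
import base64

# Hypothetical attacker-controlled zone whose NS record points at the
# attacker's authoritative server (constructed for this example).
TRACKING_ZONE = "t.example.net"

MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # practical limit for a full domain name in text form


def encode_tracking_fqdn(victim_id: str, src_ip: str, ts: int,
                         zone: str = TRACKING_ZONE) -> str:
    """Pack victim_id|src_ip|ts into case-insensitive Base32 labels under zone.

    The resulting name is what the victim's resolver will look up when the
    embedded email content (for example an image URL) is loaded.
    """
    payload = f"{victim_id}|{src_ip}|{ts}".encode()
    # Strip '=' padding (not valid in a hostname) and lowercase for readability.
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    # Split into labels that respect the 63-octet limit.
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    fqdn = ".".join(labels + [zone])
    if len(fqdn) > MAX_NAME:
        raise ValueError("encoded payload does not fit in one DNS name")
    return fqdn


def decode_tracking_fqdn(fqdn: str, zone: str = TRACKING_ZONE):
    """Recover (victim_id, src_ip, ts) from a queried name seen at the authoritative server."""
    suffix = "." + zone
    if not fqdn.lower().endswith(suffix):
        raise ValueError("query is not under the tracking zone")
    data = fqdn[:-len(suffix)].replace(".", "").upper()
    data += "=" * (-len(data) % 8)          # restore Base32 padding
    victim_id, src_ip, ts = base64.b32decode(data).decode().split("|")
    return victim_id, src_ip, int(ts)


if __name__ == "__main__":
    # Constructed sample: one recipient opening the email at a fixed time.
    name = encode_tracking_fqdn("victim42", "192.0.2.10", 1715620212)
    print("query seen by authoritative server:", name)
    print("decoded:", decode_tracking_fqdn(name))
```

Note that from the defender's side nothing about this query is malformed: it is a syntactically valid A lookup for a name with an unusually long, high-entropy label, which is exactly the feature a detection should key on.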
Threat actors opt for DNS tunneling over more traditional methods like tracking pixels and regular network scanning tools for several reasons, including the ability to bypass security tools, avoid detection, and maintain operational versatility.
Unit 42 recommends that organizations deploy DNS monitoring and analysis tooling and review resolver logs for unusual traffic patterns and anomalies, such as atypical or high-volume requests.
It is also advisable to restrict the DNS resolvers in the network to the queries they actually need to handle, reducing the opportunity for DNS tunneling misuse.
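The following added example (not tooling from Unit 42 or from the article) shows what such log analysis can look like in practice. It parses a constructed sample of resolver query logs, computes per-query features that encoded tracking names exhibit (long labels, high Shannon entropy in the subdomain part), and then aggregates per registered domain to flag domains that receive many unique, suspicious-looking subdomains from several internal clients. The log format, thresholds, and all names in the sample are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>" per line.
# The names under t.example.net mimic encoded tracking queries; the rest is
# ordinary traffic. None of these hosts are real.
SAMPLE_LOG = """\
2024-05-13T10:00:01Z 10.1.2.3 www.example.com A
2024-05-13T10:00:02Z 10.1.2.3 mail.example.com MX
2024-05-13T10:00:03Z 10.1.2.3 cdn.example.org A
2024-05-13T10:00:04Z 10.1.2.7 nbswy3dpeb3w64tmmqfa4dkmjs.t.example.net A
2024-05-13T10:00:05Z 10.1.2.8 mfrggzdfmztwq2lknnwg23tpobyxe43u.t.example.net A
2024-05-13T10:00:06Z 10.1.2.9 krugkidrovuwg2zamjzg653oebtg66ba.t.example.net A
2024-05-13T10:00:07Z 10.1.2.7 onswy3thebswy3dpfqqhg5dbojssayja.t.example.net A
2024-05-13T10:00:08Z 10.1.2.9 gezdgnbvgy3tqojqmfrggzdfmztwq2lk.t.example.net A
2024-05-13T10:00:09Z 10.1.2.12 pfxgs4dzmfrhe3dfebtgk2bauwdxjxxq.t.example.net A
2024-05-13T10:00:10Z 10.1.2.3 login.example.com A
"""


def parse_log(text):
    """Parse the assumed four-column log format into (ts, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        records.append((ts, client, qname.rstrip(".").lower(), qtype))
    return records


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (registered_domain, subdomain_labels).

    Assumption: the registered domain is the last two labels. Production code
    should use the Public Suffix List so that e.g. co.uk is handled correctly.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]), labels[:-2]


def query_features(qname):
    domain, sub = split_name(qname)
    return {
        "domain": domain,
        "longest_label": max((len(lab) for lab in sub), default=0),
        "entropy": shannon_entropy("".join(sub)),
    }


def is_suspicious(features, max_label=20, min_entropy=3.5):
    """Per-query heuristic: an unusually long label or an encoded-looking subdomain."""
    return (features["longest_label"] > max_label
            or features["entropy"] >= min_entropy)


def detect(records, min_unique=5, min_suspicious_ratio=0.5):
    """Flag individual queries and, by aggregation, the domains receiving them."""
    per_domain = defaultdict(lambda: {"names": set(), "clients": set(),
                                      "suspicious": 0, "total": 0})
    flagged_queries = []
    for _ts, client, qname, _qtype in records:
        f = query_features(qname)
        d = per_domain[f["domain"]]
        d["total"] += 1
        d["names"].add(qname)
        d["clients"].add(client)
        if is_suspicious(f):
            d["suspicious"] += 1
            flagged_queries.append(qname)
    # A domain that collects many unique subdomains, mostly suspicious ones,
    # from multiple clients is the signature of tracking or tunneling.
    flagged_domains = {
        dom for dom, d in per_domain.items()
        if len(d["names"]) >= min_unique
        and d["suspicious"] / d["total"] >= min_suspicious_ratio
    }
    return flagged_queries, flagged_domains, per_domain


if __name__ == "__main__":
    queries, domains, stats = detect(parse_log(SAMPLE_LOG))
    for dom in domains:
        print(f"{dom}: {len(stats[dom]['names'])} unique names from "
              f"{len(stats[dom]['clients'])} clients")
```

The thresholds are deliberately simple and will produce false positives for services that legitimately encode data in DNS names (content delivery networks, DKIM and SPF lookups, and some security products that do reputation lookups over DNS), so in a real deployment the aggregation step should be paired with an allowlist of known domains and the alert raised on the domain, not on the individual query.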
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 13 May 2024 17:50:12 +0000