The Domain Name System, or DNS, is the protocol that translates human-friendly domain names into machine-friendly IP addresses. Essentially, it’s the phone book of the internet. Because almost nothing on a network works without it, DNS is a critical component of business operations: firewalls must let it pass, and network operators cannot simply block DNS traffic. As a result, it has become a prime target for threat actors, who have successfully deployed a variety of DNS-based attacks against company networks over the years.
Attackers often use DNS to establish command and control (C2), which can then lead to unauthorized access to the network, lateral movement or data exfiltration. As defenders have evolved to detect and prevent abuse of DNS traffic for C2, the tactics and techniques of attackers have evolved in turn.
These are some of the techniques threat actors use to abuse DNS:
- DNS Tunneling – The infected host encodes data in DNS queries, typically as subdomains of an attacker-controlled domain, and sends them through the organization’s ordinary recursive resolver. The resolver forwards the queries to the attacker’s authoritative name server, where a tunneling program is installed, and the server’s responses carry data back in the record payload. Once this channel is established between the victim and the attacker through the DNS resolver, it can be used to exfiltrate data, deliver commands or serve other malicious purposes.
- Domain Generation Algorithm (DGA) – Attackers build DGAs into malware so that it can quickly generate a long list of candidate domains for receiving instructions and sending back information. Because security software and vendors block and take down malicious domains as quickly as they can, a DGA lets the attacker register only a few of the generated names and switch domains rapidly; the malware finds the live one by trying candidates until one resolves, typically leaving a trail of NXDOMAIN responses for the unregistered candidates.
- Fast Flux – Attackers associate many IP addresses with a single malicious domain name and rotate through them in quick succession, usually with very short TTLs, to evade IP-based controls and make it difficult for threat hunters to pin down the hosting infrastructure.
- Malicious Newly Registered Domains (NRDs) – A newly registered domain is any domain registered within roughly the last month (33 days, in the definition used here). Attackers often register slight variations of legitimate domain names in an attempt to fool users into clicking on them. Malicious NRDs are typically active only for a short period of time, which makes them hard to detect with reputation data alone.
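The four techniques above each leave a different footprint in a resolver’s query log, and the simplest way to see that is to triage a log for all four at once. The following is an added example, not code from the original post or from Unit 42: it parses a constructed query log (the lines, IP addresses, domains and registration dates are all made up, and the registrable-domain and threshold logic are illustrative assumptions rather than tuned values) and tags each domain as tunneling (many distinct, long subdomain prefixes under one domain), DGA (a client producing a burst of NXDOMAINs for long, high-entropy names), fast flux (many distinct A answers for one name with short TTLs) or NRD (registration date inside the 33-day window the post uses).

```python
"""Heuristic triage of a DNS query log for tunneling, DGA, fast flux and NRDs.

Added example: the log lines, domains, addresses and registration dates are
constructed, not real traffic; the thresholds are illustrative starting points.
"""
from collections import defaultdict
from datetime import date
import math

NRD_WINDOW_DAYS = 33  # "newly registered" window used in the post
TODAY = date(2024, 2, 1)  # constructed reference date for the NRD check

# Constructed registration table (assumption: fed from WHOIS/RDAP in practice).
REGISTRATIONS = {
    "example.com": date(1995, 8, 14),
    "tunnel.example": date(2022, 6, 1),
    "flux.example": date(2021, 3, 9),
    "fresh-relief.example": date(2024, 1, 15),
}

# Constructed log, one query per line: epoch client qname qtype rcode ttl answer ('-' = none)
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A NOERROR 3600 93.184.216.34
1700000001 10.0.0.5 www.example.com A NOERROR 3600 93.184.216.34
1700000002 10.0.0.5 3f9a8c1e7b2d4f60a1c3e5d7b9f1a3c5e7d9b1f3.tunnel.example TXT NOERROR 0 -
1700000003 10.0.0.5 9c2e4a6b8d0f1e3d5c7b9a1f3e5d7c9b1a3f5e7d.tunnel.example TXT NOERROR 0 -
1700000004 10.0.0.5 a7d5e3c1b9f7a5d3c1e9b7f5a3d1c9e7b5f3a1d9.tunnel.example TXT NOERROR 0 -
1700000005 10.0.0.5 0b2d4f6a8c0e2a4c6e8a0c2e4a6c8e0a2c4e6a8c.tunnel.example TXT NOERROR 0 -
1700000006 10.0.0.5 e1f3a5b7c9d1e3f5a7b9c1d3e5f7a9b1c3d5e7f9.tunnel.example TXT NOERROR 0 -
1700000007 10.0.0.5 5d7f9b1d3f5b7d9f1b3d5f7b9d1f3b5d7f9b1d3f.tunnel.example TXT NOERROR 0 -
1700000010 10.0.0.7 xkq7vwpz3bhm.com A NXDOMAIN 0 -
1700000011 10.0.0.7 qw9rtzpxlmvb.net A NXDOMAIN 0 -
1700000012 10.0.0.7 gh4jkfd8sznq.org A NXDOMAIN 0 -
1700000013 10.0.0.7 bv2ncxmqw7ty.com A NXDOMAIN 0 -
1700000014 10.0.0.7 plo9ikmj3uhb.net A NXDOMAIN 0 -
1700000020 10.0.0.9 flux.example A NOERROR 60 198.51.100.11
1700000021 10.0.0.9 flux.example A NOERROR 60 198.51.100.52
1700000022 10.0.0.9 flux.example A NOERROR 60 203.0.113.7
1700000023 10.0.0.9 flux.example A NOERROR 60 203.0.113.90
1700000024 10.0.0.9 flux.example A NOERROR 60 192.0.2.14
1700000025 10.0.0.9 flux.example A NOERROR 60 192.0.2.200
1700000030 10.0.0.9 apply.fresh-relief.example A NOERROR 300 192.0.2.77
"""


def shannon_entropy(s):
    """Bits per character; random-looking DGA labels score near log2(alphabet size)."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the whitespace-separated constructed log into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode, ttl, answer = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "rcode": rcode, "ttl": int(ttl),
                        "answer": None if answer == "-" else answer})
    return records


def registrable_domain(qname):
    """Assumption: registrable domain = last two labels (a real tool uses the Public Suffix List)."""
    return ".".join(qname.split(".")[-2:])


def triage(records, registrations, today):
    """Return {domain: sorted tags} for every domain that trips at least one heuristic."""
    subdomains = defaultdict(set)   # domain -> distinct subdomain prefixes seen
    answers = defaultdict(set)      # domain -> distinct A-record answers
    min_ttl = {}                    # domain -> smallest TTL seen on an A answer
    nx_by_client = defaultdict(list)  # client -> NXDOMAIN'd high-entropy domains
    findings = defaultdict(set)

    for r in records:
        dom = registrable_domain(r["qname"])
        prefix = r["qname"][: -len(dom) - 1] if r["qname"] != dom else ""
        if prefix:
            subdomains[dom].add(prefix)
        if r["rcode"] == "NXDOMAIN":
            sld = dom.split(".")[0]
            if len(sld) >= 10 and shannon_entropy(sld) >= 3.3:  # long and random-looking
                nx_by_client[r["client"]].append(dom)
        if r["qtype"] == "A" and r["answer"]:
            answers[dom].add(r["answer"])
            min_ttl[dom] = min(min_ttl.get(dom, r["ttl"]), r["ttl"])
        reg = registrations.get(dom)
        if reg is not None and 0 <= (today - reg).days <= NRD_WINDOW_DAYS:
            findings[dom].add("nrd")

    for dom, subs in subdomains.items():  # tunneling: many unique, long encoded prefixes
        if len(subs) >= 5 and sum(map(len, subs)) / len(subs) >= 30:
            findings[dom].add("tunneling")
    for doms in nx_by_client.values():    # DGA: a client burning through dead candidates
        if len(doms) >= 5:
            for dom in doms:
                findings[dom].add("dga")
    for dom, ips in answers.items():      # fast flux: many IPs behind one name, short TTL
        if len(ips) >= 5 and min_ttl[dom] <= 300:
            findings[dom].add("fast-flux")
    return {d: sorted(t) for d, t in findings.items()}


if __name__ == "__main__":
    for dom, tags in sorted(triage(parse_log(SAMPLE_LOG), REGISTRATIONS, TODAY).items()):
        print(f"{dom:45} {', '.join(tags)}")
```

On the constructed log this tags tunnel.example as tunneling, the five NXDOMAIN names from 10.0.0.7 as DGA, flux.example as fast flux and fresh-relief.example as an NRD, while www.example.com trips nothing. Each heuristic keys on what the technique cannot avoid producing (unique encoded labels, dead candidates, IP churn, a recent registration date), which is why they degrade more gracefully than a blocklist; the thresholds are still the part a practitioner must tune against their own baseline, since CDNs, DNSBLs and legitimately busy clients will brush against them.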
DNS-based attacks are not new, but they are prevalent. Unit 42 has recently seen multiple instances of malware and the threat actors behind it abusing DNS to achieve malicious goals.
OilRig, a threat actor operating in the Middle East, created tools with custom DNS tunneling protocols for C2. The group used DNS tunneling not only as its main channel of communication but also as a fallback channel when its primary channel failed.
Unit 42 also observed xHunt, a threat actor which targeted government organizations in the Middle East with a backdoor called Snugy. This backdoor used DNS tunneling to communicate with its C2 server, specifically by issuing DNS A record lookups to resolve custom crafted subdomains of actor-controlled C2 domains.
A prominent recent example of attackers incorporating a DGA is the SUNBURST backdoor, delivered through the compromised SolarWinds supply chain. SUNBURST used a DGA both to escape detection and to encode basic system information, such as the machine’s domain name, server name and other identifiers, into the subdomains it generated. These check-in requests carried identifying information intended to help the attacker decide whether to launch a second-stage attack.
We found multiple C2 domains related to the Smoke Loader malware family. Once installed, this malware acts as a backdoor and lets attackers download further malicious payloads from C2 servers, ranging from ransomware to info stealers and much in between. We observed domains that resolved to nearly 100 distinct IP addresses in less than two weeks, consistent with the fast flux technique described above.
Attackers took advantage of the pandemic by creating a slew of malicious NRDs that masqueraded as official COVID-19 related resources. The focus of the attackers shifted depending on current events related to the pandemic. In the early stages of the pandemic, attackers targeted people searching for COVID-19 related news and testing kits. We then observed a shift to supposedly government related NRDs, posing as relief program applications to trick users into providing private information. Now the focus is changing again, with threat actors registering apparently vaccine-related domains.
DNS is a perfect choice for adversaries seeking an always-open, often-overlooked protocol to leverage for C2 communications and for compromising hosts. DNS-related techniques are not confined to sophisticated attacks, either: a number of free, easy-to-use tools let even an inexperienced adversary hide C2 communication in DNS, and such commodity tooling increases the sheer volume of attacks seen in the wild.
Today’s security teams often focus on web protocols rather than DNS-layer security. With 80% of malware using DNS to establish C2, it’s imperative that organizations monitor and analyze their DNS traffic. To do so, security solutions should be able to:
- Inspect DNS traffic inline – DNS packets must be analyzed in the traffic path, at line speed, so that malicious queries can be blocked as they occur rather than merely logged.
- Leverage machine learning – It takes automation to beat automated attacks. We need to use algorithms to analyze, detect and even predict DNS-based threats before they happen.
- Scale – Simple static signatures stop known malicious domains but do not protect against advanced DNS threats. You need a cloud-based solution that keeps your coverage up to date.
- Consume high-quality data – Your ML is only as good as the data that trains it. Using massive amounts of real-world threat data is key to being able to recognize attacks and maintain a low false positive rate.
- Protect against specific attack techniques – Advanced persistent threat actors leverage techniques such as DGA, DNS tunneling and fast flux to bypass your security controls. These techniques are constantly evolving and your security solution needs to keep pace.
- Provide access to rich context – In order to quickly remediate DNS security events and proactively optimize security posture, organizations must have full visibility and context into their DNS traffic.
As DNS-based attacks evolve, so must DNS security. Learn more about how to stop attackers from using DNS against you.
This is only one of the areas in which legacy approaches to cybersecurity can’t keep pace with the needs of today’s organizations. Read our vision of how network security must adapt.