DNS Tunneling Abuse Widens Scope to Track and Scan Victims

DNS Tunneling Abuse Expands

Attackers have increased their use of DNS tunneling to smuggle data from malware to command-and-control infrastructure, and are now also using it to scan target networks and monitor victims' online activity. This broadens their exploitation of DNS traffic. The goal of this deception is to obtain information useful for breaching companies.

Palo Alto Networks’ Unit 42 has recently conducted investigations that have revealed several threat campaigns that go beyond the standard use of DNS tunneling. Attackers are now leveraging DNS traffic to track victims’ activities rather than just concentrating on data exfiltration. Attacker-controlled domains are delivered to victims with identifying details encoded in subdomain payloads, which makes tracking straightforward.

In a recent blog post, Unit 42 researchers Shu Wang, Ruian Duan, and Daiping Liu discussed this changing pattern. They noted that DNS tunneling, which was previously linked with command-and-control and VPN operations, is increasingly used by attackers for victim tracking and network scanning objectives.

In recent campaigns, scanning involves encoding IP addresses and timestamps within tunneling payloads; the IP addresses are frequently spoofed source addresses. This approach allows attackers to discover open resolvers, which are DNS servers that perform recursive DNS lookups for any internet user. Exploiting vulnerabilities in these resolvers might result in DNS-based attacks such as redirections or denial-of-service conditions.

Understanding the Function of DNS Tunneling

DNS tunneling is helpful to malicious actors because it provides a covert mode of communication, allowing them to bypass normal network firewalls. This enables the masking of command-and-control (C2) communication and data exfiltration within legitimate outbound traffic, thereby avoiding detection by typical security measures.

DNS tunneling uses a variety of strategies to hide traffic. For example, attackers might transfer traffic over User Datagram Protocol (UDP) port 53, which is widely permitted by firewalls and other network security controls. Furthermore, the client machine does not communicate directly with the attacker’s server; the queries pass through the victim's own resolvers, providing an additional degree of concealment.

Attackers also often employ customized methods to encode the data exchanged during exfiltration and infiltration. This serves to camouflage the data within seemingly legitimate DNS traffic, enhancing the covert nature of their activities.

DNS Tunneling for Tracking

Unit 42 researchers have observed two specific instances where DNS tunneling was utilized for tracking victims’ behavior by integrating subdomains into DNS traffic.

“In this instance of DNS tunneling, the attacker’s malware encodes information about a particular user and their activities into a distinct subdomain within a DNS query,” explained the researchers. “This subdomain serves as the tunneling payload, and the DNS query for the Fully Qualified Domain Name (FQDN) employs a domain controlled by the attacker.”

One of these campaigns, named “TRkCdn” by the researchers, targeted 731 potential victims, utilizing 75 IP addresses for nameservers and resolving 658 domains controlled by the attacker. According to the researchers’ observations, this technique was likely employed to monitor victims’ engagement with email content.

The researchers also observed the SecShow campaign, which aimed to locate open resolvers, measure resolver delays, exploit resolver vulnerabilities, and gather time-to-live (TTL) information. This campaign employed three domains, utilizing various subdomains to facilitate different types of network scanning.

The SecShow campaign primarily targeted open resolvers, and its victims came mainly from sectors such as education, high technology, and government, where open resolvers are prevalent, as the researchers highlighted.
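Both patterns described above, tracking by encoding an identifier in a subdomain label and scanning by encoding an IP address and timestamp in the payload, leave the same defender-visible trace: many distinct, machine-generated subdomains under one attacker-controlled domain. The following detector is an added example, not code from Unit 42 or from the campaigns described; it runs over constructed resolver log lines (timestamp, client, query name, query type) and flags registered domains that receive several distinct payload-like labels. The hex-ID and hex-IP-plus-timestamp encodings, the entropy threshold, and the "last two labels equal the registered domain" shortcut are all assumptions for illustration.

```python
"""Heuristic DNS-tunneling detector over resolver query logs (added example)."""
import math
import re
from collections import defaultdict

# Constructed sample log: "<unix_ts> <client_ip> <qname> <qtype>".
# The two *.t.attacker-tracking.example queries carry hex-encoded IDs
# ("victim-42", "victim-43"); the two *.s.scan-demo.example queries carry
# an assumed "hex IPv4 + unix timestamp" payload. All domains are invented.
SAMPLE_LOG = """\
1715000001 10.0.0.5 www.example.com A
1715000002 10.0.0.5 mail.example.com MX
1715000003 10.0.0.7 76696374696d2d3432.t.attacker-tracking.example A
1715000004 10.0.0.8 0a000008-1715000004.s.scan-demo.example A
1715000005 10.0.0.9 c0a80117-1715000005.s.scan-demo.example A
1715000006 10.0.0.5 cdn.example.com A
1715000007 10.0.0.10 76696374696d2d3433.t.attacker-tracking.example A
"""

HEX_RUN = re.compile(r"[0-9a-f]{16,}")           # long hex-encoded identifier
IP_TS = re.compile(r"[0-9a-f]{8}-\d{10}")       # assumed: hex IPv4 + unix timestamp
MIN_PAYLOAD_LEN = 16                              # shorter labels are usually hostnames
ENTROPY_THRESHOLD = 3.5                           # bits/char; base32/64 payloads sit above


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_payload(label: str) -> bool:
    """True if a single DNS label resembles an encoded tunneling payload."""
    label = label.lower()
    if IP_TS.fullmatch(label):
        return True
    if len(label) < MIN_PAYLOAD_LEN:
        return False
    # A hex run must contain both digits and letters so that a long run of one
    # character (e.g. "aaaa...") is not mistaken for hex.
    if (HEX_RUN.fullmatch(label)
            and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label)):
        return True
    return shannon_entropy(label) >= ENTROPY_THRESHOLD


def analyze(log_text: str, min_distinct: int = 2) -> dict:
    """Group payload-like queries by registered domain.

    Returns {domain: {"distinct_payloads", "clients", "queries"}} for every
    domain that received at least `min_distinct` distinct payload labels.
    The registered domain is approximated as the last two labels (no public
    suffix list), which is an assumption of this example.
    """
    stats = defaultdict(lambda: {"payloads": set(), "clients": set(), "queries": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, qname, _qtype = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain available to carry a payload
        domain = ".".join(labels[-2:])
        payload_labels = [lab for lab in labels[:-2] if looks_like_payload(lab)]
        if not payload_labels:
            continue
        entry = stats[domain]
        entry["payloads"].update(payload_labels)
        entry["clients"].add(client)
        entry["queries"] += 1
    return {
        d: {"distinct_payloads": len(s["payloads"]),
            "clients": len(s["clients"]),
            "queries": s["queries"]}
        for d, s in stats.items() if len(s["payloads"]) >= min_distinct
    }


if __name__ == "__main__":
    for domain, info in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{domain}: {info['distinct_payloads']} distinct payloads "
              f"from {info['clients']} clients ({info['queries']} queries)")
```

On the constructed log the benign example.com names never reach the report, while attacker-tracking.example and scan-demo.example are each surfaced with two distinct payloads from two clients. Raising `min_distinct` trades sensitivity for fewer false positives; in production the label heuristics should be tuned against the organisation's own baseline, since CDNs and some SaaS providers legitimately use long, high-entropy hostnames.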

Addressing Malicious DNS Activity

To detect and limit DNS tunneling, Unit 42 researchers recommend restricting the range of a resolver's service to essential queries only and keeping resolver software up to date to mitigate the exploitation of N-day vulnerabilities.

Roger Grimes, a data-driven defense evangelist at KnowBe4, emphasizes that the most effective strategy to counter DNS tunneling and other novel attacks is to prevent threat actors from infiltrating environments altogether.

“The critical step is preventing their initial access,” he explains. “Once they breach, the damage is done. It’s essentially game over.”

Grimes further advises that to mitigate approximately 90% of attacks, whether involving DNS tunneling or otherwise, organizations should focus on thwarting socially engineered phishing attempts and other attack vectors, alongside maintaining up-to-date patching of vulnerable software and firmware.
