The Domain Name System, or DNS, is the protocol that translates human-friendly domain names into machine-friendly IP addresses. Essentially, it’s the phone book of the internet. This makes DNS a critical component of business operations: firewalls must let it pass, and network operators cannot simply block DNS traffic. As a result, it has become a prime target for threat actors, who have successfully deployed various DNS-based attacks against company networks over the years.
Attackers often use DNS to establish command and control (C2). This can lead to gaining unauthorized access to the network, moving laterally or exfiltrating data. As security has evolved to try to prevent abuse of DNS traffic and C2, the tactics and techniques of attackers have also evolved.
These are just some of the sophisticated attacks being used by threat actors to exploit DNS:
DNS-based attacks are not new, but they are prevalent. Unit 42 has recently seen multiple instances of malware and the threat actors behind it abusing DNS to achieve malicious goals.
OilRig, a threat actor operating in the Middle East, created tools with custom DNS tunneling protocols for C2. The threat actor used this not only as its main channel of communication but also as a fallback channel if its primary channel did not work correctly.
Unit 42 also observed xHunt, a threat actor that targeted government organizations in the Middle East with a backdoor called Snugy. This backdoor used DNS tunneling to communicate with its C2 server, specifically by issuing DNS A record lookups to resolve custom-crafted subdomains of actor-controlled C2 domains.
A prominent recent example of attackers incorporating DGAs can be seen in the SUNBURST backdoor, which compromised the SolarWinds supply chain. SUNBURST used DGAs to escape detection and to encode basic system information such as machine domain name, server name and other identifiers. SUNBURST sent requests to check in with the attacker, containing identifying information intended to help the attacker decide whether to launch a second-stage attack.
We found multiple C2 domains related to the Smoke Loader malware family. When installed, this malware acts as a backdoor and allows attackers to download malicious payloads from C2 servers, ranging from ransomware to info stealers to many things in between. We observed domains that resolved to nearly 100 IP addresses in less than a two-week timeframe.
Attackers took advantage of the pandemic by creating a slew of malicious NRDs that masqueraded as official COVID-19 related resources. The focus of the attackers shifted depending on current events related to the pandemic. In the early stages of the pandemic, attackers targeted people searching for COVID-19 related news and testing kits. We then observed a shift to supposedly government related NRDs, posing as relief program applications to trick users into providing private information. Now the focus is changing again, with threat actors registering apparently vaccine-related domains.
DNS is a perfect choice for adversaries who seek an always-open, often-overlooked protocol that they can leverage for C2 communications and for compromising hosts. It should be noted that DNS-related techniques are not only observed in these sophisticated attacks. A number of free, easy-to-use tools exist that can help even an inexperienced adversary carry out a malicious operation leveraging DNS, for example by using DNS to hide C2 communication. Commodity tools like these increase the sheer volume of attacks prevailing in the wild.
Today’s security teams often focus on web protocols instead of DNS-layer security. With 80% of malware using DNS to establish C2, it’s imperative that organizations monitor and analyze their DNS traffic. In order to do so, security solutions should be able to:
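Among the checks such monitoring can perform, the following Python sketch (an added example, not code from the Unit 42 post) runs over a constructed set of DNS query records and flags two of the patterns described above: many random-looking subdomains under one parent domain, as seen in tunneling and DGA traffic, and one name resolving to many IP addresses in a short window, as seen with the Smoke Loader domains. The thresholds, the two-label registered-domain rule and the sample records are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of passive-DNS style records: (client, queried name, resolved IP).
# Illustrative values only, not real indicators.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "93.184.216.34"),
    ("10.0.0.7", "a9f3k2m1x8q7z4.c2-example.test", "203.0.113.10"),
    ("10.0.0.7", "b7e2j9n4y1w6v3.c2-example.test", "203.0.113.10"),
    ("10.0.0.7", "c5d8h3p6u2t9r1.c2-example.test", "203.0.113.10"),
    ("10.0.0.7", "d1g4l7s0o3i6e9.c2-example.test", "203.0.113.10"),
    ("10.0.0.9", "cdn.flux-example.test", "198.51.100.1"),
    ("10.0.0.9", "cdn.flux-example.test", "198.51.100.2"),
    ("10.0.0.9", "cdn.flux-example.test", "198.51.100.3"),
    ("10.0.0.9", "cdn.flux-example.test", "198.51.100.4"),
]

def shannon_entropy(s):
    """Bits per character of s; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(name):
    """Assumption: the registered domain is the last two labels (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def analyze(records, min_subdomains=4, min_entropy=3.0, min_ips=4):
    """Return {domain: [reasons]} for domains showing tunneling/DGA- or fast-flux-like behavior."""
    subs = defaultdict(set)   # domain -> distinct subdomain prefixes queried under it
    ips = defaultdict(set)    # domain -> distinct IPs it resolved to in the window
    for _client, name, ip in records:
        dom = registered_domain(name)
        prefix = name.lower()[: -len(dom) - 1] if name.lower() != dom else ""
        if prefix:
            subs[dom].add(prefix)
        ips[dom].add(ip)
    findings = {}
    for dom in ips:
        reasons = []
        labels = subs[dom]
        # Tunneling/DGA signal: many distinct, high-entropy labels under one parent.
        if len(labels) >= min_subdomains and all(shannon_entropy(l) >= min_entropy for l in labels):
            reasons.append("many high-entropy subdomains (tunneling/DGA-like)")
        # Fast-flux signal: one domain resolving to many addresses in a short window.
        if len(ips[dom]) >= min_ips:
            reasons.append("resolves to many IPs in window (fast-flux-like)")
        if reasons:
            findings[dom] = reasons
    return findings
```

In production the window would be bounded by timestamp, and the registered-domain split should use a public-suffix list rather than the two-label assumption.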
As DNS-based attacks evolve, so must DNS security. Learn more about how to stop attackers from using DNS against you.
This is only one of the areas in which legacy approaches to cybersecurity can’t keep pace with the needs of today’s organizations. Read our vision of how network security must adapt.