DNS Tunneling Abuse Expands to Tracking & Scanning Victims
Several campaigns are leveraging the evasive tactic to provide useful insights into victims' online activities and find new ways to compromise organizations.
May 14, 2024
Attackers are taking malicious manipulation of DNS traffic to the next level, abusing DNS tunneling to scan a victim's network infrastructure as well as track victims' online behavior. The goal? To gain useful insights into new ways to compromise organizations.
Researchers from Palo Alto Networks' Unit 42 have identified several recent threat campaigns that have gone beyond the typical use of DNS tunneling, which is the process of using outbound DNS traffic to smuggle malicious data from malware exploitation back to attackers' command-and-control (C2) infrastructure. They revealed in a recent blog post that attackers have been abusing DNS traffic to track victims' activities, by delivering malicious domains to victims with their identity information encoded in subdomain payloads.
"DNS tunneling techniques can be leveraged by adversaries to perform various actions not normally associated with [it]," Unit 42's Shu Wang, Ruian Duan, and Daiping Liu wrote in the post. "Despite the conventional impression that tunneling is used for C2 and VPN purposes, we also find that attackers can use DNS tunneling as a vehicle for victim activity tracking and network scanning."
The scanning in recent campaigns includes trolling network infrastructure by encoding the IP address and time stamp in the tunneling payloads, with spoofed source IP addresses, according to Unit 42. This allows attackers to discover open resolvers — or a DNS server that's willing to resolve recursive DNS lookups for anyone on the Internet — so that they can exploit resolver vulnerabilities to perform DNS attacks, the researchers wrote. This can lead to malicious redirection or denial-of-service attacks.
How DNS Tunneling Works
DNS tunneling is valuable to malicious actors because it provides a covert communications channel, allowing them to bypass conventional network firewalls and thus hide C2 traffic and data exfiltration among legitimate outbound traffic, masking it from traditional detection methods.
DNS tunneling hides traffic in several ways. For instance, attackers can send traffic over User Datagram Protocol (UDP) port 53, which is ubiquitous and commonly allowed through firewalls and other network security measures. The client machine does not communicate with the attacker's server directly, adding another layer of obscurity.
Further, attackers typically encode data sent during exfiltration and infiltration with their own customized methods, which disguises the data within seemingly legitimate DNS traffic.
DNS Tunneling for Tracking
Unit 42 researchers observed two specific attacks in which DNS tunneling was used to track victims' behavior by using subdomains in DNS traffic.
"In this application of DNS tunneling, an attacker's malware embeds information on a specific user and that user's actions into a unique subdomain of a DNS query," the researchers explained. "This subdomain is the tunneling payload, and the DNS query for the FQDN uses an attacker-controlled domain."
One campaign, dubbed "TRkCdn" by the researchers, targeted 731 potential victims using 75 IP addresses for nameservers and resolving 658 attacker-controlled domains. Based on researchers' observations, the technique likely was used to track victims' interaction with email content.
In another campaign, aptly dubbed SpamTracker, attackers used DNS tunneling in a similar way to TrkCdn to track spam delivery, the researchers said. The campaign — related to 44 tunneling domains — employed emails and website links to deliver spam and phishing content with various lures, including fortune-telling services, fake package delivery updates, secondary job offers, and lifetime free items.
DNS Tunneling for Scanning
The third novel use of DNS tunneling observed by Unit 42 came in the form of using the method to periodically scan a victim's network infrastructure for vulnerabilities — often the first stage of a cyberattack — and then performing reflection attacks.
The researchers observed the so-called SecShow campaign seeking open resolvers, testing resolver delays, exploiting resolver vulnerabilities, and obtaining time-to-live (TTL) information. It contained three domains that used various subdomains to achieve different types of network scanning.
The SecShow campaign generally targeted the open resolvers it found and, as a result, victims of it were mainly from "education, high tech and government fields, where open resolvers are commonly found," the researchers noted.
Mitigating Malicious DNS Behavior
When it comes to detecting DNS tunneling, Unit 42 researchers recommended that organizations control the service range of resolvers to accept necessary queries only, and promptly update the version of the resolver software to prevent the exploitation of N-day vulnerabilities.
Of course, the best way to prevent attackers from leveraging DNS tunneling in novel attacks is to keep threat actors out of environments entirely, notes Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4.
"The key is to prevent them from gaining that initial foothold access," he says. "Once they are in, they are in. It's already game over."
To mitigate about 90% of attacks — whether they use DNS tunneling or otherwise — organizations must prevent socially engineered phishing and other attacks from being successful, and patch vulnerable software and firmware, Grimes advises.
About the Author
You May Also Like