Threat Advisory

DNS Tunneling for Network Scanning and User Tracking

Threat: Malicious Campaign
Targeted Region: Japan
Targeted Sector: Government & Defense, Education
Criticality: High


EXECUTIVE SUMMARY:

DNS tunneling, long associated with command and control (C2) traffic and with VPN-style tunneling of arbitrary traffic through DNS, is now being used for purposes beyond those. Recent findings show it being adopted for network scanning and for tracking victims, which raises new detection problems. Because DNS is permitted almost everywhere and is rarely inspected in depth, malicious actors use it to pass conventional defenses, and defenders need a precise understanding of how these campaigns work.

DNS tunneling embeds data in DNS queries and responses, giving a compromised host, or anything an attacker can induce to perform a lookup, a covert channel to an attacker-controlled authoritative nameserver. The mechanism is simple: the attacker registers a domain and runs its authoritative nameserver, so a query for any subdomain of that domain, after passing through whatever recursive resolver the victim uses, arrives at a server the attacker controls. Data is encoded into the subdomain labels of the query and, where a return path is needed, into the answer. Because the traffic is ordinary-looking DNS, it often passes security controls that inspect only web traffic or block unknown ports. Recent campaigns show the technique used for two further purposes. In scanning, the attacker encodes the IP address of the resolver being probed and a timestamp into the subdomain, so the queries arriving at the attacker's nameserver reveal the victim's resolver infrastructure and its behaviour, and identify candidates for later vulnerability exploitation. In tracking, a per-victim identifier is placed in the subdomain of a hostname referenced from email content, such as an embedded image or link, so the DNS lookup that occurs when the message is opened tells the attacker which recipient interacted with the email and whether the content was delivered.
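To make the two encodings concrete, the following Python script is an added example, not code from this advisory or from the campaigns it describes. It builds a constructed resolver query log using a hypothetical scanning encoding (resolver IP plus timestamp packed into one hex label) and a hypothetical tracking encoding (a hash of the recipient address), runs a per-domain detector over that log that combines unique-label ratio, label length and character entropy, and finally decodes the scanning labels to show which resolvers the scanner reached. The domain names, IP addresses, thresholds and log format are all assumptions made for the example.

```python
"""Added example: DNS tunneling query names for scanning and tracking as they
might appear in a resolver query log, plus a small per-domain detector.

The label encodings are hypothetical illustrations, not the real campaigns'
formats, and every log line below is constructed, not captured."""
import hashlib
import ipaddress
import math
from collections import defaultdict

# ---- hypothetical attacker-side encodings --------------------------------

def encode_scan_label(resolver_ip: str, ts: int) -> str:
    """Scanning: 8 hex chars of IPv4 address + 8 hex chars of a 32-bit time."""
    return f"{int(ipaddress.IPv4Address(resolver_ip)):08x}{ts & 0xFFFFFFFF:08x}"

def decode_scan_label(label: str):
    """Inverse of encode_scan_label: recover what the scanner learned from the
    query name a defender sees in their own resolver log."""
    return str(ipaddress.IPv4Address(int(label[:8], 16))), int(label[8:16], 16)

def encode_track_label(recipient: str) -> str:
    """Tracking: a per-recipient token placed in an image or link hostname, so
    the DNS lookup made when the mail is opened identifies the recipient."""
    return hashlib.sha256(recipient.encode()).hexdigest()[:24]

# ---- defender-side analysis ----------------------------------------------

def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname: str):
    """Return (leftmost label, registered domain). Simplification: the
    registered domain is the last two labels; real code should consult the
    Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return labels[0], ".".join(labels[-2:])

def score_domains(log_lines, min_queries=5, min_unique_ratio=0.8,
                  min_label_len=16, min_entropy=2.0):
    """Flag registered domains whose leftmost labels look like a tunnel: many
    distinct, long, non-dictionary labels. Thresholds are illustrative and must
    be tuned per environment. Hex-encoded data with many zero bytes
    (10.0.0.1 -> 0a000001) scores low on entropy, which is why several
    features are combined instead of relying on entropy alone."""
    per_domain = defaultdict(list)
    for line in log_lines:
        # constructed log format: "<epoch> <client> <qname> <qtype>"
        label, domain = split_qname(line.split()[2])
        per_domain[domain].append(label)
    flagged = {}
    for domain, labels in per_domain.items():
        if len(labels) < min_queries:
            continue
        unique_ratio = len(set(labels)) / len(labels)
        avg_len = sum(map(len, labels)) / len(labels)
        avg_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        if (unique_ratio >= min_unique_ratio and avg_len >= min_label_len
                and avg_entropy >= min_entropy):
            flagged[domain] = {"queries": len(labels),
                               "unique_ratio": round(unique_ratio, 2),
                               "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_entropy, 2)}
    return flagged

def recover_scan_targets(log_lines, scan_domain):
    """For a domain already attributed to scanning, decode which of our
    resolvers the scanner reached and when (assumes the hypothetical encoding)."""
    seen = []
    for line in log_lines:
        label, domain = split_qname(line.split()[2])
        if domain == scan_domain and len(label) == 16:
            seen.append(decode_scan_label(label))
    return seen

# ---- constructed sample log (not real traffic) ---------------------------

def build_sample_log():
    base_ts = 1715000000
    lines = []
    # benign: a few ordinary names, looked up repeatedly
    for i, host in enumerate(["www"] * 4 + ["mail"] * 2 + ["cdn"] * 2):
        lines.append(f"{base_ts + i} 192.0.2.10 {host}.example.com. A")
    # scanning: probes that encode the resolver IP they hit plus a timestamp
    for i, res in enumerate(["10.0.0.1", "203.0.113.7"] * 3):
        lines.append(f"{base_ts + i} 198.51.100.5 "
                     f"{encode_scan_label(res, base_ts + i)}.scanner.example. A")
    # tracking: one unique token per mail recipient
    for i, who in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"{base_ts + i} 192.0.2.{20 + i} "
                     f"{encode_track_label(who + '@example.org')}.tracker.example. A")
    return lines

SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for domain, stats in score_domains(SAMPLE_LOG).items():
        print(domain, stats)
    print(recover_scan_targets(SAMPLE_LOG, "scanner.example"))
```

Run against real resolver logs, the same per-domain aggregation is what separates a tracking campaign (hundreds of distinct one-off subdomains under a single domain, one per recipient) from ordinary CDN traffic, where the set of hostnames is small and repeated. The decoding step only works because the encoding is known; in practice that knowledge comes from reversing the campaign's tooling or from the published report.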

As DNS tunneling continues to evolve, organizations should strengthen their defenses accordingly. Deploy DNS security controls that can detect anomalous tunneling activity, for example unusually long or high-entropy subdomain labels and large numbers of unique subdomains under a single domain. Restrict the service range of recursive resolvers so they accept recursive queries only from the networks they are meant to serve, which keeps them out of the population of open resolvers that scanning campaigns probe, and keep resolver software promptly updated to remove the vulnerabilities such scans look for. Remaining vigilant and adapting to the changing threat landscape lets organizations protect their networks from this kind of abuse.
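A concrete form of the resolver service-range recommendation, added here as an illustration rather than taken from the advisory or the cited report: a BIND 9 named.conf options fragment with the open-resolver setting beside the restricted one. The network ranges in the acl are assumptions and must be replaced with the ranges the resolver actually serves; the two options blocks are alternatives and are not meant to coexist in one file.

```conf
// BEFORE (weak): an open resolver. Anyone on the Internet can use it for
// recursion, which also makes it a target for, and a relay in, campaigns that
// scan for open resolvers.
options {
    recursion yes;
    allow-recursion { any; };
    allow-query     { any; };
};

// AFTER (hardened): recursion and cache access limited to the networks this
// resolver serves (example ranges, an assumption); everything else is REFUSED.
acl "internal" { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; };

options {
    recursion yes;
    allow-recursion   { internal; };
    allow-query       { internal; };
    allow-query-cache { internal; };
    // Do not advertise the software version; this hides it from version
    // probes but is not a substitute for actually patching the resolver.
    version none;
};
```

Validate the file with `named-checkconf` before reloading, then confirm from a host outside the listed ranges that a recursive lookup such as `dig @<resolver-ip> www.example.com` returns status REFUSED rather than an answer. The same principle applies to other resolvers (for example Unbound's access-control directives): only the networks you serve should be able to make your resolver recurse.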


THREAT PROFILE:

Tactic                Technique ID   Technique
Defense Evasion       T1205          Traffic Signaling
Discovery             T1046          Network Service Discovery
Discovery             T1012          Query Registry
Discovery             T1018          Remote System Discovery
Discovery             T1082          System Information Discovery
Collection            T1005          Data from Local System
Command and Control   T1001          Data Obfuscation
Command and Control   T1572          Protocol Tunneling
Command and Control   T1071          Application Layer Protocol
Exfiltration          T1048          Exfiltration Over Alternative Protocol
Impact                T1565          Data Manipulation
Impact                T1496          Resource Hijacking
Impact                T1499          Endpoint Denial of Service


REFERENCES:

The following report contains further technical details:
https://www.bleepingcomputer.com/news/security/hackers-use-dns-tunneling-for-network-scanning-tracking-victims/
