Threat actors are using DNS tunneling to scan for network vulnerabilities and check the success of phishing campaigns, according to new research from Palo Alto Networks.
The security vendor’s Unit 42 explained in a blog post yesterday that DNS tunneling is usually deployed as a means to bypass security filters by hiding malicious traffic in DNS packets. In this way, hackers can smuggle stolen data out of a target’s infrastructure, or hide inbound malware or command-and-control (C&C) instructions.
However, Unit 42 recently found several campaigns using more novel techniques.
The first is to track victim activities regarding interactions with spam or phishing emails.
“In this application of DNS tunneling, an attacker’s malware embeds information on a specific user and that user’s actions into a unique subdomain of a DNS query. This subdomain is the tunneling payload, and the DNS query for the fully qualified domain name (FQDN) uses an attacker-controlled domain,” the blog explained.
“An authoritative nameserver for the attacker-controlled domain receives the DNS query. This attacker-controlled nameserver stores all DNS queries for the domain. The unique subdomains and timestamps of these DNS queries provide a log of the victim's activity.”
Attackers can use the same technique to track multiple victims from their campaign, Unit 42 said. The researchers claimed to have observed this in action during campaigns dubbed “TrkCdn” and “SpamTracker” to check victim interactions with phishing and spam emails respectively.
The research team also observed DNS tunneling in a separate campaign, “SecShow,” where it is used to “periodically scan a victim’s network infrastructure, and then they typically perform reflection attacks.”
More specifically, threat actors were observed using DNS queries to probe for network misconfigurations in targeted organizations, which could be subsequently exploited for denial-of-service attacks, to steal data or to install malware.
Once again, DNS tunneling is used to hide this activity from firewall inspection.
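Both the tracking campaigns (unique per-victim subdomains queried against an attacker-controlled domain) and the scanning campaign leave the same footprint in resolver logs: one registered domain receiving many distinct, high-entropy subdomains from many internal clients. The following is an added example of a defender-side heuristic over such logs; it is not code from the Unit 42 report. It assumes a constructed log format of timestamp, client IP and queried name, and treats the last two labels as the registered domain (no public-suffix list is consulted).

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (timestamp, client IP, queried name); not taken from any real campaign.
SAMPLE_LOG = """\
2024-05-14T09:01:02Z 10.0.0.21 www.example.com
2024-05-14T09:01:05Z 10.0.0.21 4e1f3a9c0b7d.u1.track-example.invalid
2024-05-14T09:01:09Z 10.0.0.33 9ab2c44ef10d.u2.track-example.invalid
2024-05-14T09:01:15Z 10.0.0.21 mail.example.com
2024-05-14T09:01:20Z 10.0.0.47 77d0ee51c3a8.u3.track-example.invalid
2024-05-14T09:01:31Z 10.0.0.21 www.example.com
2024-05-14T09:01:40Z 10.0.0.52 c2f8b1e6a905.u4.track-example.invalid
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far higher than words like 'www'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname: str) -> str:
    # Assumption: registered domain is the last two labels (good enough for this illustration).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text: str, min_unique: int = 3, min_entropy: float = 3.0) -> dict:
    """Flag registered domains that receive many distinct, high-entropy subdomains."""
    subs = defaultdict(set)      # domain -> set of unique subdomain prefixes
    clients = defaultdict(set)   # domain -> set of internal clients that queried it
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        dom = registered_domain(qname)
        prefix = qname[: -len(dom)].rstrip(".")
        clients[dom].add(client)
        if prefix:
            subs[dom].add(prefix)
    flagged = {}
    for dom, prefixes in subs.items():
        # Score the leftmost label, which is where the tunneling payload is carried.
        mean_entropy = sum(shannon_entropy(p.split(".")[0]) for p in prefixes) / len(prefixes)
        if len(prefixes) >= min_unique and mean_entropy >= min_entropy:
            flagged[dom] = {"unique_subdomains": len(prefixes),
                            "clients": len(clients[dom]),
                            "mean_entropy": round(mean_entropy, 2)}
    return flagged

if __name__ == "__main__":
    for dom, stats in analyze(SAMPLE_LOG).items():
        print(f"suspect tunneling domain {dom}: {stats}")
```

Thresholds here are illustrative; in production they should be tuned against a baseline of the organisation's own traffic, since CDNs and some telemetry services also produce long, random-looking labels.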
“Uncovering the scanning applications of tunneling campaigns can help us prevent cyber-attacks at an early stage, mitigating potential damage,” Unit 42 said.
The vendor urged network defenders to reduce the attack surface of their DNS resolvers by restricting the range of clients and queries each resolver serves to those that are actually needed, and by promptly updating resolver software.