Abusing DNS to Exfiltrate Data

Detection -> Analysis -> Response

Introduction

DNS is the most critical part of the Internet Protocol suite; its main function is to translate between hostnames and IP addresses. DNS is a stateless protocol described in RFC 1035 that uses port 53 to carry DNS queries across endpoints and firewalls.

“DNS may be regarded as a globally deployed routing and caching overlay network that connects both public and private Internet,” said Dan Kaminsky, a well-known DNS security researcher. Does this raise any major doubts about DNS’s security? Is it possible that it may be exploited, resulting in a data breach? Yes, of course: DNS can be exploited in a variety of ways, using varied tactics, techniques, and procedures. To begin, DNS servers employ the UDP protocol, which has lower latency and bandwidth than TCP. UDP is a connectionless protocol, which means it doesn’t have error or flow control capabilities, and it doesn’t check for data integrity. Adversaries will have an easier time carrying out their attacks as a result of this.

In this post, we’ll look at how DNS data exfiltration works, what strategies and approaches adversaries employ, and how to detect, analyse, and respond to such an assault.

Summary

Threat actors frequently employ DNS to exfiltrate data from infected devices or malicious insiders. DNS data exfiltration involves two hosts sharing data over the internet without having a direct connection. The data is transmitted utilising intermediary DNS servers located between the two hosts.

DNS, as previously stated, is a connectionless protocol that was not meant to send and receive data in a client-server environment. However, because DNS identifies both delivered and received queries as genuine, it is easy to abuse this protocol to create a client-server scheme. As a result, after the initial penetration, the adversaries employ this technique to exploit the protocol and exfiltrate data.

Data Exfiltration through DNS: How Does It Work?

Queries and replies are the two sorts of messages in the DNS, and both have the same format. Various parameters in DNS have a size limit, and the size limit for UDP messages is “512 octets or less,” implying that the adversaries have 512 octets to encode the data in order to avoid detection.
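The limits above bound how much data one query name can carry, which is what length and size rules key on. The following is an added example, not code from the original post: it parses the question section of a raw DNS query and applies such rules. The two packets are constructed samples and the `label_limit` and `name_limit` policy thresholds are assumptions.

```python
import struct

# RFC 1035 limits: label <= 63 octets, name <= 255 octets, UDP message <= 512 octets.
MAX_LABEL, MAX_NAME, MAX_UDP = 63, 255, 512

# Constructed sample queries (header, QNAME, QTYPE=A, QCLASS=IN); not captured traffic.
_HEADER = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
_TAIL = struct.pack("!HH", 1, 1)
BENIGN = _HEADER + b"\x03www\x07example\x03com\x00" + _TAIL
SUSPECT = (_HEADER + bytes([48]) + b"q7x2m9k4v1z8b3n6c5j0rtwy" * 2
           + b"\x09rogue-dns\x03com\x00" + _TAIL)

def parse_query(msg):
    """Parse the header and first question of a raw DNS query message."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    ident, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:  # root label terminates the name
            break
        if length > MAX_LABEL:  # 0x40-0xFF: compression pointer or reserved
            raise ValueError("pointer or invalid label length in question")
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": ident, "qname": ".".join(labels), "qtype": qtype,
            "longest_label": max(map(len, labels), default=0),
            "name_octets": pos - 12, "msg_octets": len(msg)}

def size_rule_hits(msg, label_limit=40, name_limit=100):
    """Names of the length/size rules this query trips (policy limits are assumptions)."""
    q = parse_query(msg)
    checks = [("udp_message_over_512", q["msg_octets"] > MAX_UDP),
              ("name_over_255", q["name_octets"] > MAX_NAME),
              ("long_label", q["longest_label"] > label_limit),
              ("long_name", q["name_octets"] > name_limit)]
    return [name for name, tripped in checks if tripped]
```

The policy thresholds sit well below the protocol maxima on purpose; tune them against a baseline of normal queries before alerting on them.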

Data is exfiltrated from a compromised endpoint to the threat actor’s server using the DNS protocol, as shown in the diagram below:

  • The attacker first creates a rogue C&C DNS server and registers it with the name “rogue-dns.com” in this scenario.

  • The next step is to compromise an endpoint and escalate privileges in order to obtain access to critical information.

  • Once the attackers have gotten their hands on sensitive data, they break it down into small parts.

  • These small chunks are then placed into queries directed to “rogue-dns.com”, in portions that fit the UDP message limit (512 octets).

  • As seen in the figure, these queries are logged on the destination rogue server and the data is reassembled.

  • The same technique can be used to infiltrate data/code into the network.

Threat actors also employ ID tagging and sequence numbering, which is highly important for tagging transactions because the sequence will help in determining which bits are names, card numbers, and CVV numbers.

The network traffic for data exfiltration done in real-time over DNS is shown in the diagram below:

 

Detection

Endpoint hardening might include monitoring and blocking the ports used by services like FTP, HTTP, and SSH to combat cyber-attacks. DNS, on the other hand, cannot be blocked because it is essential to create an internet connection. To detect such attacks, we must concentrate on the adversaries’ tactics, techniques, and procedures. The MITRE ATT&CK® framework provides us with a comprehensive understanding of adversary behaviour and assists us in mapping and searching for vulnerabilities in our environment.

To begin, we must narrow down the adversaries/threat groups that may be targeting your company. We can now use MITRE ATT&CK Navigator to map the TTPs used by these adversaries in order to detect and respond to cyber-attacks. Many attackers employ the DNS protocol to exfiltrate data; examine the threat groups APT3, APT32, and Dragonfly 2.0, for example.

The figure below shows the TTPs used by groups APT3, APT32 and Dragonfly 2.0.
Scores assigned: APT3: 60, APT32: 80, Dragonfly 2.0: 100

  • Techniques with a score of 240 are those that are used by all three adversaries.

  • Using this map, you may look for comparable actions in your company and see if an attack is underway.

  • As shown in the diagram, all three attackers employ the Exfiltration over C2 Channel to exfiltrate data.

  • We need to use IPS/IDS to monitor network traffic for suspicious connections being established.

A Use case can be created in SIEM to detect and trigger alerts when the above conditions match.
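One way such a use case could be expressed, as an added example that is not from the original post: group resolver log lines by client and base domain, then flag pairs where nearly every query carries a new, long, high-entropy subdomain. The log format, client addresses, sample labels and all thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log ("<client_ip> <qname>"); not real traffic.
_ALPHABET = "q7x2m9k4v1z8b3n6c5j0rtwy"  # stand-in for encoded payload chunks
SAMPLE_LOG = (
    [f"10.0.0.23 {i:04d}.{_ALPHABET[i:] + _ALPHABET[:i]}.rogue-dns.com" for i in range(8)]
    + ["10.0.0.5 www.example.com"] * 6
    + ["10.0.0.5 mail.example.com", "10.0.0.9 updates.example.org"]
)

def shannon_entropy(text):
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_qname(qname, base_labels=2):
    """Split into (subdomain, base domain). Assumption: the last two labels are
    the registered domain; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def find_suspects(lines, min_queries=5, min_unique_ratio=0.9,
                  min_avg_len=20, min_avg_entropy=3.0):
    """Flag (client, base domain) pairs whose queries look like chunked data.
    All thresholds are illustrative and need tuning per environment."""
    groups = defaultdict(list)
    for line in lines:
        client, qname = line.split()
        sub, base = split_qname(qname)
        if sub:
            groups[(client, base)].append(sub)
    suspects = []
    for (client, base), subs in sorted(groups.items()):
        if len(subs) < min_queries:
            continue
        unique_ratio = len(set(subs)) / len(subs)
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if (unique_ratio >= min_unique_ratio and avg_len >= min_avg_len
                and avg_entropy >= min_avg_entropy):
            suspects.append({"client": client, "domain": base, "queries": len(subs),
                             "unique": len(set(subs)), "payload_chars": sum(map(len, subs)),
                             "avg_entropy": round(avg_entropy, 2)})
    return suspects

if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_LOG):
        print(hit)
```

The `payload_chars` total gives a rough upper bound on how much data the flagged client pushed toward that domain, which helps scope the investigation.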

Analysis

Since exfiltration of data is the last stage of a cyber-attack, if alerts are triggered for a large volume of DNS traffic being initiated to the same destination from one or more endpoints, it is very likely that the attackers have compromised user accounts/endpoints and have already established a foothold in your environment.

A detailed investigation needs to be carried out to analyse the impact, collect artifacts, and then initiate the containment and remediation process.

  • Identify the user machines which are sending out DNS requests.

  • Check for any phishing emails sent to users.

  • Check if there are any alerts triggered in the EDR from the same hosts.

  • Isolate the machines from the network to avoid lateral movement.

  • Check for the processes and network connection being initiated from the hosts.

  • Correlate and identify how the malicious file/plugin got installed on the hosts.

  • Check for login attempts being made on user accounts and check if the accounts are compromised.

  • Analyze the IPS/IDS traffic and check for any abnormalities.

  • Validate if any plugins are installed on the browser.

  • Validate if any unwanted application/script/file has been installed on the host.

Response
Containment and Recovery steps:

  • Using EDR, kill, quarantine, and remediate any suspicious processes/files on the machines.

  • If the malicious domain isn’t already blocked on DNS, block it.

  • Change the passwords for the user accounts.

  • Remove any suspicious files from the endpoints.

  • Remove all unnecessary files and plugins from the computer.

  • Carry out a full scan of the hosts.

  • Check for data loss with a DLP solution.

Conclusion

Data is the most valuable asset on the planet, and loss or theft of data is one of the most serious threats that a business encounters. DNS is an extremely powerful mechanism that applications and systems leverage to communicate with resources and services via the internet; however, DNS is often neglected in terms of security as it is not examined by typical security controls. This makes DNS an ideal target for adversaries to exploit, as it may be used to exfiltrate and infiltrate data.

Security controls or network security solutions such as Cisco Umbrella, Palo Alto Network Security Platform, and others can help organisations defend themselves against these types of cyberattacks. Some examples of defence mechanisms include, but are not limited to:

  • Setting a limit on DNS traffic.

  • Configuring dedicated DNS servers.

  • Blocking domain names based on threat intelligence feeds of known repute.

  • Using rules for the DNS queries ‘Newly Seen domain’ and ‘Strange appearing domain.’

  • Using length and size rules for inbound and outbound DNS queries.

  • Segmentation of the network.

  • Putting data loss prevention (DLP) measures in place.

Credits: Mohammad Valiuddin 
