DNS Infiltration and Exfiltration


Malware operators are constantly developing new strategies to evade detection by cybersecurity defenses. One such technique involves DNS infiltration and exfiltration, where attackers exploit the Domain Name System (DNS) to bypass traditional security measures. By using DNS as a covert communication channel, known as “DNS tunneling”, they can discreetly send and receive data without raising suspicion. This method takes advantage of DNS traffic being viewed as benign and often ignored by standard security measures.

By embedding commands or data within DNS queries and responses, attackers can carry out malicious activities without easily being detected, making DNS-based attacks both sophisticated and challenging to mitigate. This article aims to demystify these concepts, highlighting their implications for businesses and providing actionable insights to safeguard against them.

What is DNS infiltration and exfiltration?

DNS acts as the internet’s phonebook, translating human-friendly domain names into IP addresses. Over time, it has become a sort of routing protocol with many additions to the set of query types and answers to them. This flexibility can be abused by malicious actors to control their footprint inside of a business network and to smuggle data out of the network.

DNS infiltration involves inserting unauthorized data into a network via DNS queries. Conversely, DNS exfiltration extracts sensitive data from a network through DNS responses. Both processes occur without creating new protocols, making them stealthy and hard to detect.

How does DNS infiltration and exfiltration happen?

Hackers leverage DNS’s ubiquity and lack of scrutiny to infiltrate or exfiltrate data. They often use DNS tunneling, a technique that embeds other protocols within DNS to bypass security measures. Detecting infiltration requires analyzing DNS responses (the inbound direction), while detecting exfiltration involves scrutinizing DNS queries (the outbound direction).

To use DNS tunneling, an attacker must have a footprint on a device inside of the corporate LAN. They use that access to download a DNS infiltration and exfiltration tool.

Attackers set up an authoritative server for a domain using tunneling software. They then use an endpoint tool to send encoded commands in queries for fully qualified domain names (FQDNs) within the command and control (C2) domain to their local resolver. These queries typically use the TXT query type because it allows a larger number of characters in the response. The on-network recursive server queries the authoritative server for the domain and receives a response.

This process enables two-way communication between the compromised endpoint and the command-and-control server, allowing the malicious actor to send commands to the endpoint and receive data in return.

In some cases, the DNS tunneling tool ignores the local DNS resolver and the public DNS hierarchy and simply functions as a point-to-point VPN that relies on the fact that businesses do not block outbound DNS traffic on User Datagram Protocol (UDP) port 53.
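As an added example (not code from the original article or from any of the tools it names), the following Python check applies the indicators described above to a handful of constructed resolver log lines: a client sending DNS traffic somewhere other than the designated corporate resolver, and a domain whose queries carry long, high-entropy, never-repeating leftmost labels. The log format, the addresses, the `c2-example.test` domain and the thresholds are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the article): time client resolver qtype qname.
# The c2-example.test lines mimic the pattern described above: encoded data in the
# leftmost label of an attacker-controlled domain, looked up as TXT records.
SAMPLE_LOG = """\
10:00:01 10.1.2.10 10.1.0.53 A www.example.com
10:00:02 10.1.2.10 10.1.0.53 TXT 3a9f1c4e7b2d8a0f5e6c1b9d.c2-example.test
10:00:03 10.1.2.10 10.1.0.53 TXT 8e2b7d1f4c6a9e0b3d5f7a1c.c2-example.test
10:00:04 10.1.2.10 10.1.0.53 TXT 5c1d9a3e7f2b8d0c4e6a1b3f.c2-example.test
10:00:05 10.1.2.11 203.0.113.9 A mail.example.com
10:00:06 10.1.2.12 10.1.0.53 AAAA cdn.example.com
"""
ALLOWED_RESOLVERS = {"10.1.0.53"}  # assumed address of the designated corporate resolver

def shannon_entropy(s):
    """Bits per character: random hex/base32 labels score near 4, ordinary words near 2."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    """Naive last-two-labels split; a real deployment should use a public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log, allowed_resolvers, min_queries=3, entropy_threshold=3.5, label_len=20):
    direct_dns = []   # (client, destination) pairs that bypass the corporate resolver
    stats = defaultdict(lambda: {"n": 0, "txt": 0, "subs": set(), "ent": [], "maxlen": 0})
    for line in log.splitlines():
        _, client, resolver, qtype, qname = line.split()
        if resolver not in allowed_resolvers:
            direct_dns.append((client, resolver))
        dom = registered_domain(qname)
        st = stats[dom]
        st["n"] += 1
        if qtype == "TXT":
            st["txt"] += 1
        label = qname.split(".")[0]
        if qname != dom:  # only score the leftmost label of subdomain lookups
            st["subs"].add(label)
            st["ent"].append(shannon_entropy(label))
            st["maxlen"] = max(st["maxlen"], len(label))
    suspects = []  # (domain, number of TXT queries) meeting the tunneling heuristics
    for dom, st in stats.items():
        if st["n"] < min_queries or not st["ent"]:
            continue
        mean_ent = sum(st["ent"]) / len(st["ent"])
        never_repeats = len(st["subs"]) == st["n"]  # each query carries a fresh label
        if never_repeats and (mean_ent >= entropy_threshold or st["maxlen"] >= label_len):
            suspects.append((dom, st["txt"]))
    return {"direct_dns": direct_dns, "tunnel_suspects": suspects}
```

Run against real resolver logs, the entropy and label-length thresholds need tuning per environment, since CDNs and some telemetry services also use long machine-generated labels.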

There are several tools favored by cybercriminals for DNS infiltration and exfiltration due to their ability to operate covertly and efficiently:

  • Dnscat2: Dnscat2 is an open-source tool that enables a covert communication channel over DNS traffic. Designed to be anonymous and encrypted, Dnscat2 allows users to send arbitrary data through DNS without being easily detected by traditional monitoring solutions. Its flexibility and configurability make it a popular choice among attackers looking to transfer data or execute commands stealthily.
  • Iodine: Iodine is a DNS tunneling tool that allows IPv4 data to be sent through a DNS server. It works by encapsulating data within DNS packets, facilitating data transfer across network barriers like firewalls or content filters. Often used for legitimate purposes where internet access is restricted, Iodine can also be exploited for malicious data exfiltration in unsecured networks.
  • DNSExfiltrator: DNSExfiltrator is another open-source tool tailored for data exfiltration over DNS. It encodes data in DNS queries and responses, making it possible to extract information without detection. By manipulating packet sizes and implementing throttling, DNSExfiltrator avoids triggering common security alarms, making it a particularly advanced option for attackers seeking to conduct undetected operations.

Examples of DNS infiltration and exfiltration

There have been several notable incidents where DNS infiltration and exfiltration have been used successfully by cybercriminals:

The Sea Turtle Campaign (2017-2019)

In this state-sponsored attack, perpetrators targeted various government and intelligence agencies across the Middle East and North Africa. The attackers exploited DNS infiltration to reroute traffic from legitimate domains to malicious servers, successfully siphoning sensitive data without immediate detection.

OilRig Campaign (2018)

In this operation, a cyber-espionage group targeted financial institutions and telecommunication companies in the Middle East. They employed DNS exfiltration techniques to extract confidential information, disguising their activities using DNS tunneling tools to evade traditional security measures.

APT29’s Operations (2020)

Known as Cozy Bear, this group attacked global organizations in the healthcare sector amid the COVID-19 pandemic. Employing DNS-based techniques, they infiltrated companies’ systems and exfiltrated valuable information related to vaccine development, leveraging sophisticated DNS tunneling approaches.

APT34’s Attack on Energy Sector (2017)

This group targeted the energy sector in various countries, using DNS exfiltration to steal geopolitical and business-related data. They integrated DNS tunneling to maintain continuous access to compromised networks, exploiting the DNS protocol’s fundamental trust within networks to execute their attack successfully.

How does DNS infiltration and exfiltration impact your business?

DNS tunneling is a technique often leveraged during data breaches to stealthily transmit and receive data through DNS queries and responses. By encoding data within these seemingly legitimate DNS requests, attackers can bypass traditional firewalls and security systems undetected, as DNS traffic is typically allowed through network defenses.

In maintaining persistence within a business’s network, hackers use DNS tunneling to create a continuous communication channel with compromised systems. This allows them to exfiltrate data over extended periods and adjust their tactics as needed, prolonging their access and minimizing the risk of detection. As a result, the business remains vulnerable, with sensitive data at risk until the infiltration is identified and remediated.

The consequences of DNS infiltration and exfiltration can be devastating. Data breaches lead to financial losses, reputational damage, and legal liabilities. They disrupt business operations, erode customer trust, and may result in hefty regulatory fines.

For small businesses, the stakes are even higher. Limited resources make recovery challenging, emphasizing the critical need for proactive defense strategies. With the prevalence of DNS tunneling, businesses must prioritize securing their DNS infrastructure to prevent data leakage and mitigate the impact of potential attacks. Regularly monitoring and controlling network traffic through DNS analysis can help detect and block malicious activity before it escalates, safeguarding sensitive information and preserving business continuity.

Preventing DNS Infiltration and Exfiltration

To protect against these threats, businesses must adopt comprehensive security measures:

Use Protective DNS

Employ DNS filtering services that automatically block requests to known malicious domains. Protective DNS can prevent users from accessing harmful sites, even if they accidentally click on dangerous links. This proactive approach adds an extra layer of defense by stopping threats before they enter your network. Ultimately, integrating protective DNS into your security strategy can significantly reduce the risk of infiltration or data exfiltration activities that exploit DNS vulnerabilities.

Configure Firewalls and Proxies

Restrict outbound DNS traffic by ensuring it only originates from your designated DNS resolvers, which helps prevent unauthorized connections and potential security breaches. This measure is crucial for maintaining network integrity by reducing the risk of malicious activities and data leaks. Regular audits and monitoring can further enhance these safeguards, ensuring that all DNS queries are legitimate and secure.

Use Anti-Malware Solutions

Implement robust anti-malware software to detect and block malicious software that could enable DNS tunneling. An effective anti-malware strategy focuses on early detection and prevention of endpoint compromises, which are often the initial steps in installing tools required for such attacks. Regularly updating and running comprehensive scans on your systems can help identify potential threats before they can leverage DNS vulnerabilities, thus securing your network against unauthorized data transfer.

A manageable risk

DNS infiltration and exfiltration present notable risks to modern enterprises, but these threats are manageable with the right controls. By understanding the vulnerabilities and implementing robust security measures, businesses can significantly reduce their impact. Staying informed and proactive allows companies to protect assets, preserve customer trust, and maintain a competitive edge in today’s digital landscape. Engaging with cybersecurity experts or exploring additional resources online can further enhance DNS security. Ensure your business’s safety by taking the necessary steps to manage these threats effectively.

How Vercara can help

Vercara’s UltraDDR offers exceptional DNS security by acting as a filtering DNS recursive server, safeguarding endpoint devices from various threats. It integrates recursive and private DNS resolver technologies to block malicious queries, including infiltration and exfiltration, and monitor adversary infrastructure.

If you are interested in learning more, check out our advanced security solutions and reach out to our cybersecurity experts to enhance your defenses against DNS infiltration and exfiltration and other emerging threats.

Published On: January 23, 2025
Last Updated: January 23, 2025