SoS Musings - DNS Attacks Are on the Rise

By grigby1 

Domain Name System (DNS) exploits are a top attack vector in the realm of cyberattacks. The DNS protocol is a critical component of the Internet, best compared to a phonebook: it provides a distributed directory that maps human-readable domain names to their corresponding machine-readable IP addresses. Concern arises because attackers can abuse weaknesses in this system through a variety of attacks. Findings indicate that DNS attacks are growing in both frequency and associated cost. According to the "2023 IDC Global DNS Threat Report," 90 percent of organizations have experienced one or more DNS attacks, with each attack costing an average of $1.1M in damages. Security experts have identified a number of different DNS attacks that require further investigation and prevention.

There are many types of DNS attacks that threat actors use to infiltrate networks, conduct phishing attacks, disrupt responses to legitimate DNS requests, and perform other malicious activities. Some examples of DNS attacks include DNS hijacking, DNS tunneling, and DNS spoofing, also referred to as DNS cache poisoning. DNS hijacking refers to attacks in which DNS requests are intercepted and redirected to rogue or compromised DNS servers or domains, either by modifying DNS records or by exploiting vulnerabilities in the domain name registrar's system. If attackers want to use DNS as a covert communication protocol or as a way to exfiltrate data from a network, they can perform DNS tunneling by embedding data from other programs inside DNS queries and responses. Because DNS traffic is almost always permitted, DNS tunneling lets attackers bypass network security technology such as firewalls and evade detection. Another common DNS attack is DNS cache poisoning, which reroutes traffic from real servers to fake ones. Attackers perform DNS cache poisoning by sending forged DNS responses from a fraudulent DNS server; legitimate resolvers then cache those responses, changing the stored mapping between a domain name and its IP address. DNS cache poisoning can be used to send unsuspecting users to malicious phishing websites where malware is spread.

Threat actors have performed DNS tunneling to track when targets open phishing emails and click on malicious links. They have also used DNS tunneling to scan networks for vulnerabilities. DNS tunneling involves encoding data or commands in DNS queries and the responses to them, turning DNS into a covert communications channel. Threat actors encode the data in different ways, such as Base16, Base64, or custom textual encodings, so that it fits inside DNS labels and can be returned in the records that answer the queries. DNS tunneling is commonly used by hackers to bypass network firewalls and filters. Palo Alto Networks' Unit 42 security research team discovered the use of DNS tunneling in two malicious campaigns involving victim tracking and network scanning, called "TrkCdn" and "SecShow."

Cybercriminals have used a novel DNS hijacking technique to carry out investment scams. "Savvy Seahorse," a new DNS threat actor, used sophisticated methods to lure victims into fake investment platforms and steal funds. According to Infoblox researchers, the DNS threat actor convinces victims to create accounts on fake investment platforms and make a deposit to a personal account. Savvy Seahorse then transfers those deposits to a bank in Russia. Users are lured by ads on social media platforms such as Facebook, and they are tricked into providing personal information in exchange for alleged high-return investment opportunities via fake ChatGPT and WhatsApp bots. DNS Canonical Name (CNAME) records have been used to create a Traffic Distribution System (TDS) for the financial scam campaigns since August 2021, allowing the threat actors to avoid detection. A CNAME record maps a domain or subdomain to an alias (another name) instead of pointing directly to an IP address. The benefit of this arrangement is that, when the host IP address changes, only the DNS A record for the root domain has to be updated. The technique lets Savvy Seahorse register many short-lived subdomains that share a single CNAME record and IP address. These Domain Generation Algorithm (DGA)-created subdomains are associated with the primary campaign domain. The infrastructure is resistant to takedown because the domains and IP addresses change frequently: when their phishing sites are disrupted, the threat actors can simply create new domains or point the shared CNAME record at a different IP address.
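The CNAME mechanics described above, and the defender's pivot that follows from them, are illustrated by the following added example (written for this article, not code from Infoblox or any project the post cites). The zone data and passive-DNS observations are constructed, with hypothetical names and documentation-range IP addresses. The `resolve` function follows an alias chain the way a resolver would, showing that changing one A record moves every subdomain that aliases it; `cluster_by_cname` then does the reverse, grouping observed names by their shared CNAME target and flagging targets that collect many short-lived subdomains, which is how such a TDS becomes visible in DNS telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed zone data (hypothetical names, documentation-range IPs): many
# throwaway subdomains alias one canonical host, and only that host has an A record.
ZONE = {
    "a7f3k9.invest-example.test": ("CNAME", "edge.campaign-example.test"),
    "q2m8zx.invest-example.test": ("CNAME", "edge.campaign-example.test"),
    "p0lr4v.invest-example.test": ("CNAME", "edge.campaign-example.test"),
    "edge.campaign-example.test": ("A", "198.51.100.10"),
    "www.corp-example.test": ("CNAME", "lb.corp-example.test"),
    "lb.corp-example.test": ("A", "203.0.113.5"),
}


def resolve(name, zone, max_hops=8):
    """Follow CNAME aliases until an A record is reached.

    Returns the IP address, or None if the name is unknown, the chain loops,
    or it exceeds max_hops (real resolvers apply similar guards).
    """
    seen = set()
    for _ in range(max_hops):
        if name in seen or name not in zone:
            return None
        seen.add(name)
        rtype, value = zone[name]
        if rtype == "A":
            return value
        name = value  # CNAME: keep walking with the canonical name
    return None


# Constructed passive-DNS style observations (hypothetical):
# (first_seen, last_seen, queried name, CNAME target, resolved IP)
OBSERVATIONS = [
    ("2024-03-01T08:00", "2024-03-01T20:00", "a7f3k9.invest-example.test", "edge.campaign-example.test", "198.51.100.10"),
    ("2024-03-02T09:00", "2024-03-02T15:00", "q2m8zx.invest-example.test", "edge.campaign-example.test", "198.51.100.10"),
    ("2024-03-03T07:30", "2024-03-03T11:00", "p0lr4v.invest-example.test", "edge.campaign-example.test", "198.51.100.10"),
    ("2024-03-04T10:00", "2024-03-04T13:00", "x9ce2b.invest-example.test", "edge.campaign-example.test", "198.51.100.10"),
    ("2024-03-05T12:00", "2024-03-05T14:00", "t5hn7w.invest-example.test", "edge.campaign-example.test", "198.51.100.11"),
    ("2023-01-10T00:00", "2024-03-05T00:00", "www.corp-example.test", "lb.corp-example.test", "203.0.113.5"),
    ("2023-02-01T00:00", "2024-03-05T00:00", "mail.corp-example.test", "lb.corp-example.test", "203.0.113.5"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


def cluster_by_cname(observations, max_lifetime=timedelta(days=1)):
    """Group observed names by CNAME target; count how many lived only briefly."""
    clusters = defaultdict(lambda: {"subdomains": set(), "ips": set(), "short_lived": 0})
    for first_seen, last_seen, name, target, ip in observations:
        cluster = clusters[target]
        cluster["subdomains"].add(name)
        cluster["ips"].add(ip)
        if parse_ts(last_seen) - parse_ts(first_seen) <= max_lifetime:
            cluster["short_lived"] += 1
    return dict(clusters)


def flag_tds_candidates(clusters, min_short_lived=3):
    """CNAME targets fed by several short-lived aliases are worth analyst review."""
    return sorted(t for t, c in clusters.items() if c["short_lived"] >= min_short_lived)


if __name__ == "__main__":
    print("alias resolves to", resolve("a7f3k9.invest-example.test", ZONE))
    clusters = cluster_by_cname(OBSERVATIONS)
    for target in flag_tds_candidates(clusters):
        c = clusters[target]
        print(f"{target}: {len(c['subdomains'])} subdomains, {c['short_lived']} short-lived, IPs {sorted(c['ips'])}")
```

The lifetime threshold and the minimum count are tuning knobs: legitimate CDNs also fan many names into one CNAME, but those names tend to persist, so the short-lived count, not the raw subdomain count, is what separates the two clusters here.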

Researchers have highlighted a flaw in the design of a DNS feature that could disable large parts of the Internet. The Internet Engineering Task Force (IETF), an international standards organization, developed DNS Security Extensions (DNSSEC) to secure the DNS protocol by cryptographically verifying the source of DNS response data and ensuring its integrity. The feature authenticates responses to domain name lookups, and it aims to prevent attackers from manipulating or poisoning responses to DNS requests. The Internet Corporation for Assigned Names and Numbers (ICANN) calls for full deployment of DNSSEC across all unsecured domain names to prevent DNS hijacking, DNS cache poisoning, and other DNS attacks. ICANN adds that, while this will not solve the Internet's security problems, it does aim to assure that Internet users reach their desired online destination by helping to prevent Man-in-the-Middle (MITM) attacks, in which a user is unknowingly redirected to a potentially malicious site. However, a team of researchers at the Germany-based ATHENE National Research Center for Applied Cybersecurity disclosed a DNS-related vulnerability called "KeyTrap," a critical flaw in the design of DNSSEC. According to the researchers, the design flaw could enable malicious actors to cause Internet disruption with a single DNS packet that results in CPU resource exhaustion on the validating resolver. Over 31 percent of web clients had used DNSSEC-validating DNS resolvers as of December 2023. KeyTrap would lead to significant consequences for any application that uses the Internet, including the unavailability of technologies such as web browsing, email, and instant messaging. An attacker could completely disable large parts of the Internet using KeyTrap, prompting some DNS vendors to describe it as the most severe attack method ever discovered. The DNSSEC logic issues that enabled KeyTrap are fundamental in nature and are difficult to fix, with researchers noting that completely preventing KeyTrap attacks requires changing the "underlying design philosophy of DNSSEC."

Efforts must continue to be made to explore and improve DNS security. There are also best practices that should be used to prevent different types of DNS attacks. For example, to detect or counter DNS hijacking, it is important to monitor log files, implement Intrusion Detection or Prevention Systems (IDS or IPS), apply Next-Generation Firewall (NGFW) packet inspection, and tighten access controls. DNS tunneling can be detected and prevented by inspecting DNS traffic, restricting access to the DNS server, and tracking the IP address or domain to which DNS information is sent. When using logs to detect tunneling attacks, look for a large number of paired requests and responses involving complex or suspicious domains, as well as an unusually large number of requests. DNS is a critical component of the Internet infrastructure, but it is vulnerable to various attacks, and no single method can prevent all of them. Thus, it requires further exploration and implementation of different solutions or strategies.
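The log-based tunneling indicators just listed, together with the encoding behaviour described earlier in the article (Base16/Base64-style data packed into DNS labels), can be turned into a small detector. The following is an added example written for this article, not code from Unit 42 or any vendor tool. The query log lines are constructed, in an assumed `timestamp client qtype qname` format, with hypothetical domain names; the tunnel-like labels are 32-character hex strings. For each base domain the script counts queries, distinct names, average leftmost-label length, average label entropy, and the share of bulky record types (TXT/NULL), then flags domains that exceed all thresholds. Treating the last two labels as the base domain is a simplification; production code would use the Public Suffix List.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed DNS query log (hypothetical names and RFC 1918 client addresses).
# Assumed line format: "<timestamp> <client-ip> <qtype> <qname>".
QUERY_LOG = """\
2024-03-05T10:00:00 10.0.0.5 A www.corp-example.test
2024-03-05T10:00:01 10.0.0.5 A mail.corp-example.test
2024-03-05T10:00:02 10.0.0.7 A www.corp-example.test
2024-03-05T10:00:03 10.0.0.7 AAAA cdn.corp-example.test
2024-03-05T10:00:04 10.0.0.9 A www.corp-example.test
2024-03-05T10:00:05 10.0.0.12 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-example.test
2024-03-05T10:00:05 10.0.0.12 TXT 1f0e2d3c4b5a69788796a5b4c3d2e0f1.c2-example.test
2024-03-05T10:00:06 10.0.0.12 TXT 2f1e0d3c4b5a69788796a5b4c3d0e1f2.c2-example.test
2024-03-05T10:00:06 10.0.0.12 TXT 3f1e2d0c4b5a69788796a5b4c0d2e1f3.c2-example.test
2024-03-05T10:00:07 10.0.0.12 TXT 4f1e2d3c0b5a69788796a5b0c3d2e1f4.c2-example.test
2024-03-05T10:00:07 10.0.0.12 TXT 5f1e2d3c4b0a69788796a0b4c3d2e1f5.c2-example.test
2024-03-05T10:00:08 10.0.0.12 TXT 6f1e2d3c4b5a09788790a5b4c3d2e1f6.c2-example.test
2024-03-05T10:00:08 10.0.0.12 TXT 7f1e2d3c4b5a69088096a5b4c3d2e1f7.c2-example.test
"""

BULKY_TYPES = {"TXT", "NULL"}          # record types that carry the most payload
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")  # long lowercase-hex label (Base16-like)


def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        rows.append((ts, client, qtype.upper(), qname.rstrip(".").lower()))
    return rows


def base_domain(qname):
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile_domains(rows):
    """Per base domain: volume, name diversity, label shape and record-type mix."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "lens": [], "ents": [], "bulky": 0, "hexlike": 0})
    for _ts, _client, qtype, qname in rows:
        base = base_domain(qname)
        a = acc[base]
        a["queries"] += 1
        a["names"].add(qname)
        sub = qname[: -len(base)].rstrip(".")
        first = sub.split(".")[0] if sub else ""
        if first:
            a["lens"].append(len(first))
            a["ents"].append(shannon_entropy(first))
            a["hexlike"] += bool(HEX_LABEL.match(first))
        a["bulky"] += qtype in BULKY_TYPES
    summary = {}
    for base, a in acc.items():
        summary[base] = {
            "queries": a["queries"],
            "unique_names": len(a["names"]),
            "mean_label_len": sum(a["lens"]) / len(a["lens"]) if a["lens"] else 0.0,
            "mean_entropy": sum(a["ents"]) / len(a["ents"]) if a["ents"] else 0.0,
            "bulky_ratio": a["bulky"] / a["queries"],
            "hexlike": a["hexlike"],
        }
    return summary


def flag_tunneling(summary, min_queries=5, min_label_len=20, min_entropy=3.0, min_unique_ratio=0.8):
    """Flag domains with many distinct, long, high-entropy names (thresholds are tunable)."""
    flagged = []
    for base, s in summary.items():
        if (s["queries"] >= min_queries
                and s["unique_names"] / s["queries"] >= min_unique_ratio
                and s["mean_label_len"] >= min_label_len
                and s["mean_entropy"] >= min_entropy):
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    summary = profile_domains(parse_log(QUERY_LOG))
    for base in flag_tunneling(summary):
        print(f"suspicious: {base} {summary[base]}")
```

The thresholds are deliberately conservative; a real deployment would baseline them per environment and add a time-windowed query rate per client, since the "unusually large number of requests" signal is only meaningful relative to normal volume for that resolver.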


Submitted by Gregory Rigby on