Palo Alto Networks Advanced DNS Security Enhances Protection Against DNS Tunneling APT Attribution


Palo Alto Networks Advanced DNS Security introduces a new detection for DNS Tunneling APT attribution. This detection is part of the Command-and-Control (C2) Domains category.


What is DNS Tunneling APT Attribution and Why Does it Matter?


Cybercriminals often leverage techniques like DNS Tunneling to abuse the DNS protocol, delivering malware or exfiltrating sensitive data through a client-server model. Attackers manipulate DNS requests and responses using various techniques so that a compromised host can communicate with a DNS nameserver they control. With the new DNS Tunneling APT attribution detection, customers can defend themselves against DNS Tunneling simply by enabling the C2 category with its action set to sinkhole under a Palo Alto Networks Advanced DNS Security or DNS Security subscription.


Given the various ways an attacker uses DNS Tunneling, it's crucial to understand its severity, especially in the context of Advanced Persistent Threats (APTs). An APT is a type of cyberattack in which an unauthorized user gains access to a network and remains undetected for an extended period. The proactive capabilities of the new DNS Tunneling APT attribution feature allow organizations to identify new and existing attack campaigns used within their environment, prioritize their responses, and enhance their overall defenses. Users can view the context of the tunneling tools used, why the traffic was blocked or sinkholed, and its APT attribution in the threat log details. By analyzing threat campaigns associated with DNS Tunneling, Advanced DNS Security gives customers real-time insight into how many users are connecting to such domains and IPs, enabling rapid and effective incident response. This makes it easier to identify and isolate affected users with confidence, a critical step in remediation.


Case Study: TrkCdn DNS Tunneling Campaign


The Palo Alto Networks Unit 42 threat research team discovered the TrkCdn DNS tunneling campaign, which is designed to track a victim's interaction with the campaign's email content. The attackers used several subdomains and 75 IP addresses for nameservers, resolving 658 attacker-controlled domains and targeting at least 731 potential victims to exfiltrate their email tracking activity.


Reference: https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/


How Does a Detection Engine with ML Models Help Identify, Detect and Prevent Attacks Due to DNS Tunneling APT Attribution?


It’s well established that attackers abuse DNS for C2 operations, which gives them stealthy and resilient communication channels for malicious activities such as data exfiltration and infiltration. Well-known campaigns such as DarkHydrus, OilRig, xHunt, SUNBURST, and Decoy Dog often leverage the DNS tunneling technique for C2. Attackers can also use DNS Tunneling to track user activity and to scan for open, vulnerable resolvers.


Using DNS tunneling for tracking, attackers can follow victims' interactions with spam, phishing, ad content, and similar material by encoding the user's email address or other identifying information in the subdomain fields of an attacker-controlled domain. Using DNS tunneling for scanning, attackers can quickly scan network infrastructure by encoding a spoofed source IP address or the current timestamp in the subdomain fields. They then discover open resolvers by analyzing and correlating the DNS logs from their authoritative nameserver, which lets them exploit resolver vulnerabilities and perform DNS-based attacks.


Palo Alto Networks' new DNS Tunneling APT Attribution detection tracks and identifies all types of DNS tunneling behavior, including the associated campaign details, context, tools, and other techniques used by attackers. For tracking, for example, we discovered that attackers use the same encoding methods for subdomains and a single IP address for both domain hosting and the nameserver within each campaign. Similarly, for scanning, we identified campaigns with matching attributes: the same encoding methods for the various identities added as subdomains pointing to the same malicious domain, and a single IP address serving as both domain host and nameserver. By mapping these attack patterns, we can effectively identify and block emerging attack campaigns. This approach also allows us to enrich our threat logs with details about the campaign, tunneling tools, and techniques used by attackers. In summary, the new DNS Tunneling APT Attribution detection gives users clear visibility into attack campaigns targeting their organization, allowing them to confidently block and sinkhole malicious DNS traffic. For detailed information on attackers' techniques, see the blog post Leveraging DNS Tunneling for Tracking and Scanning.
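As an added illustration (not Palo Alto Networks' detection code), the Python below applies the two campaign attributes described in the previous paragraphs, a uniform encoding in the leftmost subdomain label across all queries and a single IP acting as both the domain's host and its nameserver, to constructed resolver log records; the log format, regexes and `min_unique` threshold are assumptions, and the hex decoding recovers the tracked identity so affected users can be isolated, the remediation step the page highlights.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample resolver log records (not real data). Each record is:
# (queried FQDN, IP the base domain's A record resolves to, IP of its authoritative NS).
# The first three queries carry hex-encoded e-mail addresses in the leftmost label,
# the tracking pattern described above; the last two are benign CDN lookups.
SAMPLE_LOGS: List[Tuple[str, str, str]] = [
    ("4a6f686e406578616d706c652e636f6d.trk.example-tracker.test", "198.51.100.7", "198.51.100.7"),
    ("616c69636540636f72702e6f7267.trk.example-tracker.test", "198.51.100.7", "198.51.100.7"),
    ("626f6240636f72702e6f7267.trk.example-tracker.test", "198.51.100.7", "198.51.100.7"),
    ("www.legit-cdn.test", "203.0.113.10", "203.0.113.53"),
    ("img.legit-cdn.test", "203.0.113.10", "203.0.113.53"),
]

HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2}){8,}$")  # even-length lowercase hex, 16+ chars
BASE32_LABEL = re.compile(r"^[a-z2-7]{16,}$")     # RFC 4648 base32 alphabet, lowercased

def label_encoding(label: str) -> Optional[str]:
    """Classify the encoding of one DNS label; None if it looks like an ordinary hostname."""
    if HEX_LABEL.match(label):
        return "hex"
    if BASE32_LABEL.match(label):
        return "base32"
    return None

def base_domain(fqdn: str, depth: int = 2) -> str:
    """Registrable-domain approximation (assumes 1-label TLDs; real code would use a PSL)."""
    return ".".join(fqdn.split(".")[-depth:])

def find_tracking_candidates(records, min_unique: int = 3) -> Dict[str, dict]:
    """Flag base domains whose queries all share one encoding scheme in the leftmost label
    and whose A-record IP equals their nameserver IP (the campaign attributes listed above)."""
    per_domain = defaultdict(lambda: {"encs": set(), "encoded": 0, "fqdns": set(),
                                      "a_ips": set(), "ns_ips": set(), "ids": []})
    for fqdn, a_ip, ns_ip in records:
        s = per_domain[base_domain(fqdn)]
        s["fqdns"].add(fqdn); s["a_ips"].add(a_ip); s["ns_ips"].add(ns_ip)
        enc = label_encoding(fqdn.split(".")[0])
        if enc:
            s["encs"].add(enc); s["encoded"] += 1
            if enc == "hex":  # recover the tracked identity so the affected user can be found
                s["ids"].append(bytes.fromhex(fqdn.split(".")[0]).decode("ascii", "replace"))
    findings = {}
    for dom, s in per_domain.items():
        uniform = len(s["encs"]) == 1 and s["encoded"] == len(s["fqdns"])
        shared_ip = len(s["a_ips"]) == 1 and s["a_ips"] == s["ns_ips"]
        if uniform and shared_ip and len(s["fqdns"]) >= min_unique:
            findings[dom] = {"encoding": next(iter(s["encs"])), "shared_ip": next(iter(s["a_ips"])),
                             "unique_queries": len(s["fqdns"]), "tracked_ids": sorted(s["ids"])}
    return findings
```

Running `find_tracking_candidates(SAMPLE_LOGS)` flags only `example-tracker.test`, with the three decoded addresses listed as tracked identities, while the benign CDN domain passes.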


When Will the DNS Tunneling APT Attribution Detection Be Available in DNS Security?


The DNS Tunneling APT Attribution detection is added under the DNS Command-and-Control category, which is part of the PAN-OS 10.0 release. Customers with PAN-OS 10.0 or later can therefore benefit from these new detection insights. No configuration changes or other actions are required unless customers want to change the default action of the Command-and-Control (C2) Domains category.


Below are snippets showing how DNS Tunneling APT Attribution detection entries appear in the firewall's threat log:


[Fig 1 to Fig 4: screenshots of DNS Tunneling APT Attribution entries in the firewall threat log]
