May 13, 2024 at 01:56PM
Threat actors use DNS tunneling to track targets’ interactions with phishing emails, scan networks for vulnerabilities, and bypass firewalls. They encode data in DNS queries using algorithms like Base16 or Base64. “TrkCdn” and “SecShow” campaigns demonstrate how attackers track victims and scan networks using DNS tunneling. Unit 42 recommends DNS monitoring and limiting DNS resolvers.
Key takeaways from the report:
1. Threat actors use DNS tunneling to track when targets open phishing emails or click malicious links, to scan networks for vulnerabilities, and to send and retrieve data or commands via DNS queries.
2. They encode the data using various methods like Base16 or Base64 and deploy DNS tunneling for command and control (C2) and Virtual Private Network (VPN) operations.
3. Two specific campaigns using DNS tunneling were identified: TrkCdn, which tracks victim interactions with phishing email content, and SecShow, which scans network infrastructures for potential vulnerabilities.
4. To address these threats, Unit 42 recommends implementing DNS monitoring and analysis tools to detect unusual traffic patterns and limiting DNS resolvers in the network to handle only necessary queries.
Overall, the use of DNS tunneling for malicious purposes presents a significant security concern, and it is crucial for organizations to take proactive steps to safeguard their networks against such threats.
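The two monitoring indicators the summary points to, data encoded into query labels (Base16 here) and an unusual volume of distinct subdomains under one zone, can be checked directly against resolver logs. The script below is an added illustration, not code from Unit 42 or from the page: it parses constructed log lines in an assumed `timestamp client qname qtype` format, computes per-zone statistics (distinct subdomains, label length, Shannon entropy, fraction of hex-only labels) and flags zones that cross assumed thresholds. The "last two labels are the zone" split and the threshold values are simplifying assumptions; a production detector would use a public-suffix list and tune thresholds against baseline traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log, not from the report. Format (assumed):
# "<timestamp> <client_ip> <qname> <qtype>". The tracker.invalid labels are
# hex-encoded payloads of the kind Base16 DNS tunneling produces.
SAMPLE_LOG = """\
2024-05-13T13:01:02 10.0.0.5 www.example.com A
2024-05-13T13:01:03 10.0.0.5 mail.example.com MX
2024-05-13T13:01:05 10.0.0.7 4e6f7468696e6720746f2073656520686572.tracker.invalid A
2024-05-13T13:01:06 10.0.0.7 7468697320697320612074657374206f6620.tracker.invalid A
2024-05-13T13:01:07 10.0.0.7 646e732074756e6e656c696e67206c6f6773.tracker.invalid A
2024-05-13T13:01:08 10.0.0.7 61206c6f6e67206c6162656c2077697468.tracker.invalid A
2024-05-13T13:01:09 10.0.0.9 cdn.example.net AAAA
2024-05-13T13:01:10 10.0.0.9 static.example.net A
"""

HEX_RE = re.compile(r"^[0-9a-f]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain labels, zone). Assumption: the zone is the last two
    labels; real deployments should consult a public-suffix list instead."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def is_hex_label(label: str, min_len: int = 16) -> bool:
    """True when a label is long and consists only of hex digits (Base16-like)."""
    return len(label) >= min_len and HEX_RE.match(label) is not None


def parse_log(text: str):
    """Parse the assumed four-column log format, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append(tuple(parts))
    return records


def analyze(log_text: str, min_distinct: int = 3,
            entropy_threshold: float = 3.0, max_label: int = 30):
    """Aggregate per zone and flag zones showing tunneling-style indicators.
    Thresholds are assumptions for illustration, not values from the report."""
    per_zone = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                    "entropies": [], "hex": 0, "longest": 0,
                                    "clients": set()})
    for _ts, client, qname, _qtype in parse_log(log_text):
        subs, zone = split_qname(qname)
        stats = per_zone[zone]
        stats["queries"] += 1
        stats["clients"].add(client)
        if not subs:
            continue
        first = subs[0]  # the leftmost label carries the encoded data in tunneling
        stats["subdomains"].add(".".join(subs))
        stats["entropies"].append(shannon_entropy(first))
        stats["longest"] = max(stats["longest"], len(first))
        if is_hex_label(first):
            stats["hex"] += 1

    zones, flagged = {}, []
    for zone, s in per_zone.items():
        n = len(s["entropies"])
        mean_entropy = sum(s["entropies"]) / n if n else 0.0
        hex_fraction = s["hex"] / n if n else 0.0
        distinct = len(s["subdomains"])
        # Many distinct subdomains plus at least one encoding indicator.
        suspicious = distinct >= min_distinct and (
            mean_entropy >= entropy_threshold
            or hex_fraction >= 0.8
            or s["longest"] >= max_label)
        zones[zone] = {"queries": s["queries"], "distinct_subdomains": distinct,
                       "clients": len(s["clients"]), "mean_entropy": round(mean_entropy, 2),
                       "hex_fraction": round(hex_fraction, 2), "longest_label": s["longest"],
                       "suspicious": suspicious}
        if suspicious:
            flagged.append(zone)
    return {"zones": zones, "flagged": sorted(flagged)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for zone, stats in result["zones"].items():
        print(zone, stats)
    print("flagged:", result["flagged"])
```

Run against the constructed sample, `tracker.invalid` is flagged (four distinct hex labels of 34 to 36 characters from one client) while `example.com` and `example.net` are not. Distinct-subdomain counting is what separates a tracking or tunneling zone from a legitimate zone that merely has a few long labels, so the count threshold should be kept even when the encoding checks are tightened.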