DNS Tunneling Abuse Expands to Tracking & Scanning Victims

May 14, 2024 at 10:07AM

Attackers are exploiting DNS tunneling to track victims’ network activity and infrastructure vulnerabilities. This advanced technique enables them to hide malicious data within legitimate outbound DNS traffic, evading traditional detection methods. Researchers have identified campaigns using DNS tunneling for tracking user behavior and network scanning, urging organizations to control resolver services and update resolver software to prevent exploitation.

Concern is growing about attackers using DNS tunneling for malicious purposes. The technique has been observed being used to track victims’ online behavior and to scan network infrastructure, which poses a threat to organizations.

The attackers are utilizing DNS tunneling to hide their malicious activities by bypassing traditional network firewalls and exfiltrating data. The Unit 42 researchers highlighted specific attacks where DNS tunneling was used to track victim behavior by using subdomains in DNS traffic. Another novel use of DNS tunneling was observed in the form of scanning a victim’s network infrastructure for vulnerabilities, followed by performing reflection attacks.
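As a defender's view of the subdomain-based tracking described above, the following added example (not from the article or from Unit 42) groups resolver log entries by parent domain and flags domains that receive many unique, long, high-entropy subdomains. The thresholds, the two-label parent-domain rule, and the sample log with its `tracker.test` placeholder domain are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname):
    # Assumption: the registered domain is the last two labels. Production
    # code should consult the Public Suffix List (e.g. for co.uk names).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def suspicious_domains(queries, min_unique=5, min_entropy=3.0, min_len=16):
    """Flag parent domains whose subdomains look like encoded payloads.

    queries: iterable of (client_ip, qname). All thresholds are illustrative.
    """
    subs, clients = defaultdict(set), defaultdict(set)
    for client, qname in queries:
        parent, sub = split_name(qname)
        if sub:
            subs[parent].add(sub)
            clients[parent].add(client)
    flagged = {}
    for parent, names in subs.items():
        mean_h = sum(entropy(s) for s in names) / len(names)
        mean_len = sum(len(s) for s in names) / len(names)
        if len(names) >= min_unique and mean_h >= min_entropy and mean_len >= min_len:
            flagged[parent] = {"unique": len(names), "clients": len(clients[parent]),
                               "entropy": round(mean_h, 2), "mean_len": round(mean_len, 1)}
    return flagged

# Constructed sample log: ordinary lookups plus six queries whose leftmost
# label is a 32-character hex-like string under a placeholder domain.
_BLOB = "a1b2c3d4e5f60718293a4b5c6d7e8f90"
SAMPLE = [("10.0.0.5", f"{h}.example.com") for h in
          ("www", "mail", "cdn", "api", "img", "static")]
SAMPLE += [("10.0.0.9", f"{_BLOB[i:] + _BLOB[:i]}.tracker.test") for i in range(6)]

if __name__ == "__main__":
    for domain, stats in suspicious_domains(SAMPLE).items():
        print(domain, stats)
```

Requiring count, entropy and length together keeps ordinary domains with many short hostnames from being flagged; the thresholds should be tuned against a baseline of the resolver's own traffic.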

To mitigate these malicious DNS behaviors, Unit 42 recommended that organizations control the service range of resolvers and promptly update resolver software to prevent the exploitation of vulnerabilities. It was also emphasized that preventing attackers from gaining an initial foothold is crucial in preventing these attacks.

In addition, it was advised that about 90% of attacks, regardless of the technique used, can be mitigated by preventing socially engineered phishing and other attacks from being successful, and by patching vulnerable software and firmware.
