Bypassing security products via DNS data exfiltration

Introduction 

Criminals use a range of strategies to compromise computer networks, infrastructures and organizations. Cyber incidents have increased in number and complexity, moving from the exploitation of public vulnerabilities toward the use of advanced tactics, techniques and procedures (TTPs).

Data-encrypting malware, such as ransomware, is a good way to introduce the subject of this article. Criminals have used ransomware for a very long time; however, their strategy has changed over the past few years.

Initially, ransomware locked users out of their devices or blocked access to files until a sum of money was paid. Now the paradigm has changed: criminals also exfiltrate sensitive data from the victims and publish it on dark web forums when the ransom is not paid. Ragnar_Locker, for instance, is a piece of ransomware operating in this manner.

Conditions such as well-segmented networks, security products or even the blocking of outgoing TCP traffic make data exfiltration and malware communications from internal networks or devices a real challenge. DNS protocol abuse can be performed in specific scenarios where no outgoing TCP communication is possible. For example, when an internal device is compromised by malware in the presence of network security products, the communication with the C2 server can easily be detected while it operates. Among other channels, the DNS protocol is often used by criminals to bypass firewall rules.

DNS protocol

The DNS protocol is a stateless protocol, as described in RFC 1035. It works over TCP/UDP port 53 by default and is used only to exchange specific data. In particular, DNS allows communication between internal networks and the Internet and translates between IP addresses and hostnames for user convenience.

The dig tool, for instance, can be used in a user-friendly way to improve the (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Pedro Tavares. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/Uw1FoAIuA2U/