SANS Institute: DNS attacks gaining steam in 2019
At RSA Conference 2019, experts from the SANS Institute discuss the most dangerous attack techniques they've seen, including DNS manipulation and domain fronting.
When it comes to the most dangerous cyber threats of today, DNS attacks stand out as some of the worst.
At RSA Conference 2019, security experts from the SANS Institute delineated five of what they called the "most dangerous attack techniques" that are gaining steam in 2019 -- especially DNS attacks -- and outlined measures that cybersecurity professionals can deploy to shield themselves against such burgeoning attack techniques.
The SANS panelists said information sharing is essential to tackling cybersecurity challenges, including evolving attack techniques such as domain fronting and the exploitation of CPU flaws.
"The only way we can improve is by learning from others' mistakes," said Johannes Ullrich, dean of research at the SANS Institute. "If you make mistakes, share them, let everybody know about them and hope they don't make the same mistakes again, and they share their mistakes with you so you can actually learn from theirs."
DNS manipulation
A DNS attack type that has significantly impacted various organizations over the last several months is the manipulation of the domain name system (DNS) infrastructure associated with specific enterprises, SANS fellow Ed Skoudis said.
Attackers are using compromised credentials -- usernames and passwords -- to log in to DNS providers and name registrars and manipulate the DNS records held there, so that an enterprise's DNS points somewhere other than the organization's own infrastructure, Skoudis said.
"In fact, what they're doing is they're manipulating the mail exchanger record so that email destined for your organization is actually being redirected to the bad guys' mail servers, so they could intercept the email that way," he told RSAC attendees.
The attackers are also applying for TLS certificates from certificate authorities (CAs) that verify domain ownership simply by having the requester click a link emailed to an address at that domain, he said.
"The bad guys will apply for a certificate at a place like Comodo or Let's Encrypt ... the email goes from the CA to your enterprise, which of course is now flowing through the bad guy's mail server," he said. "They will click on the link saying 'yes, I own this domain' and then get a certificate issued."
Skoudis referenced the extensive DNS attacks waged against enterprises and government agencies recently in a campaign dubbed "DNSpionage," which was later attributed to Iranian threat actors. Stuart McKenzie, vice president of Mandiant consulting, EMEA, at FireEye, discussed the DNS attacks on a different RSA panel and said that while the campaign involved careful planning and several stages, altering DNS records to redirect traffic isn't all that challenging. McKenzie also said it's extremely hard to detect this type of DNS manipulation because "it happens so quickly."
"You could monitor for changes in your DNS record with threat monitoring, but even if you spotted that, it's going to take [the vendor] an hour to tell you and you've already had an hour's worth of traffic going through [the threat actor]."
An effective way to defend against DNS attacks, Skoudis said, is to require multifactor authentication, or at least two-factor authentication, for any change to an organization's DNS infrastructure. Operations personnel should also monitor the organization's public DNS records, and any digital certificates issued for its domains, for unexpected changes, he added.
He also advised them to deploy Domain Name System Security Extensions (DNSSEC), which strengthens authentication in DNS by using digital signatures based on public key cryptography.
"If you do deploy DNSSEC, remember that you need to have both signed DNS records as well as validation for those; if you deploy just half of this, you have not deployed DNSSEC," he said.
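The record monitoring Skoudis recommends can be automated by diffing the public DNS against a baseline the organization keeps, so that a redirected MX or NS record raises an alert. This is an added example, not SANS or RSAC material; the BASELINE values are constructed, and `dig_resolver` assumes the `dig` CLI is installed.

```python
"""Detect manipulation of public DNS records by diffing them against a baseline.
Added example; BASELINE values and the tampered resolver used in testing are constructed."""
import subprocess
from typing import Callable, Dict, List, Set, Tuple

# Constructed baseline: the record sets the organization knows it published.
BASELINE: Dict[Tuple[str, str], Set[str]] = {
    ("example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "NS"): {"ns1.example.com.", "ns2.example.com."},
    ("mail.example.com", "A"): {"192.0.2.10"},
}

# MX and NS changes redirect mail or delegate the whole zone, so they are rated critical.
CRITICAL_TYPES = {"MX", "NS"}

Resolver = Callable[[str, str], Set[str]]


def dig_resolver(name: str, rtype: str) -> Set[str]:
    """Query live DNS with `dig +short` (assumes dig is installed); one rdata string per set member."""
    proc = subprocess.run(["dig", "+short", rtype, name], capture_output=True, text=True, timeout=10)
    return {line.strip() for line in proc.stdout.splitlines() if line.strip()}


def check_records(baseline: Dict[Tuple[str, str], Set[str]], resolve: Resolver) -> List[dict]:
    """Compare each baseline record set with what the resolver returns now.

    Returns one finding per drifted set: which rdata appeared, which vanished, and a severity.
    """
    findings = []
    for (name, rtype), expected in baseline.items():
        observed = resolve(name, rtype)
        added, removed = observed - expected, expected - observed
        if added or removed:
            findings.append({
                "name": name, "type": rtype,
                "added": sorted(added), "removed": sorted(removed),
                "severity": "critical" if rtype in CRITICAL_TYPES else "warning",
            })
    return findings


if __name__ == "__main__":
    # Run against the live DNS; an empty result means every record set still matches the baseline.
    for f in check_records(BASELINE, dig_resolver):
        print(f"[{f['severity']}] {f['name']} {f['type']} added={f['added']} removed={f['removed']}")
```

Run it from a scheduled job with a resolver pointed at a resolver the registrar does not control, so the check is not fooled by the same redirection it is meant to catch.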
Domain fronting
Domain fronting is a technique used by attackers to obscure where the attacker is located, where the command and control is coming from, and where the bad guy is exfiltrating data to, Skoudis said. It abuses the way content delivery networks (CDNs) and cloud service providers redirect traffic.
"The way this starts is the compromised machine with the malware on it will send a DNS request for some trusted website, a trusted website that is hosted on a CDN where the attacker is also a customer -- the attacker sets up some accounts on that specific CDN," he explained. "Then the malware will issue an HTTP 1.1 request with a host header asking for something other than that trusted site -- it's actually asking for the attacker site, but it's inside the TLS connection, so the network defenders can't see what's inside there, it's all encrypted."
The CDN's front end routes the request to the CDN-hosted instance the attacker controls, which in turn forwards it to the attacker's origin server, he explained.
Domain fronting has shown attackers that they can host things on cloud services and still undermine many organizations, he said. Attackers are taking advantage of the fact that organizations using cloud-based services will often trust their cloud provider as though it was part of their own infrastructure, he added.
Enterprise TLS interception is an effective way to defend against such attacks, he said. A free tool called Real Intelligence Threat Analytics can also help detect domain fronting malware and other malicious beacon activity on the network, he said.
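Once TLS interception exposes the HTTP Host header, the tell-tale of the technique Skoudis describes is a request whose Host header names a different site than the TLS SNI the client connected to. The detection below is an added example, not part of the original article or of the RITA tool; the proxy log format and the log lines are constructed, and the registrable-domain heuristic is deliberately crude.

```python
"""Flag domain fronting candidates in TLS-inspection proxy logs: requests whose HTTP Host header
does not match the TLS SNI. Added example; the log format and SAMPLE_LOG lines are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample: timestamp, client IP, TLS SNI, HTTP Host header, URL path.
SAMPLE_LOG = """\
2019-03-05T10:00:01Z 10.1.2.3 www.trusted-cdn-site.example www.trusted-cdn-site.example /index.html
2019-03-05T10:00:31Z 10.1.2.3 www.trusted-cdn-site.example c2-frontend.attacker.example /beacon
2019-03-05T10:01:01Z 10.1.2.3 www.trusted-cdn-site.example c2-frontend.attacker.example /beacon
2019-03-05T10:01:05Z 10.1.2.9 static.example.net cdn.example.net /lib.js
2019-03-05T10:01:09Z 10.1.2.9 www.example.net www.example.net /
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def registrable(host: str) -> str:
    """Crude registrable-domain heuristic (last two labels); production code should use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line into a record, or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, sni, host, path = m.groups()
    return {"ts": ts, "client": client, "sni": sni, "host": host, "path": path}


def find_fronting(log_text: str) -> List[Dict[str, str]]:
    """Return records where the Host header points outside the SNI's registrable domain.

    Same-domain differences (a site pulling assets from its own CDN hostname) are ignored.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["sni"].lower() != rec["host"].lower() and registrable(rec["sni"]) != registrable(rec["host"]):
            hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Counter:
    """Count mismatches per (client, SNI, Host) so a repeating beacon rises to the top."""
    return Counter((h["client"], h["sni"], h["host"]) for h in hits)
```

A mismatch alone is not proof of compromise, since some CDN customers legitimately front unrelated hostnames, so use the per-client counts and the request cadence to prioritize triage.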
Capturing DNS traffic
While monitoring DNS logs gives cyber defenders the ability to see what is happening on their network, including attack traffic, Ullrich said, threat actors are also attacking DNS to collect the same kind of traffic data.
"From a privacy point of view, the real dangerous connection is the one between you and your recursive name server because if the bad guy is able to actually intercept that traffic they learn a lot about your traffic, what you're doing and what website you're going to," he said.
One way to solve this is to encrypt the DNS traffic with DNS over HTTPS, but then a defender doing network monitoring loses one of the most important tools they have to spot "evil stuff" on their network, he added.
CPU flaws
Ullrich reminded RSAC attendees that computer systems are not just a single CPU, but consist of other chips that have processing power, memory and code running on them.
"If an attacker got hold of one of your servers ... they can actually use these systems against you," Ullrich said.
An example of this is attackers using baseboard management controllers (BMCs) to gain more persistent access to a system, he said.
"Last time you rented a server out in the cloud, did you check if the BMC was actually still in its original state or if someone actually modified it -- a prior user of that system," Ullrich said.
BMCs are often used to reboot systems and should be connected to a management network, he said. An attacker that controls that BMC now has access to that management network, he added.
Organizations have to keep in mind that the management networks they set up are not air-gapped, he said, and that passive network monitoring is needed for these management networks.
"We have to apply the same kind of network monitoring that we use on our external facing networks to these management networks," he said. "Don't just rely on logging built into these BMCs because that's what the attacker may have access to and that's what may be compromised."
Targeted cloud individualized attacks
Heather Mahalik, director of forensics engineering at ManTech and mobile forensics course director at SANS Institute, took a step back from detailing enterprise-level attack techniques like DNS attacks and briefed RSAC attendees about personalized attacks on individuals.
It is very easy for attackers today to gather information about any individual, Mahalik said.
"They are going to know not only where you are, but where you may intend to go because it's tracked in the cloud," she said. "Once they infiltrate one cloud, they can just keep hopping to your other information."
These attacks can happen anywhere; common entry points include Android malware that prompts users to enter their email address and password, and malware that abuses Apple's FairPlay DRM to attack iOS users.
Another problem, Mahalik highlighted, is users sharing too much information online, including personal details like birthdates and names of their pets.
"All of this stuff can be used against you," she said.
Users should reconsider using applications and cloud services that don't offer two-factor authentication, she said. She urged users to do frequent security checks, including reviewing their cloud settings and checking what third-party apps have access to their information.
"Consider what you give permission to and set really strong passwords," she said. "If you're not capable of doing that, use a password manager that will do it for you and then make sure that password is really secure."