DNS infrastructure remains an attractive target for cyber attackers, and some recent targeted attacks on DNS highlight the increasingly sophisticated techniques they use.
New dynamics of the attack
Attackers often target DNS via attacks such as tunneling, phishing, hijacking, cache poisoning, and DDoS. However, other attack methods have also been observed. Recently, an attack campaign was found using dynamic DNS services to scale up its operations.
- The DNS-based attack, dubbed Operation Spalax, targeted the Colombian government and private companies, especially those in the energy and metallurgical industries, via dynamic DNS services.
- The attackers used a pool of domain names that were dynamically assigned to IP addresses. As a result, one domain name can be associated with several IP addresses over a period of time, and vice versa.
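The many-to-many mapping between domain names and IP addresses described above is visible in resolver logs. The following is an added example, not part of the original article: a minimal Python check that flags domains resolving to many IPs and IPs serving many domains within a time window. The log format, the thresholds, and the sample records (example domains and documentation IP ranges) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log: "ISO-timestamp queried-name answer-IP"
SAMPLE_LOG = """\
2021-01-10T08:00:00 updates.ddns.example 203.0.113.10
2021-01-10T14:00:00 updates.ddns.example 198.51.100.7
2021-01-11T09:30:00 updates.ddns.example 192.0.2.44
2021-01-11T10:00:00 portal.ddns.example 192.0.2.44
2021-01-12T11:00:00 mail.ddns.example 192.0.2.44
2021-01-10T08:05:00 www.corp.example 192.0.2.80
2021-01-12T08:05:00 www.corp.example 192.0.2.80
"""

def parse(log):
    """Yield (timestamp, domain, ip) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1].lower().rstrip("."), parts[2]

def find_churn(log, window=timedelta(days=7), max_ips=2, max_domains=2):
    """Flag domains with > max_ips IPs and IPs with > max_domains domains
    among records inside the window that ends at the newest record."""
    records = list(parse(log))
    if not records:
        return {}, {}
    cutoff = max(ts for ts, _, _ in records) - window
    ips_by_domain, domains_by_ip = defaultdict(set), defaultdict(set)
    for ts, domain, ip in records:
        if ts >= cutoff:
            ips_by_domain[domain].add(ip)
            domains_by_ip[ip].add(domain)
    hot_domains = {d: sorted(i) for d, i in ips_by_domain.items() if len(i) > max_ips}
    hot_ips = {i: sorted(d) for i, d in domains_by_ip.items() if len(d) > max_domains}
    return hot_domains, hot_ips

if __name__ == "__main__":
    domains, ips = find_churn(SAMPLE_LOG)
    for d, i in domains.items():
        print(f"domain {d} resolved to {len(i)} IPs: {', '.join(i)}")
    for i, d in ips.items():
        print(f"IP {i} served {len(d)} domains: {', '.join(d)}")
```

Legitimate CDNs and load balancers also rotate addresses, so thresholds like these need tuning against a baseline of normal traffic before they are used for alerting.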
Recent DNS-based attacks
- The SAD DNS (Side channel AttackeD DNS) vulnerability has been observed reviving DNS cache poisoning in a different way. The vulnerability is tracked as CVE-2020-25705.
- DeathStalker, a hacker-for-hire group, has been found using an unknown malicious implant that uses DNS over HTTPS as a C2 channel. The implant was later named PowerPepper.
- In addition, an unnamed RAT was found masquerading as a DNS or SSH server daemon to evade detection and hinder analysis. The unnamed RAT was associated with Magecart.
- Voyager Digital LLC, a cryptocurrency brokerage platform, halted trading after suffering a cyberattack targeting its DNS configuration.
A recent survey found that DNS services suffered the most attacks in 2020, with 16% of respondents reporting DNS-service-based attacks on their telecom organization.
Experts suggest performing context-aware and real-time DNS traffic analysis for behavioral threat detection, keeping DNS resolvers private and protected, and regularly updating the operating system and software.