DNS (Domain Name System) is a protocol that exists in almost all networks. It works like “yellow pages”, translating user-friendly domain names into IP addresses, which are used by computers to communicate with each other.
According to various studies, more than 80% of malware uses DNS to communicate with command and control (C&C) servers, exfiltrate data or redirect traffic to malicious sites. The danger is often hidden in innocent-looking apps, documents and websites, invisible to firewalls and other security solutions.
DNS is extremely difficult to lock down because it was designed as an open protocol. This is why it is often used by less advanced cybercriminals, who look for an always-on and frequently overlooked protocol that they can use for C&C communication and for compromising hosts.
SolarWinds – an example of a network attack with DNS
The SolarWinds attack shows how a sophisticated cyberattack can travel through the supply chain undetected for at least eight months, and how most organizations are unfortunately unprepared to prevent and detect such threats.
SolarWinds is an American company that develops software that helps companies manage their networks, systems and IT infrastructure. Among the company’s products is the SolarWinds Orion Platform – an infrastructure monitoring and management platform used by thousands of public and private customers. Attackers broke into SolarWinds and inserted weaponized Trojan code into the SolarWinds Orion update package. This package was distributed to 18,000 customers, and because it was digitally signed by SolarWinds, it was approved and deployed to their internal networks, bypassing default EDR and anti-virus systems. Once installed, the malicious code opened backdoors that communicated with third-party servers, giving the attackers remote access to emails, confidential documents and other sensitive information.
“Eighteen thousand customers was our best estimate of who might have downloaded the code between March and June 2020,” noted Sudhakar Ramakrishna, President and CEO of SolarWinds. “If you then take 18,000 and start scrolling through them, the actual number of customers affected is much lower.”
The malicious code – dubbed SUNBURST – was written for maximum stealth: for example, the first communication with the C&C server took place two weeks after the backdoor was installed. A notable technique was used to identify promising victims: the backdoor’s data was sent to the C&C server as part of a DNS query. If the organization was of interest, a response arrived directing the backdoor to a second C&C server, and data was stolen through interaction with that server. Most likely, out of 18,000 possible victims, dozens of companies were actually affected.
DNS and IoT health devices
In recent years, the pace of digitization in the healthcare sector has increased significantly. Devices and applications in hospitals are increasingly connected, while patient data is recorded and distributed in new and innovative ways. COVID-19 has definitely accelerated these trends, as demand in the telehealth market is at an all-time high.
Although the rapid digital transformation in hospitals and other medical institutions brings extraordinary benefits, the growing use of IoT devices – from wireless heart rate monitoring armbands to magnetic resonance imaging (MRI) devices connected to hospital networks – also comes with trade-offs. A major drawback is that digital products and services provide an entry point for attackers, with DNS often used as the attack vector.
According to the Global DNS Threat Report 2021, the average cost per DNS attack targeting healthcare rose to $862,630. Additionally, healthcare organizations each experienced an average of 6.71 DNS attacks over a 12-month period, and it took an average of 6.28 hours to mitigate each one, which is above the average for the industry as a whole.
“Without going overboard, a medical company with over 1,500 employees and 145,000 patients a year was recently hit by a cyber attack exploiting vulnerabilities in DNS. We have detected malicious traffic passing through an X-ray machine,” comments Leonard Antichi, CTO at Sababa Security.
How to protect your business?
Because it is so often overlooked and underestimated, DNS is the perfect choice for adversaries. For this reason, it is essential to use a DNS security solution capable of inspecting outbound DNS traffic, checking domain reputation and blocking malicious domains.
Another option is network detection and response (NDR), which examines multiple security processes on the corporate network and spots malicious patterns associated with DNS traffic.
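The first-stage behaviour described in the SolarWinds section (backdoor data carried inside DNS query names) is exactly what the outbound DNS inspection recommended here has to catch. The following is an added example, not code from the original article or from any vendor's product: two detection heuristics run over a constructed query log, where every host, domain name and threshold is an illustrative assumption.

```python
import math
from collections import Counter, defaultdict

# Constructed outbound DNS query log as (client_ip, queried_name); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.5.21", "www.example.com"),
    ("10.0.5.21", "mail.example.com"),
    ("10.0.5.21", "cdn.example.net"),
    ("10.0.5.21", "aaaaaaaaaaaaaaaaaaaaaaaa.example.org"),  # long but low-entropy label
    # One host issuing many unique, high-entropy subdomains under one parent: the shape
    # of data carried inside query names, as in the SUNBURST first-stage beacon above.
    ("10.0.7.44", "6a8f0c3e1b9d4e2f7a1c.telemetry.sync.invalid"),
    ("10.0.7.44", "0d4b9e2a7c1f5e8b3a6d.telemetry.sync.invalid"),
    ("10.0.7.44", "f17c2e9a4b0d6c3e8f5a.telemetry.sync.invalid"),
    ("10.0.7.44", "3e9b1d7f2a5c8e0b4d6f.telemetry.sync.invalid"),
    ("10.0.7.44", "8c2f6a1e9d3b7f0c5e4a.telemetry.sync.invalid"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded or encrypted data scores high, hostnames score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname: str) -> str:
    # Simplification: the last two labels. A deployment should use the Public Suffix List.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def analyze(queries, entropy_threshold=3.5, min_label_len=16, unique_threshold=5):
    """Return (client, registered domain) groups that look like data carried in query names."""
    subdomains = defaultdict(set)
    for client, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) > 2:
            subdomains[(client, registered_domain(qname))].add(".".join(labels[:-2]))
    findings = {}
    for key, subs in subdomains.items():
        reasons = []
        # Heuristic 1: a long, high-entropy label looks like an encoded payload, not a hostname.
        longest = max((label for sub in subs for label in sub.split(".")), key=len)
        if len(longest) >= min_label_len and shannon_entropy(longest) > entropy_threshold:
            reasons.append("high-entropy label")
        # Heuristic 2: many distinct names under one parent looks like beaconing or exfiltration.
        if len(subs) >= unique_threshold:
            reasons.append(f"{len(subs)} unique subdomains")
        if reasons:
            findings[key] = reasons
    return findings
```

On the constructed log only the 10.0.7.44 group is reported, with both heuristics firing; the thresholds are starting points that need tuning against a baseline of the network's own legitimate DNS traffic.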