Understanding DNS Tunneling Traffic in the Wild
Palo Alto Unit 42 researchers present a study on why and how domain name system (DNS) tunneling techniques are used in the wild. Motivated by their findings, they present a system to automatically attribute tunneling domains to tools and campaigns. Attackers adopt DNS tunneling techniques to bypass security policies in enterprise networks because most enterprises implement relatively permissive policies for DNS traffic.

Previous research has shown that malware campaigns such as SUNBURST and OilRig use DNS tunneling for command and control (C2). However, many aspects of how attackers use DNS tunneling in the wild remain unknown. For example, do they use DNS tunneling techniques exclusively for C2? How do they implement and host these techniques? Can we further analyze and provide actionable insights on DNS tunneling traffic?
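One of the "actionable insights" the study asks about is simply profiling query names per registrable domain: tunneling tools must encode data in subdomain labels, so a domain that receives many distinct, long, high-entropy subdomains stands out from ordinary lookups. The following is an added illustration, not code from Unit 42 or the study; the log format, the `tun-example.test` zone and the thresholds are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample query log: timestamp, client, query name, record type.
# The 32-character hex labels under tun-example.test imitate encoded tunnel
# data; the rest are ordinary lookups. None of these are real indicators.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03 10.0.0.7 3a9f1c77e2b4d0a81f6c5e9b2d7a4c3e.tun-example.test TXT
2024-01-01T10:00:04 10.0.0.7 7d2e4b9c0a1f5e8d3c6b7a2f9e1d4c5b.tun-example.test TXT
2024-01-01T10:00:05 10.0.0.7 c1f8e3a2b5d7c9e0f4a6b8d1e3c5a7f9.tun-example.test TXT
2024-01-01T10:00:06 10.0.0.7 9e0d3c2b1a8f7e6d5c4b3a2f1e0d9c8b.tun-example.test TXT
2024-01-01T10:00:07 10.0.0.9 cdn.example.com A
2024-01-01T10:00:08 10.0.0.9 www.example.com A
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score far above words like 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Naive split into (zone = last two labels, subdomain = the rest).
    A real deployment would use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def profile_domains(log_text):
    """Aggregate per-zone query count, distinct subdomains, label length, entropy."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0, "ent": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # skip malformed lines
        zone, sub = split_name(parts[2])
        s = stats[zone]
        s["queries"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub)
    return stats

def flag_tunneling(log_text, min_queries=3, min_len=20, min_entropy=3.0, min_unique=0.8):
    """Return zones whose subdomains look like encoded data rather than hostnames."""
    flagged = {}
    for zone, s in profile_domains(log_text).items():
        n = s["queries"]
        if n < min_queries:
            continue                      # too little traffic to judge
        avg_len, avg_ent, uniq = s["len"] / n, s["ent"] / n, len(s["subs"]) / n
        if avg_len >= min_len and avg_ent >= min_entropy and uniq >= min_unique:
            flagged[zone] = {"queries": n, "avg_sub_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2), "unique_ratio": round(uniq, 2)}
    return flagged
```

The thresholds are starting points to tune against a baseline of the network's own traffic; CDNs and some security products also legitimately emit long, unique labels, so flagged zones are leads for the attribution step the study describes, not verdicts.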

Read more…
Source: Palo Alto Unit 42