By Aamir Lakhani | July 01, 2020
FortiGuard Labs Threat Research Report
Affected platforms: Windows 7, Windows 10, Windows Server 2016
Impacted parties: Windows 10 version 1809 + and Windows Server version 1903 +
Impact: Command and Control & User-Privacy Settings Violation
Severity level: Informational
Other: Other systems that use DNS may be affected if a client-side exploit is available
At FortiGuard Labs, we see numerous evasion techniques that attackers use to bypass egress filtering solutions and establish command and control (C&C) inside organizations. The targeted organizations typically already have firewalls, IPS systems, endpoint detection, and remediation controls in place.
In this blog, we discuss one of these techniques, DNS tunneling, and how it works. We will look at well-known DNS tunneling tools and how to configure them to test the security and detection capabilities of your environment. Lastly, we will review some industry best practices and show how the FortiGuard Labs threat intelligence services embedded in our products mitigate this attack.
DNS tunneling occurs when attackers encode and embed data and protocols in DNS traffic, primarily to achieve command and control inside an organization's protected network. It works because almost every network allows DNS out: a client's query for a name under an attacker-controlled domain is forwarded by the organization's own recursive resolver to the attacker's authoritative server, so the infected host never needs a direct connection to the C&C and the encoded data rides in the query name and the response records. In addition to command and control, attackers also use DNS tunneling to deliver and distribute malicious payloads, such as remote access trojans and ransomware, to victim computers inside an organization.
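The mechanics of the upstream (client to server) direction, shown as an added example in Python; this is not code from the FortiGuard post nor from any tunneling tool it discusses. The zone `c2.example.net`, the beacon payload, and the benign query names are all constructed for the example. `encode_chunks` is the client side (base32 the data, cut it into 63-octet labels, pack labels into names under the 253-octet limit, prefix a sequence label), `decode_names` is what the attacker's authoritative server does with the queries it receives, and `flag_domains` is a minimal detection heuristic of the kind an egress DNS monitor would run: per registered domain, count distinct subdomains and measure their length and entropy.

```python
import base64
import math
from collections import Counter

# Constructed example: an attacker-controlled zone whose authoritative server is the C&C.
TUNNEL_DOMAIN = "c2.example.net"   # hypothetical, not a real C&C domain
MAX_LABEL = 63    # RFC 1035: each label is at most 63 octets
MAX_NAME = 253    # RFC 1035: a full name is at most 253 octets in text form
SEQ_RESERVE = 4   # room reserved for a sequence-number label such as "123."


def encode_chunks(payload: bytes, domain: str = TUNNEL_DOMAIN) -> list[str]:
    """Client side: turn payload into the ordered list of query names to resolve.

    Base32 is used because its alphabet (A-Z, 2-7) is valid in hostnames and
    survives resolvers that fold case (base64 would not). Padding is stripped.
    """
    text = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    # Each label costs 63 octets plus its dot; fit as many as the 253-octet name allows.
    per_query = max(1, (MAX_NAME - len(domain) - 1 - SEQ_RESERVE) // (MAX_LABEL + 1))
    names = []
    for seq, start in enumerate(range(0, len(labels), per_query)):
        group = labels[start:start + per_query]
        names.append(f"{seq}." + ".".join(group) + "." + domain)
    return names


def decode_names(names, domain: str = TUNNEL_DOMAIN) -> bytes:
    """Server side: strip the zone, reorder by the sequence label, decode base32."""
    suffix = "." + domain
    parts = {}
    for name in names:
        name = name.rstrip(".").lower()
        if not name.endswith(suffix):
            continue  # not ours; only queries for the zone we own reach this server
        labels = name[:-len(suffix)].split(".")
        parts[int(labels[0])] = "".join(labels[1:])
    text = "".join(parts[k] for k in sorted(parts)).upper()
    text += "=" * (-len(text) % 8)   # restore the base32 padding that was stripped
    return base64.b32decode(text)


def shannon_entropy(s: str) -> float:
    """Bits per character of s; base32-encoded binary data approaches 5.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def flag_domains(queries, min_unique=5, min_avg_len=40.0, min_entropy=3.5):
    """Detection heuristic: group query names by registered domain (taken as the last
    two labels, a simplification) and flag domains that receive many distinct, long,
    high-entropy subdomains. Returns {domain: stats} for flagged domains."""
    by_domain = {}
    for q in queries:
        labels = q.rstrip(".").lower().split(".")
        by_domain.setdefault(".".join(labels[-2:]), set()).add("".join(labels[:-2]))
    flagged = {}
    for domain, subs in by_domain.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(map(len, subs)) / len(subs)
        ent = shannon_entropy("".join(subs))
        if avg_len >= min_avg_len and ent >= min_entropy:
            flagged[domain] = {"unique": len(subs),
                               "avg_len": round(avg_len, 1),
                               "entropy": round(ent, 2)}
    return flagged


# Constructed stand-in for a beacon body: a short header plus varied bytes, as a
# compressed or encrypted blob would look.
BEACON = b"host=WS-42;user=jdoe;" + bytes(range(256)) * 4

# Constructed benign background lookups (reserved example domains).
BENIGN = ["www.example.com", "mail.example.com", "static.example.org", "ntp.example.org"]

if __name__ == "__main__":
    tunnel = encode_chunks(BEACON)
    assert decode_names(tunnel) == BEACON
    print(f"{len(tunnel)} queries, longest name {max(map(len, tunnel))} octets")
    for domain, stats in flag_domains(BENIGN + tunnel).items():
        print("suspicious:", domain, stats)
```

Two caveats a practitioner should keep in mind. First, the heuristic is deliberately crude: CDN hostnames, DNSBL and antivirus signature lookups, and reverse-DNS names all legitimately put long or high-entropy data in labels, so per-domain volume and query rate over time, not a single query's shape, is what separates a tunnel from noise, and thresholds need tuning against your own resolver logs. Second, the example covers only the upstream direction; real tunneling tools also carry the server-to-client channel in response records (TXT, CNAME, NULL and the like), and the long-lived, regular query cadence of that exchange is itself a useful detection signal.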