No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection
Oct. 7, 2024, 9:03 a.m.
Description
This article analyzes four previously undisclosed DNS tunneling campaigns identified through a new campaign monitoring system. The system detects tunneling domains based on techniques and attributes commonly shared across malicious campaigns. The four campaigns are FinHealthXDS (targeting finance and healthcare), RussianSite (over 100 domains sharing a Russian nameserver), 8NS (domains with 8 NS records), and NSfinder (domains combining words ending in "finder"). The campaigns abuse the DNS protocol to establish covert communication channels for data exfiltration and infiltration. Attributes shared within a campaign include infrastructure, DNS configurations, payload encoding methods, domain registration patterns, and attack targets. The monitoring system has been implemented in Palo Alto Networks' Advanced DNS Security service to provide enhanced protection against emerging DNS tunneling threats.
Date
Published: Oct. 5, 2024, 8:33 a.m.
Created: Oct. 5, 2024, 8:33 a.m.
Modified: Oct. 7, 2024, 9:03 a.m.
Attack Patterns
Hiloti
RedLine stealer
IcedID - S0483
Cobalt Strike - S0154
T1590.001
T1584.001
T1568
T1583.001
T1071.004
T1102.002
T1589.002
T1571
T1132
Additional Information
Technology
Healthcare
Education
Finance
Government
Manufacturing
Russian Federation