Recently, Alibaba cloud researchers found evidence of the exploit kit used by Tofsee across hundreds of cloud machines. How? The secret was to leverage DNS. Tofsee is malware which recruits compromised systems to the Tofsee Spam Botnet. Once a system is infected, the new systems are, in turn, used to help propagate Tofsee to other systems. Tofsee has various modules which enable cryptocurrency mining and click fraud. Tofsee can bring financial loss, the exfiltration of confidential data, and worse.
Typically, Tofsee has been detected by software controls that would recognize the previously identified signatures of Tofsee. As we know, threat actors are constantly remanufacturing and repacking code to modify the signatures. Legacy signature based detection approaches require that the newly modified signature be identified first, and then this newest signature will be recognizable and detectable until the code is modified again.
The analysis of DNS traffic has opened new and better doors to identifying and stopping Tofsee and other threats. Machine learning and analytics have identified correlation between the domain name (DNS) patterns and malicious behavior patterns to identify Tofsee Trojan activity.
The researchers started with a single domain “work[.]a-poster[.]info“ that was reported by a cybersecurity research firm only a few months prior. This domain was noted at the time as presenting a “generic Windows command and control” threat. By applying machine learning techniques, research teams have been able to correlate and link the domain to additional domain names. All of these domain names appear to be related to the Tofsee botnet. It was a short step for further analysis to find all the cloud systems impacted by the Tofsee botnet.
DNS can be an important defensive weapon in your arsenal. DNS security brings a full security stack for clouds, on-premise resources, and remote workers. We already know that DNS is in the kill chain for most cyberattacks. DNS may be used during the reconnaissance phase when it is a targeted attack. DNS is also used in the delivery phase, as potential victims unknowingly make DNS queries for IP addresses involved in the attack. DNS will also be used in the email delivery process when the ransomware propagates via spam campaigns. The exploitation phase may involve DNS queries when the victim’s system is compromised and infected. Finally, malware must connect back to command & control. DNS is then used as a hidden communication channel for this purpose.
Standard security controls and technologies such as next-gen firewalls, IPS, and gateways generally do not inspect DNS for detecting malicious communications. These security controls are frequently unable to prevent specific attacks such as DNS data exfiltration. Most importantly, they are not able to detect the subtleties of newly created malicious addresses and domains.
Infoblox BloxOne Threat Defense® enables government and business to better leverage DNS to improve security posture. DNS security provides broad visibility into malicious activity, so threat actors can be shut down as early as possible in the kill chain of events. BloxOne Threat Defense uses highly accurate threat intelligence and machine learning based analytics to detect modern malware, ransomware, phishing, exploit kits, DNS-based data exfiltration, Domain Generation Algorithms, DNS Messenger, fast-flux attacks, and more.
Finally, it is also important to note that DNS Security has long gone mainstream. Don’t be a late adopter! A June 2021 Gartner report recommends organizations leverage DNS logs for threat detection and forensic purposes with their Security Information and Event Management platforms. The U.S. National Security Agency (NSA) has also provided explicit direction on DNS in the publication Selecting a Protective DNS Service.
To find out more about how Infoblox can help and to reach out to our sales team, please reach out to us via https://info.infoblox.com/contact-form/.
