On October 28th, an alert titled “Ransomware Activity Targeting the Healthcare and Public Health Sector” was jointly published by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). The report highlighted how malicious actors are actively targeting healthcare organizations using the Ryuk ransomware for financial gain.
One interesting aspect is the critical role that DNS has played in the execution of this particular malware campaign. It is well established that DNS is the main control plane by which most adversaries send commands to compromised machines, as described in the MITRE ATT&CK™ framework. This is clearly evident in the advisory analysis, which highlights how the anchor_dns tool at the core of the campaign uses DNS as the control plane to execute the PowerShell command scripts that lie at the heart of the attack.
What is perhaps more significant is the critical role that DNS plays as the data exfiltration vector. Building on the success of earlier malware campaigns, many of them aimed at retail and point-of-sale environments, adversaries have realized that DNS is the soft underbelly of many enterprise networks. Organizations rarely focus on DNS, preferring to use Next-Generation Firewalls and other security platforms that concentrate on HTTP and email. Anchor_dns avoids those platforms by using DNS as a means to smuggle out data undetected, knowing that most traditional security platforms lack the means to differentiate between legitimate DNS requests and those carrying exfiltrated data.
The Role of DNS in Mitigation
Since DNS lies at the heart of this campaign, the DNS servers within these healthcare institutions have a front-row seat and are thus ideally placed to provide mitigation. Here are some of the critical controls a DNS server can apply to mitigate the threat from this campaign.
Command and Control
With the extensive use of DNS as the command and control channel for the anchor_dns tool, the advisory has identified a number of domains as being core to the malware campaign. By using threat intelligence from Infoblox, or by manually adding these domains to the DNS blacklist, healthcare organizations can break the critical control channel and prevent the execution of the ransomware by blocking the resolution of these domains. Infoblox BloxOne Threat Defense customers had visibility of these malicious domains as early as April 2020 as part of the Infoblox Cyber Intelligence team's ongoing efforts to proactively track Trickbot and other malware campaigns' toolsets.
kostunivo[.]com
chishir[.]com
mangoclone[.]com
onixcellent[.]com
These domains are critical to resolving the IP addresses of the command and control servers used to maintain control of compromised machines.
23[.]95[.]97[.]59
51[.]254[.]25[.]115
193[.]183[.]98[.]66
91[.]217[.]137[.]37
87[.]98[.]175[.]85
Given the criticality of DNS in the attack and the pervasive deployment of DNS servers, organizations should carefully monitor DNS activity to identify whether this campaign impacts their environment. By leveraging Infoblox’s Cloud Data Connector tool, it is possible to export all the suspicious DNS queries across the entire Infoblox DNS infrastructure into popular SIEM tools to enable security analysts to identify signs of compromise and take action quickly.
DNS as an Early Warning System
Detection and mitigation of this and other threats do not stop with blocking the specific domains that anchor_dns uses. The Anchor toolset (which includes anchor_dns) is a new module supplementing the long-standing trojan capabilities commonly known as Trickbot. Trickbot originally started life as a banking trojan first identified in 2016 and has long been used as a vehicle for a wide variety of malware campaigns.
Infoblox has been tracking the distribution and evolution of this toolset over many years. Infoblox’s Cyber Intelligence team has recently published cyber campaign briefs highlighting how adversaries have used noteworthy news events as the basis for tricking users into compromising their systems. In June, the focus was around campaigns referencing the Black Lives Matter protests. In April, an email, posing as a message related to COVID from the World Health Organization, also leveraged the Trickbot trojan. In many ways, this latest advisory highlights how adversaries continue to prey on public fears around the COVID-19 global health emergency as a means to launch ransomware campaigns.
You can read more about the WHO Trickbot here and the BLM Trickbot here. To learn more about the Ryuk ransomware, click here.
DNS Data Exfiltration
What makes anchor_dns distinctive is its focus on DNS as the exfiltration channel. This custom DNS tunneling tool leaves most traditional security appliances blind, as their inspection of DNS is often highly rudimentary, with the policy in most deployments being to allow all outbound DNS traffic by default. The adversaries behind this campaign have used this to their advantage. Indeed, they can also count on the fact that most security platforms that claim to have even basic DNS tunneling detection work from either threat intelligence or signatures for known tunnels. This is a problem for healthcare organizations because this new variant does not use existing tunneling tools, making signatures ineffective. It leaves them reliant on threat intelligence providers first observing the malicious domains in other customers' networks as part of an active campaign. While we may have a list of the domains currently used in the campaign, this could easily change, requiring threat intelligence solutions to play catch-up with every change.
Infoblox has spent the last four years developing and refining machine learning analytics to detect these Day Zero threats. Leveraging the specific experience Infoblox has as the market leader in DNS, our team of experts has built machine learning models that allow Infoblox platforms to distinguish between legitimate requests and those that are exfiltrating data. These patented algorithms, which are part of Threat Insight in Infoblox's BloxOne Threat Defense solution, have allowed Infoblox to detect data exfiltration across various network deployments. It is important to note that simply blocking all DNS tunnels, as many traditional security platforms claim to do, is a business risk. Many legitimate, benign applications also tunnel data out over DNS. Blanket blocking of DNS tunnels can often end up blocking security tools such as Anti-Virus that rely on DNS tunneling to bypass firewalls and update endpoints. Only by combining detailed knowledge of how DNS truly works with machine learning can organizations protect themselves against these forms of Day Zero DNS exfiltration attacks without the unintended consequence of blocking legitimate applications that use the same techniques.
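To make the monitoring and tunnel-detection ideas above concrete, here is an added example (not Infoblox's code or the Threat Insight algorithms) that runs a defender-side check over constructed DNS query log lines: it matches queries against the four C2 domains named in the advisory, and separately flags a registered domain as a likely tunnel when it receives a stream of never-repeating, long, high-entropy subdomain labels. The log format, the `ex-data.example` domain, the thresholds, and the two-label "registered domain" rule are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# C2 domains named in the CISA/FBI/HHS advisory (de-fanged on the page as name[.]tld).
C2_DOMAINS = {"kostunivo.com", "chishir.com", "mangoclone.com", "onixcellent.com"}

# Constructed sample log (not real traffic), one query per line: "<client> <qtype> <qname>".
# ex-data.example stands in for a made-up tunneling domain; example.org is benign browsing.
SAMPLE_LOG = """\
10.0.5.12 A www.example.org
10.0.5.12 A mail.example.org
10.0.5.12 A cdn.example.org
10.0.5.12 A kostunivo.com
10.0.5.40 TXT 0123456789abcdef0123456789ab.0a1b.ex-data.example
10.0.5.40 TXT fedcba9876543210fedcba987654.1c2d.ex-data.example
10.0.5.40 TXT 13579bdf02468ace13579bdf0246.2e3f.ex-data.example
10.0.5.40 TXT a1b2c3d4e5f60718293a4b5c6d7e.4a5b.ex-data.example
"""

def shannon_entropy(text):
    """Bits per character; encoded payload labels score far above dictionary words."""
    n = len(text) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_qname(qname):
    """Return (subdomain prefix, registered domain). Assumption: the registrable part
    is the last two labels; a production check would consult a public-suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyse(log_text, min_queries=3, min_prefix_len=20, min_entropy=3.0):
    """Return (c2_hits, tunnel_suspects). A domain is a tunnel suspect when it is queried
    at least min_queries times with never-repeating, long, high-entropy prefixes."""
    c2_hits, prefixes_by_domain = [], defaultdict(list)
    for line in log_text.splitlines():
        client, _qtype, qname = line.split()
        prefix, domain = split_qname(qname)
        if domain in C2_DOMAINS:
            c2_hits.append((client, qname))   # known-bad: block and investigate the client
        prefixes_by_domain[domain].append(prefix)
    suspects = []
    for domain, prefixes in prefixes_by_domain.items():
        if len(prefixes) < min_queries or len(set(prefixes)) != len(prefixes):
            continue  # too few queries, or repeated names: cacheable lookups, not a data stream
        mean_len = sum(map(len, prefixes)) / len(prefixes)
        mean_ent = sum(map(shannon_entropy, prefixes)) / len(prefixes)
        if mean_len >= min_prefix_len and mean_ent >= min_entropy:
            suspects.append(domain)
    return c2_hits, sorted(suspects)
```

Feeding the sample log to `analyse` returns the single C2 hit from 10.0.5.12 and flags `ex-data.example` as a tunnel suspect while leaving `example.org` alone; the same heuristics can be applied to the suspicious-query export a SIEM receives, with the thresholds tuned to the local baseline.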
Infoblox and Government partnerships
This advisory is an excellent example of the role that government agencies can play in protecting specific industries and, indeed, the whole country, especially in difficult times such as those we are experiencing right now. Infoblox already partners with these agencies to improve government and civilian agencies' security posture, having worked to identify threats that have sought to exploit the current COVID-19 global health emergency. This is in addition to the role Infoblox plays in disseminating critical threat-related information via the MS-ISAC.
Infoblox and Healthcare
With Infoblox DNS platforms deployed pervasively across the healthcare industry, there is an opportunity to leverage these deployments to provide effective mitigation: breaking the control channels of these campaigns and preventing the exfiltration of data over DNS. Through the use of Infoblox Threat Intelligence, which is customized for deployment on DNS, combined with industry-leading machine learning analytics to detect DNS exfiltration, organizations with Infoblox appliances and the BloxOne Threat Defense services are ideally positioned to immediately mitigate this particular threat.
References and Additional Resources
- Healthcare Case Study: Many healthcare organizations rely on Infoblox to protect their networks. One great example is Geisinger Health System, which was able to detect a compromised ultrasound machine before any sensitive patient data was breached with the help of Infoblox.
- Solution Note: BloxOne Threat Defense for Healthcare
- Solution Note: Preventing DNS Based Data Exfiltration Using Threat Insight
- Tolly recently evaluated Infoblox BloxOne Threat Defense and a competitor on a comprehensive suite of test cases that included data exfiltration, malware infiltration, malware detection, local specific threats, and more. The results clearly showed Infoblox performing significantly better than the competition in all categories. For example, under the data exfiltration test, multiple techniques of DNS based data exfiltration were used to mimic real-world variations used by attackers. Infoblox blocked all variations of the attack. Read the full report here.