On October 20, 2020, the National Security Agency (NSA) published a cybersecurity advisory1 on the continued and escalating cyberattack activity from Chinese sponsored threat actors. A large percentage of these attacks use publicly known vulnerabilities. This alert covered the top 25 threats and, in particular, noted one that utilized DNS.
The Chinese state-sponsored threat actors utilize a sophisticated process to plan their attacks. This includes careful identification of the target, the gathering of technical information on the target, assessing, and identifying vulnerabilities. Once a vulnerability is identified, they develop or re-use exploits to target those vulnerabilities and then launch their attack.
The timely implementation of patching and updates are part of the mitigation effort recommended by the NSA. The NSA advisory “provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks. Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access (T11332) or external web services (T11903) and should be prioritized for immediate patching. While some vulnerabilities have specific additional mitigations below, the following mitigations generally apply:
- Keep systems and products updated and patched as soon as possible after patches are released.
- Expect that data stolen or modified (including credentials, accounts, and software) before the device was patched will not be alleviated by patching, making password changes, and reviewing accounts a good practice.
- Disable external management capabilities and set up an out-of-band management network.
- Block obsolete or unused protocols at the network edge and disable them in device configurations.
- Isolate Internet-facing services in a network Demilitarized Zone (DMZ) to reduce the exposure of the internal network.
- Enable robust logging of Internet-facing services and monitor the logs for signs of compromise.”
Domain Name System Vulnerability Identified in the NSA Advisory
One of the top 25 vulnerabilities identified by the NSA includes CVE-2020-135045. A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests, aka ‘Windows DNS Server Remote Code Execution Vulnerability.’ This vulnerability was first published in the NIST national vulnerability database on 7.14.2020. This impacts Microsoft Windows Server 2008 through 2019.
Mitigations include keeping the system and product updated and patched. If an update cannot be applied immediately, the following workaround will prevent the vulnerability from being exploited, per Microsoft’s® recommendation. The workaround configures Windows® DNS servers to restrict the size of acceptable DNS message packets over TCP to 65,280 bytes (0xFF00). Applying the workaround requires a restart of the DNS service. Apply the patch as soon as possible and remove the workaround once the patch is applied.
Another mitigation is to launch an elevated PowerShell prompt:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters -Name TcpReceivePacketSize -Type DWord -Value 0xFF00
No Surprise – Most Malware Leverages DNS in the Attack Chain
Every story is different, but the common thread used by many threat actors is to exploit and leverage DNS. DNS is continually used to set-up and execute attack chains. The attack may involve DNS queries when the victim’s system is compromised and infected. DNS is almost always used when an infected system communicates with the command and control (C&C) servers.
Threat intelligence can bring you a very current set of malicious hostnames, domains, IP addresses that you can use such that your DNS servers can then detect and block command and control (C&C) communications to malicious destinations. Advanced techniques such as behavioral analytics and machine learning on real-time DNS queries can rapidly detect and stop zero-day DNS tunneling, DGA, data exfiltration, Fast Flux, lookalike domains, and more. Infoblox DDI (DNS, DHCP, IPAM database) data has valuable information about device activity and actionable network context (like what type of device it is, where it is in the network, who it is assigned to, lease history). This information can be used for essential visibility into ongoing attacks and for remediation strategy.
The integration of data with SIEM and SOAR infrastructure can provide significant reductions in time for the detection of threats and the automation of incident response. When Infoblox detects something malicious, a new device, or virtual workload on the network, it automatically shares that event information and context with existing security infrastructures like endpoint EDR, SIEM, SOAR, and other solutions. This data can trigger the security tools to prevent access to the network or scan for vulnerabilities until it is deemed compliant with policy.
For more information on BloxOne Threat Defense: https://www.infoblox.com/products/bloxone-threat-defense/.
If you want to know more, please reach out to us directly via https://info.infoblox.com/contact-form.