DNS (Domain Name System) is a protocol that exists in almost every network. It works like the “yellow pages”, translating human-friendly domain names into IP addresses, which computers use to communicate with each other.
According to different research, over 80% of malware uses DNS to communicate with command-and-control (C&C) servers, exfiltrate data or redirect traffic to malicious sites. The dangers are often hidden in innocent applications, documents, and websites, invisible to firewalls and other security solutions.
DNS is extremely difficult to lock down because it was designed as an open protocol. It is therefore a favourite even of less advanced cyber-criminals, who look for an always-available, often overlooked protocol that they can use for C&C communication and for compromising hosts.
The SolarWinds attack shows how a sophisticated cyberattack can spread through the supply chain while staying undetected for at least eight months, and how most organizations are woefully unprepared to prevent and detect such threats.
SolarWinds is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure. Among the company’s products is SolarWinds Orion Platform – an infrastructure monitoring and management platform, used by thousands of public and private customers. Attackers broke into SolarWinds and inserted weaponized Trojans into the SolarWinds Orion update package. This package was distributed to 18,000 customers, and because it was digitally signed by SolarWinds, it was trusted and deployed in their internal networks, bypassing EDR systems and antivirus by default. Once installed, the malicious code opened backdoors that communicated to third-party servers, giving the hackers remote access to emails, confidential documents, and other sensitive information.
“Eighteen thousand customers was our best estimate of who may have downloaded the code between March and June of 2020,” said Sudhakar Ramakrishna, SolarWinds president and CEO, “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less”.
The malicious code – dubbed SUNBURST – was written for maximum stealth: for example, the first communication with the C&C server took place only two weeks after the backdoor was installed. A very interesting technique was used to select promising victims: data from the backdoor was sent to the C&C server as part of a DNS request. If the organization was of interest, a response arrived directing the backdoor to a second C&C server, and data was stolen while interacting with it. Most likely, out of 18,000 possible victims, only dozens of companies were actually impacted.
In recent years, the speed of digitization in the healthcare industry has increased significantly. Devices and applications in hospitals are ever more connected, while patient data is being recorded and distributed in new and innovative ways. COVID-19 has definitely accelerated these trends, as the demand in the telehealth market is at an all-time high.
Though the fast digital transformation in hospitals and other medical institutions comes with extraordinary benefits, the growing use of IoT devices – from wireless heart rate monitoring cuffs to Magnetic Resonance Imaging (MRI) machines connected to hospital networks – also creates tradeoffs. One major drawback is that digital products and services provide an entry point for attackers, with DNS often being used as a vector for the attack.
According to the 2021 Global DNS Threat Report, the average cost per DNS attack targeting healthcare increased to $862,630. Moreover, healthcare organizations each suffered an average of 6.71 DNS attacks over a 12-month period, and it took an average 6.28 hours to mitigate each of them, which is higher than the all-industry average.
“Without going too far, a medical company with 1500+ employees and 145000 patients a year was recently hit by a cyber-attack, exploiting vulnerabilities in the DNS. We detected malicious traffic going via an X-Ray machine”, comments Leonardo Antichi, CTO at Sababa Security.
Being often overlooked and underestimated, DNS is the perfect choice for adversaries. For this reason, it’s essential to make use of a DNS Security solution that is capable of monitoring outgoing DNS traffic, checking domain reputation, and blocking malicious domains.
Another solution is Network Detection and Response (NDR), which looks across the multiple security processes on the corporate network and spots malicious patterns associated with DNS traffic.
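To make the two detection ideas above concrete (reputation checks on outgoing queries, and spotting the pattern SUNBURST used of smuggling data into DNS query names), here is a small query-log analyser. It is an added example written for this article, not code from Sababa Security or from any product; the log format, the client addresses, the blocklist and every domain in it are constructed for the example, and the thresholds are assumptions a real deployment would tune.

```python
"""Added example: flag DNS abuse patterns in a query log.

Three checks are applied to each query:
  1. reputation: the registered domain appears on a blocklist;
  2. exfiltration: a long, high-entropy leftmost label (data smuggled into the name);
  3. beaconing/tunnelling: one client queries many unique subdomains of one domain.
All data below is constructed for the example.
"""
import math
from collections import defaultdict

# Constructed reputation blocklist (stand-in for a threat-intelligence feed).
BLOCKLIST = {"blocked-domain.invalid"}

# Constructed query log, one query per line: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2021-06-01T10:00:01 10.0.5.12 www.example.com A
2021-06-01T10:00:02 10.0.5.12 updates.example.net A
2021-06-01T10:00:03 10.0.5.40 7a3f9c1e02bd4a6f8e1c.telemetry.stat-collector.invalid A
2021-06-01T10:00:04 10.0.5.40 0f2a9c7e1b4d6a8c3e5f.telemetry.stat-collector.invalid A
2021-06-01T10:00:05 10.0.5.40 5b8e1d3a7f9c2e4b6d0a.telemetry.stat-collector.invalid A
2021-06-01T10:00:06 10.0.5.40 c3d5e7f9a1b2c4d6e8f0.telemetry.stat-collector.invalid A
2021-06-01T10:00:07 10.0.5.12 blocked-domain.invalid A
2021-06-01T10:00:08 10.0.5.12 mail.example.com MX
2021-06-01T10:00:09 10.0.5.12 aaaaaaaaaaaaaaaaaaaa.example.com A
2021-06-01T10:00:10 10.0.5.12 cdn-assets.example.org A
"""

# Assumed thresholds; tune against your own baseline traffic.
LABEL_MIN_LEN = 16        # leftmost label at least this long ...
ENTROPY_MIN = 3.0         # ... and with at least this Shannon entropy (bits/char)
UNIQUE_SUBDOMAIN_MIN = 4  # distinct subdomains of one domain from one client


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude registered-domain extraction: the last two labels.
    Real deployments should use the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype.upper()}


def analyze(log_text: str, blocklist=BLOCKLIST):
    """Return a list of findings, each a dict with a 'reason' key."""
    findings = []
    seen = defaultdict(set)  # (client, registered domain) -> set of subdomain prefixes
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rdom = registered_domain(rec["qname"])
        if rdom in blocklist:
            findings.append({**rec, "reason": "blocklisted domain"})
        labels = rec["qname"].split(".")
        prefix = ".".join(labels[:-2])
        if prefix:
            seen[(rec["client"], rdom)].add(prefix)
        first = labels[0]
        # A long but repetitive label (e.g. all 'a') has low entropy and is not flagged.
        if (len(labels) > 2 and len(first) >= LABEL_MIN_LEN
                and shannon_entropy(first) >= ENTROPY_MIN):
            findings.append({**rec, "reason": "high-entropy subdomain"})
    for (client, rdom), prefixes in seen.items():
        if len(prefixes) >= UNIQUE_SUBDOMAIN_MIN:
            findings.append({"client": client, "qname": rdom,
                             "reason": "many unique subdomains", "count": len(prefixes)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["reason"], f["client"], f["qname"])
```

On the constructed log, client 10.0.5.40 is reported four times for high-entropy labels and once for querying four unique subdomains of stat-collector.invalid, while 10.0.5.12 is reported once for the blocklisted domain; the long but all-'a' label and the ordinary hostnames are not flagged. The entropy and unique-subdomain checks matter because they do not depend on the C&C domain already being known, which is exactly the gap a reputation-only blocklist leaves against a previously unseen campaign.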