
How Adversaries Are Abusing Network Blind Spots - Edmund Brumaghin and Earl Carter

BSides Belfast, 41:50, 79 views, published 2020-01

Welcome, everybody. Today we're going to talk about... you heard in the keynote, he talked about lack of monitoring. Well, we're gonna talk about an area that involves everybody, because face it, you can't surf the web if you don't do DNS. I mean, most people don't remember IP addresses, especially with IPv6 now. So we're gonna talk about how the attacks have been evolving and becoming much more sophisticated, if you will, specifically targeting ways to use that vector of DNS to get into your network.

To give you a little background on myself: like Brian, I've been doing this forever. I've been in security since security wasn't a thing with the internet; you know, the internet wasn't there when I started. I've been doing lots of things. I've got patents on security, I've written cyber security books, pretty much everything you can think of. I evolved from pen testing and now I'm actually doing malware research. There's lots of different things, but as I said, the problem just keeps evolving, keeps changing. It's not going to go away any time soon. It keeps us all employed, but I wish it would get a little bit better. So we're gonna tag team our presentation today. We're gonna cover the evolution of it somewhat, then pass over to Edmund and let him talk about, you know, where he started, what he does, and then we'll get into some of the cool stuff.

Yeah, thank you, BSides Belfast. So my name is Edmund Brumaghin. I'm also a security researcher with Cisco Talos. Just a little bit about me: I love malware. That's what I do day in, day out, neck deep in malware figuring out how it works and how to make sure our customers are protected. I've been with Talos for about three and a half years. Prior to joining Talos I spent the prior decade doing digital forensics and incident response. I've held pretty much every role you can hold in a security operations team protecting critical infrastructure, so nuclear energy, power generation, financial services, high-tech, before coming over to the research side. Also, as a hobby, I'm super into music; that's kind of the thing that I like besides security.

So what are we gonna cover today? We're gonna start out with kind of a crash course on the DNS protocol and how the specification works. We're not going to dissect the RFC or anything super boring like that, but we're gonna cover some topics that are relevant to how attackers are abusing this specific protocol to compromise organizations. We're also going to talk a little bit about how you can detect this sort of malicious activity, how you might be able to put security controls in place to help make sure that you're not compromised, and if you are, you're able to at least detect it. Just a show of hands: how many people are actively monitoring the content of DNS queries and the associated responses? I mean, not just that they're networked... So, a few. Yeah. I talk to a lot of organizations, I talk to a lot of security professionals, and that's kind of a weak spot right now. Everyone's good at monitoring HTTP, HTTPS, some of the more conventional protocols, FTP, SMTP, but not a lot of people are actually monitoring the content of the DNS traffic that's ingressing and egressing their network. And then we're going to talk about ways that you can defend against this sort of abuse.

So let's start out with that crash course. So DNS, right? I'm going to date myself a little bit. I still remember landlines, and when you didn't necessarily remember everyone's phone number you had to go into a big yellow book, and you remembered their name and you had to go see what number you had to dial on the phone to actually reach them. So DNS is very similar, right? You enter a rememberable address into the address bar in your browser, and DNS is responsible for taking that and converting it into an IP address that you can then route to, to access whatever content is hosted there. So that's kind of how that works at a high level, but when you really think about it, there's a lot of moving parts in DNS that make that name resolution possible.

So with a lot of the attacks that we're gonna cover today, you know, I talk to people and one of the things that I hear a lot is, well, we don't allow our endpoints inside of our network to communicate to DNS servers directly. Well, that's not necessarily a protection against a lot of the attacks that are making use of the DNS protocol, because when you think about it, if you've got an endpoint in your environment that is trying to reach, you know, server XYZ, domain XYZ, hostname XYZ, they're not reaching directly out to that name server. They're typically going to request resolution from a server inside your network, right, your DNS servers, and those DNS servers are going to go upstream to your ISP's DNS servers, which are gonna go upstream even more, and they'll eventually reach the name server that's responsible for the namespace of the domain that you're trying to resolve. So attackers are leveraging this because it doesn't require any sort of direct command and control or any sort of direct communications from the endpoint to the attacker-controlled server. They're basically hopping through legitimate infrastructure. So if you're relying on a firewall blocking, you know, UDP or TCP 53, that's not necessarily gonna help you in this case, because they're just gonna leverage your legitimate internal DNS servers to facilitate that connectivity.

So we're gonna talk about a few ways that attackers are actively leveraging DNS to successfully compromise organizations. A lot of organizations have gotten much more mature in recent years as far as detecting abuse of FTP, HTTP, SMTP, but they're not necessarily looking at DNS in the right way. So what we're seeing is adversaries are starting to tunnel malicious code through DNS TXT records, basically leveraging DNS for a command and control protocol to facilitate the execution of arbitrary commands on systems, interact with shells, things like that. We're seeing that through TXT records, A records. We're actually seeing attackers start to abuse the inherent trust relationship within DNS itself, in targeting the core internet infrastructure that's responsible for facilitating DNS for the internet to continue to work.

So let's talk a little bit about DNS tunneling. Most people are pretty familiar with protocol tunneling, right? If you use a VPN to connect to your organization's network, you're using protocol tunneling. All right, you've got a VPN tunnel and you're tunneling traffic, HTTP, HTTPS, other traffic, through that VPN tunnel. So protocol tunneling is pretty common, and it's possible using the DNS protocol as well: you can tunnel other protocols, typically custom-designed protocols, leveraging DNS communications. So a practical example of this is DNS tunneling to bypass captive portals, right? When you think about, you know, free Wi-Fi in a coffee shop or on an airplane or in other scenarios, a lot of times when you connect to the wireless network and you're doing your thing, you can actually load the website that allows you to put your PII in and your credit card information to get free Wi-Fi, or to get Wi-Fi, and if you try to browse to other websites, typically they're not gonna work, right? It's gonna tell you, you don't have connectivity to the internet. But one of the things you'll notice is that in a lot of configurations, even in those scenarios, DNS works just fine. So there are applications, like a couple of the examples on the screen, where you can leverage DNS tunneling to facilitate connectivity to the internet without having to actually pay for it or enter your credentials or enter your information into the captive portal, because they're filtering HTTP, they're filtering all these other protocols, but DNS is not filtered. And that's one of the weaknesses in a lot of organizations' security postures that attackers are actively leveraging.

So I want to talk a little bit about TXT records. TXT records are an interesting element within DNS, right? Everyone's used to, like, A records, CNAME records, things like that. TXT records are pretty interesting because they're used really commonly nowadays. When DNS first came about and when TXT records were first a thing, they were typically used to append information about different assets that an organization might be interested in. So you'd have a DNS record and you'd put a TXT record that says, this is Jim's server, or this server is located in data center XYZ. So it's effectively a record that contains text content that gives you information about an asset. Nowadays they're used for a lot more than just that sort of thing; they're used for a lot of security-relevant functions. So when you think about SPF, Sender Policy Framework, or DKIM or DMARC, these are all technologies designed to secure mail flow, so you protect from phishing that may be targeting your brand, things like that. And so they're really regularly used, they're very, very common in a lot of organizations nowadays, but they're also able to be used to facilitate the transfer of information from an external server to an internal asset, all leveraging DNS.

So I want to talk about a DNS tunneling case study. This came about back in, I think, 2017, and this was a malware family that we discovered that we refer to as DNSMessenger. It's a pretty interesting example of how this sort of TXT record is being leveraged to facilitate command and control. So in this particular case it started with a tweet, right? We had somebody tag us on Twitter, and they were like, well, somebody doesn't really like Sourcefire much, and they pasted a snippet of PowerShell, and inside the PowerShell was a base64 encoded blob. You can see on the screen, when you decode that, it's "Sourcefire sucks". Well, we kind of took note of that because, if you're familiar with Cisco, right, Cisco acquired Sourcefire, so we saw that and we were kind of interested to see what exactly that was relevant to. So we started trying to figure out exactly what we could, to figure out where in an infection chain this was. All we had was the base64 encoded blob and the snippet of PowerShell; we didn't have any other IOCs. So a researcher and myself, we basically started looking to see if we could reconstruct the attack that was associated with this string, and we were actually able to reconstruct this using a lot of open source intelligence. We were able to basically tie this back to the initial infection vector associated with DNSMessenger, and DNSMessenger was actually being transmitted and distributed via email spam campaigns. So they were sending targeted phishing emails that contained malicious Office documents, and an example of one is on the screen there. You can see it's a malicious Word document. One of the interesting things they did was they used McAfee branding inside of the maldoc. It's pretty similar to what you see a lot with malspam campaigns, right? They put a decoy image in and they say, hey, enable macros, enable content, so that the attacker's code can start to execute, and that can facilitate the infection process. For a lot of organizations McAfee bait may be really common, right? If you use McAfee on your endpoints, most of your users are going to be super comfortable seeing a McAfee logo and trusting it.

So this was actually the first stage of about a four-stage infection process that was really interesting, because it leveraged a lot of techniques that are commonly associated with fileless malware. The only way that this particular malware family would actually leave artifacts on a system was if they chose to achieve persistence during stage two. So when you open the Word document and you enable macros, basically VBA macros kick off that extract and start to execute a stage 1 PowerShell routine. That PowerShell routine contains stage 2, which is encoded. They decode that and then they do a check to see if they should enable persistence, so should they persist across reboot, so every time you reboot a system the malware kicks back off. And so if they chose to do that, they would either write the contents of stage 3 of this malware into the registry or they would write it to an alternate data stream. So not your conventional file storage of a malware payload; they were using non-traditional ways to facilitate that persistence. So persistence, as I mentioned, was acquired during stage 2, and it was responsible for going out, retrieving stage 3, and then, if necessary, if configured properly by the attacker, it would basically store stage 3 in a non-traditional way so that each time the system was rebooted, the stage 3 PowerShell itself would be extracted from the registry, kicked off and then executed on the system. So stage 3 was responsible for retrieving stage 4, and that's where DNS really came into the equation here, because stage 4 was delivered using the contents of DNS TXT record responses.

So let's look at how that works. Effectively, the way this works is inside of that stage 3 PowerShell they would basically look at an ArrayList of domains that the attacker controlled the name servers for, and so they would pick one of these domains and they would go out and make a DNS TXT record request, and the response to that record request, as you can see in the bottom of the slide there, actually contained an encoded PowerShell command. So it was basically PowerShell that was encoded using base64. So the malware would kick off, it would go out to an attacker-controlled name server using that normal DNS hierarchy, it would basically just say, hey, I want the TXT record associated with, you know, subdomain XYZ of one of these domains, and then the response from the attacker's server would just be transmitted through that hierarchy back into the internal DNS servers and then forwarded over to the endpoint. And what it would do is it would basically take that base64 encoded blob that it received inside of the DNS TXT record response, decode it, and then execute it within the confines of the existing PowerShell process that was running.

So what this stage 4 would do is it would actually execute the Windows command processor, so cmd.exe. It would redirect standard in, standard out and standard error into the PowerShell process itself. It would select a second domain from a list, another ArrayList, and then they would basically leverage a custom command and control protocol that all made use of DNS TXT records. They would send a SYN message, await a response, and then they would send the output of the command line processor over standard out and standard error using DNS TXT record requests. So just to kind of illustrate that: when I say SYN, I don't mean, like, TCP SYN packets. This is actually what they called that stage of the command and control protocol. So SYN would be used to basically stand up the command and control protocol, and then message queries would be used to facilitate the transfer of information from an infected endpoint to an attacker-controlled DNS server, all over that DNS TXT request and then the associated response. So you can see the message query itself. The query is from the endpoint, so the endpoint is saying, hey, please resolve the TXT record associated with this really long string of alphanumeric characters. But when you actually decode that, using the encoding mechanism that they were using, what they were basically doing is they were sending requests for DNS TXT records, but when you decoded the contents on the attacker-controlled server it was the output of the Windows command line processor. So the responses from the server could be used to say, hey, go execute this command on a Windows endpoint, and then the output would be sent back over that DNS stream. And this kind of just shows the command and control protocol that was being leveraged by the adversary: SYN would stand up the C2 protocol, they would just do that message query and response as long as the attacker wanted shell access to the system, and then when the attacker was done controlling the endpoint they would send a FIN query and a FIN response. They actually created a full custom command and control protocol for this, and you can see kind of the packet structure that they created for this particular command and control protocol.

So that was the initial campaign associated with DNSMessenger. A few months later we actually detected some additional campaigns, and they were actually leveraging an updated version of DNSMessenger. So once again, malspam campaigns. In this case they were making them appear as if they were from the Securities and Exchange Commission, the EDGAR system. If you're not familiar with it, in the US the SEC has the EDGAR system that allows companies to make filings and put in the documentation they need to. So they basically spoofed the SEC, sent emails in that said, hey, you know, there's important information from the SEC, open this attached document to find out what it is. So when you open the document they actually branded it to make it appear as if it was associated with the SEC; they put the appropriate branding and whatnot in there. In this case they weren't using macros, though. They were using Dynamic Data Exchange, DDE, which is a feature set that was present in Word that attackers were abusing pretty heavily. So when you open the document it pops up and says, hey, this document links to other files, do you want to update the document? And if you say yes, that causes Microsoft Word to go out to the predefined resource on the internet, pull down contents, and then start to execute it. So in this case if you clicked yes, what it would do is it would call the Windows command line processor, which would then call PowerShell, which would echo SEC.gov in a little window on the screen to make it look legit, right? And then it would basically go out to a compromised Louisiana government website where they had hosted the next stage of the infection process. It would pull down the contents from that URL, that TRT do-e Louisiana gov /font txt, and then it would execute it on the system. So when you actually go out to that and pull down the contents associated with that external resource (I truncated it for the slide's sake), what you would get is PowerShell, and inside that PowerShell was a base64 encoded blob. So that base64 encoded blob would then be decoded and then executed within the confines of the existing PowerShell process on the system, and it was responsible for storing stage 2 in the Windows registry, similar to what we saw with the previous versions of DNSMessenger. It would also check to see if it was already running, so it would check to see if a specific mutex was present on the system. If you're not familiar with mutexes, they're a pretty common way for programs to avoid executing multiple times on a system. So they would check to see if this mutex was present. If it was, that meant that DNSMessenger was already running on the system and they would just terminate execution; if it wasn't, it would continue to kick off and go into later stages of the infection process.

So stage 2 persistence was crazy. They had a bunch of different ways that they could achieve persistence on an endpoint. This is just a screenshot of some of the ways that they could attempt to do this within the Windows registry. There were a lot of if-then statements present, and based on the results of those operations they would make a decision on how to persist on the system. So they could write to a bunch of different locations within the registry to store that PowerShell blob that would be kicked off every time the system was rebooted. In addition to the registry, they also had the capability of creating a scheduled task. One of the interesting things about the scheduled tasks: this is pretty common with malware, right, a scheduled task points to our code, every time the system reboots the malware code kicks off and the infection continues. But in this case they actually set a random delay, so they had a random delay set up so that each time the system rebooted a different amount of time would pass before the malware would kick itself back off, which is, you know, kind of interesting if you're running this in a sandbox environment or if you're just trying to analyze it. You might look at it after a reboot and say, well, nothing's happening, but the reality is there was a wait timer set. In addition to the registry, in addition to the scheduled tasks, they also had the capability of using alternate data streams or WMI subscriptions in the Windows Management Instrumentation database on a Windows endpoint. So these are a couple of non-traditional ways to persist on a Windows endpoint: they could create a subscription in the WMI database and then leverage that for persistence as well.

So stage 3 was pretty interesting. This is where the command and control protocol would really kick off, and they would start to reach out to an attacker-controlled server. The way that they would determine, you know, how to operate is they would obtain the system serial number and then they would generate an MD5 hash of the serial number, take the first 10 bytes, and use that to generate a DNS hostname that they would use to communicate out to an attacker-controlled name server. So what they would do is they would take that hostname, they would basically append a hard-coded string, in this case it was "stage", then they had a counter set up that would iterate each time a DNS request was made. It started with 0, 1, 2, 3, 4, etc., and then they would randomly select a root domain from an ArrayList, similar to what I talked about in the last version of DNSMessenger, and that's the hostname that they would use to create DNS requests to request that name resolution. So just as an example, that's an example of one of the hostnames that they would attempt to request name resolution for. They would first request an A record, and then they would take the IP address that was returned from the name server associated with that A record, and then they would request the TXT record, and they would take the first part of that TXT record and perform a cryptographic operation on it. They would perform the same cryptographic operation on the A record and they would compare the values, kind of as a data integrity checksum if you will. So you can kind of see here: you've got an A record that returns an IP address, they perform that cryptographic operation on it and an integer value is returned, and then they do the same thing with the TXT record and they compare the two integer values. That's that data verification. So in this particular command and control protocol, if the integer value matches, that means that command and control is good to go, and they would take the rest of the TXT record contents and store it in a variable, and then they would iterate the counter and make another DNS request. It would return base64, they would perform that data verification, and if it matched they would take the rest of the TXT and append it to the end, and they would just keep building this blob of base64 encoded information. They would then basically wait for the process to either fail that data integrity check, or, if 0.0.0.0 was returned from the attacker-controlled server, that meant that the transmission of information was complete and the resulting base64 encoded blob is stage 4. They would decode that, pass it to PowerShell and execute it to initiate stage 4.

So stage 4, it was a RAT, basically. It functioned as a remote access trojan. You could execute arbitrary commands. It would use DNS to retrieve what commands to run on the system based on the contents of those DNS query responses, it would execute those commands, and then it would post information. This time they actually leveraged HTTP for the data exfiltration, and it functioned pretty similar to what you would expect from RATs. That's all; what's up over here?

So you see they started taking advantage of DNS, and anybody who's been in this business knows these guys love to see what their peers are doing, so they keep adding to it, they keep changing. We saw DNSMessenger evolve from one that was easy to see on the names to one that was a little harder to look at. Now we're going to look at DNSpionage. Warren and Paul did a great job finding these attacks. When they first came out, and this was probably about a few months later than he was, basically near November, October of 2018, they came across DNSpionage. This first attack actually had two different components. The first part we're gonna look at was a RAT, similar to what DNSMessenger was, where they were trying to get remote access to a box, and what was really interesting is that, you know, they started like everything else: they could do spear phishing, but they also had some other interesting techniques. They were going for tricking users. Users are one of those weak links in our networks. So instead of just doing phishing emails, they would also go to different social media sites like LinkedIn, places that people may be looking for a job, and they would actually put interesting links up there that sort of confused a regular user. Most people don't understand how DNS works, so Wipro.com, Suncor.com, those are valid companies that actually hire people. Well, hr-suncor.com, it's not really related to Suncor, but it looks that way for a regular user. So if I put that up there you're likely to download the file. Well, when you download it, it looks like a regular document; you know, it has information to fill out like I'm getting a job. But as usual, since it's an attacker's, they put some macros in this document.

So in this case they actually put two different macros. One macro would execute when it first opened up, and all it would do is copy a copy of the document down to the system, named .doc, which doesn't look really suspicious. But then when you close the document another macro would execute and actually do some other things on the system. You might wonder why they put two macros in this document. What they're doing is they started realizing that the defenders know... we're trying to always defend against these attackers out there, but the attackers know that we're putting roadblocks in their way, and one of the things they know is that most people now have incorporated some type of sandboxing, some way to check to see if a file is malicious or not. Well, they also know a lot of sandboxes aren't the same. Well, if I have a very simple sandbox, it's gonna open up this document and see if it does anything. Well, in this case, if all you did was open it and you don't actually close it in your sandbox, you never did the malicious part, so it looks pretty benign and you go, okay, it's fine, let it through. So they're trying to do some avoidance of those sandboxes that they know are in place on all of our networks. But if you did actually close it, then it would actually kick off the actual malicious stage of this payload, and in this case, as I mentioned, it was trying to get a remote access trojan on your box.

Well, those trojans need to communicate with the command and control. Well, we see it could do HTTP; we've seen that over the years, nothing really unusual, nothing new. But these attackers also had the capability to take advantage of DNS. So if they were going for, say, a higher value target, maybe one that they knew is really monitoring HTTP really well, they could actually use DNS for their entire command and control, and in this case they actually went a little bit different than DNSMessenger. Remember, DNSMessenger was using those TXT records, which are becoming more common, but you could still look at the TXT records. Well, in this case these guys went straight for regular DNS A records. So what they would do is they would create a domain. Again, you have to develop some type of a domain. Well, they created one that looked like office360, you know, the zero with a little o; at a quick look, most people are going to think it's office360. And then they need to create a subdomain that went with that domain. Well, in this case they didn't want to repeat their domains over and over again, so the blue part that you can see, they just randomly generated some information so that each time they would get a different subdomain, and then the gray part, they were actually encoding essentially the ID of the system. So for this malware each individual system was given a two-character identification value; in this case it was GT. So they basically base32 encoded that into the gray part, created that domain, shipped it off through DNS, went all the way to the attacker's name server, and they got a reply back of 0.1.0.3. Not really a valid IP address, but DNS doesn't care as long as it's four octets of numbers. But in this case it's actually telling the malware on the system, I'm sending you one command and it's gonna be three characters long.

So the malware goes, okay, I'll reissue my DNS command, and again the gray part stays the same, the blue part, which is random, gets something different, but if you'll notice we have a different IP address this time: we have 100.105.114. Well, if you've looked at the ASCII chart, they basically encode the results of what they're trying to do: the 100 is a "d", the 105 is an "i", and the 114 is an "r". So it's telling the malware, through DNS, that I want to run a directory on the system. So they could send whatever command they wanted, and then they would execute a bunch of DNS requests going back again giving the results. This time that gray portion was going to hold pieces of the result. They again kept it small because they know if they get too large, just like the original DNSMessenger, it's real easy to spot programmatically, but here, as long as I keep it fairly small, it's much harder to detect. They're staying in the noise, and now they're transmitting all their information over a protocol that in many cases isn't even monitored, and that's one of the advantages they were looking at. They were really trying to stay under the radar, and when we saw them do this, you know, we could look in Umbrella and the Investigate tool and see when they were using this.
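The two encodings walked through above, DNSMessenger's base64 PowerShell carried in TXT answers and DNSpionage's command bytes hidden in A-record answers, as an added detection example written from the defender's side; this is not code from the talk, from Talos, or from either malware family. The log format, every domain and every answer in it are constructed, and the reading of 0.1.0.3 as "one command, three characters long" follows the speaker's description rather than any published specification.

```python
"""Heuristics for the two DNS C2 patterns described in the talk.

Added example, not code from the talk, from Talos, or from either malware
family. It scores DNS log records for (1) DNSMessenger-style TXT tunnelling
(long, random-looking query labels; base64 PowerShell in TXT answers) and
(2) DNSpionage-style A-record channels, where the returned "IP address" is
really a length header or an ASCII-encoded command.
"""
import base64
import math
import re
from collections import Counter

# Constructed records in the form "<qname> <qtype> <answer>" (an assumed
# format, not any real resolver's log). The TXT payload is the base64 of the
# UTF-16LE string "$s=('dir')", the shape a PowerShell -EncodedCommand has.
SAMPLE_LOG = """\
www.example.com A 93.184.216.34
example.com TXT v=spf1 include:_spf.example.com -all
7d4f9a2c1e.stage0.c2-domain.test TXT JABzAD0AKAAnAGQAaQByACcAKQA=
xq4kzt.gt.0ffice360.test A 0.1.0.3
m9b2pw.gt.0ffice360.test A 100.105.114.0
m9b2pw.gt.0ffice360.test A 0.0.0.0
"""

BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# TXT records that are legitimately common and should not be scored.
BENIGN_TXT_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1")


def shannon_entropy(s: str) -> float:
    """Bits per character; hex or base32 labels land well above 3.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_a_record(ip: str):
    """Read an A answer the way the talk describes DNSpionage using it.

    Returns ("done",) for 0.0.0.0, ("length", count, size) for a control
    value such as 0.1.0.3 (assumed: octet 2 = number of commands, octet 4 =
    command length), ("ascii", text) when every non-zero octet is printable
    ASCII (100.105.114.0 -> "dir"), or None for an ordinary address.
    Real addresses whose octets happen to be printable will false-positive,
    so callers should pair this with the query-label check.
    """
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    if octets == [0, 0, 0, 0]:
        return ("done",)
    if octets[0] == 0:  # 0.0.0.0/8 is never a routable host address
        return ("length", octets[1], octets[3])
    data = bytes(o for o in octets if o != 0)
    if data and all(32 <= o < 127 for o in data):
        return ("ascii", data.decode("ascii"))
    return None


def analyze_txt(qname: str, answer: str) -> list[str]:
    """Reasons a TXT query/answer pair looks like DNSMessenger traffic."""
    reasons = []
    label = qname.split(".")[0]
    if len(label) >= 10 and shannon_entropy(label) > 3.0:
        reasons.append(f"high-entropy query label {label!r}")
    if answer.lower().startswith(BENIGN_TXT_PREFIXES) or not BASE64_RE.match(answer):
        return reasons
    try:
        raw = base64.b64decode(answer, validate=True)
    except ValueError:
        return reasons
    # PowerShell -EncodedCommand blobs are UTF-16LE: every odd byte is 0x00.
    if len(raw) % 2 == 0 and raw[1::2] == bytes(len(raw) // 2):
        reasons.append("UTF-16LE PowerShell in TXT answer: " + raw.decode("utf-16le"))
    else:
        reasons.append("opaque base64 blob in TXT answer")
    return reasons


def analyze_a(qname: str, answer: str) -> list[str]:
    """Reasons an A answer looks like a DNSpionage-style encoded reply."""
    decoded = decode_a_record(answer)
    return [f"A answer {answer} for {qname} decodes as {decoded}"] if decoded else []


def scan(log: str) -> list[tuple[str, list[str]]]:
    """Return (qname, reasons) for every record that trips a heuristic."""
    findings = []
    for line in log.splitlines():
        qname, qtype, answer = line.split(" ", 2)
        if qtype == "TXT":
            reasons = analyze_txt(qname, answer)
        elif qtype == "A":
            reasons = analyze_a(qname, answer)
        else:
            reasons = []
        if reasons:
            findings.append((qname, reasons))
    return findings


if __name__ == "__main__":
    for qname, reasons in scan(SAMPLE_LOG):
        print(qname, "->", "; ".join(reasons))
```

On the constructed log the benign A and SPF records pass silently, while the stage0 TXT record is flagged twice (random label plus decoded PowerShell) and all three office360 answers are flagged by the A-record decoder.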

but in reality they didn't use it in that many cases they really used it for more of the high-value targets it wasn't something they went to on a regular basis because they knew again the more they used it the more it was likely to get detected and then people put more roadblocks in place to stop it from working in the future then that was the first half of it but these same threat actors also had another component that they were using to try and get into the network's so instead of you know tunnel stuff through DNS what they also realized was that when you do a DNS request you see the like blue system here we know we got to get that

IP address so that we can actually communicate with the real server but they also knew there's this entire DNS hierarchy that facilitates giving me that IP address so like but what if I go and target that infrastructure first so what if we switch it around so that if i hack the DNS infrastructure so that when the IP address comes back it's not the company's website it's my attacker controlled website I can now become a man in the middle for the actual traffic and if I do that well enough I can still credentials for the users for that company and then go directly to the company with valid creds so a way that really target a company in a much more

stealthy mode you know when you look at the hierarchy there's lots of different tiers to this and that's one of the things in this case these guys were literally going just for the regiment registering accounts because what they realize is that a lot of people have set up these domain accounts they may have said a long time ago they have a really weak password on their register an account if I go in and hack that account I can easily change words pointing to and now I've become a man-in-the-middle I can actually steal credentials get right onto the networks it made a pretty interesting attack so that's what we're going to talk about for the second stage

of DNSpionage. That's what these guys actually did: they went out, they set up their own servers, you know, they picked their own IP addresses they had, and then they were actually putting self-signed certs on a lot of these so they could make them look like legitimate hosts. So if you went there it actually had a certificate; a lot of users don't know the difference between self-signed and regular signed. But then they would create the domains and then basically redirect the A records. And again, we couldn't put out the domains when we first did this, because they were actually validly still targeting these companies; they were, like, you know, military, government sites, oil and gas, certain Middle Eastern countries.

We could actually track this through passive DNS to see that they were redirecting valid requests for that site to the attacker-controlled server. And then what was really interesting is they would let you put in your credentials, and they would happily redirect you to the real site, so that you would actually be logged in to the real company after you gave them the information that they were looking for, because it was their site first. So that was what we first noticed. Then actually, stepping back, we saw that this wasn't just happening near the end of 2018; it had been going on for a couple of years. So these guys were taking advantage of a situation where

people don't really look to see that the IP address from my A record is actually getting changed. They're not monitoring that; just like we don't monitor DNS on our network, we don't always monitor what's happening on those name registries either, and they took advantage of that fact. So they were actually doing that to target networks. So again, as I talk, they keep evolving. You know, in this case it was significant enough at the time that in the U.S., Homeland Security actually sent out a notice to all of the government agencies and said, hey, we want you to go and check your registrar accounts, make sure you have a very strong password, and if you can do two-factor authentication on

it, set it up, whatever you can do, but we feel that they're going to start targeting those registrant accounts for all the government organizations. So they really pushed it in the U.S. to try and get people to make sure that they knew that they had strong accounts that weren't going to be hacked. I don't know if they were really successful, but we'll see as time goes on. But now we move even further. I think this is, like, the beginning of 2019: we started seeing attackers that were taking it actually to the next level up. These guys went solely for targeting that DNS infrastructure, and doing it with more of a clear motive of espionage. I mean, they

were targeting really high-value targets, think of governments and telecom organizations, you know, military. But one of the interesting parts is they really went up higher in the food chain. So they were taking over, like, name servers; in some cases they were actually taking over, like, top-level country domains. So hey, why go for the low guys when I can control all the DNS for an entire country? Which makes it really scary, because you think about it, in these situations here these guys were pretty skilled at what they did, but DNS holds the Internet together. If somebody goes and tries to repeat this and makes a mistake, they could, like, wreak havoc and destroy the operation of lots of

activity on the Internet, when nothing would work, you know. And that's one of the scary parts, is that these attacks are getting involved as people start repeating that; they may or may not have the skills, but they can get in and then wreak havoc that they wouldn't think about. And in this case, you know, there were obviously the primary targets, these military sites, these government organizations, but it also involves secondary targets, because if you think about it, a lot of these registrars were even in different countries. So to get to my final target I had to compromise that part of that infrastructure, that DNS setup, and those registrars may be in totally different countries. But that's

what they were targeting, because they realized that maybe this government entity has very strong security, they really take security seriously, but what about the registrar that provided them that account? Maybe they have some weaknesses, they haven't patched something, they may have ways I can get in. And that's what it is, already taking advantage of the fact that there's lots of areas, almost like a supply chain if you would, that I can take advantage of, not going directly to that company. As you can see here, the primary targets are there in orange, but the secondary ones were those registrar accounts, or registered entities, registries that were in different countries, that they also took advantage of, because that's what was

supplying the name servers that these guys actually took control of. And in many cases they actually stood up their own name servers, so instead of just redirecting a single entry, they were actually redirecting an entire name server and other spaces, so that they could pretty much be ready to put whatever they wanted, and they would do it short or long term depending on how long they wanted to do the change. So to give you an idea how this worked: these guys would go and target one of these registrars, one of these registries, find a way to get in, some initial access. They may even spear-phish somebody that works for a registrar. They would get in, start moving

around, get more access, they would get, you know, data back to their command-and-control. Pretty much once they would get in far enough, they would actually control some part of this DNS registry, so that they could actually then do that changing: changing the name, changing your name server IP address, doing whatever they needed to, because they were actually on the systems that could control it now. So now they would update whatever entry they wanted, maybe it's for your company site, and now whenever someone goes to that valid company site they're getting redirected to the attacker-controlled name server, attacker-controlled DNS server, however you want to put it. And then obviously, depending on how sophisticated they were,

when you connected, sometimes they had self-signed certs. In other instances here, one of the interesting things that they would also do is that all the people that generate certificates, these companies, are not all created equal. Some of them do less authentication than others, and in this case a lot of times they would see who you had your certificate with, and then they would go to a competing certificate registrar, a few of the ones who issue the certificates, and actually request a certificate for this company site. And in many instances there wasn't enough checking done, so they actually had a valid cert for your domain. So when they stood up their fake server, it looked totally legit, so obviously they would

let people come in. It looked pretty, you know, legitimate; people would log in, give their credentials, they'd pass you on to the legitimate site, but now they actually have actual credentials for the targeted network. So they could come in really under the radar, because they're not even trying to break in, because they have valid credentials to start with. One of the things that was really, I want to say, interesting and sort of scary at the same time: when this one happened, most of the time, you know, whenever we find these attacks we'll publish about it on our blog, we'll let everybody in the world know about it, and most of the time the attackers, when they see that,

will sort of back off. They'll take a pause and go, people are watching this, I'm going to, like, scurry into the dark, I don't want to be seen. When we published on this one, these guys didn't cool off at all; they sort of increased what they were doing. They could care less. They were just like, we don't care, we're going to keep doing what we're doing. So they were really scary; it was one of those where they were aggressively going after their targets, and they could care less whether people talked about it or publicized it at all. They were still going to keep doing their targeting, which was really a scary thing, because we hadn't seen that

in the past. Most of the time they'd always at least cool off for a while, but this time they didn't pause at all; they just kept moving forward with the attacks that they were doing. And you know, I mentioned they did different certs and things, but one of the really, you know, things that they really came across here was, you know, that was the other side of it, being able to make it look legitimate. They didn't just pause at redirecting you with a man-in-the-middle attack; they wanted to make it look as legitimate as possible, because that was their key: they were trying to steal it without anybody even being the wiser. And in many cases they were very successful at doing

that. And sometimes they basically got so good at it that they were actually targeting a lot of the VPN endpoints that people set up to VPN into their network. So they would actually either set up that initial fake one, get on the network and steal legitimate certs, but they would actually set up endpoints that looked just like their legitimate VPN endpoint, so you would actually be VPNing in into the attacker-controlled network to get into your own network, which meant they were actually getting those valid certs, you know, valid credentials to get onto the network. But people felt safe; I mean, when people get into their VPN, hey, I'm happy now, that's my safe spot. They

weren't thinking that it was a fake VPN endpoint, because these guys had impersonated it so well. And that's the scary part: they sort of raised the game and really did a much more interesting attack to, you know, trick people into giving away their data, their valuable credentials. So I mean, you know, I'd like to say there was an easy solution to this. You know, I don't think it's going to go away tomorrow, because as I said, as people see this, the players keep upping their game; they keep wanting to do things that other people have already done. One of the basics is obviously, if you have a registrar account, you know, make sure you have strong

credentials on it. Have two-factor if you can; that sort of depends on who your registrar is, some people offer it, some people don't. But the more you can secure that account, the better you are, and the more you can monitor that, you know, if you get multi-factor that's great, just monitoring it to see if it's changing: is my IP address being redirected to a new IP address? I mean, because it's not an easy task to do, because some of these attacks we've seen, especially with Sea Turtle, they would redirect it in a very small window. I mean, they may have redirected for five or ten minutes and then they switched it back to the

legitimate name server. So they were really doing some very targeted short-term attacks to gain what they were trying to gain. But the biggest thing is, you know, keeping the systems patched, you know, the age-old thing, we talk about patching all the time. But the main thing is, don't take DNS for granted. We have to have it to run our networks, but you need to start looking at DNS, monitor the activity, see what's happening, just because that's one of those key data points. Just like the logs on your network, DNS is becoming that vital log that you can't forget; you've got to look at it to see what's happening, because it's always going to give you an

indication that maybe it's another vector that the attackers are using to try and get into your network. So with that, I think we're pretty much done. Hopefully it was useful, enjoyable. We'll be around, you can ask us any questions you have any time, just hit us up at the booth, whatever, see us walking around, happy to talk about this. I'll go ping Warren, make him answer all the questions. But with that I'll let him switch this on, because I think we're going to the next talk. [Applause]
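The speakers' closing advice is to watch the records you publish for your own domains and notice when an A record or a name-server delegation changes, even for the five- or ten-minute window they describe. The script below is an added example of that check, written for this page; it is not code from the talk, from Cisco Talos, or from any Talos tool. Everything in it is constructed: the domain names, the IP addresses, and the sequence of lookup results are made up, and the `live_lookup` adapter (which uses the third-party dnspython library and is not exercised by the offline demo) is the only piece that would touch real DNS.

```python
"""Baseline-and-diff monitor for the A and NS records of your own domains.

Added example, not from the talk or from Cisco Talos. All names, addresses and
lookup results below are constructed for the demo; a real deployment would
swap in live_lookup() and run check_once() on a short timer (minutes, not
hours), keeping every change it ever sees so a redirect that is reverted
before the next poll still leaves evidence.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

# A lookup takes (owner name, record type) and returns the set of answers.
Lookup = Callable[[str, str], Set[str]]
RecordKey = Tuple[str, str]


@dataclass(frozen=True)
class Change:
    """One observed deviation from the baseline at a given poll."""
    poll: int
    name: str
    rtype: str
    expected: FrozenSet[str]
    observed: FrozenSet[str]


def check_once(baseline: Dict[RecordKey, Set[str]], lookup: Lookup, poll: int) -> List[Change]:
    """Compare every baselined record against a fresh lookup.

    Any difference is reported, including an answer set that merely gained a
    value: an extra name server in the delegation matters as much as an
    A record that was replaced outright.
    """
    changes: List[Change] = []
    for (name, rtype), expected in baseline.items():
        observed = set(lookup(name, rtype))
        if observed != expected:
            changes.append(Change(poll, name, rtype, frozenset(expected), frozenset(observed)))
    return changes


def run_polls(baseline: Dict[RecordKey, Set[str]], snapshots: List[Lookup]) -> List[Change]:
    """Run check_once over one lookup per polling interval and keep the full
    history, so a short-lived redirect that is gone by the next poll is kept."""
    history: List[Change] = []
    for poll, lookup in enumerate(snapshots):
        history.extend(check_once(baseline, lookup, poll))
    return history


def live_lookup(name: str, rtype: str) -> Set[str]:
    """Adapter for real use with dnspython (assumed installed; not used by the
    offline demo). A missing name or empty answer returns an empty set, so the
    monitor reports that as a change as well."""
    import dns.resolver  # third-party; imported lazily so the demo runs without it
    try:
        return {rr.to_text() for rr in dns.resolver.resolve(name, rtype)}
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return set()


# --- constructed demo data (documentation-range addresses, made-up names) ---
BASELINE: Dict[RecordKey, Set[str]] = {
    ("vpn.example.com.", "A"): {"192.0.2.10"},
    ("example.com.", "NS"): {"ns1.example.net.", "ns2.example.net."},
}


def _snapshot(answers: Dict[RecordKey, Set[str]]) -> Lookup:
    """Build a fake resolver that answers from a fixed table (constructed)."""
    return lambda name, rtype: answers.get((name, rtype), set())


NORMAL = _snapshot(BASELINE)
# Poll 1: the VPN host's A record points elsewhere for one interval; poll 2 is
# back to normal, mimicking the short redirect window described in the talk.
A_HIJACKED = _snapshot({**BASELINE, ("vpn.example.com.", "A"): {"198.51.100.7"}})
# Poll 3: a third name server has been added to the delegation.
NS_ADDED = _snapshot({**BASELINE,
                      ("example.com.", "NS"): BASELINE[("example.com.", "NS")] | {"ns9.example.org."}})

DEMO_POLLS: List[Lookup] = [NORMAL, A_HIJACKED, NORMAL, NS_ADDED]


def demo() -> List[Change]:
    """Return the changes the monitor flags over the constructed poll series."""
    return run_polls(BASELINE, DEMO_POLLS)


if __name__ == "__main__":
    for c in demo():
        print(f"poll {c.poll}: {c.name} {c.rtype} expected {sorted(c.expected)} "
              f"observed {sorted(c.observed)}")
```

The baseline is what you believe your zone should say, not whatever the last poll returned, so a change that persists across several polls keeps being reported until someone updates the baseline deliberately; and because `run_polls` keeps the whole history, the poll-1 redirect above is still on record after poll 2 shows the original address again.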