How did the SUNBURST attack manage to evade detection for months on end? The answer is, of course, complicated. Attackers used numerous sophisticated techniques to bypass defenses and mask their movements.
A new security report, from ExtraHop and long-time security analysts Deb Radcliff, details one critical technique used in the SUNBURST attack to evade detection: hiding command and control traffic by taking advantage of known weaknesses with enterprise domain name systems (DNS).
DNS is a popular attack vector for two reasons. First, everyone uses DNS. It's an essential component of the functionality of the internet. Second, it's noisy. The sheer volume of DNS queries make it extremely difficult to monitor. Like shoplifting in a busy store, the amount of activity makes it harder to catch suspicious activity.
According to VeriSign, DNS root servers negotiated 84 billion queries a day in 2020 on average. For enterprises, that number is usually in the millions, making DNS traffic almost impossible to log. It is a common and perhaps necessary practice to disable logging for DNS, but that left a blind spot that attackers used to their advantage.
How Did SUNBURST Take Advantage of DNS?
"SUNBURST DNS tactics began as soon as devices were infected, and they started carefully trying to reach external C2 servers. In a rarely used attack method, the SUNBURST backdoor uses a domain generation algorithm (DGA) to hide C2 traffic inside DNS. According to a January blog from Symantec, this subversion of DGA enabled attackers to identify each infected computer sending information to the C2 servers."
The SUNBURST attack mimicked legitimate traffic from seemingly legitimate domains. Most of these domains were hosted at secondary providers. This enabled the SUNBURST malware to breach and take root in victim organizations, where it used DNS to call out from the inside.
Using the DGA it created unique identifiers for the infected systems so that attackers could pick systems of value to which they wanted to return.