The medical community has been warned: On October 28, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Health and Human Services (HHS) published Ransomware Activity Targeting the Healthcare and Public Health Sector to alert the community that malicious actors are once again using the Ryuk ransomware against medical organizations.
The federal advisory’s analysis highlights how the anchor_dns tool at the core of the Ryuk campaign uses DNS as the control plane to execute the PowerShell command scripts that lie at the heart of the attack. All security pros know that DNS serves as the main control plane by which most adversaries send commands to compromised machines, as described in the MITRE ATT&CK framework. More significantly, this campaign shows that adversaries are also exploiting DNS for data exfiltration, following the path of earlier malware campaigns aimed at retail point-of-sale systems. Organizations rarely focus on DNS, preferring to use next-generation firewalls and other security platforms that concentrate on HTTP and email. Anchor_dns avoids those platforms by using DNS as the channel to smuggle data out undetected, knowing that most traditional security platforms lack the means to differentiate between legitimate and malicious DNS requests.
Precisely because DNS sits at the heart of this campaign, the DNS servers inside these health care institutions are ideally placed to mitigate this campaign. Here are three ways that DNS servers can help medical organizations identify and block these ransomware attacks:
- Blacklist specified DNS domains.
With the extensive use of DNS as the command and control channel for the anchor_dns tool, there are a number of domains that have been identified by the advisory as being core to the malware campaign. By using threat intelligence or by manually adding these domains to the DNS blacklist, health care organizations can break the critical control channel and prevent the execution of the ransomware by blocking the resolution of these domains. By using threat intelligence from Infoblox, security teams gained visibility into these malicious domains as early as April 2020 as part of the threat hunting team’s ongoing efforts to track Trickbot and other malware campaign toolsets:
kostunivo[.]com
chishir[.]com
mangoclone[.]com
onixcellent[.]com
These domains are critical to resolving the IP addresses of the command and control servers that are used to maintain control of compromised machines:
23[.]95[.]97[.]59
51[.]254[.]25[.]115
193[.]183[.]98[.]66
91[.]217[.]137[.]37
87[.]98[.]175[.]85
Given the criticality of DNS in the attack and the pervasive deployment of DNS servers, organizations should more carefully monitor DNS activity to identify if this campaign has impacted their environment.
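One way to turn the indicators above into a resolver-enforced block is a BIND Response Policy Zone (RPZ). The script below is an added example, not code from the advisory or from Infoblox: it refangs the defanged domains and addresses quoted above, emits QNAME triggers that return NXDOMAIN for each C2 domain and everything beneath it, and emits RPZ-IP triggers so that any answer resolving to one of the C2 addresses is blocked even when the queried name is not on the list. The zone name `rpz.local` and the SOA values are placeholders.

```python
"""Build a BIND RPZ zone from the advisory's defanged C2 indicators.

Added example; zone name, SOA and NS values are placeholders, not from the page.
"""
import ipaddress
import re

# Indicators exactly as quoted in the advisory text above, still defanged.
C2_DOMAINS = ["kostunivo[.]com", "chishir[.]com", "mangoclone[.]com", "onixcellent[.]com"]
C2_ADDRESSES = [
    "23[.]95[.]97[.]59", "51[.]254[.]25[.]115", "193[.]183[.]98[.]66",
    "91[.]217[.]137[.]37", "87[.]98[.]175[.]85",
]

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(indicator: str) -> str:
    """Restore a defanged indicator ('example[.]com' -> 'example.com')."""
    text = _DEFANG.sub(".", indicator.strip())
    return re.sub(r"^hxxps?://", "", text, flags=re.IGNORECASE)


def domain_rules(domain: str) -> list:
    """QNAME trigger: NXDOMAIN for the domain itself and every name beneath it."""
    name = refang(domain).rstrip(".").lower()
    return [f"{name} CNAME .", f"*.{name} CNAME ."]


def ip_rule(address: str, prefix_len: int = 32) -> str:
    """RPZ-IP trigger: owner name is <prefix>.<octets reversed>.rpz-ip.

    The policy fires when any A record in an answer falls inside that prefix,
    so the client never receives the C2 address, whatever name it asked for.
    """
    ip = ipaddress.ip_address(refang(address))
    if ip.version != 4:
        raise ValueError("this example only encodes IPv4 triggers")
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{prefix_len}.{reversed_octets}.rpz-ip CNAME ."


def build_rpz_zone(domains, addresses, zone="rpz.local", serial=1) -> str:
    """Return a complete RPZ zone file (zone name and SOA are placeholders)."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{zone}. ( {serial} 3600 900 604800 300 )",
        "@ IN NS localhost.",
        "; QNAME triggers for the advisory's command-and-control domains",
    ]
    for d in domains:
        lines.extend(domain_rules(d))
    lines.append("; RPZ-IP triggers for the command-and-control addresses")
    lines.extend(ip_rule(a) for a in addresses)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone(C2_DOMAINS, C2_ADDRESSES))
```

Load the generated file as a zone on the recursive resolver and reference it from `response-policy { zone "rpz.local"; };` in `named.conf`; bump the serial whenever the indicator list changes so secondaries pick up the new rules, and keep the resolver's query log enabled so RPZ hits become the early-warning signal discussed in the next section.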
- Leverage DNS as an early warning system.
Detection and mitigation of this and other threats do not stop with blocking the specific domains that anchor_dns uses. The Anchor toolset module (which includes anchor_dns) supplements the long-standing trojan capabilities commonly known as Trickbot. First identified in 2016 as a banking trojan, Trickbot has long been used as a vehicle for a wide variety of malware campaigns. We have been tracking the distribution and evolution of this toolset over many years, with recent campaigns in June and April that leveraged, respectively, the Black Lives Matter protests and COVID-19 emails spoofing the World Health Organization to deliver Trickbot. The CISA advisory highlights how adversaries continue to prey on public fears around the pandemic as a means to launch ransomware campaigns.
- Integrate machine learning with DNS to identify data exfiltration.
The focus on DNS makes anchor_dns a distinctive exfiltration channel. This custom DNS tunneling tool leaves most traditional security appliances blind, because their default DNS inspection policy allows all outbound DNS traffic to pass without DNS-specific threat detection. The adversaries behind this campaign are deliberately exploiting this blind spot. They also count on the fact that most security platforms that claim even basic DNS tunneling detection work on the basis of either threat intelligence or signatures for known tunnels. This has become a problem for health care organizations because this new variant does not use existing tunneling tools, making signatures ineffective. The active campaign leaves organizations reliant on threat intelligence providers to detect the malicious domains in other customer networks first, forcing targeted cyber defenders to play catch-up.
A more proactive defense uses machine learning detection trained on DNS data that can distinguish between legitimate requests and exfiltration attempts. Simply blocking all DNS tunnels creates a business risk, as many legitimate applications also tunnel data out over DNS; a blanket block often breaks security tools such as antivirus products that rely on DNS tunneling to reach their update servers through firewalls. Only by combining detailed knowledge of how DNS truly works with machine learning can organizations protect themselves against these zero-day DNS exfiltration attacks without creating collateral damage.
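The per-domain signals a DNS-trained model consumes, and the allowlist that keeps legitimate DNS-encoded traffic from being blocked, can be shown with a small scoring script over query-log lines. This is an added example and not Infoblox's product logic: the fixed thresholds stand in for a trained classifier, the log format (`<epoch> <client-ip> <qname> <qtype>`) is constructed, and the domains, including the allowlisted `av-updates.example` that stands for an antivirus service which legitimately encodes lookups in DNS labels, are constructed for this example.

```python
"""Heuristic DNS exfiltration scoring over constructed query-log lines.

Added example. Features: unique-subdomain ratio, subdomain label length,
label entropy and the share of tunnel-friendly record types per registered
domain. The thresholds are hand-picked stand-ins for a trained model.
"""
import hashlib
import math
from collections import defaultdict

# Constructed allowlist: services known in this environment to encode data in DNS
# labels legitimately (an antivirus lookup/update service). Never flag these.
ALLOWLIST = {"av-updates.example"}
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME"}


def _payload(i: int) -> str:
    """Constructed high-entropy label standing in for an encoded data chunk."""
    return hashlib.sha256(str(i).encode()).hexdigest()[:40]


# Constructed query log, one record per line: "<epoch> <client-ip> <qname> <qtype>".
SAMPLE_LOG = (
    [f"16040000{i:02d} 10.1.2.3 www.example.com A" for i in range(20)]
    + [f"16040001{i:02d} 10.1.2.4 mail.example.net MX" for i in range(5)]
    + [f"16040002{i:02d} 10.1.2.3 {_payload(i)}.d.evil-tunnel.example TXT" for i in range(40)]
    + [f"16040003{i:02d} 10.1.2.5 {_payload(i)}.lookup.av-updates.example TXT" for i in range(30)]
)


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score high, hostnames score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Approximation: last two labels (no public-suffix list in this example)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": int(ts), "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def score_domains(lines, min_queries: int = 10) -> dict:
    """Group queries by registered domain and score each group for exfiltration traits."""
    by_domain = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_domain[registered_domain(rec["qname"])].append(rec)

    results = {}
    for domain, recs in by_domain.items():
        suffix = "." + domain
        subs = [r["qname"][: -len(suffix)] for r in recs if r["qname"].endswith(suffix)]
        n = len(recs)
        feats = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "mean_label_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / n,
            "tunnel_fraction": sum(r["qtype"] in TUNNEL_QTYPES for r in recs) / n,
        }
        reasons = []
        if domain in ALLOWLIST:
            reasons.append("allowlisted")  # legitimate tunnel: report, never block
        elif n >= min_queries:
            if feats["unique_ratio"] >= 0.8:
                reasons.append("mostly unique subdomains")
            if feats["mean_label_len"] >= 30:
                reasons.append("long subdomain labels")
            if feats["mean_entropy"] >= 3.0:
                reasons.append("high-entropy labels")
            if feats["tunnel_fraction"] >= 0.5:
                reasons.append("tunnel-friendly record types")
        feats["flagged"] = domain not in ALLOWLIST and len(reasons) >= 3
        feats["reasons"] = reasons
        results[domain] = feats
    return results


if __name__ == "__main__":
    for domain, feats in score_domains(SAMPLE_LOG).items():
        print(f"{domain:24} flagged={feats['flagged']} reasons={feats['reasons']}")
```

Run against a real resolver's query log the scoring would be done per client as well as per domain, and the output would feed a reviewed block decision rather than an automatic RPZ entry; the allowlist is what keeps the antivirus update path in the text above working while the unknown tunnel is still surfaced.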
The federal advisory demonstrates the effective role government agencies can play to protect specific industries, even the entire country in the case of public health. These alerts are especially helpful in difficult times when cyber adversaries can manipulate human emotions in addition to technical flaws and overlooked configurations.
Craig Sanderson, vice president, security products, Infoblox