The U.S. National Security Agency (NSA) on Friday said DNS over HTTPS (DoH) — if configured appropriately in enterprise environments — can help prevent “numerous” initial access, command-and-control, and exfiltration techniques used by threat actors.
“DNS over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), often referred to as DNS over HTTPS (DoH), encrypts DNS requests by using HTTPS to provide privacy, integrity, and ‘last mile’ source authentication with a client’s DNS resolver,” according to the NSA’s new guidance.
Proposed in 2018, DoH is a protocol for performing remote Domain Name System resolution via the HTTPS protocol.
One of the major shortcomings of conventional DNS lookups is that even when someone visits a site that uses HTTPS, the DNS query and its response are sent over an unencrypted connection, allowing a third party eavesdropping on the network to track every website a user visits.
Even worse, the setup is ripe for man-in-the-middle (MiTM) attacks: an on-path adversary can simply alter DNS responses to redirect unsuspecting visitors to a malware-laced site of their choice.
Thus by using HTTPS to encrypt the data between the DoH client and the DoH-based DNS resolver, DoH aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by MiTM attacks.
To that end, the NSA recommends using only designated enterprise DNS resolvers to achieve the desired cybersecurity defense, while warning that individual client applications that enable DoH using third-party DoH resolvers can completely circumvent the enterprise DNS service.
One consequence is that “malware can also leverage DoH to perform DNS lookups that bypass enterprise DNS resolvers and network monitoring tools, often for command and control or exfiltration purposes.”
The gateway, which forwards queries to external authoritative DNS servers when the enterprise DNS resolver does not have the response cached, should be designed to block DNS, DoH, and DNS over TLS (DoT) requests to external resolvers and DNS servers unless they originate from the enterprise resolver, the agency added.
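The egress policy the NSA describes in the three paragraphs above can be checked against flow records before (or after) it is enforced at the gateway. The following is an added example, not tooling from the NSA guidance: it scans constructed flow-log lines and flags any host other than the enterprise resolver that talks to an external DNS server on port 53, a DoT server on port 853, or a known public DoH resolver over 443. The log format, the resolver address 10.1.0.10, the client addresses and the DoH watchlist are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed flow-log format (one connection per line); real NetFlow/Zeek fields differ.
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Policy:
    enterprise_resolvers: frozenset  # the only hosts allowed to reach external DNS/DoT/DoH
    doh_watchlist: frozenset         # IPs of public DoH services to flag on 443 (illustrative)


# Assumed enterprise layout: one internal resolver, and a short public-DoH watchlist
# (Cloudflare, Google and Quad9 public resolvers) that an operator would maintain.
POLICY = Policy(
    enterprise_resolvers=frozenset({"10.1.0.10"}),
    doh_watchlist=frozenset({"1.1.1.1", "8.8.8.8", "9.9.9.9"}),
)

# Constructed sample flows; none of these are real observations.
SAMPLE_FLOWS = [
    "2021-01-15T10:02:11Z src=10.1.5.23 dst=10.1.0.10 proto=udp dport=53",     # normal lookup
    "2021-01-15T10:02:12Z src=10.1.5.23 dst=8.8.8.8 proto=udp dport=53",       # direct external DNS
    "2021-01-15T10:02:15Z src=10.1.5.42 dst=1.1.1.1 proto=tcp dport=853",      # DoT bypass
    "2021-01-15T10:02:19Z src=10.1.5.42 dst=1.1.1.1 proto=tcp dport=443",      # DoH bypass
    "2021-01-15T10:02:20Z src=10.1.0.10 dst=1.1.1.1 proto=tcp dport=443",      # resolver's own upstream
    "2021-01-15T10:02:25Z src=10.1.5.23 dst=93.184.216.34 proto=tcp dport=443",  # ordinary web
    "garbage line that does not parse",
]


def parse_flow(line: str):
    m = LINE_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def classify(flow: dict, policy: Policy):
    """Return ("allow"|"block", reason) for one flow under the enterprise-resolver policy."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    if src in policy.enterprise_resolvers:
        return "allow", "enterprise resolver egress"
    if dst in policy.enterprise_resolvers:
        return "allow", "query to enterprise resolver"
    if dport == 53:
        return "block", f"plain DNS to external server {dst} bypasses enterprise resolver"
    if dport == 853:
        return "block", f"DoT to {dst} bypasses enterprise resolver"
    if dport == 443 and dst in policy.doh_watchlist:
        return "block", f"HTTPS to known public DoH resolver {dst}"
    return "allow", ""


def scan(lines, policy: Policy):
    """Run the policy over log lines; unparseable lines are skipped, blocked flows returned."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict, reason = classify(flow, policy)
        if verdict == "block":
            alerts.append({**flow, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_FLOWS, POLICY):
        print(f'{a["ts"]} {a["src"]} -> {a["dst"]}:{a["dport"]}  {a["reason"]}')
```

The port-443 check is only as good as the watchlist: DoH to an unlisted HTTPS endpoint looks like any other web session without TLS inspection or resolver-side logs. That is why the guidance leans on positive control (only the designated resolver may leave the network on 53, 853 or to DoH services) rather than on enumerating resolvers to block.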
DoH is not a panacea
Although DoH protects DNS transactions from unauthorized modification, the NSA cautioned the technology “is not a panacea” and can bring “a false sense of security.”
“DoH does not guarantee protection from cyber threat actors and their ability to see where a client is going on the web,” it said. “DoH is specifically designed to encrypt only the DNS transaction between the client and resolver, not any other traffic that happens after the query is satisfied.”
What’s more, the encryption does nothing to prevent the DNS provider from seeing both the lookup requests as well as the IP address of the client making them, effectively undermining privacy protections and making it possible for a DNS provider to create detailed profiles based on users’ browsing habits.
Oblivious DNS-over-HTTPS (ODoH), announced last month by engineers at Apple, Cloudflare, and Fastly, aims to address this issue. It prevents the DoH resolver from knowing which client requested which domain names by routing all requests through a proxy that separates the client IP addresses from the queries, “so that no single entity can see both at the same time.”
Put differently, this means the proxy does not know the contents of queries and responses, and the resolver does not know the IP addresses of the clients.
Nor does the use of DoH rule out DNS cache poisoning: a resolver that communicates with malicious servers upstream remains susceptible to it.
“Enterprises that allow DoH without a strategic and thorough approach can end up interfering with network monitoring tools, preventing them from detecting malicious threat activity inside the network, and allowing cyber threat actors and malware to bypass the designated enterprise DNS resolvers.”
Joker’s Stash, the largest dark web marketplace notorious for selling compromised payment card data, has announced plans to shut down its operations on February 15, 2021.
In a message board post on a Russian-language underground cybercrime forum, the operator of the site — who goes by the name “JokerStash” — said “it’s time for us to leave forever” and that “we will never ever open again,” according to twin reports from cybersecurity firms Gemini Advisory and Intel471.
“Joker goes on a well-deserved retirement. Joker’s Stash is closing,” the post read. “When we opened years ago, nobody knew us. Today we are one of the largest cards/dumps marketplace[s].”
The exact reason for the shutdown is still unclear.
Joker’s Stash, founded in 2014, grew over the years into one of the biggest players in the underground payment card economy, generating more than $1 billion in revenue.
The news of the imminent shutdown comes weeks after the US Federal Bureau of Investigation (FBI) and Interpol allegedly seized proxy servers used in connection with Blockchain-based domains belonging to the site last month, briefly disrupting its operations.
Adding to the mounting troubles was a “severe decline” in the volume of stolen data posted on the site, leading to complaints from clients about the poor quality of the payment card data.
Then in late October, the site’s routine activities also suffered after the actor who allegedly runs the site claimed to have contracted COVID-19 and to have spent more than a week in a hospital.
Gemini Advisory pointed to Bitcoin’s recent spike as another reason that may have led to the website’s demise.
Bitcoin hit a record high of $40,000 last week, lifting the total value of the cryptocurrency market above $1 trillion for the first time ever.
“JokerStash was an early advocate of Bitcoin and claims to keep all proceeds in this cryptocurrency,” the researchers said. “This actor was already likely to be among the wealthiest cybercriminals, and the spike may have multiplied their fortune, earning them enough money to retire.”
Joker’s Stash’s shutdown isn’t the end of the road, however, as vendors are expected to transition to other dark web marketplaces to advertise their services.
The site’s administrator had a few parting words of advice for cybercriminals.
“We are also want to wish all young and mature ones cyber-gangsters not to lose themselves in the pursuit of easy money (sic),” the post concluded. “Remember, that even all the money in the world will never make you happy and that all the most truly valuable things in this life are free.”