Security researchers from Netlab – a network threat hunting unit of Chinese cybersecurity giant Qihoo 360 – discovered the first ever malware strain, named Godlua, seen abusing the DNS over HTTPS (DoH) protocol. The Godlua malware is written in Lua to work on Linux Servers. The attackers are using Confluence exploit (CVE-2019-3396) to infect outdated systems, and early samples uploaded on VirusTotal have mislabeled it as a cryptocurrency miner.
Internet Emgineering Task Force’s (IETF) RFC 8484 provides more details of DoH protocol
Social Media Reaction:
Spoiler: there will be more. Lots, lots more. DoH is going to break a lot of security controls. https://t.co/Eo8QqP3Mmd
— Kevin Beaumont (@GossiTheDog) July 2, 2019
DNS over HTTPS is an *AWFUL* hack being necessitated by moronic blocking practices. Now this has been mentioned in the Lords, HMG are going to make DoH illegal int he UK, aren't they? pic.twitter.com/B0zbHRcXLC
— Benjamin Lewis (@tc1415) May 15, 2019
Anthony Chadd, SVP, Global Sales at Neustar:
“Whether using common methods such as amplification or flooding, the DNS is often at the heart of a variety of DDoS attacks. With some of the largest attacks on record aimed at DNS, it was only ever going to be a matter of time before malicious actors found ways to abuse the new HTTPS protocol. For organisations, the stakes are simple, yet high: no functioning DNS, no website or internet presence.
With hackers deploying a variety of methods to ensure communication between bots and webservers, it’s essential that businesses are taking a pro-active approach to installing a Web Application Firewall (WAF) – a crucial technique for preventing bot-based volumetric DDoS attacks, including threats that target the application layer.
Thanks to constantly increasing connectivity, the ability for bots to cause chaos at great scale have risen dramatically, and as such, 75% of organisations surveyed by the Neustar International Security Council (NISC) reported concerns over bot traffic posing a threat to data security. As the threat landscape continues to change, so should the detection and protection measures businesses are putting in place. It may be DNS over HTTPS today, but there is every potential that it will be DNS over something else tomorrow, and that’s what organisations need to prepare for.”