Executive Summary
In October 2024, security researchers highlighted a critical technique enabling Command and Control (C2) communication over DNS channels by encoding arbitrary byte values in DNS queries—even when traversing third-party infrastructures like Cloudflare and Google. Using custom-crafted DNS packets, attackers can bypass traffic inspection and filtering, exploiting DNS to exfiltrate or transfer data using modified BASE64 or expanded ASCII, which can evade many traditional network defenses due to protocol limitations and inconsistent validations among DNS providers. This creates a covert path for malware to communicate without detection by standard security tools.
This incident underscores a rising trend where attackers leverage ubiquitous protocols—such as DNS—for covert C2, presenting profound challenges for organizations seeking to secure east-west traffic and detect advanced threats. Awareness is crucial, as advanced C2 techniques are increasingly observed in malware campaigns exploiting gaps in DNS monitoring and anomaly detection.
Why This Matters Now
DNS is a foundational protocol often overlooked by traditional security controls. As threat actors exploit DNS for stealthy command and control channels—using advanced encoding and packet crafting tactics—even encrypted or segmented environments are vulnerable. Organizations must enhance DNS monitoring, leverage anomaly detection, and revisit egress policies to mitigate these evolving attack vectors.
Attack Path Analysis
The attacker initially compromised a cloud workload, possibly via phishing or exposed credentials. They attempted to escalate privileges to gain broader access within the environment. Lateral movement ensued, potentially leveraging east-west traffic to discover and access other internal resources. For command and control, the adversary established covert outbound communications using custom-encoded data over DNS queries to bypass typical detection methods. Data exfiltration occurred through the same DNS covert channel, transferring sensitive payloads outside the environment. Impact could include theft of proprietary information or staging for further disruption, though direct destruction was not confirmed.
Kill Chain Progression
Initial Compromise
Description
Attacker gains initial access to a cloud workload, likely via phishing, credential abuse, or exploiting a misconfiguration.
Related CVEs
CVE-2025-61430
CVSS 7.5
Improper handling of DNS over TCP in Simple DNS Plus v9 allows a remote attacker with querying access to the DNS server to cause the server to return request payloads from other clients.
Affected Products:
JH Software Simple DNS Plus – v9
Exploit Status:
no public exploit
CVE-2024-25728
CVSS 5.3
ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration, potentially exposing sensitive information.
Affected Products:
ExpressVPN ExpressVPN for Windows – < 12.73.0
Exploit Status:
no public exploit
CVE-2024-8418
CVSS 7.5
A flaw in Aardvark-dns allows a remote attacker to cause a Denial of Service by keeping a TCP connection open indefinitely.
Affected Products:
Aardvark-dns Aardvark-dns – All versions
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Application Layer Protocol: DNS
Non-Application Layer Protocol
Exfiltration Over Alternative Protocol
Data Obfuscation
Dynamic Resolution: Domain Generation Algorithms
Obfuscated Files or Information
Data Encoding: Standard Encoding
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Review logs and security events
Control ID: 10.6.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (Digital Operational Resilience Act) – ICT Risk Management—Protection and Prevention
Control ID: Art. 5(2)(b)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Network Traffic Monitoring
Control ID: Network Pillar: Monitoring and Visibility
NIS2 Directive – Risk Management—Security in Network and Information Systems
Control ID: Art. 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
DNS-based command and control channels threaten transaction security and customer data, requiring enhanced egress filtering and zero trust segmentation controls.
Health Care / Life Sciences
Patient data exfiltration via covert DNS channels violates HIPAA compliance, necessitating encrypted traffic monitoring and anomaly detection capabilities.
Information Technology/IT
IT infrastructure faces direct exposure to DNS C2 techniques, demanding inline IPS deployment and multicloud visibility for threat detection.
Telecommunications
Network operators must secure DNS infrastructure against malware communications while maintaining service reliability through encrypted traffic inspection and segmentation.
Sources
- Bytes over DNS (Mon, Oct 27th): https://isc.sans.edu/diary/rss/32420
- Infoblox Uncovers DNS Malware Toolkit & Urges Companies to Block Malicious Domains: https://www.infoblox.com/news/news-events/press-releases/infoblox-uncovers-dns-malware-toolkit-urges-companies-to-block-malicious-domains/
- DNS Abuse Detection: DNS Beacons - C2 Communication: https://www.first.org/global/sigs/dns/stakeholder-advice/detection/dns-beacons-c2-communication
- Talos team spotted a PowerShell malware that uses DNS queries to contact the C&C server: https://www.cyberdefensemagazine.com/talos-team-spotted-a-powershell-malware-that-uses-dns-queries-to-contact-the-cc-server/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust Segmentation, egress policy enforcement, and advanced traffic visibility provided by CNSF controls would have significantly limited the attacker's ability to establish covert DNS channels, move laterally, and exfiltrate data. Inline inspection and anomaly detection could have identified or blocked the unauthorized use of DNS for command and control and data transfer.
Control: Zero Trust Segmentation
Mitigation: Limits access scope and reduces attack surface for initial compromise.
Control: Multicloud Visibility & Control
Mitigation: Enhances detection of abnormal privilege changes and network access.
Control: East-West Traffic Security
Mitigation: Restricts lateral movement between workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized outbound DNS or detects suspicious usage.
Control: Threat Detection & Anomaly Response
Mitigation: Identifies and alerts on anomalous DNS exfiltration behavior. Reduces persistence and enables rapid containment.
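As an added illustration of the detection the Threat Detection & Anomaly Response control describes, applied to the byte-level DNS encoding from the executive summary, the Python script below scores resolver log lines for three signals: non-hostname octets in a query name (shown in the \DDD escape form that dig and BIND print), long high-entropy labels typical of base64-style payloads, and many distinct flagged subdomains under one base domain from one client. This is example code, not part of the page or of CNSF; the log format, the sample lines, the thresholds and the two-label base-domain rule are assumptions of the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the page): "<client> <qname> <qtype>" per line.
# Non-printable octets in a name are shown in the RFC 1035 \DDD escape form dig/BIND print.
SAMPLE_LOG = """\
10.0.0.5 www.example.com. A
10.0.0.5 mail.example.com. MX
10.0.0.9 g4f3t9qlzx2v7bms.ex-tunnel.test. TXT
10.0.0.9 \\001\\255\\142q9\\003zz.ex-tunnel.test. TXT
10.0.0.9 kc02n5wyh7x1pm9r.ex-tunnel.test. TXT
10.0.0.9 z7v1qq.ex-tunnel.test. TXT
10.0.0.5 cdn.example.com. A
"""

ESCAPE_RE = re.compile(r"\\\d{3}")       # one escaped octet, e.g. \255
LDH_RE = re.compile(r"^[A-Za-z0-9-]*$")  # letters-digits-hyphen hostname charset

def shannon_entropy(text: str) -> float:
    """Bits per character; dense base64-style labels sit near 4 or above."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_name(qname: str):
    """(subdomain labels, base domain); base = last two labels is an assumption (use the PSL in production)."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])

def query_flags(qname: str) -> list:
    """Reasons one query name looks like a data carrier rather than a hostname."""
    sub, _ = split_name(qname)
    joined = "".join(sub)
    flags = []
    # An escaped octet or any non-LDH character means raw bytes rode inside the name.
    if ESCAPE_RE.search(joined) or not LDH_RE.match(ESCAPE_RE.sub("", joined)):
        flags.append("non-hostname-bytes")
    # Long labels with near-maximal entropy are the signature of encoded payloads.
    if any(len(lbl) > 12 for lbl in sub) and shannon_entropy(joined) > 3.5:
        flags.append("high-entropy-label")
    return flags

def suspicious_domains(log_text: str, min_distinct: int = 3) -> list:
    """Base domains that received several distinct flagged subdomains from one client."""
    seen = defaultdict(set)  # (client, base domain) -> distinct flagged subdomains
    for line in log_text.splitlines():
        client, qname, _qtype = line.split()
        if query_flags(qname):
            sub, base = split_name(qname)
            seen[(client, base)].add(".".join(sub))
    return sorted({b for (_, b), subs in seen.items() if len(subs) >= min_distinct})
```

Legitimate underscore-prefixed names (for example SRV or DMARC records) will trip the LDH check, so a production deployment would whitelist those label prefixes before alerting.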
Impact at a Glance
Affected Business Functions
- Network Operations
- Security Monitoring
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive DNS query data leading to information leakage.
Recommended Actions
Key Takeaways & Next Steps
- Deploy Zero Trust Segmentation to minimize initial compromise and lateral movement risk.
- Enforce strict egress controls and FQDN filtering to detect and block covert DNS channels.
- Implement centralized traffic visibility and baselining for early detection of abnormal communications.
- Activate real-time threat detection and anomaly response for rapid identification of exfiltration attempts.
- Continuously review and update cloud workload policies to ensure least privilege and isolation are enforced.