Security researchers from Netlab – a network threat hunting unit of Chinese cybersecurity giant Qihoo 360 – discovered the first ever malware strain, named Godlua, seen abusing the DNS over HTTPS (DoH) protocol. The Godlua malware is written in Lua to work on Linux Servers. The attackers are using Confluence exploit (CVE-2019-3396) to infect outdated systems, and early samples uploaded on VirusTotal have mislabeled it as a cryptocurrency miner.
Internet Emgineering Task Force’s (IETF) RFC 8484 provides more details of DoH protocol
Social Media Reaction:
Anthony Chadd, SVP, Global Sales at Neustar:
“Whether using common methods such as amplification or flooding, the DNS is often at the heart of a variety of DDoS attacks. With some of the largest attacks on record aimed at DNS, it was only ever going to be a matter of time before malicious actors found ways to abuse the new HTTPS protocol. For organisations, the stakes are simple, yet high: no functioning DNS, no website or internet presence.
With hackers deploying a variety of methods to ensure communication between bots and webservers, it’s essential that businesses are taking a pro-active approach to installing a Web Application Firewall (WAF) – a crucial technique for preventing bot-based volumetric DDoS attacks, including threats that target the application layer.
Thanks to constantly increasing connectivity, the ability for bots to cause chaos at great scale have risen dramatically, and as such, 75% of organisations surveyed by the Neustar International Security Council (NISC) reported concerns over bot traffic posing a threat to data security. As the threat landscape continues to change, so should the detection and protection measures businesses are putting in place. It may be DNS over HTTPS today, but there is every potential that it will be DNS over something else tomorrow, and that’s what organisations need to prepare for.”