A threat actor has found a new way to evade phishing detection defenses: abuse the .arpa top-level domain (TLD) together with IPv6-over-IPv4 tunneling to host phishing content on reverse-DNS names that should never carry a forward (A) record at all.
For the uninitiated, .arpa (Address and Routing Parameter Area) is a special-use domain reserved for internet infrastructure. Its main job is reverse DNS: the in-addr.arpa and ip6.arpa subtrees map IPv4 and IPv6 addresses back to host names through PTR records.
However, according to a report from Infoblox, a threat actor discovered that the DNS record management interface of at least one provider lets whoever controls a reverse zone create A records for reverse DNS names, instead of the PTR records that are supposed to live there.
“From there,” says Infoblox, “they can do whatever they like at the hosting provider. It’s a pretty clever trick.”
Infoblox first discovered the trick being used against Hurricane Electric, a US-based network operator that also runs a free IPv6 tunnel service, and content delivery provider CloudFlare. It also confirmed that some other providers have been abused, and says it has notified them of the issue.
The tactic “can definitely bypass a significant number of security platforms,” Dave Mitchell, senior director of threat research at Infoblox, said in an interview. “I think it’s definitely a risk.”
So far, Infoblox has seen two types of consumer-oriented spam. One group pretends to be from major department-store, supermarket and hardware chains, offering a gift for completing a survey. The other claims the victim’s online service or antimalware subscription has been interrupted, or that their cloud storage quota has been exceeded, and that they must pay to restore service. But Mitchell said there is no reason the tactic couldn’t be used for spear-phishing attacks against businesses.
In the examples Infoblox has seen, the victim clicks on a lure image that hides an embedded hyperlink; a series of redirects then lands them on a malicious page that asks for a credit card number, supposedly to pay for shipping of the gift, and the attacker captures the card details.
“The abuse of the .arpa TLD is novel in that it weaponizes infrastructure that is implicitly trusted and essential for network operations,” says the Infoblox report. “By using IPv6 reverse DNS domains as malicious links, the threat actor has discovered a delivery mechanism that bypasses security tools.
“The impact is immediate and cannot be overstated,” the report adds. “Security that depends on detecting suspicious domains using things like reputation, registration information, and policy blocklists is ineffective for these domains. These domains have an implicitly clean reputation, no registration information, and aren’t usually blocked by policy.”
In the examples Infoblox found, the attacker obtained IPv6 address space from Hurricane Electric’s free IPv6-over-IPv4 tunnel service. Tunnel customers are allowed to delegate reverse DNS for their allocated prefix to name servers of their choosing. What is supposed to happen next is that an IT department or individual builds a reverse zone for that prefix, mapping its addresses to names such as jones.com, smith.org, and so forth. In these attacks, the attacker instead pointed the delegation at CloudFlare name servers, added the ip6.arpa zones for the allocated prefixes there, and, rather than creating only reverse (PTR) records, created forward A records under those reverse names that resolved to malicious websites.
This tactic won’t necessarily work with all providers because of the way they have their systems set up, Mitchell said. For example, when testing the tactic on a number of other providers, Infoblox found that some prevented its researchers from claiming ownership of a .arpa domain, either by explicitly denying the request or by the request failing.
Advice for CSOs and admins
All DNS and IPv6 providers need to ensure their services aren’t abused this way, Mitchell said.
IPv6 tunnel providers should audit customers requesting the service and determine what the addresses they receive are being used for, which Mitchell admits may not be easy. DNS providers should make sure a record can only be created in a reverse zone for its proper purpose.
CSOs and domain and network admins need to know that even with protective DNS or next-generation firewalls in place, the .arpa domain is generally treated as trusted. They need to find out whether their current security controls will identify this abuse. A firewall or resolver rule along the lines of “Show me any DNS traffic that goes to ‘ip6.arpa’” will help, as will tracing where web traffic goes from such a link. Admins should also check whether the organization’s email security vendors flag these links within messages.
Gateway providers should look for and quarantine long strings ending in .ip6.arpa that are embedded in image or HTTP links, Mitchell added.
Enterprise networks should already be deploying DNS monitoring as a primary network detection and defense resource, said Johannes Ullrich, dean of research at the SANS Institute. This should make it easy to alert on and possibly block suspicious records, he said.
He pointed out that “.arpa” queries are normally pointer (PTR) queries for reverse lookups, whereas the malicious queries are ordinary address (A or AAAA) queries. The hostname will also be atypical: a normal in-addr.arpa hostname has a very specific format, an IP address followed by the in-addr.arpa suffix. Anything else with that suffix should be blocked, or at least alerted on, he said.
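As an added example (not code from Infoblox, SANS or this article), the Python below puts the two sides of this advice into one script built on a single reverse-name parser: a provider-side record-creation policy of the kind Mitchell asks for, which refuses A or AAAA records in any zone under in-addr.arpa or ip6.arpa, and the defender-side checks Ullrich describes, which flag A/AAAA queries for reverse names, reverse names whose label shape is not a canonical reverse lookup, and reverse-tree hostnames embedded in HTTP links in mail. The log line format, the 2001:db8::/32 sample prefix, the delegated zone name and the e-mail snippet are all constructed for the example, not taken from observed attacker infrastructure.

```python
import ipaddress
import re

# Record types that legitimately live in in-addr.arpa / ip6.arpa zones:
# PTR data, delegation and DNSSEC records, and RFC 2317-style CNAMEs.
ALLOWED_REVERSE_TYPES = {"PTR", "NS", "SOA", "CNAME", "DS", "DNSKEY", "RRSIG", "NSEC", "NSEC3"}

def in_reverse_tree(name):
    """True for in-addr.arpa, ip6.arpa, and every name below them."""
    n = name.rstrip(".").lower()
    return any(n == apex or n.endswith("." + apex) for apex in ("in-addr.arpa", "ip6.arpa"))

def reverse_name_to_ip(name):
    """Decode a canonical reverse name to its address, or return None.

    Canonical means exactly four reversed decimal octets under in-addr.arpa or
    exactly 32 reversed hex nibbles under ip6.arpa, i.e. the only shapes a
    resolver asks for in a normal PTR lookup.
    """
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4 or not all(o.isdecimal() and str(int(o)) == o and int(o) <= 255 for o in octets):
            return None
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or not all(len(n) == 1 and n in "0123456789abcdef" for n in nibbles):
            return None
        hexstr = "".join(reversed(nibbles))
        return ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4)))
    return None

def record_allowed(zone_origin, rtype):
    """Provider-side policy: a zone under the reverse tree may only hold the
    record types that belong there; forward zones are not restricted.
    Returns (allowed, reason)."""
    if not in_reverse_tree(zone_origin):
        return True, "not a reverse zone"
    if rtype.upper() in ALLOWED_REVERSE_TYPES:
        return True, "reverse-tree record type"
    return False, "%s record refused inside reverse zone %s" % (rtype.upper(), zone_origin)

def classify_query(qname, qtype):
    """Defender-side check on one resolver query: returns the reasons it looks
    like .arpa abuse, or an empty list if it looks normal."""
    reasons = []
    if not in_reverse_tree(qname):
        return reasons
    qtype = qtype.upper()
    if qtype in ("A", "AAAA"):
        reasons.append("forward %s lookup of a reverse-DNS name" % qtype)
    # Delegation-level queries (NS, SOA, DS) are legitimately shorter than a
    # full reverse name, so the shape check applies only to host-level lookups.
    if qtype in ("A", "AAAA", "PTR") and reverse_name_to_ip(qname) is None:
        reasons.append("label shape is not a canonical in-addr.arpa/ip6.arpa name")
    return reasons

def scan_query_log(lines):
    """Parse 'client qname qtype' log lines and return the flagged ones."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _client, qname, qtype = parts
        reasons = classify_query(qname, qtype)
        if reasons:
            flagged.append((qname, qtype.upper(), reasons))
    return flagged

# Gateway-side check: a hostname under the reverse tree used in an HTTP(S) link.
ARPA_URL = re.compile(r"https?://([a-z0-9.-]+\.(?:ip6|in-addr)\.arpa)(?![a-z0-9.-])", re.I)

def find_arpa_links(text):
    """Return reverse-tree hostnames found in links in an e-mail body."""
    return [m.group(1).lower() for m in ARPA_URL.finditer(text)]

# Constructed samples from the 2001:db8::/32 documentation prefix and private
# IPv4 space, not observed attacker infrastructure. CANONICAL_V6 is the
# 32-nibble name for 2001:db8::1; DELEGATED_ZONE stands in for a customer's /48.
CANONICAL_V6 = ipaddress.ip_address("2001:db8::1").reverse_pointer
DELEGATED_ZONE = "0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa"
SAMPLE_QUERY_LOG = [
    "10.0.0.5 1.0.168.192.in-addr.arpa PTR",  # ordinary reverse lookup
    "10.0.0.5 8.b.d.0.1.0.0.2.ip6.arpa NS",   # delegation lookup, also normal
    "10.0.0.7 %s A" % CANONICAL_V6,           # well-formed name, wrong query type
    "10.0.0.9 gift.%s A" % DELEGATED_ZONE,    # attacker-chosen label inside the zone
]
SAMPLE_EMAIL = '<a href="http://gift.%s/survey"><img src="cid:banner"></a>' % DELEGATED_ZONE

if __name__ == "__main__":
    print(record_allowed(DELEGATED_ZONE, "A"))
    for qname, qtype, reasons in scan_query_log(SAMPLE_QUERY_LOG):
        print(qtype, qname, reasons)
    print(find_arpa_links(SAMPLE_EMAIL))
```

The shape check deliberately exempts NS, SOA and DS queries, which legitimately hit shorter delegation-point names, so ordinary resolver and admin traffic under a /32 or /48 does not fire the alert. A canonical 32-nibble name queried for an A record is still flagged on query type alone, because the attacker can create A records at any name in the zone, well-formed or not.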
“It’s a brilliant, old school move to find vulnerabilities in the complexity of the evolution of the internet,” said David Shipley, head of Canadian security awareness training provider Beauceron Security. “To figure out how to combine the newest part of the web, IPv6, with the oldest, Arpanet, may qualify as one of the most interesting hacks so far this year.
“The fact these were used for fairly basic scam-type phishes is likely the result of someone learning this trick recently, but my gut says it’s been abused a lot longer, by far more sophisticated groups for more targeted attacks. Clever hacks like this are great evidence to keep in mind the next time a vendor says they stop 99.9% of phishing,” he added.