Hello, welcome to the Tuesday, June 14th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

DNS command control channels and covert channels in general over DNS remain popular because, well, first of all,

DNS usually works even through firewalls and such via recursive resolvers and also often

does height sort of in all the DNS traffic, so not always that easy to spot.

We have a recent example with the Saitama backdoor,

a backdoor that's commonly attributed to the Iranian-backed group APT-34.

What's sort of special about this particular DNS command control channel

is that as typical, we sort of have an

artificial looking and the fairly kind of obvious host name that's being looked up, but it just

looks up an A record. And a lot of covert channels, you have like text records, but here it just

looks up an A record. So all you get

back is an IPV4 address or multiple IPV4 addresses, and then the backdoor basically decodes

these addresses to actual the command that's supposed to be executed. In today's diary, Renato is

going over how this encoding scheme works, and he also does

have a decoder for you in case you're running into this kind of traffic, you're

then able to decode the traffic easily.

And users of the freight here of Travis CI, the continuous integration platform,

should be aware that logs are not only easily accessible via the API without authentication,

but also that these logs may contain credentials,

like, for example, access tokens that you're using

for sites like GitHub.

...