APT34 Employs DoH in Recent Attacks

NJCCIC Alert

Original Release Date: 8/6/2020

Summary

An Iranian advanced persistent threat (APT) group, known as APT34 or OilRig, is employing the DNS-over-HTTPS (DoH) protocol via the DNSExfiltrator open-source project in recent attacks. DNSExfiltrator creates a covert communication channel that exfiltrates data from compromised networks by hiding it inside conventional DNS requests or DoH requests, protocols that security monitoring often does not inspect. The technique is used to evade detection and monitoring during the exfiltration process.
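Because a tunnelling tool must split a file into many encoded subdomain labels, the resulting queries look different from normal lookups. The following is an added example, not code from the alert or from the DNSExfiltrator project, showing a defender's heuristic check over constructed resolver log lines: it flags long or high-entropy labels and bulky record types, then reports any client that sent many distinct flagged subdomains under one base domain. The log format, domains and thresholds are all assumptions; note that queries sent over DoH bypass a passive resolver log, so this check has to run wherever the decrypted queries are actually visible (for example an enterprise DoH resolver) or after unapproved DoH endpoints are blocked.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log lines, not real traffic: "<client-ip> <query-name> <rr-type>".
# The hex labels imitate how a tunnelling tool encodes file chunks into subdomains.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 4a7b2c9e1f0d3a8b6c5e2f1a9d8c7b6a.exfil-test.invalid TXT
10.0.0.7 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.exfil-test.invalid TXT
10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.exfil-test.invalid TXT
10.0.0.7 1122334455667788990aabbccddeeff0.exfil-test.invalid TXT
10.0.0.9 cdn.example.net A
"""

def shannon_entropy(text):
    """Bits per character; encoded payloads look random and score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def base_domain(qname):
    """Registrable domain, approximated as the last two labels (assumption; use the public suffix list in production)."""
    return ".".join(qname.split(".")[-2:])

def suspicious_query(qname, qtype, max_label=30, min_entropy=3.0):
    """Return the reasons a single query looks like tunnel traffic ([] if benign)."""
    labels = qname.split(".")
    host_part = ".".join(labels[:-2])  # everything below the base domain
    reasons = []
    if max(len(label) for label in labels) > max_label:
        reasons.append("long-label")
    if shannon_entropy(host_part) >= min_entropy:
        reasons.append("high-entropy")
    if qtype in ("TXT", "NULL"):  # bulky record types favoured for carrying data
        reasons.append("bulk-rrtype")
    return reasons

def find_exfil_candidates(log_text, min_unique=3):
    """Map (client, base domain) to the number of distinct flagged subdomains, keeping pairs at or above min_unique."""
    seen = defaultdict(set)
    for line in filter(None, log_text.splitlines()):
        client, qname, qtype = line.split()
        if suspicious_query(qname, qtype):
            seen[(client, base_domain(qname))].add(qname)
    return {pair: len(names) for pair, names in seen.items() if len(names) >= min_unique}
```

Running `find_exfil_candidates(SAMPLE_LOG)` on the constructed log reports only the 10.0.0.7 client and its four encoded subdomains under exfil-test.invalid; the ordinary lookups from the other clients produce no reasons and are never counted.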

Recommendations

The NJCCIC recommends that those whose networks may be considered high-value targets for APT activity ensure they implement a defense-in-depth cybersecurity strategy that includes following the principle of least privilege, utilizing intrusion detection and prevention technologies, running an endpoint detection and response program, keeping hardware and software patched with the latest updates, and establishing a comprehensive data backup plan. For more information on APT34’s use of DoH in recent incidents, review the ZDNet article.

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
