Introduction
A critical vulnerability dubbed Underminr has exposed a fundamental flaw in how we trust domain reputation. By manipulating DNS resolution, attackers can utilize approximately 88 million domains to funnel malicious command-and-control (C2) traffic behind the veneer of trusted infrastructure. This isn't just a theoretical bypass; it effectively neutralizes standard DNS filtering solutions that rely on blocklists of known "bad" domains. For SOC analysts and defenders, this means a malicious connection to a threat actor's server may look identical to a legitimate connection to a trusted CDN or service provider in your logs. If you rely solely on domain-based blocklists, your visibility is currently compromised.
Technical Analysis
The Mechanism of Attack
The Underminr vulnerability primarily leverages misconfigurations or specific weaknesses in DNS providers, often involving Dynamic DNS (DDNS) services or loose wildcard record management. Attackers register subdomains on legitimate, often whitelisted, parent domains. Because the parent domain and the hosting provider have high reputation scores, security appliances allow the connection. However, the A record resolves to an IP address controlled by the attacker (e.g., a VPS or residential proxy).
Affected Infrastructure
While the set of vulnerable domains is vast (the 88 million figure above), the attack vector typically targets:
- Dynamic DNS Providers: Services that offer free or easy subdomain registration.
- Mismanaged Wildcard DNS: Zones where a wildcard record (*) resolves to a user-controlled IP rather than a hardened infrastructure IP.
Exploitation Status
Proof-of-concept (PoC) code is available in the wild. We are seeing this technique transition from research to active use in initial access brokering and data exfiltration stages, as it bypasses perimeter defenses like Secure Web Gateways (SWG) and DNS-layer security.
Detection & Response
Detecting Underminr requires shifting focus from Domain Reputation to IP Reputation and Correlation. A trusted domain resolving to a "low reputation" or unexpected ASN (e.g., a consumer ISP or a cheap VPS provider when a CDN is expected) is the primary indicator.
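The IP-versus-domain correlation described above, as an added example that is not part of the original advisory: each resolution is checked against the DDNS suffixes, against the IP ranges a trusted parent domain is expected to resolve into, and against the high-entropy-subdomain heuristic used by the second Sigma rule. The log lines, the `example-vendor.com` allow-list and the `EXPECTED_RANGES`, `PRIVATE_RANGES` and `ENTROPY_THRESHOLD` values are constructed for the example.

```python
import ipaddress
import math
from collections import Counter

# Constructed sample resolutions (query name, answer IP); not real telemetry.
SAMPLE_DNS_LOG = [
    ("cdn.example-vendor.com", "203.0.113.10"),
    ("a9f3c1d2e8b7a6f5c4d3e2b1a0f9e8d7.example-vendor.com", "198.51.100.77"),
    ("updates.ddns.net", "192.0.2.55"),
    ("intranet.corp.local", "10.20.30.40"),
]
# Constructed allow-list: trusted parent domain -> ranges it should resolve into
# (in practice the vendor's published prefixes or your own ASN intelligence).
EXPECTED_RANGES = {"example-vendor.com": [ipaddress.ip_network("203.0.113.0/24")]}
DDNS_SUFFIXES = (".ddns.net", ".duckdns.org", ".no-ip.com", ".hopto.org")
# Same private ranges the Sigma filter excludes, plus loopback.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ENTROPY_THRESHOLD = 3.5  # bits per character; tune against your own baseline

def shannon_entropy(label):
    """Shannon entropy of one DNS label; random hex labels typically score near 4."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def parent_domain(name):
    """Registrable parent taken as the last two labels (no public-suffix list here)."""
    return ".".join(name.split(".")[-2:])

def classify(name, ip):
    """Return the list of Underminr-style indicators for a single resolution."""
    addr = ipaddress.ip_address(ip)
    if any(addr in r for r in PRIVATE_RANGES):
        return []  # internal resolution, out of scope
    findings = []
    if name.endswith(DDNS_SUFFIXES):
        findings.append("ddns_suffix")
    expected = EXPECTED_RANGES.get(parent_domain(name))
    if expected and not any(addr in r for r in expected):
        findings.append("unexpected_ip_for_trusted_domain")
    leftmost = name.split(".")[0]
    if len(leftmost) >= 16 and shannon_entropy(leftmost) >= ENTROPY_THRESHOLD:
        findings.append("high_entropy_subdomain")
    return findings

def hunt(log):
    """Map each flagged query name to its indicators."""
    return {name: f for name, ip in log if (f := classify(name, ip))}
```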
Sigma Rules
---
title: Potential Underminr Activity - Trusted Domain to Suspicious IP
id: 9a1b2c3d-4e5f-6789-0123-456789abcdef
status: experimental
description: Detects DNS resolutions where a commonly whitelisted or trusted domain (potential DDNS/Underminr vector) resolves to an IP address associated with high-risk ASNs or non-corporate infrastructure.
references:
    - https://attack.mitre.org/techniques/T1071/004/
author: Security Arsenal
date: 2024/05/20
tags:
    - attack.command_and_control
    - attack.t1071.004
logsource:
    # Sigma's Windows DNS client category (e.g. Sysmon Event ID 22)
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith:
            - '.ddns.net'
            - '.duckdns.org'
            - '.no-ip.com'
            - '.hopto.org'
            - '.serveblog.net'
            - '.myftp.org'
    # Drop answers inside private address space (internal DDNS use).
    # Sysmon writes IPv4 answers as '::ffff:a.b.c.d;', so a backend may need a
    # contains-style filter on that form instead of a plain CIDR match.
    filter_legit:
        QueryResults|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate use of dynamic DNS by IT admin tools (rare in enterprise)
level: high
---
title: High Entropy Subdomain on Trusted Domain
id: b2c3d4e5-6f78-9012-3456-7890abcdef12
status: experimental
description: Detects requests to subdomains with high entropy (randomized characters) on legitimate domains, a common tactic to bypass filtering while using a trusted parent domain.
references:
    - https://attack.mitre.org/techniques/T1071/004/
author: Security Arsenal
date: 2024/05/20
tags:
    - attack.command_and_control
    - attack.t1071.004
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        # Leftmost label of 32+ lowercase alphanumerics (Sigma regex modifier is 're')
        QueryName|re: '^[a-z0-9]{32,}\..*'
    # Suffix match rather than 'contains', so 'cdn.google.com.attacker.example' is not excluded
    filter:
        QueryName|endswith:
            - '.microsoft.com'
            - '.google.com'
            - '.amazonaws.com'
            - '.cloudflare.com'
    condition: selection and not filter
falsepositives:
    - CDN traffic using randomized tokens
    - Office 365/Teams traffic
level: medium
KQL (Microsoft Sentinel)
// Hunt for DNS queries to Dynamic DNS providers often used in Underminr attacks,
// then correlate the resolved IPs with endpoint network connections.
// Assumes the Sentinel DnsEvents (DNS Analytics) and DeviceNetworkEvents (MDE) tables.
let lookback = ago(1h);
let DDNS_Domains = dynamic(['ddns.net', 'duckdns.org', 'no-ip.com', 'hopto.org', 'myftp.org', 'serveblog.net']);
// Answers returned for queries against the DDNS suffixes
let SuspiciousDNS =
    DnsEvents
    | where TimeGenerated > lookback
    | where Name has_any (DDNS_Domains)
    | where isnotempty(IPAddresses)
    | project TimeGenerated, Name, IPAddresses, ClientIP;
DeviceNetworkEvents
| where TimeGenerated > lookback
// Match on the DDNS name itself or on an IP that such a name resolved to
| where RemoteUrl has_any (DDNS_Domains)
    or RemoteIP in ((SuspiciousDNS | distinct IPAddresses))
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| summarize Connections = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| order by Connections desc
Velociraptor VQL
-- Hunt for established outbound connections on common C2 ports from
-- processes often abused for C2, excluding private/loopback remote IPs.
-- Uses the netstat() and pslist() plugins rather than parsing "netstat -anob".
LET PrivateRanges = '^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)'
LET SuspectProcesses = '^(svchost|chrome|firefox|msedge|powershell|cmd|python|pwsh)'

SELECT * FROM foreach(
  row={
    SELECT Pid, Raddr.IP AS RemoteAddress, Raddr.Port AS RemotePort, Status
    FROM netstat()
    WHERE Status =~ "ESTAB"
      AND RemotePort IN (80, 443, 8080)
      AND NOT RemoteAddress =~ PrivateRanges
  },
  query={
    -- Enrich each connection with its owning process
    SELECT RemoteAddress, RemotePort, Status, Pid, Name, Username, CommandLine
    FROM pslist(pid=Pid)
    WHERE Name =~ SuspectProcesses
  })
Remediation Script (PowerShell)
# Flush the local resolver cache so stale entries for abused Dynamic DNS
# suffixes are dropped, then sinkhole those suffixes with a Name Resolution
# Policy Table (NRPT) rule. Windows Firewall cannot block by DNS suffix
# (-RemoteAddress accepts only IPs, ranges and keywords), so the NRPT rule
# replaces the firewall rule here.
# Assumes nothing listens on UDP/53 on the loopback interface, so queries for
# the sinkholed suffixes fail immediately instead of resolving.

# Flush the local DNS Resolver cache
Clear-DnsClientCache -ErrorAction SilentlyContinue
Write-Host "[+] DNS Client Cache flushed."

# Dynamic DNS suffixes often abused for C2 (leading dot = suffix match)
$abusedSuffixes = @(".ddns.net", ".duckdns.org", ".no-ip.com", ".hopto.org")
$sinkhole = "127.0.0.1"

# Create one NRPT rule per suffix unless it already exists
foreach ($suffix in $abusedSuffixes) {
    $existingRule = Get-DnsClientNrptRule -ErrorAction SilentlyContinue |
        Where-Object { $_.Namespace -contains $suffix }
    if (-not $existingRule) {
        Add-DnsClientNrptRule -Namespace $suffix `
            -NameServers $sinkhole `
            -Comment "Block Underminr C2 - $suffix"
        Write-Host "[+] Created NRPT sinkhole rule for: $suffix"
    } else {
        Write-Host "[-] NRPT rule already exists for: $suffix"
    }
}
Remediation
- Network Egress Filtering: Implement strict egress filtering. Do not rely solely on domain names. Block outbound access to known Dynamic DNS providers (e.g., no-ip.com, duckdns.org) unless there is a documented business exception.
- DNS Filtering Logic Update: Work with your DNS security vendor to ensure they are checking the Resolution Chain (the final IP) rather than just the queried domain. Enable IP-based threat intelligence feeds on your DNS resolvers.
- Block List Hygiene: Audit your "Allow Lists". If you have whitelisted entire top-level domains or wildcard domains for specific vendors, tighten this to specific FQDNs (Fully Qualified Domain Names).
- Patch and Update: Monitor advisories from your DNS infrastructure providers (Microsoft, Cisco, Infoblox, BIND) for patches related to DNS cache poisoning or wildcard handling vulnerabilities associated with Underminr research.
- Certificate Validation: Enforce strict TLS certificate validation. While Underminr hides the IP, attackers often use self-signed or fraudulent certificates for the C2 endpoint, even if the domain is "trusted."