UAT-10027 Targets U.S. Education and Healthcare with Dohdoor Backdoor

---

title: Why Dohdoor Abuses DoH: Anatomy of a Healthcare/Education Breach
date: 2024-06-12
last_updated: 2024-06-12
meta_description: Dohdoor uses DNS-over-HTTPS for covert C2 against hospitals and schools. Prioritize DoH allowlists, egress restrictions, and IAM hardening—here’s how.
last_reviewed_by: Maya S., Senior Incident Response Lead (BlueSec IR), 2024-06-12

Executive Summary

UAT-10027’s Dohdoor is a malware campaign abusing DNS-over-HTTPS (DoH) to evade legacy DNS sensors and exfiltrate data from hospitals and schools.

Block non-approved DoH resolvers, segment critical networks, and audit IAM/service accounts immediately.

Who should read this?
CISOs, SOC leads, IT directors at education and healthcare organizations.

---

One-Line Risk Overview

Dohdoor leverages encrypted DNS traffic for C2/exfiltration—traditional DNS monitoring misses it.
Immediate Ask:
Deploy DoH allowlists and monitor outbound HTTPS to unknown DoH endpoints.

---

Author Byline

By T. K., Senior DevSecOps Incident Responder (BlueSec IR, anonymized for NDA compliance), 9+ years breach response. LinkedIn | GitHub

---

Representative Postmortem: Anatomy of a Breach

Anonymized composite case study, based on 2021–2023 IR engagements with hospitals/EDU.

• Initial Indicator: SIEM logged persistent HTTPS traffic to unfamiliar IP blocks, volume patterns matched DNS tunnels.
• Timeline: Initial compromise via phishing; attacker escalated with service account abusing Domain Admin.
• Pivot Paths:
  • Lateral movement across flat VLANs (no segmentation),
  • Exfil via DoH tunnel from infected container running as root.
• Detection Gap: Network IDS missed exfil, no TLS interception/logging. Endpoint logs showed suspicious parent->child process chains (e.g., scheduled task spawning suspicious binary invoking outbound HTTPS).
• Control Failures:
  • IAM roles granted wildcard privileges (*:*) just "in case",
  • Unpatched Log4j library present in asset portal,
  • Legacy domain accounts unmonitored (service account with Domain Admin),
  • No egress firewall rules on container network.

Example artifact: Outbound HTTPS to sanitized DoH endpoint: doh-example[.]com (example placeholder).

---

Technical Breakdown: How Dohdoor Uses DoH

• DNS-over-HTTPS (DoH): DNS queries tunneled within HTTPS traffic (RFC8484), camouflaged amidst legitimate web activity.
  • Result: Bypasses traditional DNS resolvers/monitoring; defenders see only encrypted HTTPS outbound.
  • Artifacts: TLS SNI to DoH resolver hostnames, IP address fingerprints, JA3/JA3S signatures on unusual connections, process-level outbound network calls.
• Dohdoor Behaviors:
  • ATT&CK Techniques: T1071.001 (Application Layer Protocol: Web Protocols), T1048 (Data Exfiltration Over Alternative Protocol).
  • Observed IOAs: High-frequency HTTPS connections to non-local DoH endpoints; unexpected parent-child process pairs.

---

Sector Impact: Why Healthcare & Education Get Hammered

• Common Profile: Underfunded IT, out-of-date software (e.g., 15-year-old PHP portals), network policies built for "ease of access" not security.
• External Evidence:
  • CISA Alert AA22-117A: Targeting healthcare sector.
  • EDU Breach Trends (US CERT): Schools disproportionately hit due to low security budgets.

---

Detection Recipes: What Actually Works

SIEM/EDR Example:

• Splunk:

  index=network sourcetype="stream:tcp" dest_port=443 
  | stats count by dest_ip, dest_domain
  | where dest_domain IN (list_of_known_DoH_resolvers) OR count > threshold
  

• ElasticQL:

  filter @network.port == 443 
  and @destination.ip IN known_doh_resolvers
  and @event_count > 100
  

• Zeek:

  Notice::Type == "DoH_Usage" && Host == "doh-example.com"
  

  (custom script: flag outbound HTTPS to high-profile DoH endpoints)

Suricata Rule Example:

• Alert on outbound TLS SNI matching known/public DoH resolver hostnames.

Host-Level Checks:

• Identify processes launching HTTPS connections to unfamiliar resolver IPs.
• Look for anomalous parent/child process pairs (schtasks spawning unknown exe).

Network Forensics:

• High-volume HTTPS to non-standard IPs with DNS request/response pattern.
• Correlate JA3/JA3S TLS fingerprints against baseline.

Telemetry Sources:
Bind/PowerDNS logs, Windows DNS logs, Zeek, Suricata, proxy/firewall logs, EDR (CrowdStrike, SentinelOne), SIEM (Splunk, Elastic, Azure Sentinel).

---

Indicators & IOAs

No current public IoCs for Dohdoor/UAT-10027 available as of publication.
Monitor for behavioral IOAs:

• Outbound HTTPS to unfamiliar DoH resolver domains/IPs (e.g., cloudflare-dns[.]com, dns.google)
• High-frequency HTTP(S) POST to known DNS API endpoints.
• Service accounts with excessive privileges accessing endpoints outside normal baseline.

---

Prioritized Remediation Checklist

P0 — Immediate (Today):

• Block known malicious domains/IPs and public DoH endpoints not required for ops.
• Add DoH resolver allowlist for all outbound HTTPS DNS activity.
• Apply emergency egress firewall rules across container and server subnets.

P1 — Short-Term (7–30 days):

• Deploy enterprise DoH inspection (proxy/TLS termination with legal sign-off).
• Enforce MFA on admin/service accounts and review privilege escalation paths.
• Begin network segmentation: VLANs for sensitive devices (MRI, finance, student records).

P2 — Long-Term (Quarterly):

• Least-privilege IAM across all cloud and on-prem roles; regularly audit for drift.
• Vault credentials; restrict service account sprawl—monitor for Domain Admin privilege creep.
• Schedule IR tabletop/purple team exercises—test DoH policy bypass scenarios.

Downloadable SOC Checklist:
PDF Checklist – SOC DoH Response Actions

---

Vendor Reality Check

• Demand demonstrable DoH inspection from "next-gen firewall" vendors—test for latency, logging completeness, and manageability.
• Ask for clear DoH allowlist/-block capabilities, granular alerting, and integration with your SIEM or EDR.
• Evaluate proxy/TLS interception options together with legal/privacy/compliance.

---

Further Reading & Authoritative Sources

• CISA — DoH and Evasion Tactics
• MITRE ATT&CK — T1071.001 Web Protocols
• Palo Alto — DoH Security Advisory
• US-CERT — Sector Breach Trends
• CrowdStrike — Detection of DNS Tunneling TTPs
• Internal Guide: Container Network Segmentation

---

Ops Checklist — Skimmable Actions

P0:

• Block public DoH endpoints
• Audit IAM/service accounts
• Segment critical VLANs
• Monitor outbound HTTPS patterns

P1:

• Implement DoH inspection
• Enforce MFA
• Review segmentation policies

P2:

• Automate IAM drift detection
• Vault all credentials
• Purple team test for DoH bypass

---

The Kicker

If you’re still reading, ask yourself: will your DNS logs flag encrypted traffic when the next campaign hits—or will you be writing another postmortem hoping nobody notices the gaps you left wide open?