Kaspersky Lab Software Gone? Think Again
Kaspersky Lab has been in the news a lot lately, due to a series of leaks alongside troubling revelations – and new discoveries just keep on rolling in.
The article describes how DHS and the 2017 National Defense Authorization Act effectively banned Kaspersky Lab software from federal networks due to security concerns, prompting many organizations to remove the software. BlueCat encountered real-world operational impact during a customer deployment: residues of Kaspersky code continued to beacon to Kaspersky servers from devices that were thought to be cleaned, and existing firewalls and agents did not detect or attribute that activity. By deploying BlueCat DNS Edge at the client DNS hop, the team linked DNS beaconing to specific IPs and devices, enabling ongoing detection, blocking and verification of remediation while illustrating DNS as a powerful control point for security and migration validation.
Why did the Department of Homeland Security and Congress ban Kaspersky Lab software from federal networks?
The Department of Homeland Security issued a directive in September 2017 ordering removal of Kaspersky Lab software from federal networks after public leaks and revelations raised concerns about potential connections between Kaspersky Lab and the Russian government. In December 2017, Congress codified that directive in Section 1634 of the National Defense Authorization Act of 2017 (Public Law 115-91), which prohibits any federal entity from using hardware, software, or services developed or provided in whole or in part by Kaspersky Lab. Agencies were required to comply by October 1, 2018, and DHS was empowered to measure compliance across government agencies.
How did BlueCat DNS Edge detect lingering Kaspersky Lab activity that other security controls missed?
BlueCat DNS Edge sits at the first client DNS hop and inspects DNS queries, which allowed it to observe signatures indicative of Kaspersky Lab software—regular checks of Kaspersky upgrade servers and activation attempts—originating from devices believed to be cleaned. Because the DNS sensor is client-facing, it could directly link beaconing to specific IP addresses and devices without needing to correlate multiple log sources. Existing filters, firewalls and client agents either didn’t catch the activity or couldn’t attribute it; DNS Edge provided the granular attribution and continuous tracking needed to identify non-compliant devices and ongoing beaconing.
What operational and security benefits does DNS-based detection like DNS Edge provide beyond malware detection?
DNS-based detection provides both security and operational value: it verifies that cybersecurity remediation is effective by tracking whether software continues to ‘call home,’ and it helps network admins validate migrations by confirming queries resolve to expected targets. Because nearly all software depends on DNS for network communication, DNS is an authoritative signal for what is actually happening on the network, and DNS Edge provides shared visibility and control over internal and external DNS traffic from a single platform. This enables teams to detect and block cyberattacks, trace lingering issues back to specific devices, simplify DNS operations, and improve network performance while supporting ongoing monitoring and DNS-level policy enforcement.
With a series of leaks about high-level security incidents and revelations about the company’s potential connections to the Russian government, Kaspersky Lab has been in the news a lot recently.
While Kaspersky Lab denies the allegations and is fighting the issue in court, the Department of Homeland Security decided to take immediate action.
DHS issued a directive in September 2017 ordering all Federal government departments to remove Kaspersky Lab software from their networks – a ban that continues to have ripple effects across the private sector as well.
In December, the directive was enshrined into law by Section 1634 of the National Defense Authorization Act of 2017 (Public Law 115-91), which says that “no department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by Kaspersky Labs.” Agencies were given a hard deadline of October 1, 2018 to comply with the law, and DHS was given the power to measure compliance across government agencies.
Removal leads to troubling discovery
As it happens, removing Kaspersky Lab software isn’t as simple as hitting the delete button. According to a recent report, Kaspersky Lab code is “embedded deep within infrastructure, in routers, firewalls, and other hardware—and nobody is certain how to get rid of it.”
BlueCat knows about this problem firsthand.
During a recent deployment of our DNS Edge security capability at a customer that had decided to remove Kaspersky Lab’s software, we found a great deal of activity on the network after the customer believed they had the issue under control.
DNS Edge picked up signatures indicative of installed Kaspersky Lab software from clients where it was supposed to be absent. The signatures included regular checks of the Kaspersky upgrade servers and attempted activations. Most of these beacons happened irregularly, suggesting periodic searches for updates. A few devices exhibited a great deal more activity, however, pinging Kaspersky sites several times each day.
The customer’s existing filters, firewall, and client agents were not catching any of this activity. While these and other layers of security could have been configured to catch and alert, we believe that DNS is painfully underutilized as an obvious signal and control point. Software that depends on the network ultimately must use DNS as a normal course of action, whether for appropriate or inappropriate intent. This simple fact makes it an incredible source of intelligence as to what is actually happening on the network.
Leveraging DNS exposed what other solutions didn’t
Since DNS Edge is client-facing on the first DNS hop, it was able to link Kaspersky-related beaconing activity to specific IP addresses and tangible devices on the network without any additional need to correlate logs or integrate with other systems. Prior to deploying DNS Edge, the customer was unaware of any beaconing activity – its external facing firewalls either weren’t catching it or weren’t able to pinpoint a source for the problem.
Reviewing the DNS Edge data with the customer, BlueCat was able to point out the ongoing presence of Kaspersky Lab software on the network and identify the non-compliant devices it originated from. With DNS Edge constantly keeping track of beaconing activity, the customer can continue to track any attempts to connect with Kaspersky Lab sites. Knowing that this software may still be lurking on the network, the customer can also create security policies which monitor or block any DNS queries right at the client level.
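As an added illustration (not BlueCat's code and not how DNS Edge is implemented), the script below applies the same first-hop DNS logic to a constructed query log: it matches queries against a watchlist of update and activation host suffixes, attributes each hit to the querying client IP, and separates occasional update checks from devices that query several times a day. The log format, the .example watchlist domains and the per-day threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed watchlist of host suffixes standing in for a vendor's upgrade and
# activation endpoints. These are placeholders (.example TLD), not real hosts.
WATCHLIST = ("upd.kaspersky.example", "activation.kaspersky.example")
CHATTY_PER_DAY = 3  # assumed cut-off for "several times each day"

# Constructed first-hop DNS query log: "<ISO time> <client ip> <qname> <qtype>"
SAMPLE_LOG = """\
2018-03-01T08:02:11Z 10.1.4.17 dnl-03.upd.kaspersky.example A
2018-03-01T08:02:12Z 10.1.4.17 www.example.org A
2018-03-03T09:15:40Z 10.1.4.17 dnl-03.upd.kaspersky.example A
2018-03-01T07:55:03Z 10.1.9.88 activation.kaspersky.example A
2018-03-01T11:20:45Z 10.1.9.88 dnl-01.upd.kaspersky.example A
2018-03-01T15:44:09Z 10.1.9.88 dnl-01.upd.kaspersky.example A
2018-03-01T19:03:27Z 10.1.9.88 activation.kaspersky.example A
2018-03-02T10:10:10Z 10.1.2.3 mail.example.org MX
"""

def matches_watchlist(qname: str) -> bool:
    """True if qname equals, or is a subdomain of, a watchlist suffix."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in WATCHLIST)

def parse_line(line: str):
    ts, client, qname, _qtype = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname

def beaconing_by_client(log_text: str):
    """Map client IP -> {"total": hits, "days": {date: hits}} for watchlist queries."""
    hits = defaultdict(lambda: {"total": 0, "days": defaultdict(int)})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        if matches_watchlist(qname):  # attribution comes free at the client hop
            rec = hits[client]
            rec["total"] += 1
            rec["days"][ts.date().isoformat()] += 1
    return hits

def classify(rec) -> str:
    """'chatty' if any single day reaches the threshold, else 'periodic'."""
    return "chatty" if max(rec["days"].values()) >= CHATTY_PER_DAY else "periodic"

def report(log_text: str) -> dict:
    """Client IP -> verdict, for every device that queried a watchlist host."""
    return {c: classify(r) for c, r in beaconing_by_client(log_text).items()}
```

Devices that never touch the watchlist do not appear in the report, so an empty result after remediation is the verification signal the post describes.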
Using DNS for security needs and beyond
The use case for DNS as a confirmation mechanism goes beyond security as well. Network administrators often use DNS as a way to test the viability of migrations. If DNS queries aren’t resolving to the right place, then something wasn’t placed correctly. Just as DNS Edge can trace the beaconing from the remnants of legacy software, it can also trace the “calls home” from software that was recently reconfigured or moved.
This is why DNS-based security is a vital tool for both network administrators and security departments – it verifies the effectiveness of cybersecurity measures and provides the granular visibility needed to trace any lingering issues back to specific devices, while at the same time providing visibility into “normal” network operations. DNS Edge provides shared visibility and control over internal and external DNS traffic through a single platform in order to help detect and block cyberattacks, simplify DNS operations and improve network performance.