Skip to main content

Alert (AA19-024A) DNS Infrastructure Hijacking Campaign

Summary

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.
See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:
Note: these files were last updated February 13, 2019, to remove the following three non-malicious IP addresses:
  • 107.161.23.204
  • 192.161.187.200
  • 209.141.38.71

Technical Details

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.
  1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
  2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
  3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

Mitigations


NCCIC recommends the following best practices to help safeguard networks against this threat:
  • Update the passwords for all accounts that can change organizations’ DNS records.
  • Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
  • Audit public DNS records to verify they are resolving to the intended location.
  • Search for encryption certificates related to domains and revoke any fraudulently requested certificates.

Comments

Post a Comment

Popular posts from this blog

Be fraud aware - What are phishing, smishing and vishing.

  You may have heard the terms phishing, smishing or vishing before, but what exactly do they mean? At their core, all three terms are a type of financial fraud which tricks unsuspecting victims into giving out sensitive personal information, handing over money or installing malware onto their device. The only difference between each term is the channel via which you can be targeted; phishing refers to scam emails, smishing refers to scam text or WhatsApp messages and vishing takes place over the phone. Phishing The most common phishing method encourages victims to visit a malicious website through a fake email message, which appears to be sent from a legitimate company or source (e.g. from a bank, HMRC, a delivery company or the NHS). For example, you might receive an email which appears to be from an organisation who you’re familiar with, asking you to click on a link. At this point you will be taken to a webpage on which you’re asked to submit sensitive data, such as passwords, ...
Post a Comment
Read more

How Cybersecurity Enables Government, Health, EduTech Cope With COVID-19

The advent of the Covid-19 pandemic and the impact on our society has resulted in many dramatic changes to how people are traveling, interacting with each other, and collaborating at work. There are several trends taking place as a consequence of the outbreak, which has only continued to heighten the need for the tightest possible cybersecurity. Tools for Collaboration There has been a massive spike in the adoption of Tools for Collaboration as a consequence of COVID-19. Concerns about the coronavirus have caused an enormous increase in remote working, with many organizations requiring or at least encouraging their workers to stay at home—especially when cities, states, and even some entire nations are ultimately into lock down in a bid to spread the stem of the disease. Meanwhile, with millions working from home for many weeks now, there has been a spike in the video conferencing and online collaboration software, many of which are fortunately entirely free, allowing organizations...
Post a Comment
Read more

March – Threat Intelligence Bulletin

Top Attacks and Breaches Global fear of the Corona virus epidemic continues to be exploited for malicious cyber operations. Check Point Research  reports  of thousands of newly registered coronavirus related domains, which are 50% more likely malicious than other domains. CPR also informed of a Trickbot campaign using a fake health warning document to target Italian users. Colorado based space and defense parts manufacturer, Visser Precision, has fallen victim to a DoppelPaymer  ransomware  Information stolen from Visser and its customers, including Tesla, Lockheed Martin, SpaceX and Boeing, has been published online in  another  attempt to extort ransom payment. An unidentified demographic and financial information database, hosted on Google cloud, has been left  unsecured  for more than a month. Containing over 200 million records, the exposed information included name, address, email address, credit rating, income, net worth property ...
Post a Comment
Read more