Global DNS Infrastructure Hijacking Campaign

Systems Affected


Domains belonging to government, telecommunications, Internet infrastructure and commercial organizations across the globe.

Threat Level


High


Overview


A large-scale DNS infrastructure hijacking campaign has been reported across the globe. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the malicious actors to redirect traffic from companies all over the globe through their own malicious servers, obtain valid encryption certificates for an organization’s domain names, and record company credentials for future attacks.


Description


Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.
  ✦   The attacker begins by compromising the credentials of an account that can make changes to DNS records, or by obtaining them through other means.
  ✦   Next, the attacker alters DNS records, such as Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This lets them direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
  ✦   Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.


Impact



Solution/ Workarounds


  ✦   Update the passwords for all accounts that can change the organization’s DNS records.
  ✦   Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
  ✦   Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames.
  ✦   Conduct an internal investigation to assess whether attackers have gained access to your environment.
  ✦   Search for encryption certificates issued for your domains and revoke any that were fraudulently requested.
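The two verification steps above (checking that DNS records still point where they should, and looking for certificates nobody requested) as a baseline check in Python. This is an added example, not code from the advisory or from any CERT; the domain names, record values and certificate serials are constructed sample data, and the Certificate Transparency entries are represented as plain dictionaries rather than fetched from a log.

```python
def norm(value: str) -> str:
    """Normalise a record value so case and trailing-dot differences are not flagged."""
    return value.strip().lower().rstrip(".")

def dns_drift(baseline: dict, observed: dict) -> list:
    """Both maps are {(owner_name, rtype): {values}}; returns (severity, message) tuples."""
    findings = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        expected = {norm(v) for v in baseline.get((name, rtype), set())}
        seen = {norm(v) for v in observed.get((name, rtype), set())}
        # A changed NS record hands over the whole zone, so rank it above A/MX changes.
        severity = "critical" if rtype == "NS" else "high"
        for v in sorted(seen - expected):
            findings.append((severity, f"unexpected {rtype} {name} -> {v}"))
        for v in sorted(expected - seen):
            findings.append((severity, f"missing {rtype} {name} -> {v}"))
    return findings

def covers(san: str, domain: str) -> bool:
    """True if a certificate SAN (wildcards included) applies to one of our domains."""
    san = norm(san).removeprefix("*.")
    return san == domain or san.endswith("." + domain)

def unexpected_certs(issued_serials: set, ct_entries: list, our_domains: set) -> list:
    """Serials of CT-logged certificates covering our domains that we never requested."""
    return [e["serial"] for e in ct_entries
            if e["serial"] not in issued_serials
            and any(covers(s, d) for s in e["sans"] for d in our_domains)]

# Constructed sample data: reserved example domains, made-up serials.
BASELINE = {
    ("example.com", "A"): {"192.0.2.10"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "NS"): {"ns1.example.com.", "ns2.example.com."},
}
OBSERVED = {  # what a resolver returned during the check
    ("example.com", "A"): {"192.0.2.10"},
    ("example.com", "MX"): {"10 MAIL.example.com"},  # same host, different spelling
    ("example.com", "NS"): {"ns1.example.com.", "ns1.example.net."},  # one NS replaced
}
ISSUED = {"01ab"}  # serials the organisation itself requested
CT_ENTRIES = [
    {"serial": "01ab", "sans": ["example.com", "www.example.com"]},
    {"serial": "9f3c", "sans": ["mail.example.com"]},  # never requested by us
    {"serial": "7e20", "sans": ["other.example.org"]},  # someone else's domain
]

if __name__ == "__main__":
    for sev, msg in dns_drift(BASELINE, OBSERVED):
        print(sev, msg)
    print("certificates to review:", unexpected_certs(ISSUED, CT_ENTRIES, {"example.com"}))
```

In practice the observed map would be filled from queries against several independent resolvers and the CT entries from a log monitor, so that a single poisoned resolver cannot hide the drift.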


References


https://www.us-cert.gov/ncas/alerts/AA19-024A
https://www.cert-in.org.in


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.