Pierluigi Paganini July 14, 2019

The UK’s National Cyber Security Centre (NCSC) issued a security advisory to warn organizations of DNS hijacking attacks and provided recommendations this type of attack.

In response to the numerous DNS hijacking attacks the UK’s National Cyber Security Centre (NCSC) issued an alert to warn organizations of this type of attack.

“In January 2019 the NCSC published an alert to highlight a large-scale global campaign to hijack Domain Name Systems (DNS).” reads the security advisory.

“Since that alert was published we have observed further activity, with victims of DNS hijacking identified across multiple regions and sectors. This Advisory covers some of the risks for organisations around DNS hijacking activity and gives advice on ways the risks can be mitigated.”

DNS hijacking is the practice of subverting the resolution of Domain Name System (DNS) queries to carry out several malicious activities. It can be achieved using a malicious code that modifies the computer’s TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

The Domain Name System (DNS) is the service responsible for pointing the web browser to the right IP address when we navigate to a web domain.

According to a report recently published by Avast, for nearly a year, Brazilian users have been targeted with router attacks. In the first half of 2019, hackers have modified the DNS settings of over 180,000 Brazilian routers with even more complex attacks.

This year, security experts at Avast have blocked more than 4.6 million cross-site request forgery (CSRF) attempts carried out by crooks to modify DNS settings of targeted routers.

Recently, experts at Cisco Talos published a detailed analysis of the DNS hijacking campaign conducted by Sea Turtle threat actor for espionage purposes.

UK’s NCSC explains the variety of motivations and objectives behind DNS hijacking attacks ranging from taking down or defacing a website, to intercepting data.

The main risks enumerated in the report are:

• Creating malicious DNS records;
• Obtaining SSL certificates;
• Transparent Proxying for traffic interception;

To prevent phishing attacks, NCSC recommends using unique, strong passwords, and enabling multi-factor authentication when the option is available.

To prevent registrar accounts from being compromised using familiar Account Take Over (ATO) techniques (i.e. Phishing, Credential stuffing, Social engineering) the agency suggests regularly checking the details linked to the account. It is important that they are up to date and point to the organization rather than an individual.

Restricting access to these accounts only to personnel charged with the management of the registrar accounts.

“Registry and Registrar Lock – many registries offer a “registrar lock” service. This lock prevents the domain being transferred to a new owner, without the lock being removed.” continues the report. “A “registry lock” (which sometimes involves a fee) is considered an additional level of protection whereby changes cannot be made until additional authentication has taken place which usually involves a call to the owner.”

In case an organization runs its own DNS infrastructure, the NCSC recommends implementing access and change control systems that can provide backup and restore function for DNS records. It also recommends enforcing strict access to the systems hosting DNS services.

NCSC also recommends implementing SSL monitoring and Domain Name System Security Extensions (DNSSEC) specifications.

Early 2019, DHS issued a notice of a CISA emergency directive urging federal agencies of improving the security of government-managed domains (i.e. .gov) to prevent DNS hijacking attacks.

Pierluigi Paganini

(SecurityAffairs – DNS hijacking, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]