vSOC SPOT Report: DNS Infrastructure Hijacking Campaign
Overview
On January 10, 2019, The National Cybersecurity and Communication Integrations Center (NCCIC) became aware of a Domain Name System (DNS) infrastructure hijacking campaign which utilizes compromised credentials of users and on January 22nd the Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive to government branches documenting the tracking of several incidents involving the DNS hijacking campaign.
Technical Overview
Attackers are leveraging a DNS tampering attack by compromising a user’s credentials in order to begin making changes to an organization’s DNS records. Upon gaining access to the DNS records, an attacker begins altering them in order to redirect any traffic or requests to attacker-owned systems, which allows the manipulation of full inspection of the traffic to pass to an attacker with the potential to allow the attacker to persist in the environment for a longer amount of time.
In addition to being able to alter DNS values, an attacker is also able to obtain sensitive encryption certificates for the organization’s domain, granting them the capability to redirect and decrypt traffic that could expose sensitive data.
Potential Impact
An organization’s DNS systems could be at risk and allow an attacker to gain persistence as well as access to sensitive information within the organization.
What You Should Do
NCCIC recommends the following best practices to help safeguard networks against this threat:
- Implement multi-factor authentication on high privileged accounts such as the domain registrar accounts, or on accounts that have access to modify the DNS records of the organization.
- Verify that all DNS records are pointing to the correct address or hostname, this review should consist of all domains and resource records for the organization.
- Review all encryption certificates related to the organizations’ domains and revoke any certificates that may be malicious to the organization.
GuidePoint’s vSOC will provide additional information as it is made public.
Supporting Information
- https://www.us-cert.gov/ncas/current-activity/2019/01/10/DNS-Infrastructure-Hijacking-Campaign
- https://www.guidepointsecurity.com/wp-content/uploads/2019/01/ed-19-01.pdf
- https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
- https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
Contributing Authors
Sam Harris, vSOC Practice Manager
Steve Pellegrino, vSOC Threat Hunter
GuidePoint Security