Skip to content

vSOC SPOT Report: DNS Infrastructure Hijacking Campaign

Posted by: GuidePoint Security

2 min read

Overview

On January 10, 2019, The National Cybersecurity and Communication Integrations Center (NCCIC) became aware of a Domain Name System (DNS) infrastructure hijacking campaign which utilizes compromised credentials of users and on January 22nd the Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive to government branches documenting the tracking of several incidents involving the DNS hijacking campaign.

Technical Overview

Attackers are leveraging a DNS tampering attack by compromising a user’s credentials in order to begin making changes to an organization’s DNS records. Upon gaining access to the DNS records, an attacker begins altering them in order to redirect any traffic or requests to attacker-owned systems, which allows the manipulation of full inspection of the traffic to pass to an attacker with the potential to allow the attacker to persist in the environment for a longer amount of time.

In addition to being able to alter DNS values, an attacker is also able to obtain sensitive encryption certificates for the organization’s domain, granting them the capability to redirect and decrypt traffic that could expose sensitive data.

Potential Impact

An organization’s DNS systems could be at risk and allow an attacker to gain persistence as well as access to sensitive information within the organization.

What You Should Do

NCCIC recommends the following best practices to help safeguard networks against this threat:

  • Implement multi-factor authentication on high privileged accounts such as the domain registrar accounts, or on accounts that have access to modify the DNS records of the organization.
  • Verify that all DNS records are pointing to the correct address or hostname, this review should consist of all domains and resource records for the organization.
  • Review all encryption certificates related to the organizations’ domains and revoke any certificates that may be malicious to the organization.

GuidePoint’s vSOC will provide additional information as it is made public.

Supporting Information

Contributing Authors

Sam Harris, vSOC Practice Manager

Steve Pellegrino, vSOC Threat Hunter

Categories: News
Tags:DNSDNS tamperingDomain name system

GuidePoint Security

The Brick House CISO Partner Exclusive: Identity Outside the Lines
05-29-25 | 12:00 pm
As AI becomes integral to business and cybersecurity, effective governance is critical. Join industry experts to learn more about responsible AI principles, risk management, compliance and the keys to a trustworthy AI framework.
Register Now

Related Articles

View All

  • GRIT® Blog
Interlock Intrusion: How Interlock Achieves Encryption
Posted by: Jean-Pierre Mouton
Read More 9 min read
  • Cloud Security
Are You Using CNAPP to Its Full Potential, or Just Paying for It?
Posted by: Eliott Farquharson
Read More 2 min read
  • GRIT® Blog
Insights from the GRIT 2025 Q1 Ransomware & Cyber Threat Report
Posted by: Ben MartinMooney
Read More < 1 min read