DNS Hijacking is a Dangerous New Attack
Sep 05, 2019
DNS hijacking has become one of the most dangerous attacks in the cyber security world. At RSA 2019, the keynote speech, “The Five Most Dangerous New Attack Techniques,” alerted the cyber security community of the top five methods for DNS hijacking. With the recent global cyberespionage campaign occurring, it’s important to dive deeper into this top exploit and further explore DNS hijacking and how it can affect your business, review the recent emergency directive that was issued on DNS hijacking regarding the global campaign, and understand how to protect your organization from this attack.
What is DNS Hijacking?
Domain name system (DNS) hijacking is a technique that cybercriminals use to attack a user by redirecting them to different servers or websites under hacker control. The attack involves stealing credentials to gain access into a domain registry system through a man-in-the-middle attack or malware to change information such as an IP address of a resource linked to a specific domain name, in order to intercept DNS queries and redirect traffic. Ed Skoudis stated that the manipulation of the DNS has significantly impacted organizations in the last few months with over a “bajillion” credentials being compromised to log into DNS providers and name registrars to manipulate DNS records.
DNS hijacking can put your organization’s network at risk redirecting your users to malicious sites that use phishing techniques to steal credentials and gain access to personally identifiable information (PII), financial information, intellectual property, and more. So, what are the top five attacks to be aware of when it comes to a potential DNS hijacking attack?
Attack #1: DNS Manipulation
Arguably the most threatening new attack, DNS manipulation is when an attacker uses stolen credentials to log into domain registry systems and change information. In order to combat this, experts recommend deploying DNS security (DNSsec) and multi-factor authentication to improve the authenticity of your DNS records.
Attack #2: Domain Fronting
This attack is designed to obscure where the command and control are coming from, where the attacker is located, and where the data is exfiltrating to. Domain fronting tricks systems into trusting content by abusing cloud content delivery network. To limit this risk, do not blindly trust traffic that is coming from and going to cloud providers.
Attack #3: Targeted Individualized Attacks
In individualized attacks, hackers gain access to a user’s information in a variety of ways, one of which is users simply sharing too much information. With the information readily available, this lets hackers get access to user accounts. This can be avoided by users reviewing cloud settings to double-check what is publicly available and then limiting that information.
Attack #4: DNS Information Leakage
Unfortunately, DNS information isn’t secured by default. This makes it easier for a potential attacker to hack the DNS server. However, this can be useful to a user as they can determine how the attack traffic is coming in. Encrypting DNS traffic can help resolve this issue, but this also makes it more challenging for defenders to spot attacks early on.
Attack #5: Hardware Flaws in Baseboard Management Controllers
BMC or Baseboard Management Controllers monitor and manage firmware and hardware. These are important aspects of modern IT systems. However, these systems can have vulnerability and attackers can exploit that weakness. Removing unneeded management utilities and monitoring access to management consoles can reduce the risk of this DNS attack.
Understanding and evaluating the potential attacks is a great start to protecting your organization and valuable information. There are methods to combat these, but it’s important to understand what a potential DNS hijacking attack could look like. Our Security Analysts can implement these preventative measures for you, so you can have peace of mind knowing that your company and important information is safe.
DNS Hijackers Appear to Target U.S. Organizations
On January 22, 2019, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued its first Emergency Directive 19-01, Mitigating DNS Infrastructure Tampering, directing Federal civilian agencies to take a series of immediate actions in response to a global DNS hijacking campaign, which was revealed by FireEye and Cisco Talos researchers.
Christopher Krebs, Director of CISA, compared the DNS hijacking to “someone lying to the post office about your address, checking your mail, and then hand-deliver it to your mailbox. Lots of harmful things could be done to you (or the senders) depending on the content of that mail.”
He stated the hijackers are targeting government organizations and with the collaboration of National Institute of Standards and Technology (NIST) they’ve directed agencies to conduct the following:
- Verify their DNS records
- Update DNS account passwords
- Add multi-factor authentication; and
- Monitor Certificate Transparency logs
In addition to the prevention best practices stated above, implementing a VPN service to encrypt your organization’s internet traffic will help prevent a hacker from deciphering your traffic, thereby protecting your users and network, and allowing employees to work from any location while connecting to external WiFi networks. Luckily, Secuvant is here to help so you can feel safe and secure.
Secuvant is Here to Help Prevent DNS Hijacking
Secuvant’s Security Analysts watch for suspicious DNS queries involving hostile domains, DGA NXDomain responses, DNS zone transfer responses, and trojan-like sinkhole replies as part of the MDR / Soc-as-a-Service. At Secuvant, our goal is to keep your company feeling safe and secure. As your security partners, our experts assist you in protecting your important information and any threat to your DNS. To learn more about how you can protect your organization of cyber attacks, contact us today. As security professionals, we will help you implement best practices to keep your equipment safe from a cyber attack while ensuring that your business continues to run efficiently. Get started protecting your DNS and more with our exclusive services. To speak to a Security Analyst directly, get in touch with us at firstname.lastname@example.org or 855-732-8826.