DNS Hijacking Presents Itself as a Dangerous New Attack in 2019
Mar 20, 2019
The Secuvant team attended this year’s RSA Conference, held in San Francisco during the first week of March, and came away with valuable insights. Aside from connecting and networking with like-minded individuals and our industry’s most forward-thinking cybersecurity experts, we attended sessions that predicted how the industry will evolve as attackers become smarter at targeting organizations. One interesting keynote was the SANS Institute panel “The Five Most Dangerous New Attack Techniques and How to Counter Them”. The panelists, Ed Skoudis, Heather Mahalik and Johannes Ullrich, presented the five attacks, including DNS hijacking and domain fronting.
With a global cyberespionage campaign built on this technique under way, the Secuvant team felt it was important to dive deeper into this top attack: what DNS hijacking is and how it can affect your business, the emergency directive recently issued in response to the campaign, and how to protect your organization.
What is DNS Hijacking?
Domain name system (DNS) hijacking is a technique attackers use to redirect users to servers or websites under the attacker’s control. The attack typically involves stealing credentials for a domain registrar or DNS provider account (for example through a man-in-the-middle attack or malware on an administrator’s machine) and then changing the records for the victim’s domain, such as the IP address (A record) a host name resolves to or the name servers (NS records) authoritative for the zone. Once the records are changed, DNS queries for that domain return attacker-controlled answers and the traffic is redirected, even though nothing on the victim’s own systems has been touched.
Ed Skoudis stated that the manipulation of the DNS has significantly impacted organizations in the last few months with over a “bajillion” credentials being compromised to log into DNS providers and name registrars to manipulate DNS records.
DNS hijacking puts your organization’s network at risk by redirecting your users to malicious sites that use phishing techniques to steal credentials and gain access to personally identifiable information (PII), financial information, intellectual property, and more. Because the attacker sits on the path to a name your users trust, mail and other traffic destined for that name can be intercepted as well.
DNS Hijackers Target U.S. Organizations
On January 22, 2019, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued its first Emergency Directive, 19-01, “Mitigating DNS Infrastructure Tampering”, directing Federal civilian agencies to take a series of immediate actions in response to a global DNS hijacking campaign that had been revealed by FireEye and Cisco Talos researchers.
Christopher Krebs, Director of CISA, compared the DNS hijacking to “someone lying to the post office about your address, checking your mail, and then hand delivering it to your mailbox. Lots of harmful things could be done to you (or the senders) depending on the content of that mail”.
He stated that the hijackers are targeting government organizations, and that CISA, in collaboration with the National Institute of Standards and Technology (NIST), directed agencies to take the following actions:
- Verify their DNS records;
- Update DNS account passwords;
- Add multi-factor authentication; and
- Monitor Certificate Transparency logs.
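As an added example (not the directive’s or Secuvant’s own tooling), the following Python script shows the first and last of these steps in an offline, checkable form: it diffs the zone’s current records against a known-good baseline and flags Certificate Transparency entries for the organization’s names that are not in its certificate inventory. The domain names, addresses, CT entries and serial numbers are constructed sample data; in practice the observed records come from a resolver (for example `dig +short`) and the CT entries from a log monitor.

```python
"""Offline audit of DNS records and Certificate Transparency entries.

Added example, not code from CISA or Secuvant. It assumes two inputs an
operator already has: a known-good baseline of the zone's records and the
answers currently observed from a resolver, plus a list of certificate
entries pulled from a CT log monitor. All sample data below is constructed.
"""
from dataclasses import dataclass, field

# Known-good baseline of the records that matter most for hijacking:
# NS (who serves the zone), A (where hosts point), MX (where mail goes).
BASELINE = {
    ("example.com.", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
    ("example.com.", "A"): {"203.0.113.10"},
    ("www.example.com.", "A"): {"203.0.113.10"},
    ("mail.example.com.", "A"): {"203.0.113.25"},
    ("example.com.", "MX"): {"10 mail.example.com."},
}

# Answers "observed" from a resolver today (constructed). The mail host now
# points outside the organization's 203.0.113.0/24 range and the zone has
# gained a name server nobody provisioned.
OBSERVED = {
    ("example.com.", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net.",
                             "ns-9.attacker-dns.example."},
    ("example.com.", "A"): {"203.0.113.10"},
    ("www.example.com.", "A"): {"203.0.113.10"},
    ("mail.example.com.", "A"): {"198.51.100.77"},
    ("example.com.", "MX"): {"10 mail.example.com."},
}


@dataclass
class Finding:
    name: str
    rtype: str
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)


def audit_records(baseline, observed):
    """Return one Finding per (name, type) whose data differs from baseline.

    Both added and removed values are reported: pointing a host elsewhere
    removes the legitimate address as well as adding a new one, and a single
    added NS record is enough to hand part of the zone to someone else.
    """
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        base = baseline.get(key, set())
        obs = observed.get(key, set())
        if base != obs:
            name, rtype = key
            findings.append(Finding(name, rtype, obs - base, base - obs))
    return findings


# Certificate Transparency entries as a monitor would return them
# (constructed). Whoever controls where mail.example.com resolves can pass
# domain validation and obtain a certificate for it, which is why the
# directive asks for CT monitoring alongside the record audit.
CT_ENTRIES = [
    {"subject": "www.example.com", "issuer": "Corp Internal CA", "serial": "1A2B"},
    {"subject": "mail.example.com", "issuer": "Let's Encrypt", "serial": "03C4"},
    {"subject": "unrelated.org", "issuer": "Let's Encrypt", "serial": "FF01"},
]

# Serial numbers of certificates the organization knows it requested.
KNOWN_SERIALS = {"1A2B"}


def unexpected_certificates(entries, monitored_domains, known_serials):
    """Return CT entries for monitored names whose serial is not in inventory.

    A hit means someone obtained a certificate for one of our names that we
    did not request: a strong signal that the name has been redirected.
    """
    out = []
    for e in entries:
        subj = e["subject"].lower().rstrip(".")
        if any(subj == d or subj.endswith("." + d) for d in monitored_domains):
            if e["serial"] not in known_serials:
                out.append(e)
    return out


if __name__ == "__main__":
    for f in audit_records(BASELINE, OBSERVED):
        print(f"{f.name} {f.rtype}: added={sorted(f.added)} removed={sorted(f.removed)}")
    for e in unexpected_certificates(CT_ENTRIES, ["example.com"], KNOWN_SERIALS):
        print(f"unexpected certificate for {e['subject']} from {e['issuer']} "
              f"(serial {e['serial']})")
```

Run the record audit against both the delegation the parent zone serves (the NS records held at the registrar) and the zone’s own authoritative servers, since a change at either level redirects traffic; a baseline that is only refreshed by the same account the attacker controls is worth little, so keep it somewhere the DNS provider credentials cannot reach.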
In addition to the prevention practices listed above, a VPN service is a useful complementary control: it encrypts your organization’s traffic between the user’s device and the VPN endpoint, so employees can work from any location over external Wi-Fi networks without a local attacker reading or tampering with that traffic. Be clear about what it does not do, however. If the records at the registrar or DNS provider have themselves been altered, the resolver behind the VPN returns the same tampered answer, so record verification, credential and MFA hygiene on the DNS accounts, and Certificate Transparency monitoring remain the controls that actually counter DNS hijacking.
Secuvant’s Security Analysts watch for suspicious DNS queries involving hostile domains, DGA-style NXDOMAIN responses, DNS zone transfer responses, and trojan-like sinkhole replies as part of our MDR / SOC-as-a-Service. Contact our security professionals to learn more about how you can protect your organization from cyber attacks at firstname.lastname@example.org or 855-732-8826.
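To make three of those detection signals concrete, here is an added example (not Secuvant’s MDR tooling) that runs simple rules over DNS response logs: queries for watch-listed hostile domains, a burst of NXDOMAIN responses from a single client (the usual footprint of a domain generation algorithm), and zone-transfer (AXFR) requests that were actually answered. The log format, the client addresses, the watch list and the threshold are constructed for illustration; a real deployment would feed it resolver or passive-DNS logs and a threat-intelligence list.

```python
"""Detection rules over DNS response logs.

Added example, not Secuvant's own detection code. The log format is
constructed: one line per response, space-separated key=value fields.
"""
import re
from collections import defaultdict

# Constructed sample log: 10.0.0.5 shows DGA-like NXDOMAIN churn, 10.0.0.9
# asks for a watch-listed domain, 10.0.0.12 receives a full zone transfer,
# and 10.0.0.7 is an ordinary client with one typo.
SAMPLE_LOG = """\
ts=2019-03-18T10:00:01Z client=10.0.0.5 qname=xk3jd9fqpl.com qtype=A rcode=NXDOMAIN
ts=2019-03-18T10:00:02Z client=10.0.0.5 qname=q8wz1ncvbd.net qtype=A rcode=NXDOMAIN
ts=2019-03-18T10:00:02Z client=10.0.0.5 qname=pl0mk2ja7r.org qtype=A rcode=NXDOMAIN
ts=2019-03-18T10:00:03Z client=10.0.0.5 qname=vv9sd3ehyq.com qtype=A rcode=NXDOMAIN
ts=2019-03-18T10:00:03Z client=10.0.0.5 qname=t5bqe8lmzc.info qtype=A rcode=NXDOMAIN
ts=2019-03-18T10:00:04Z client=10.0.0.7 qname=www.example.com qtype=A rcode=NOERROR
ts=2019-03-18T10:00:05Z client=10.0.0.9 qname=update.bad-actor.example qtype=A rcode=NOERROR
ts=2019-03-18T10:00:06Z client=10.0.0.12 qname=corp.example qtype=AXFR rcode=NOERROR
ts=2019-03-18T10:00:07Z client=10.0.0.7 qname=typo.exmaple.com qtype=A rcode=NXDOMAIN
"""

HOSTILE_DOMAINS = {"bad-actor.example"}   # constructed threat-intel watch list
NXDOMAIN_THRESHOLD = 5                    # NXDOMAINs from one client before alerting

FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = ("client", "qname", "qtype", "rcode")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; return None if a required field is missing."""
    fields = dict(FIELD_RE.findall(line))
    return fields if all(k in fields for k in REQUIRED) else None


def in_watchlist(qname, watchlist):
    """True if qname is a watch-listed domain or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in watchlist)


def detect(log_text, watchlist=HOSTILE_DOMAINS, nx_threshold=NXDOMAIN_THRESHOLD):
    """Return a list of (rule, client, detail) alerts for the given log text."""
    alerts = []
    nx_counts = defaultdict(int)          # NXDOMAIN responses seen per client
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        client, qname, qtype, rcode = (rec[k] for k in REQUIRED)
        if in_watchlist(qname, watchlist):
            alerts.append(("hostile-domain", client, qname))
        # An AXFR that is answered (NOERROR) means the server handed out the
        # whole zone; a refused transfer is noise, a successful one is a finding.
        if qtype == "AXFR" and rcode == "NOERROR":
            alerts.append(("zone-transfer-answered", client, qname))
        if rcode == "NXDOMAIN":
            nx_counts[client] += 1
            if nx_counts[client] == nx_threshold:   # alert once, at the threshold
                alerts.append(("nxdomain-burst", client,
                               f"{nx_threshold} NXDOMAIN responses"))
    return alerts


if __name__ == "__main__":
    for rule, client, detail in detect(SAMPLE_LOG):
        print(f"{rule:24} {client:12} {detail}")
```

The NXDOMAIN rule counts over the whole input; on a live feed you would count within a sliding time window and tune the threshold per client type, since a laptop on a captive portal can produce a short NXDOMAIN burst of its own.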