01.10.19

Threat Report

DNS Infrastructure Hijacking Campaign

By Steve Pellegrino

Two days ago CISA released an emergency directive for US government agencies in response to a DNS tampering attack that primarily targeted government agencies, telecom providers, and ISPs. NCCIC has shared three mitigation recommendations.

Overview

On January 10, 2019, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a Domain Name System (DNS) infrastructure hijacking campaign that relies on compromised user credentials. On January 22nd, the Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive to government branches documenting several incidents it is tracking that involve this DNS hijacking campaign.

The attack mainly targeted government agencies, telecommunication providers, and ISPs.

Technical Overview

Attackers are carrying out a DNS tampering attack: they compromise a user's credentials and use that access to begin changing an organization's DNS records. Once they can edit the records, they alter them so that traffic and requests are redirected to attacker-owned systems. Because the traffic now passes through systems the attacker controls, the attacker can inspect and manipulate it in full, and this foothold has the potential to let the attacker persist in the environment for a longer period of time.

In addition to altering DNS values, an attacker is also able to obtain encryption certificates for the organization's domain, granting the capability to redirect and decrypt traffic and potentially expose sensitive data.

Potential Impact

An organization’s DNS systems could be at risk and allow an attacker to gain persistence as well as access to sensitive information within the organization.

What You Should Do

NCCIC recommends the following best practices to help safeguard networks against this threat:

  • Implement multi-factor authentication on highly privileged accounts, such as domain registrar accounts or any account that can modify the organization's DNS records.
  • Verify that all DNS records point to the correct address or hostname; this review should cover all domains and resource records for the organization.
  • Review all encryption certificates related to the organization's domains and revoke any certificates that were not requested by the organization.
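As an added example (not part of deepwatch's report), the record-verification step above can be automated as a drift check of observed DNS answers against a change-controlled baseline. The zone names, addresses and snapshot below are constructed; in practice the observed set would come from live resolver queries or a zone export.

```python
"""Detect DNS record drift against a known-good baseline (added example).

The baseline maps (owner name, record type) to the set of values the
organization expects. Observed records come from a live resolver or a
zone export; here a constructed snapshot stands in for them.
"""
import socket
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]        # (owner name, record type)
RecordSet = Dict[Key, Set[str]]

# Constructed baseline: the values a change-controlled zone should hold.
BASELINE: RecordSet = {
    ("www.example.test", "A"):  {"192.0.2.10"},
    ("mail.example.test", "A"): {"192.0.2.25"},
    ("example.test", "MX"):     {"10 mail.example.test."},
    ("example.test", "NS"):     {"ns1.example.test.", "ns2.example.test."},
}

# Constructed snapshot of what resolvers currently return: the mail host
# and one apex NS entry now point somewhere the organization never set.
OBSERVED: RecordSet = {
    ("www.example.test", "A"):  {"192.0.2.10"},
    ("mail.example.test", "A"): {"198.51.100.77"},
    ("example.test", "MX"):     {"10 mail.example.test."},
    ("example.test", "NS"):     {"ns1.example.test.", "ns.unrelated.test."},
}


def diff_records(baseline: RecordSet, observed: RecordSet) -> List[str]:
    """Return one finding per deviation; an empty list means no drift."""
    findings: List[str] = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        expected = baseline.get((name, rtype), set())
        actual = observed.get((name, rtype), set())
        if not expected:
            findings.append(f"UNEXPECTED {name} {rtype} -> {sorted(actual)}")
            continue
        if not actual:
            findings.append(f"MISSING {name} {rtype} (expected {sorted(expected)})")
            continue
        for value in sorted(actual - expected):
            findings.append(f"ADDED   {name} {rtype} -> {value}")
        for value in sorted(expected - actual):
            findings.append(f"REMOVED {name} {rtype} -> {value}")
    return findings


def resolve_a(name: str) -> Set[str]:
    """Live A-record lookup through the system resolver (stdlib only)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}


if __name__ == "__main__":
    for line in diff_records(BASELINE, OBSERVED) or ["no drift detected"]:
        print(line)
```

Each ADDED or REMOVED line is a change that should be matched against an approved change ticket; anything without one is the registrar or DNS-provider account to investigate.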

deepwatch will provide additional information to protect its customers and others if and when it becomes available.

Supporting Information

  • https://www.us-cert.gov/ncas/current-activity/2019/01/10/DNS-Infrastructure-Hijacking-Campaign
  • https://cyber.dhs.gov/assets/report/ed-19-01.pdf
  • https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
  • https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
© Copyright 2021 deepwatch incorporated