Threat Report

DNS Infrastructure Hijacking Campaign

By Steve Pellegrino

Two days ago CISA released an emergency directive for US government agencies due to a DNS tampering attack which primarily targeted government agencies, telecom providers, and ISPs. NCCIC has shared 3 mitigation recommendations.

Overview

On January 10, 2019, The National Cybersecurity and Communication Integrations Center (NCCIC) became aware of a Domain Name System (DNS) infrastructure hijacking campaign which utilizes compromised credentials of users, and on January 22nd the Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive to government branches documenting the tracking of several incidents involving the DNS hijacking campaign.

The attack mainly targeted government agencies, telecommunication providers, and ISPs.

Technical Overview

Attackers are leveraging a DNS tampering attack, by compromising a user’s credentials, in order to begin making changes to an organization’s DNS records. Upon gaining access to the DNS records, an attacker begins altering the DNS records to redirect any traffic or requests to attacker-owned systems. This redirection of traffic or requests to attacker-owned systems permits the manipulation of full inspection of the traffic to pass to an attacker with the potential to allow the attacker to persist in the environment for a longer amount of time.

In addition to being able to alter DNS values, an attacker is also able to obtain sensitive encryption certificates for the organization’s domain, granting them the capability to redirect and decrypt traffic that could expose sensitive data.

Potential Impact

An organization’s DNS systems could be at risk and allow an attacker to gain persistence as well as access to sensitive information within the organization.

What You Should Do

NCCIC recommends the following best practices to help safeguard networks against this threat:

• Implement multi-factor authentication on high privileged accounts such as the domain registrar accounts, or on accounts that have access to modify the DNS records of the organization.
• Verify that all DNS records are pointing to the correct address or hostname, this review should consist of all domains and resource records for the organization.
• Review all encryption certificates related to the organizations’ domains and revoke any certificates that may be malicious to the organization.

Deepwatch will provide additional information to protect its customers and others if and when it becomes available.

Supporting Information

• https://www.us-cert.gov/ncas/current-activity/2019/01/10/DNS-Infrastructure-Hijacking-Campaign
• https://cyber.dhs.gov/assets/report/ed-19-01.pdf
• https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
• https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html