01.10.19

Threat Report

DNS Infrastructure Hijacking Campaign

By Steve Pellegrino

On January 22, 2019, CISA released an emergency directive to US federal agencies in response to a DNS infrastructure hijacking campaign that has primarily targeted government agencies, telecommunications providers, and ISPs. NCCIC has shared three mitigation recommendations, summarized below.

Overview

On January 10, 2019, the National Cybersecurity and Communications Integration Center (NCCIC) became aware of a Domain Name System (DNS) infrastructure hijacking campaign that relies on compromised user credentials. On January 22, 2019, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 19-01 to federal agencies, documenting several incidents it is tracking that are tied to this campaign.

The attack mainly targeted government agencies, telecommunication providers, and ISPs.

Technical Overview

The attackers first compromise the credentials of a user who can administer an organization's DNS, typically an account at the domain registrar or DNS hosting provider. With that access they alter DNS records (for example A and NS records) so that traffic intended for the organization's services, such as mail or web servers, is instead directed to attacker-controlled systems. Because the attacker now sits in the path of that traffic, they can inspect or manipulate it in transit, and they can maintain access for as long as the altered records go unnoticed.

Control of the DNS records also lets the attacker pass the domain-validation checks that certificate authorities use, so they can obtain valid TLS certificates for the organization's domain names. With a trusted certificate in hand, the redirected connections show no warning to users, and the attacker can decrypt the traffic and expose sensitive data such as credentials and mail contents.

Potential Impact

An organization whose registrar or DNS provider accounts are compromised can have its traffic silently redirected and decrypted. This gives the attacker both persistence (the altered records remain in place until someone audits them) and access to sensitive information passing through the redirected services.

What You Should Do

NCCIC recommends the following best practices to help safeguard networks against this threat:

  • Implement multi-factor authentication on high-privilege accounts, such as domain registrar and DNS hosting provider accounts, and on any account that can modify the organization's DNS records.
  • Verify that every DNS record points to the correct address or hostname. This review should cover all domains and all resource records (A, AAAA, NS, MX, CNAME and others) that the organization owns.
  • Review the certificates issued for the organization's domains, for example by searching certificate transparency logs, and revoke any certificate that the organization did not request.
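The following script, an added example written for this report rather than code from Deepwatch, NCCIC or CISA, shows what the second and third recommendations look like in practice and what the record tampering described in the Technical Overview looks like to an auditor. It compares a known-good baseline of DNS records against live answers and flags every difference, then filters certificate-transparency entries for the organization's domains down to the ones whose serial numbers the organization does not recognize. The domain names, IP addresses, serial numbers, the stand-in resolver and the CT entries are all constructed for the example; in production you would replace `fake_resolver` with a real lookup (for example dnspython's `dns.resolver.resolve`, or parsing `dig` output) and feed in real CT query results.

```python
"""Audit DNS resource records and certificate-transparency entries against a
known-good baseline.  Added example for this report; not Deepwatch/CISA code.
All names, addresses, serials and the stand-in resolver are constructed."""
from collections import namedtuple

# One finding per record set that no longer matches the baseline.
Finding = namedtuple("Finding", "name rtype expected observed")

# Constructed known-good baseline: what the records *should* be.
BASELINE = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "A"): {"203.0.113.10"},
    ("mail.example.gov", "A"): {"203.0.113.25"},
    ("example.gov", "MX"): {"10 mail.example.gov."},
}

# Constructed "live" answers simulating the hijack described above: the A
# record for mail.example.gov now points at an attacker-controlled host, and an
# extra NS record has been added so an attacker-run server also answers queries.
TAMPERED_ANSWERS = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov.",
                            "ns.attacker-example.net."},
    ("example.gov", "A"): {"203.0.113.10"},
    ("mail.example.gov", "A"): {"198.51.100.7"},
    ("example.gov", "MX"): {"10 mail.example.gov."},
}


def fake_resolver(name, rtype):
    """Stand-in for a real lookup (e.g. dnspython's resolve()); returns a set
    of answer strings. Constructed for the example so it runs offline."""
    return TAMPERED_ANSWERS.get((name, rtype), set())


def audit_dns(baseline, resolver):
    """Return a Finding for every record set whose live answer differs from the
    baseline. Any difference (added, removed or changed value) is reported,
    because an extra NS or a changed A record is exactly how this campaign
    redirected traffic."""
    findings = []
    for (name, rtype), expected in sorted(baseline.items()):
        observed = set(resolver(name, rtype))
        if observed != expected:
            findings.append(Finding(name, rtype, expected, observed))
    return findings


# Constructed certificate-transparency entries, loosely in the shape of the
# JSON that crt.sh returns. The second cert was never requested by the org.
CT_ENTRIES = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "www.example.gov", "serial_number": "03a1",
     "not_before": "2018-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "mail.example.gov", "serial_number": "04b2",
     "not_before": "2019-01-05T00:00:00"},
]

# Serials the organization's own certificate inventory knows about (constructed).
KNOWN_SERIALS = {"03a1"}


def unexpected_certs(entries, known_serials, domain_suffix):
    """Return CT entries for names under domain_suffix whose serial number is
    not in the organization's inventory; these are candidates for revocation."""
    return [e for e in entries
            if (e["name_value"] == domain_suffix
                or e["name_value"].endswith("." + domain_suffix))
            and e["serial_number"] not in known_serials]


if __name__ == "__main__":
    for f in audit_dns(BASELINE, fake_resolver):
        print(f"DNS MISMATCH {f.name} {f.rtype}: expected {sorted(f.expected)}, "
              f"observed {sorted(f.observed)}")
    for e in unexpected_certs(CT_ENTRIES, KNOWN_SERIALS, "example.gov"):
        print(f"UNKNOWN CERT {e['name_value']} serial {e['serial_number']} "
              f"issued by {e['issuer_name']} on {e['not_before']}")
```

Run against the constructed data, the audit reports two mismatches (the added NS record and the changed A record for `mail.example.gov`) and one certificate the organization never requested. The baseline should be kept somewhere the DNS administrator account cannot edit, otherwise an attacker with that account can update the baseline along with the records.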

Deepwatch will provide additional information to protect its customers and others if and when it becomes available.

Supporting Information

  • https://www.us-cert.gov/ncas/current-activity/2019/01/10/DNS-Infrastructure-Hijacking-Campaign
  • https://cyber.dhs.gov/assets/report/ed-19-01.pdf
  • https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
  • https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
