US-CERT- AA19-024A: DNS Infrastructure Hijacking Campaign

Started by Netwörkheäd, February 06, 2019, 12:07:51 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

Netwörkheäd

February 06, 2019, 12:07:51 PM
AA19-024A: DNS Infrastructure Hijacking Campaign

Original release date: January 24, 2019 | Last revised: February 06, 2019

   

Summary


   

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization's domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization's domain names, enabling man-in-the-middle attacks.

See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:

These files will be updated as information becomes available.

   

Technical Details


   

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

  1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
  2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
  3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.
   

Mitigations


   

NCCIC recommends the following best practices to help safeguard networks against this threat:

  • Update the passwords for all accounts that can change organizations' DNS records.
  • Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
  • Audit public DNS records to verify they are resolving to the intended location.
  • Search for encryption certificates related to domains and revoke any fraudulently requested certificates.
   

References


   
   

Revisions


   

                   
  • January 24, 2019: Initial version

    •            
  • February 6, 2019: Updated IOCs, added Crowdstrike blog

    •        

   

   

This product is provided subject to this Notification and this Privacy & Use policy.

   

Source: AA19-024A: DNS Infrastructure Hijacking Campaign
Let's not argue. Let's network!

deanwebb

#1
February 07, 2019, 09:17:29 AM
So... about that DNS... yeaaaahhhhh...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

#2
February 07, 2019, 09:52:34 AM
The government response to this: https://cyber.dhs.gov/ed/19-01/ I said it in another topic here. I am glad DNS isn't my concern.

-Otanx

icecream-guy

#3
February 07, 2019, 10:55:04 AM
Quote from: Otanx on February 07, 2019, 09:52:34 AM
The government response to this: https://cyber.dhs.gov/ed/19-01/ I said it in another topic here. I am glad DNS isn't my concern.

-Otanx

be glad be glad...  especially if you work for US government,  i do  part time hostmaster for .gov domains.  yeeesh,  it's ugly.
especially for the Feb 5th data call.   was jumping around like kangaroo last week.

:professorcat:

My Moral Fibers have been cut.

Otanx

#4
February 07, 2019, 02:53:54 PM
Oh, I am. I got roped into that data call for historical knowledge. They found some really old legacy entries that pointed to space we gave up about six years ago. People were starting to panic a little bit till we gave them the old IP lists that showed we used to use those addresses. The side benefit is external DNS is clean now.

-Otanx
Print
Go Up Pages1
User actions