Cyber crime headline

DNS Hijacking campaign

In late January 2019 the DHS CISA issued its first ever Emergency Directive (ED 2019-01) concerning attacks targeting DNS servers and their content in a globally widespread DNS Infrastructure Hijacking campaign. Every major national CERT organisation were put on red alert and helped spread the bad news.

12 days before, on the 9th of January, the security firm FireEye posted the article Global DNS Hijacking Campaign: DNS Record Manipulation at Scale on their Threat Research blog describing their findings! FireEye’s research team discovered that these types of attacks had been ongoing since (at least) 2017 but had escalated over the last few months. The phrase “This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success” is quoted from the article and brings chills down the spine.

As the research article from FireEye indicates, the news here are the sheer scale and that the targets are DNS servers. My personal guess is that the majority of the breaches were made on accounts for managed DNS services. Managed DNS services have becoming increasingly popular over the past years (if you have a problem, outsource it and the problem goes away, right?), and why not? I can relate to why organisations select managed DNS services over in-house management. A managed DNS service don't require skilled and expensive staff to manage and features like DNSSEC are readily available. But it comes with a price!

DNSSEC is great for detecting man-in-the-middle attacks, so why is it obviously ineffective with these new kind of attacks? The answer is very simple. Man-in-the-middle attacks like the popular Cache poisoning attack some years back were targeted to intercept ongoing DNS traffic to and from DNS resolvers and inject phony IP addresses into the resolver cache redirecting traffic through the attacker controlled sites. If you read the articles, these attacks are quite similar, but very different. They inject the phony IP addresses at the source. Before the DNS resource record is signed! And hence, when a validating resolver performs validation on the record it will show up as legit and the end users will never be aware that their communication is routed through the attackers servers! With that in mind these attacks are quite devious in its way of "hiding in plain sight". At a quick glance you won't make out if an IP address have been changed, especially if you are not looking for it!

FireEye discovered that there are three types of records that are most likely targeted to be used to carry out the different traffic redirections: NS, MX and A (AAAA). The NS records are used to identify which name servers (DNS) that are authoritative for a domain/zone. By altering these records an attacker can redirect all DNS queries through his own DNS infrastructure. The MX records will tell the MTA to where an email will be sent. By altering these records, all incoming mail traffic will be redirected, read and forwarded to the originally intended mail servers. And finally the A and AAAA records, which will redirect traffic through IP addresses the attacker controls.

The only way to detect these types of attacks is by constantly monitoring key DNS records!

DNS monitor can make a difference!

We provide continuous monitoring of your DNS resource records, and will give you a heads up whenever it is modified.
Our DNS monitoring system provide an Internet view of your DNS infrastructure and the domains you monitor for its data integrity and availability.