Cyber Crime

Cyber Crime in general. Not necessarily DNS related

DNS Hijacking campaign revisited

The exposure of the 2019 DNS Hijacking Campaign was one of the most terrifying pieces of security news in recent years. The implications of these attacks are potentially far worse than any cyber attack known so far.

Background

This article was published in October 2021, almost three years after the exposure of the DNS Hijacking Campaign and with a pandemic that has held the world in its grip for the last year and a half. The news of the DNS hijacking campaign has long since left the spotlight of the security tabloids, and more recent cyber-attacks have taken its place. Does this mean that we managed to contain and stop the campaign and the danger is over? Have the hackers been deterred, arrested or incarcerated?

Certainly not! After a few months of running around screaming bloody murder, installing security patches, buying a few new security gadgets and updating a few passwords, we've turned our attention to other, "more pressing matters". But the threat actors are still out there, relentlessly doing what they do.

But let's start this article with a recap. On the 21st of January 2019 the DHS CISA issued its first ever Emergency Directive (ED 2019-01) concerning attacks targeting DNS servers and their content in a globally widespread DNS Infrastructure Hijacking campaign. Every major national CERT organisation was put on red alert and helped spread the bad news.

The DNS hijacking campaign was identified as two completely different campaigns by at least two state-sponsored APT groups with cyber-espionage as the primary objective. These campaigns, dubbed DNSpionage and Sea Turtle, have been traced back to Iran with moderate certainty. Some articles written about the subject have the two campaigns mixed up due to the limited information at hand at the time.

In any case the DNS hijacking campaign should really have served as a wake-up call! The threat actors are getting more sophisticated, using innovative tactics and multiple techniques and procedures to reach their objectives. These groups are not deterred if they are exposed; they usually withdraw to regroup, adjust their tactics and attack you again.

The campaign (Sea Turtle)

12 days before ED 2019-01 was issued, on the 9th of January 2019, the security firm FireEye posted the article Global DNS Hijacking Campaign: DNS Record Manipulation at Scale on their Threat Research blog describing their findings! FireEye’s research team discovered that these types of attacks had been ongoing since (at least) 2017 but had escalated over the last few months. The phrase “This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success” is quoted from that article and sends chills down the spine. The Cisco Talos Intelligence group has also been deeply involved in the research of this campaign.

As the research articles from FireEye and Cisco Talos indicate, there are three major concerns regarding these attacks.

The sheer scale

First of all, the sheer scale of the attacks is daunting. The attackers targeted multiple layers of the DNS and domain infrastructure all over the globe to establish control and gain access to systems facilitating their primary objectives. The primary targets appear to have been Middle Eastern and North African governments, military organisations, intelligence agencies and energy organisations. The attackers also compromised secondary targets like telco services, ISPs, IT firms and registrars to achieve their objectives. The secondary targets were mostly concentrated in the MENA area, but victims have been found in both Europe and North America.

The success rate

Second, the high degree of success. By using everything from rudimentary hacker tricks to highly sophisticated techniques, the attackers managed to compromise an alarmingly high number of DNS servers and peripherals around the globe. We will probably never find out how many DNS servers and organisations were compromised, nor will we come even close to knowing how many gigabytes of data were stolen during the attacks. Pulling off successful attacks of this magnitude is proof enough that we're dealing with formidable adversaries.

Detection avoidance

And finally, third, avoiding detection. It should be made very clear that the targets of these attacks listed above are technologically very capable in the areas of IT and information security. And still, the fact that these attacks were ongoing for two full years without detection is another indication of the level of sophistication of the attackers. Avoiding detection for two full years for attacks on this scale is simply astonishing and yet again a clear demonstration of the attackers' ability!

The techniques

Although many of the breaches and techniques used throughout these attacks are still shrouded in secrecy, bits and pieces have been made public and some information might still be just rumours or guesses.

In late 2018 researchers had discovered another, less sophisticated campaign which also relied on DNS servers to reach its objective. That campaign was dubbed DNSpionage, partly due to its use of DNS over TLS to exfiltrate data from planted malware. Other than that it had little resemblance to the newly discovered Sea Turtle campaign, even though some articles from that time credited DNSpionage with breaches committed by the Sea Turtle campaign. While the DNSpionage campaign used social engineering, spear-phishing and false job websites to plant malware, the Sea Turtle campaign targeted the DNS infrastructure as a foothold for further attacks.

Focused on gaining access to the DNS infrastructure and modifying DNS records, the actors behind Sea Turtle were (are) able to launch MitM attacks to harvest large numbers of user credentials and possibly other sensitive data, which in turn was used to launch penetrating attacks against target networks. Both campaigns used spear-phishing as one of the attack vectors to gain access to user credentials and plant malware. But the resemblance stops there.

The Sea Turtle campaign was (is) at an entirely different level of sophistication. The actors behind Sea Turtle utilised multiple attack vectors in combination, amongst them spear-phishing and multiple known vulnerability exploits, through which they managed to gain access or to move laterally on compromised networks. The wide range of attack vectors in combination with attacks on third-party entities shows a determination and methodology which is quite extraordinary.

Below is a selection of what the Sea Turtle actors were able to do to the DNS infrastructure.

  • Using stolen credentials the actors managed to abuse the Extensible Provisioning Protocol used for communicating domain updates between registrars and registries. This abuse was detected and the damage was (allegedly) kept to a minimum.
  • With access to registrar accounts (once again stolen) they were able to alter the names and IP addresses of name servers, redirecting queries to DNS servers under their own control.
  • By exploiting implementation vulnerabilities in the Registry Registrar Protocol they were allegedly able to inject bogus glue records.
  • By gaining administrative access to any authoritative DNS server for a targeted domain the actors were and are able to
    • replace or add IP addresses in A and AAAA resource records to reroute traffic.
    • modify the TTL for any record to manipulate cache times.
    • manipulate SOA serial numbers to avoid updates if the zone is a slave zone.
    • replace or add NS resource records to reroute DNS queries.
    • replace or add MX resource records to reroute mail traffic.
    • modify CAA records to allow certificate requests from illicit issuers.
    • add validation TXT records to validate new certificates.

All the bullets above can be used to prepare for as well as set up MitM attacks for credential and data harvesting.

Flying under the radar

Perhaps the most intriguing part of the DNS hijacking campaign is how the actors were able to avoid detection for so long given the technical skills of their victims. There are probably a multitude of reasons why these attacks took so long to detect, but there are two distinct areas of importance that need to be reviewed.

Technical skill level

It is abundantly clear that the security community at large has underestimated the skills of these APT groups.

As described in this article, the actors behind the Sea Turtle campaign possessed (and still possess) extraordinary skills in Internet and DNS infrastructure as well as in a multitude of hacking techniques and programming. But let's go into a few details that are known.

  • They were very careful and selective when altering DNS records. Some of the changed NS resource records resembled the original NS records, so at a brief inspection nothing seemed out of the ordinary.
  • A modification of a type A or AAAA record is usually easy to get away with. How many of us have memorised every IPv4 and IPv6 address in our DNS servers? This attack simply proves this point.
  • Some changes were only active for a short period of time, less than 24 hours and some even less than an hour. That is still more than enough time to poison the cache of dozens, maybe hundreds or thousands of DNS resolvers.
  • Modified resource records could also have altered TTLs, depending on how long the attacker wanted them to be cached by resolvers.
  • An additional TXT record with a verification code among a few others might not be something anyone reacts to.

All in all, it is quite easy to sneak in changes to zone records unless you actively monitor records and alert on every change.

Complacency

Organisations around the globe spend billions of dollars on IT and information security. There is hardly any organisation that is unaware of the cyber-threats we face. But throwing money at the problem doesn't make it go away. Regardless of whether the money is spent on security products or services, every organisation seems to put blind trust in whatever security defence system it builds, believing that it will work and continue to work. Without flaws.

This statement might seem a bit excessive, but just look at the organisations successfully targeted by the DNS hijacking campaign. They all believed that their security infrastructure would make it impossible for an attacker to penetrate their defences without being noticed.

They had no idea that they were under attack.

The countermeasures

What countermeasures can be taken to prevent these types of DNS and domain hijacking attempts?

Let's start with the four required actions from ED 2019-01. The following actions aim to establish whether any DNS server has been attacked and at the same time increase security.

Action One: Audit DNS Records

Audit public DNS records on all authoritative DNS servers to verify they resolve to the intended location. Prioritise NS records and records associated with and central to the key services including MX records and other services with high utilisation.

This action is necessary to establish the validity of every DNS record. Keep in mind that the actors avoided detection by modifying records for only short periods of time before restoring them to their original values. This action should be performed on a regular basis, preferably automated with a tool like the one DNSmonitor provides.
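A baseline audit of the kind Action One describes, also covering the stealth changes listed under "Technical skill level", shown as an added example that is not code from the original article or from DNSmonitor. The zone data, the `example.test` names, the poll times and the 0.85 similarity threshold are constructed assumptions; a real audit would take its observations from queries to each authoritative server.

```python
from difflib import SequenceMatcher

# Audit order: NS and MX first, as Action One asks, then the other types.
PRIORITY = {"NS": 0, "MX": 1, "A": 2, "AAAA": 2, "CAA": 3, "TXT": 4, "SOA": 5}

def parse(zone_text):
    """Parse 'name ttl type rdata' lines into {(name, type, rdata): ttl}."""
    records = {}
    for line in zone_text.strip().splitlines():
        name, ttl, rtype, rdata = line.split(None, 3)
        records[(name.lower(), rtype.upper(), rdata.strip())] = int(ttl)
    return records

def imitates(key, baseline):
    """True if a new value closely resembles a baseline value of the same name/type."""
    return any((n, t) == key[:2] and SequenceMatcher(None, old, key[2]).ratio() >= 0.85
               for n, t, old in baseline)

def diff_zone(baseline, observed):
    """Every difference between the trusted baseline and one observation."""
    findings = []
    for key in observed.keys() - baseline.keys():
        findings.append(("lookalike" if imitates(key, baseline) else "added", *key))
    for key in baseline.keys() - observed.keys():
        findings.append(("removed", *key))
    for key in baseline.keys() & observed.keys():
        if baseline[key] != observed[key]:
            findings.append(("ttl", key[0], key[1], f"{baseline[key]}->{observed[key]}"))
    return sorted(findings, key=lambda f: (PRIORITY.get(f[2], 9), f))

def audit(baseline_text, polls):
    """Diff each timestamped poll, so a change that later reverts is still recorded."""
    base = parse(baseline_text)
    return {ts: diff_zone(base, parse(text)) for ts, text in polls}

# Constructed sample data (reserved example names and documentation addresses).
BASELINE = """
example.test. 86400 NS ns1.example.test.
example.test. 86400 NS ns2.example.test.
example.test. 3600 MX 10 mail.example.test.
mail.example.test. 3600 A 192.0.2.25
"""
TAMPERED = """
example.test. 86400 NS ns1.examp1e.test.
example.test. 86400 NS ns2.example.test.
example.test. 60 MX 10 mail.example.test.
mail.example.test. 3600 A 198.51.100.7
_acme-challenge.example.test. 60 TXT "constructed-token"
"""
POLLS = [("10:00", BASELINE), ("10:30", TAMPERED), ("11:00", BASELINE)]

if __name__ == "__main__":
    for ts, findings in audit(BASELINE, POLLS).items():
        print(ts, findings or "no change")
```

The 11:00 poll is clean again, so an audit that ran only once that day would have reported nothing; the polling interval has to be shorter than the shortest change you want to catch.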

Action Two: Change DNS Account Password

Update passwords for all accounts on systems that can make changes to DNS records. CISA recommends the use of password managers to facilitate complex and unique passwords.

Action Three: Add Multi-Factor Authentication to DNS Accounts

Implement MFA for all accounts on systems that can make changes to DNS records.

Action Four: Monitor Certificate Transparency Logs

Monitor for certificates issued but not requested by the organisation.
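One way to carry out this check, as an added example that is not from the original article: compare certificates seen in Certificate Transparency logs against the organisation's own record of certificates it requested. The entry fields (`issuer`, `serial`, `dns_names`, `logged_at`), the CA names and all values are constructed assumptions; map them to whatever your CT data source actually returns.

```python
import json

def covers(name, domain):
    """True if a certificate name (possibly a wildcard) falls under the monitored domain."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    domain = domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def unrequested(ct_entries, requested, domains):
    """Return CT entries for our domains whose (issuer, serial) we never requested.

    requested: set of (issuer, serial) pairs from the organisation's own records.
    A precertificate and its final certificate share a serial, so each pair is
    reported once. Serials are only unique per issuer, hence the pair.
    """
    seen, alerts = set(), []
    for entry in ct_entries:
        names = [n for n in entry["dns_names"] if any(covers(n, d) for d in domains)]
        ident = (entry["issuer"], entry["serial"].lower())
        if not names or ident in requested or ident in seen:
            continue
        seen.add(ident)
        alerts.append({"issuer": ident[0], "serial": ident[1], "names": names,
                       "logged_at": entry["logged_at"]})
    return alerts

# Constructed sample: five log entries in a hypothetical JSON shape.
CT_SAMPLE = """[
 {"issuer": "CN=Example Trusted CA", "serial": "0A1B",
  "dns_names": ["www.example.test"], "logged_at": "2019-01-03T08:00:00Z"},
 {"issuer": "CN=Other Public CA", "serial": "77FF",
  "dns_names": ["mail.example.test"], "logged_at": "2019-01-05T10:31:00Z"},
 {"issuer": "CN=Other Public CA", "serial": "77ff",
  "dns_names": ["mail.example.test"], "logged_at": "2019-01-05T10:32:00Z"},
 {"issuer": "CN=Other Public CA", "serial": "9C00",
  "dns_names": ["notexample.test"], "logged_at": "2019-01-06T09:00:00Z"},
 {"issuer": "CN=Other Public CA", "serial": "0a1b",
  "dns_names": ["*.example.test"], "logged_at": "2019-01-07T12:00:00Z"}
]"""
CT_ENTRIES = json.loads(CT_SAMPLE)
REQUESTED = {("CN=Example Trusted CA", "0a1b")}  # what we actually ordered

if __name__ == "__main__":
    for alert in unrequested(CT_ENTRIES, REQUESTED, ["example.test"]):
        print("unrequested certificate:", alert)
```

The `logged_at` time of an alert is worth comparing with the times of any DNS record changes found by the Action One audit, since a validation TXT record or a changed A record shortly before issuance explains how the certificate was obtained.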

Besides these very directed actions there are a few others that help bump up the security surrounding your domains and DNS servers.

Activate Registry Lock

A registry lock prevents changes to your domain, like changing or replacing DNS servers and transferring your domain to other registrars. Changes can still be made, but they will require strong authentication like MFA to succeed.

Activate DNSSEC

DNSSEC enabled zones, resolvers and clients could have prevented many of the MitM attacks.

Keep in mind that if a DNS master account is compromised and the changes are made on the master, the new resource record will be correctly signed and the signature will be valid.

Patch your systems

This is the oldest and possibly the most effective security measure to be taken. Even if a system is not directly linked to the DNS infrastructure, remember that the attackers, among other things, moved laterally between systems to achieve their goals.

Every security measure taken makes it a bit harder for the adversaries. But keep in mind that security is a moving target and you can never let your guard down. A countermeasure you can't monitor closely and keep up to date will probably be the one that gets you owned.

Conclusions

"A persistent problem with DNS-based attacks is that a great deal of organisations tend to take much of their DNS infrastructure for granted. For example, many entities don't even log DNS traffic, nor do they keep a close eye on changes made to their domain records."

This quote is borrowed from the article A Deep dive on the Recent Widespread DNS Hijacking Attacks by Brian Krebs and is a conclusion from interviews with multiple security experts on the subject. It is a viable explanation of why these attacks could go unnoticed for two full years.

But this is just one part of a bigger picture. There are plenty more reasons why many organisations aren't able to keep their guard up. One that comes to mind is the growing number of applications, services and platforms that need to be supported by a crew that rarely has enough resources as it is. This could definitely result in less time to spend on keeping up to date with core services like the DNS. And we all know that less time spent on these core services depletes the competence in these areas, which in turn could very well be the underlying cause of successful cyber-attacks.

Another example, which follows from the former reason, is the ongoing trend to outsource Internet-based services like the DNS to third-party actors like CDNs, registrars and DNS service providers. Instead of keeping and maintaining a high competence level in-house, it is much more affordable to outsource, for example, the DNS service. Never mind gambling with security in the process. This is not saying that the third-party actors do a bad job, on the contrary, but the fact of the matter is that in many ways the organisations trade away security for cost savings.

In the Background section of this article we hoped that the DNS hijacking campaign would serve as a wake-up call.

Are you awake yet?

Posted by Henrik Dahlberg in Cyber Crime, DNS Security

DNS Hijacking campaign

In late January 2019 the DHS CISA issued its first ever Emergency Directive (ED 2019-01) concerning attacks targeting DNS servers and their content in a globally widespread DNS Infrastructure Hijacking campaign. Every major national CERT organisation was put on red alert and helped spread the bad news.

12 days before, on the 9th of January, the security firm FireEye posted the article Global DNS Hijacking Campaign: DNS Record Manipulation at Scale on their Threat Research blog describing their findings! FireEye’s research team discovered that these types of attacks had been ongoing since (at least) 2017 but had escalated over the last few months. The phrase “This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success” is quoted from the article and sends chills down the spine.

As the research article from FireEye indicates, the news here is the sheer scale and that the targets are DNS servers. My personal guess is that the majority of the breaches were made on accounts for managed DNS services. Managed DNS services have become increasingly popular over the past years (if you have a problem, outsource it and the problem goes away, right?), and why not? I can relate to why organisations select managed DNS services over in-house management. A managed DNS service doesn't require skilled and expensive staff to manage, and features like DNSSEC are readily available. But it comes with a price!

DNSSEC is great for detecting man-in-the-middle attacks, so why is it obviously ineffective against this new kind of attack? The answer is very simple. Man-in-the-middle attacks like the popular cache poisoning attack some years back were designed to intercept ongoing DNS traffic to and from DNS resolvers and inject phony IP addresses into the resolver cache, redirecting traffic through attacker-controlled sites. If you read the articles, these attacks are quite similar, but very different. They inject the phony IP addresses at the source. Before the DNS resource record is signed! And hence, when a validating resolver performs validation on the record it will show up as legit, and the end users will never be aware that their communication is routed through the attacker's servers! With that in mind these attacks are quite devious in their way of "hiding in plain sight". At a quick glance you won't make out if an IP address has been changed, especially if you are not looking for it!

FireEye discovered that there are three types of records that are most likely to be targeted to carry out the different traffic redirections: NS, MX and A (AAAA). The NS records are used to identify which name servers (DNS) are authoritative for a domain/zone. By altering these records an attacker can redirect all DNS queries through his own DNS infrastructure. The MX records tell the MTA where an email is to be sent. By altering these records, all incoming mail traffic will be redirected, read and forwarded to the originally intended mail servers. And finally the A and AAAA records, which will redirect traffic through IP addresses the attacker controls.

The only way to detect these types of attacks is by constantly monitoring key DNS records!

DNS monitor can make a difference!

We provide continuous monitoring of your DNS resource records, and will give you a heads-up whenever they are modified.
Our DNS monitoring system provides an Internet view of your DNS infrastructure and monitors your domains for data integrity and availability.

Posted by Henrik Dahlberg in Cyber Crime, DNS Security