Last week, FireEye published research identifying a global DNS hijacking attack that is thought to be part of a large and growing espionage operation that began two years ago. The report said the hacking campaign redirected web traffic from companies globally through the hackers’ malicious servers, recording company credentials for future attacks. This is particularly significant due to the nature of the organizations targeted – primarily telecom, internet infrastructure, government and commercial entities – most of which could be of interest to a nation-state attacker.
Although the scope of this campaign appears significant, the methods used are certainly not unique or sophisticated. Like other tactics we’ve seen grow in popularity among cybercriminals, these attacks are low-cost and simple to execute, relying on victims not taking basic security measures.
In DNS hijacking attacks, attackers take over the victim's accounts at its DNS provider or domain registrar and modify the zone's records (for example, the A records for a host or the NS records that delegate the whole domain) so that incoming traffic is redirected to servers they control. An end-user device that then makes a DNS query for the victim's domain (to visit a website or reach an application) receives the attacker's answer and is sent to a fake site masquerading as the legitimate one.
DNS hijacking and other man-in-the-middle attacks, such as DNS cache poisoning and border gateway protocol (BGP) hijacking, are not always obvious. They can go undetected for extended periods of time, often resulting in data theft and direct financial loss. In late 2018, authorities shut down a multi-year ad-fraud scheme that, among other tactics, used BGP hijacking to take over more than one million IP addresses and generated nearly $30 million. That was an extremely sophisticated and unusual operation, however. Because these attacks are difficult to execute at scale, they tend to be targeted: particular sites are chosen for a specific purpose, usually financial gain. Cryptocurrency investors learned this the hard way last year, when BGP hijacking was used to impersonate several wallet sites and steal credentials, which the attackers then used to empty users' accounts.
Fortunately, a basic, layered approach to DNS security can dramatically reduce the chances of DNS- and BGP-related compromise. Here are three essential preventive measures that organizations should implement:
Use multi-factor authentication for authoritative DNS and registrar logins
Organizations should implement strict access controls that limit DNS changes to the users who are actually responsible for them. If a company has multiple DNS administrators, it can assign different functions to different users depending on their role and restrict update access to the zones and records each needs to do their job. Strengthen those controls with multi-factor authentication and single sign-on. If a company uses scripts or APIs to update DNS, it should use strong authentication keys, scope them to the zones and record types the automation actually needs, and restrict key usage to valid sources only (i.e., IP whitelisting). Finally, organizations should use secure practices when dealing with their domain registrar, including a registrar lock on the domain where the registrar offers one, and keep the list of authorized contacts with the registrar up to date. This allows the company to maintain control over its domain name and avoid missing an expiration notice from the registrar.
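As an added illustration (not from the FireEye report or the original post), here is what a scoped, source-restricted automation credential of the kind described above looks like as an AWS IAM policy, assuming the zone is hosted in Route 53. The hosted zone ID `ZEXAMPLE12345`, the deployment network `203.0.113.0/24` and the choice of record types are placeholders for this example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeployBotMayEditHostRecordsInOneZoneFromDeployNetworkOnly",
      "Effect": "Allow",
      "Action": [
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/ZEXAMPLE12345",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": ["203.0.113.0/24"]
        },
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["A", "AAAA", "CNAME"]
        }
      }
    }
  ]
}
```

The policy is attached only to the principal the deployment script runs as: it can touch one hosted zone, only A/AAAA/CNAME records (never NS, DS or MX, the records a hijacker most wants), and only from the deployment network. Human administrators get a separate role whose policy carries the same zone scoping plus a `"Bool": {"aws:MultiFactorAuthPresent": "true"}` condition, so that a stolen password alone cannot change records.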
Monitor authoritative DNS activity logs to quickly spot issues
It might seem overwhelming to consider tracking every DNS response, and that is not the goal. By monitoring the change logs of the authoritative DNS provider and registrar alongside resolver and IDS logs, a company can readily observe DNS configuration changes and shifting traffic patterns, which are the key indicators of compromise for this class of attack. For instance, an unplanned change to an NS, A or MX record, a change made by an account or from an address that never normally touches DNS, or a sudden change in query volume can indicate malicious DNS activity. It is also worth resolving the organization's own names from an outside vantage point and comparing the answers with what the zone is supposed to contain, since a hijack performed at the registrar or through BGP will not appear in the provider's change log at all.
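The detection logic described above, as an added example rather than code from the original article. It runs over a constructed JSON-lines audit log (no real provider uses exactly this schema; map the field names to yours) and flags the three signals a DNS hijack leaves behind: records that no longer match the zone's baseline, hosts pointed at address space the organization does not own, and changes by unexpected identities or outside the planned change window. `BASELINE`, `OWNED_NETWORKS`, `APPROVED_ACTORS` and the change window are assumptions for the example:

```python
"""Scan authoritative-DNS change events for hijacking indicators.

Added example, not code from the original article. The log lines below are a
constructed JSON-lines format; real providers each have their own audit-log
schema, so map the field names accordingly.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed baseline of what the zone should contain (assumption).
BASELINE = {
    ("example.com.", "NS"): {"ns1.example.com.", "ns2.example.com."},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("www.example.com.", "A"): {"203.0.113.10"},
}
# Address space the organisation actually controls (assumption).
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Identities that are allowed to change records (assumption).
APPROVED_ACTORS = {"dns-deploy-bot"}
# Planned changes only happen inside this UTC window (assumption).
CHANGE_WINDOW_UTC = (8, 18)

# Constructed audit log: one benign deploy and two changes that look like a hijack.
SAMPLE_LOG = """
{"ts": "2019-01-14T10:02:11+00:00", "actor": "dns-deploy-bot", "name": "www.example.com.", "type": "A", "old": ["203.0.113.10"], "new": ["203.0.113.11"]}
{"ts": "2019-01-15T03:14:07+00:00", "actor": "admin", "name": "www.example.com.", "type": "A", "old": ["203.0.113.11"], "new": ["198.51.100.77"]}
{"ts": "2019-01-15T03:15:30+00:00", "actor": "admin", "name": "example.com.", "type": "NS", "old": ["ns1.example.com.", "ns2.example.com."], "new": ["ns1.attacker.example.", "ns2.attacker.example."]}
"""


def address_is_owned(value):
    """True if value is an IP address inside the organisation's own ranges."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in OWNED_NETWORKS)


def analyse_event(event):
    """Return the list of reasons a change event is suspicious (empty if none)."""
    reasons = []
    key = (event["name"], event["type"])
    new_values = set(event["new"])

    # Delegation, mail routing or DNSSEC delegation changed: the highest-value targets.
    if event["type"] in ("NS", "MX", "DS"):
        if key not in BASELINE or new_values != BASELINE[key]:
            reasons.append(f"{event['type']} record for {event['name']} differs from baseline")

    # A host now resolves into address space we do not own.
    if event["type"] in ("A", "AAAA"):
        for value in new_values:
            if not address_is_owned(value):
                reasons.append(f"{event['name']} now points at non-owned address {value}")

    # Change made by an identity that is not supposed to touch DNS.
    if event["actor"] not in APPROVED_ACTORS:
        reasons.append(f"change made by unexpected actor {event['actor']!r}")

    # Change made outside the planned maintenance window.
    hour = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc).hour
    if not CHANGE_WINDOW_UTC[0] <= hour < CHANGE_WINDOW_UTC[1]:
        reasons.append(f"change at {event['ts']} is outside the change window")

    return reasons


def scan(lines):
    """Run analyse_event over JSON-lines audit records; return the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = analyse_event(event)
        if reasons:
            alerts.append({"name": event["name"], "type": event["type"], "reasons": reasons})
    return alerts


def observed_drift(observed):
    """Compare answers seen from an external resolver against BASELINE.

    observed: {(name, type): set(values)} collected by querying a public
    resolver from outside the corporate network. This catches a hijack that
    bypassed the provider entirely (a delegation changed at the registrar, or
    a BGP hijack of the authoritative servers' prefix), which leaves no trace
    in the provider's change log.
    """
    return {key: (BASELINE[key], seen) for key, seen in observed.items()
            if key in BASELINE and seen != BASELINE[key]}


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert["type"], alert["name"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The benign deploy produces no alert; the two night-time changes by `admin` each trigger three independent reasons, which is the point: a single weak signal (an odd hour) is noise, but a delegation change by an unexpected account at an unexpected time is the signature of the campaign described above and should page someone.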
Enable DNSSEC (Domain Name System Security Extensions) and zone signing
DNSSEC adds digital signatures to DNS records so that a validating recursive resolver can check that each answer it receives from an authoritative server was signed by the zone's key and has not been altered in transit, whichever server in the chain of lookups actually returned it. Trust is chained from the root: each zone's public key is authenticated by a DS record published in its parent zone (the top-level domain for a second-level domain, the root for a TLD), so the resolver can verify an answer for a signed zone without trusting the path it travelled. With many businesses handling financial, health or personal data, it is the organization's duty to protect customers from this form of attack. One limit is worth stating plainly: DNSSEC authenticates what the zone owner signs, so an attacker who has taken over the registrar account and can replace the DS record as well as the delegation is not stopped by it, which is why the access controls above come first.
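The DS-to-DNSKEY chain of trust described above, as an added example that is not from the original article. It implements the key tag and DS digest from RFC 4034 over a constructed root / `com.` / `example.com.` chain with placeholder key bytes (real DNSKEYs carry RSA or ECDSA public keys, and a resolver additionally verifies the RRSIG signatures with those keys, which this example does not do), then shows why a hijacker who redirects the delegation to their own servers, but does not hold the zone's private key, fails validation:

```python
"""DS-to-DNSKEY chain of trust, as a validating resolver checks it (RFC 4034).

Added example, not from the original article. The keys are constructed
placeholder bytes; RRSIG signature verification, the other half of DNSSEC
validation, is deliberately not implemented here.
"""
import hashlib


def wire_name(name):
    """Owner name in DNS wire format, lower-cased, as used for DS digests."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = KSK), protocol 3, algorithm, public key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key


def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata):
    """DS RDATA fields: (key tag, algorithm, digest type 2, SHA-256 digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)


def validate_chain(name, zones, trust_anchor):
    """Walk from the root down to `name`, checking each zone's served DNSKEY
    against the DS its parent publishes. Returns (ok, zones verified or error)."""
    if ds_record(".", zones["."]["dnskey"]) != trust_anchor:
        return False, ["root DNSKEY does not match the configured trust anchor"]
    verified = ["."]
    parent = "."
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        child = ".".join(labels[i:]) + "."
        ds = zones[parent]["ds"].get(child)
        if ds is None:
            return False, verified + [f"{parent} publishes no DS for {child} (insecure delegation)"]
        if child not in zones or ds_record(child, zones[child]["dnskey"]) != ds:
            return False, verified + [f"DNSKEY served for {child} does not match the DS in {parent}"]
        verified.append(child)
        parent = child
    return True, verified


def build_zones():
    """Constructed root -> com. -> example.com. chain with placeholder keys."""
    keys = {
        zone: dnskey_rdata(257, 13, hashlib.sha256(f"placeholder key {zone}".encode()).digest() * 2)
        for zone in (".", "com.", "example.com.")
    }
    zones = {zone: {"dnskey": rdata, "ds": {}} for zone, rdata in keys.items()}
    zones["."]["ds"]["com."] = ds_record("com.", keys["com."])
    zones["com."]["ds"]["example.com."] = ds_record("example.com.", keys["example.com."])
    trust_anchor = ds_record(".", keys["."])  # what the resolver is configured with
    return zones, trust_anchor


def hijacked_zones():
    """Same chain, but the DNSKEY served for example.com. has been replaced by an
    attacker who pointed the delegation at their own servers without the private key."""
    zones, trust_anchor = build_zones()
    zones["example.com."]["dnskey"] = dnskey_rdata(257, 13, b"attacker key material" * 3)
    return zones, trust_anchor


if __name__ == "__main__":
    print(validate_chain("example.com.", *build_zones()))
    print(validate_chain("example.com.", *hijacked_zones()))
```

The hijacked case fails at the last link because the DS in `com.` still commits to the legitimate key; the attacker's answers are rejected by every validating resolver, so enabling validation on the organization's own resolvers protects its users even before the zone itself is signed. If the attacker can also rewrite the DS at the registrar, the chain validates for their key, which is the caveat in the text.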
DNS is a critical technology that connects all aspects of IT infrastructure, applications and online services – everything between the server and the user – which makes it an extremely attractive target for cybercriminals. As organizations around the globe drive more aggressively toward connected, digitally transformed operations, this attack vector will grow in significance. Taking quick action to implement and maintain these basic preventative measures will be imperative in preventing attacks and keeping companies and customer data safe from cybercriminals.