Network and security administrators for organizations, service providers and domain name registrars have received another warning of the importance of securing their domain name server infrastructure.
In a column this week security reporter Brian Krebs detailed recent hijacking campaigns against DNS infrastructure that are siphoning huge volumes of email passwords and other sensitive data from governments and private companies by temporarily capturing network traffic. The bulk of the attacks so far have centered in the Middle East. However, North American organizations should also be aware of the danger.
It is serious enough that in January the U.S. Department of Homeland Security issued a rare emergency directive ordering all U.S. federal civilian agencies to secure the login credentials for their Internet domain records, Krebs notes.
Domain name servers translate domain names (like itworldcanada.com) into numeric Internet addresses. Hijack a domain and all the traffic — including VPN traffic — that runs under the subdomains can be diverted to another address. Compromise a top-level domain for a government and the result can be catastrophic.
How the domains are taken over isn’t clear. In a December, 2018 posting, Cisco Systems’ Talos intelligence service said initial attacks involved a copy of a legitimate document from the website of Canada’s Suncor Energy, but this document included a malicious macro. Ultimately a remote access tool would be downloaded that will lead to a DNS infection.
In January, FireEye released a follow-up report describing the attacks as “DNS hijacking at scale.” It also notes that the attack is achieved by logging into the DNS provider’s administration panel with previously compromised credentials, as well as forged certificates.
Then Crowdstrike published a blog listing virtually every Internet address known to be (ab)used by the espionage campaign to date.
Undoubtedly the attack could in part be checked if DNS administrators use multi-factor authentication to protect their login credentials.
As Krebs points out, there’s another defence for DNS hijacking: DNSSEC (DNS Security Extensions), which protects applications from using forged or manipulated DNS data by requiring that all DNS queries for a given domain or set of domains be digitally signed.
However, DNSSEC has to be configured right by a service provider and its customers. Even then, Krebs writes, one source estimates only about 20 percent of the world’s major networks and Web sites have enabled it.
Krebs discovered that one victimized provider admitted attackers targeted company servers that were not DNSSEC protected. A third system that was protected was compromised when attackers were able to briefly disable the safeguard because they already had access to its registrar’s systems and obtain SSL certificates for two internal email servers. For some reason the hacker failed to press their attack or they could have made off with more information.
Krebs also notes that DNS monitoring services apparently didn’t catch these attacks.
So what should CISOs do? Krebs quotes John Crain, chief security, stability and resiliency officer at ICANN, which oversees the global domain name industry offering this advice:
-Use DNSSEC (both signing zones and validating responses);
-Use registration features like Registry Lock that can help protect domain names records from being changed;
-Use access control lists for applications, Internet traffic and monitoring;
-Use two-factor authentication, and require it to be used by all relevant users and subcontractors;
-In cases where passwords are used, pick unique passwords and consider password managers;
-Review accounts with registrars and other providers;
-Monitor certificates through logs or other processes.
