How to protect against the new wave of sophisticated DNS attacks

Network and security administrators for organizations, service providers and domain name registrars have received another warning of the importance of securing their domain name server infrastructure.

In a column this week security reporter Brian Krebs detailed recent hijacking campaigns against DNS infrastructure that are siphoning huge volumes of email passwords and other sensitive data from governments and private companies by temporarily capturing network traffic. The bulk of the attacks so far have centered in the Middle East. However, North American organizations should also be aware of the danger.

It is serious enough that in January the U.S. Department of Homeland Security issued a rare emergency directive ordering all U.S. federal civilian agencies to secure the login credentials for their Internet domain records, Krebs notes.

Domain name servers translate domain names (like itworldcanada.com) into numeric Internet addresses. Hijack a domain and all the traffic — including VPN traffic — that runs under the subdomains can be diverted to another address. Compromise a top-level domain for a government and the result can be catastrophic.

How the domains are taken over isn’t clear. In a December, 2018 posting, Cisco Systems’ Talos intelligence service said initial attacks involved a copy of a legitimate document from the website of Canada’s Suncor Energy, but this document included a malicious macro. Ultimately a remote access tool would be downloaded that will lead to a DNS infection.

In January, FireEye released a follow-up report describing the attacks as “DNS hijacking at scale.” It also notes that the attack is achieved by logging into the DNS provider’s administration panel with previously compromised credentials, as well as forged certificates.

Then Crowdstrike published a blog  listing virtually every Internet address known to be (ab)used by the espionage campaign to date.

Undoubtedly the attack could in part be checked if DNS administrators use multi-factor authentication to protect their login credentials.

As Krebs points out, there’s another defence for DNS hijacking: DNSSEC (DNS Security Extensions), which protects applications from using forged or manipulated DNS data by requiring that all DNS queries for a given domain or set of domains be digitally signed.

However, DNSSEC has to be configured right by a service provider and its customers. Even then, Krebs writes, one source estimates only about 20 percent of the world’s major networks and Web sites have enabled it.

Krebs discovered that one victimized provider admitted attackers targeted company servers that were not DNSSEC protected. A third system that was protected was compromised when attackers were able to briefly disable the safeguard because they already had access to its registrar’s systems and obtain SSL certificates for two internal email servers. For some reason the hacker failed to press their attack or they could have made off with more information.

Krebs also notes that DNS monitoring services apparently didn’t catch these attacks.

So what should CISOs do? Krebs quotes John Crain, chief security, stability and resiliency officer at ICANN, which oversees the global domain name industry offering this advice:

-Use DNSSEC (both signing zones and validating responses);

-Use registration features like Registry Lock that can help protect domain names records from being changed;

-Use access control lists for applications, Internet traffic and monitoring;

-Use two-factor authentication, and require it to be used by all relevant users and subcontractors;

-In cases where passwords are used, pick unique passwords and consider password managers;

-Review accounts with registrars and other providers;

-Monitor certificates through logs or other processes.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now