According to the National Cybersecurity and Communications Integration Center (NCCIC), a DNS (Domain Name System) infrastructure hijacking campaign is currently underway. By modifying the location to which an organization's domain names resolve, that is, where internet-style names are converted to IP addresses, an attacker can redirect user traffic to attacker-controlled infrastructure. If an attacker gains access using compromised credentials, goes unnoticed and obtains valid encryption certificates for the organization's domains, a "man-in-the-middle" attack can be launched.
According to Norton, a man-in-the-middle attack is like eavesdropping: when data is sent between a computer and a server, a cyber criminal can get in between and spy.
An extract of the open source indicators of compromise can be seen below:
How attackers intercept and redirect mail and web traffic:
a) The attacker compromises the credentials of a user account that can make changes to DNS records.
b) Once inside, the attacker alters DNS records such as Address (A), Mail Exchange (MX) or Name Server (NS), replacing the valid address with an address the attacker controls. User traffic is directed to the attacker's infrastructure for manipulation or inspection before being passed on to the legitimate service (if the attacker chooses).
c) The attacker can not only set DNS record values but also obtain valid encryption certificates for the organization's domain names. Redirected traffic can then be decrypted, exposing user-submitted data. Since the certificate is valid for the domain, end users do not receive any error warnings.
The following best practices have been recommended by the NCCIC to help safeguard networks:
- Passwords for accounts that can change DNS records should be updated regularly.
- Multi-factor authentication should be enabled on domain registrar accounts and on any other systems used to modify DNS records.
- Public DNS records should be audited to ensure they resolve to the intended location.
- Search for encryption certificates related to the organization's domains and revoke any fraudulently requested certificates.
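A defender-side check for the DNS audit recommendation above (an added example, not part of the NCCIC alert): it compares a stored baseline of A, MX and NS answers with what the public resolvers currently return and flags any record that drifted. The `name type value` input format, the `example.com` records and the 203.0.113.x/198.51.100.x addresses are constructed for the example.

```python
"""Compare public DNS answers with an expected baseline (added example, not
from the NCCIC alert). Lines are in a constructed 'name type value' format,
as a wrapper around `dig +short` might emit for each audited record."""
from collections import defaultdict

# Record types whose silent change redirects web or mail traffic.
HIGH_RISK_TYPES = {"A", "AAAA", "MX", "NS"}


def normalise(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so spellings compare equal."""
    return name.strip().lower().rstrip(".")


def parse_records(text: str) -> dict:
    """Parse 'name type value...' lines into {(name, type): {values}}."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        name, rtype, *value = line.split()
        # MX values carry a numeric priority; normalise only the host part.
        value = [v if v.isdigit() else normalise(v) for v in value]
        records[(normalise(name), rtype.upper())].add(" ".join(value))
    return records


def audit(baseline_text: str, observed_text: str) -> list:
    """Return (severity, kind, name, type, value) tuples for each deviation.
    'unexpected' = value served now but absent from the baseline (the hijack
    signal described in the alert); 'missing' = baseline value no longer served."""
    baseline, observed = parse_records(baseline_text), parse_records(observed_text)
    findings = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        severity = "high" if rtype in HIGH_RISK_TYPES else "medium"
        key = (name, rtype)
        for value in sorted(observed[key] - baseline[key]):
            findings.append((severity, "unexpected", name, rtype, value))
        for value in sorted(baseline[key] - observed[key]):
            findings.append((severity, "missing", name, rtype, value))
    return findings


# Constructed sample: a second MX record now points outside the organisation.
BASELINE = """example.com. A  203.0.113.10
example.com. MX 10 mail.example.com.
example.com. NS ns1.example.com."""
OBSERVED = BASELINE + "\nexample.com. MX 5 relay.198-51-100-7.invalid.  # new"

print(*audit(BASELINE, OBSERVED), sep="\n")
```

Feeding it the real zone's answers (one `dig +short` per record type, written in the same line format) turns the baseline into a scheduled drift alarm; a "high" finding on MX or NS is the case the alert describes.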
Source: