About Me

Hello, my name is Ian Ali. I am a Lead IT Security Consultant with RRIT Security Consultants Inc. Over the next while I am going to review technical IT security articles and break them down for non-technical and technical readers alike, so everyone can understand what they need to do to stay safe online.

Wednesday 30 January 2019

DNS Infrastructure Hijacking Campaign



According to the National Cybersecurity and Communications Integration Center (NCCIC), a DNS (domain name system) infrastructure hijacking campaign is currently underway. An attacker can redirect user traffic to attacker-controlled infrastructure by modifying the location to which an Organization's domain names resolve, that is, the point where internet-style names are converted to IP addresses. If an attacker gains access using compromised credentials, goes unnoticed, and obtains valid encryption certificates for the Organization's domain names, a "man-in-the-middle" attack can be launched.

According to Norton, a man-in-the-middle attack is like eavesdropping: when data is sent between a computer and a server, a cyber criminal can get in between and spy.

An extract of the open source indicators of compromise can be seen below:

[Indicator-of-compromise extract not reproduced in this copy]
How attackers intercept and redirect mail and web traffic:

a) The attacker compromises the credentials of a user account that can make changes to DNS records.
b) Once inside, the attacker alters DNS records such as Address (A), Mail Exchange (MX) or Name Server (NS), replacing the valid address with one the attacker controls. User traffic is directed to the attacker's infrastructure for manipulation/inspection before (if they choose) being passed on to the legitimate service.
c) The attacker can not only set DNS record values but also obtain valid encryption certificates for the Organization's domain names. Redirected traffic can then be decrypted, exposing user-submitted data. Since the certificate is valid for the domain, end users do not receive any error warnings.


The following best practices have been recommended by the NCCIC to help safeguard networks:
  • Passwords for accounts that can change DNS records should be updated regularly
  • Multi-factor authentication should be enabled on domain registrar accounts and on any other systems used to modify DNS records
  • Public DNS records should be audited to ensure they are resolving to the intended location
  • Search for encryption certificates issued for the Organization's domains and revoke any that were fraudulently requested
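As an added example (not from the NCCIC alert or this post), the script below shows what the two audit recommendations above look like in practice: it compares a known-good baseline of A/MX/NS records against an observed snapshot and flags any altered value, and it flags certificates for the Organization's names that were issued by a CA the Organization does not use. All names, addresses, issuers and log entries are constructed placeholders; in a real audit the observed records would come from a resolver query and the certificate list from a Certificate Transparency search.

```python
# Added example: defender-side audit of public DNS records and issued certificates.
# All data below is constructed for illustration and runs offline.

BASELINE = {  # constructed known-good records for a fictional organisation
    ("example.org", "A"):      {"192.0.2.10"},
    ("example.org", "MX"):     {"10 mail.example.org."},
    ("example.org", "NS"):     {"ns1.example.org.", "ns2.example.org."},
    ("mail.example.org", "A"): {"192.0.2.25"},
}

OBSERVED = {  # constructed snapshot in which the mail host's A record was altered
    ("example.org", "A"):      {"192.0.2.10"},
    ("example.org", "MX"):     {"10 mail.example.org."},
    ("example.org", "NS"):     {"ns1.example.org.", "ns2.example.org."},
    ("mail.example.org", "A"): {"198.51.100.7"},
}

APPROVED_ISSUERS = {"Example Corporate CA"}  # CAs the organisation actually uses

CT_ENTRIES = [  # constructed Certificate Transparency style entries
    {"issuer": "Example Corporate CA", "names": ["example.org", "mail.example.org"]},
    {"issuer": "Some Public CA", "names": ["mail.example.org"]},
]


def audit_dns(baseline, observed):
    """Return one finding per record whose observed values differ from the baseline.
    An unexpected value is the signature of a rewritten record (step b above);
    a missing value may mean a legitimate record was removed."""
    findings = []
    for key, expected in sorted(baseline.items()):
        seen = observed.get(key, set())
        if seen != expected:
            findings.append({"name": key[0], "type": key[1],
                             "unexpected": sorted(seen - expected),
                             "missing": sorted(expected - seen)})
    return findings


def audit_certs(entries, approved_issuers, owned_domain):
    """Flag certificates covering the organisation's names but issued by a CA it
    does not use (step c above); these are candidates for revocation."""
    def owned(name):
        return name == owned_domain or name.endswith("." + owned_domain)
    return [e for e in entries
            if any(owned(n) for n in e["names"]) and e["issuer"] not in approved_issuers]


if __name__ == "__main__":
    for f in audit_dns(BASELINE, OBSERVED):
        print(f"DNS {f['type']} {f['name']}: unexpected={f['unexpected']} missing={f['missing']}")
    for c in audit_certs(CT_ENTRIES, APPROVED_ISSUERS, "example.org"):
        print(f"CERT issued by {c['issuer']!r} for {c['names']} -> verify and revoke if fraudulent")
```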
Source: