
FireEye’s Mandiant Incident Response and Intelligence teams discovered a huge amount of DNS hijacking that appears to have stemmed from actors with relationships to Iran. The DNS attack targeted governments, telecommunications, and internet infrastructure companies in the Middle East, North Africa, Europe, and North America. We’ve seen DNS attacks before, but this one is important due to its immense global scale. In fact, it’s so large that the Department of Homeland Security issued an alert about this campaign as of last Thursday.

DNS stands for Domain name server, and is the technology that links a computer-friendly IP address to a human-readable domain name. It’s what makes 8.8.8.8 match up to google.com. The attacks manipulate the Domain name server (DNS) records, which in turn diverts the target’s traffic through malicious servers. The attackers use several different encryption certificates and VPS hosts to avoid detection. And while evidence of attacks is minimal, FireEye suspects an actor with ties to Iran because of the IP addresses (even though that’s a “weak indicator”), as well as the motive, since the Iranian government would have lots of interest in data from these places and companies.

Mandiant says the attacks have been happening from January 2017 all the way through this month, and that the attackers are using three techniques. The first alters DNS A records. The second alters DNS NS records. The third uses one or both of those, combined with a DNS redirector. These require some sort of recon attack beforehand, such as a phishing attack to steal login creds from admins. Once the attacks are in place, an end user visiting the site in question wouldn’t be able to tell the difference, even if their login creds were being stolen during the exploit.

While it’s hard to prevent these kinds of attacks, FireEye recommends implementing 2FA on domain admin portals if you haven’t already, validating any A and NS record changes, searching for SSL certs related to the domain and revoking malicious ones, validating source IPs in logs, and conducting internal investigations to assess intrusions.
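The “validate any A and NS record changes” step above is simple to automate: snapshot the records you expect for your domains and diff them against what resolvers currently return. The script below is an added example written for this post, not code from FireEye or the original author; the domain names, IPs, and nameservers in it are constructed sample data, and in practice the `OBSERVED` dict would be filled from a real lookup.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Finding:
    domain: str
    rtype: str                      # "A" or "NS"
    unexpected: list[str] = field(default_factory=list)  # present now, not in baseline
    missing: list[str] = field(default_factory=list)     # in baseline, gone now


def _norm_ns(name: str) -> str:
    # NS data is case-insensitive and may or may not carry a trailing dot
    return name.lower().rstrip(".")


def _norm_a(addr: str) -> str:
    # canonical text form; raises ValueError on garbage so bad data is loud
    return str(ipaddress.ip_address(addr))


def check_records(baseline: dict, observed: dict) -> list[Finding]:
    """One Finding per (domain, record type) whose observed set differs.

    baseline / observed: {domain: {"A": [...], "NS": [...]}}
    A domain absent from `observed` counts as having no records, so its
    whole baseline is reported as missing (a lookup failure deserves a look).
    """
    norms = {"A": _norm_a, "NS": _norm_ns}
    findings = []
    for domain, expected in baseline.items():
        seen = observed.get(domain, {})
        for rtype, norm in norms.items():
            want = {norm(v) for v in expected.get(rtype, [])}
            got = {norm(v) for v in seen.get(rtype, [])}
            if want != got:
                findings.append(Finding(domain, rtype,
                                        unexpected=sorted(got - want),
                                        missing=sorted(want - got)))
    return findings


# Constructed sample data: a known-good baseline, then a later observation in
# which one host's A record and one host's NS set point somewhere new.
NS_OK = ["ns1.example.test.", "ns2.example.test."]
BASELINE = {"mail.example.test": {"A": ["198.51.100.10"], "NS": NS_OK},
            "vpn.example.test":  {"A": ["198.51.100.20"], "NS": NS_OK}}
OBSERVED = {"mail.example.test": {"A": ["203.0.113.7"], "NS": ["NS1.example.test", "ns2.example.test"]},
            "vpn.example.test":  {"A": ["198.51.100.20"], "NS": ["ns1.example.test", "ns-attacker.invalid"]}}

if __name__ == "__main__":
    for f in check_records(BASELINE, OBSERVED):
        print(f"{f.domain} {f.rtype}: unexpected={f.unexpected} missing={f.missing}")
```

Run it on a schedule from a host that is not behind the registrar account, so a stolen admin login cannot also silence the check.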

While little is known about who is causing these incidents, it does go to show that DNS exploits are gaining in popularity with attackers.
