According to a warning from the Department of Homeland Security, a large number of DNS hijacking attacks have targeted government agencies and infrastructure providers in recent weeks.
DNS is one of the most important and yet least thought about components of the internet. The Domain Name System is a hierarchical directory that maps domain names to IP addresses, allowing us to use friendly web addresses like www.futurehosting.com. Domain names are for the benefit of human users. The internet’s routers and switches use IP addresses to route traffic around the web. Every site and app on the web relies on DNS, which makes it a juicy target for online criminals. If they can hijack a domain’s DNS, they can redirect traffic to a server under their control.
Once the attackers have control over the domain, they can intercept sensitive data sent to a business’s servers, including passwords and emails. Even worse, with control over a domain’s DNS records, attackers can create SSL certificates that browsers will consider trustworthy. There will be no browser security notification if traffic is redirected from a legitimate server to a server under the attacker’s control.
The warning, which was issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency, reveals multiple successful domain hijacking attacks against executive branch agencies. FireEye, a security company, believes that the attacks may be sponsored by Iran, but they aren’t limited to government targets and also include infrastructure providers. The same techniques are likely to be effective on any improperly secured DNS server.
According to FireEye:
“A large number of organizations have been affected by this pattern of DNS record manipulation and fraudulent SSL certificates. They include telecoms and ISP providers, internet infrastructure providers, government and sensitive commercial entities.”
The attackers appear to use standard strategies to compromise the DNS servers, including phishing attacks.
Because DNS is such an important aspect of a business’s online presence, it’s worth considering any potential security weaknesses.
- Use a secure password on your DNS administration panel and, if you manage your own DNS server, on the server itself. Secure means long, random, and unique.
- Talk to employees about the dangers of phishing attacks. It seems that several of the reported attacks against government agencies used phishing attacks against employees who had the ability to modify domain records.
- Check A and NS DNS records to make sure they point where they are supposed to.
- Check to see whether SSL certificates have been issued for your domain without your knowledge. Certificate Authorities use Certificate Transparency logs, which can be used to search for certificates issued for a specific domain.
For more information about how criminals are using DNS hijacking, take a look at the FireEye report, which details three techniques, including modification of DNS A and NS records the use of DNS redirection.
About the Matthew Davis:
Matthew works as a writer for Future Hosting, a leading provider of VPS hosting. He focuses on data news, cybersecurity, and web development topics. You can usually find his hiding behind a computer screen, searching for the next breaking news in the tech industry. For more great articles, check out FH's blog.