Organisations using the .uk domain are safe from DNS hijacking attacks, Nominet – the business responsible for the domain’s DNS – said today, after Cisco Talos reported a series of attacks that effectively hijacked and rerouted the domains of entire countries.
Talos had flagged a “highly capable and brazen” attack by a hacker group it dubbed “Sea Turtle” against 40 different organisations that involved compromising a wide range of top-level country code domains; effectively intercepting the traffic of every domain in multiple countries. The group’s primary targets were national security organisations, ministries of foreign affairs, and prominent energy organisations, it said.
(By rerouting DNS traffic, an attacker can mount a ‘man-in-the-middle’ attack against a colossal range of targets under the hijacked domain, decrypting the flow of information between internet users and the sites they think they are visiting.)
DNS Hijacking: UK is Safe, Says Nominet
Cath Goulding, Head of Cyber Security at Nominet said: “From a .UK perspective, Nominet has taken steps to ensure that the country’s top-level domain and DNS is secure from this sort of attack by applying a layered security approach. This includes two factor authentication (2FA) across our systems and Domain Lock for our registrars.
While 2FA helps verify authenticity, Domain Lock is a tool by which registrars can literally ‘lock’ domains so that no changes can be made without thorough authentication of the domain name owner via 2FA.”
She added: “For businesses that have their own DNS provisions, we would recommend checking your DNS settings manually to ensure they are still pointing to legitimate servers. The issue with this sort of attack is that it’s incredibly difficult to spot. We would recommend implementing stringent access protocols for your DNS settings, such as multi-factor authentication, as this additional layer of security makes it much harder for hackers to gain access to your systems.”
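As an added example of the manual check Goulding recommends (this is not code from the article or from Nominet), the script below compares the NS and A records a resolver returns today against a known-good baseline and flags any record set that has changed. The zone names and addresses are constructed for illustration, and the input lines follow the zone-file style that `dig` prints.

```python
# Added example (not from Nominet or the article): compare DNS records observed
# now against a recorded baseline to spot record sets that no longer point to
# the legitimate servers. Input lines use the zone-file style that `dig` prints.
from collections import defaultdict

# Constructed baseline: the records an operator saved while the zone was known good.
BASELINE = """
example.test.      3600 IN NS  ns1.legit-dns.test.
example.test.      3600 IN NS  ns2.legit-dns.test.
www.example.test.   300 IN A   192.0.2.10
mail.example.test.  300 IN A   192.0.2.20
"""

# Constructed "observed" answers: one NS has been swapped for an unknown server
# and the mail host now resolves elsewhere, mimicking a hijacked zone.
OBSERVED = """
example.test.      3600 IN NS  ns1.legit-dns.test.
example.test.      3600 IN NS  ns-b.unknown-provider.test.
www.example.test.   300 IN A   192.0.2.10
mail.example.test.  300 IN A   198.51.100.7
"""

def parse_records(text):
    """Group rdata by (owner, type); TTLs are ignored because they vary benignly."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue  # skip blank lines and dig comment lines
        owner, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        records[(owner.lower(), rtype.upper())].add(rdata.lower())
    return records

def diff_records(baseline, observed):
    """Return {(owner, type): (missing, unexpected)} for every record set that changed."""
    changes = {}
    for key in sorted(set(baseline) | set(observed)):
        expected, seen = baseline.get(key, set()), observed.get(key, set())
        if expected != seen:
            changes[key] = (expected - seen, seen - expected)
    return changes

def check_zone(baseline_text, observed_text):
    """Parse both snapshots and report the record sets that differ."""
    return diff_records(parse_records(baseline_text), parse_records(observed_text))

if __name__ == "__main__":
    for (owner, rtype), (missing, unexpected) in check_zone(BASELINE, OBSERVED).items():
        print(f"ALERT {owner} {rtype}: missing={sorted(missing)} unexpected={sorted(unexpected)}")
```

In practice the observed snapshot would be captured from more than one resolver (and from the registrar's own view of the delegation), since a hijack may only be visible from some vantage points.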
Public Sector: NCSC Offers Own DNS Service
For public sector organisations, the UK’s National Cyber Security Centre (NCSC) offers a protective DNS (PDNS) solution that it funds; this went live in 2017. Users simply need to change their current recursive DNS resolver to the NCSC PDNS server.
John Hultquist, Director of Intelligence at FireEye, noted in a response to yesterday’s Talos report: “FireEye is currently tracking several clusters of activity responsible for the manipulation of DNS records.”
Pointing to a recent FireEye blog that attributed some of this activity to Iranian actors, he added: “We suspect that other actors, and potentially other states, are behind additional unrelated intrusions involving DNS manipulation. We believe this activity included the use of stolen EPP credentials and is likely state sponsored. EPP is an underlying protocol used to manage the DNS system.
“These incidents can be very difficult to detect because evidence of record changes and SSL certificates resides outside a traditional enterprise network and the security of these systems lies with a third party. We have observed this technique used by actors of many different skill levels to support espionage, crime, hacktivism and other motives, and we anticipate that more actors will adopt this technique in the near future. Additionally, though a great deal of the activity described by TALOS focuses on the Middle East and North Africa, there is no reason to assume DNS manipulation will remain limited to any region or vertical.”