The UK government’s cybersecurity centre, the NCSC, has issued a stark warning to organisations that they need to put extra security in place or face the consequences, amid a rise in DNS hijacking attacks.
The NCSC warned this week that it has “observed various attacks which exploit the DNS system at different levels. Since the NCSC’s alert in January further activity has been observed, with victims of DNS hijacking identified across multiple regions and sectors.”
The NCSC’s warning follows attacks in May (described by Cisco’s Talos as “highly capable and brazen”) that compromised a wide range of country-code top-level domains, in effect positioning the attackers to intercept the traffic of every domain under those ccTLDs in multiple countries, in order to target national security and energy organisations.
DNS is a hierarchical delegated infrastructure that the internet uses as an address book. DNS is responsible for pointing each web browser towards the correct IP address when a user wishes to access a web domain.
Tampering with DNS in a malicious manner is known as DNS hijacking. Manipulating DNS can allow a threat actor to create malicious DNS records that can be used to set up phishing websites within an organisation’s familiar domain. DNS records can also be used to obtain SSL certificates, or an attacker can simply redirect all traffic for a site to their own IP address.
The most commonly encountered DNS attacks include payment fraud or phishing expeditions in which a threat actor has installed a rogue DNS record in front of a website and cloned the web page in order to steal money or credentials. In the IDC’s 2019 Global DNS Threat Report, the research house found that all industries are susceptible to a DNS attack.
Cybersecurity firm Avast recently noticed a Netflix styled attack that copied the login for the site.
“The source code is very short and shows that the footer links are just for show, and are just a formatted list of items that behave like links when a mouse scrolls over them. The action form contains a PHP script named “get_pay.php”, typical for phishing websites,” Avast notes.
One of the most common DNS hijacking occurrences is when a hacker gains access to a registrant’s account. These are generally taken over using the tried and trusted attack methods of credential stuffing, phishing and social engineering.
To avoid these types of attacks the NCSC is advising that organisations use Multi-Factor Authentication and regular audits with regards to account access.
It is also warning against the risk of insider attacks, saying: “It is not advisable to use individuals’ email addresses for any of the domain contacts, as this gives effective control to an individual who may leave or be absent.” Specific role accounts, such as hostmaster@, should be created to mitigate this risk.
Some registrars offer a domain or registry locking service which can, for a fee, act as an extra layer of security. These services, once engaged, prevent the domain’s registrant details and nameservers from being changed.
The NCSC warns that it is up to companies to secure their own infrastructure: “If operating your own DNS infrastructure, consider robust change control processes to manage any changes to your zone file. Ideally you should use a DNS zone file that is managed through a version control system, such as git. This will provide a backup of your DNS records, allow change-auditing and easy rollback. Enforce levels of organisational approval which is monitored before changes are made.”
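As an added example of the change-auditing the NCSC describes (this is illustrative code, not the NCSC’s guidance or any project’s tooling), the script below diffs two versions of a git-tracked zone file and ranks each change by how much traffic it could redirect, so that a reviewer sees delegation (NS) and address (A/MX/CNAME) changes before cosmetic ones. It assumes single-line BIND-style records (`name [ttl] [class] type rdata`); the sample zone, the “hijacked” changes and the `zone_at_revision` helper are constructed for illustration and use RFC 5737 documentation addresses.

```python
"""Audit changes between two versions of a DNS zone file.

Added example, not NCSC or project code. Assumes single-line BIND-style
records; parenthesised multi-line records are not handled. The sample zone
text and the changed records below are constructed for illustration.
"""
import subprocess
from collections import Counter

RECORD_TYPES = {"A", "AAAA", "NS", "MX", "CNAME", "TXT", "SOA", "SRV", "CAA", "PTR"}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "LOW": 2}


def parse_zone(text):
    """Return a Counter of (owner, type, rdata) tuples, ignoring TTL and class."""
    records = Counter()
    last_name = "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                                   # blank or $ORIGIN/$TTL directive
        fields = line.split()
        if line[0].isspace():                          # owner name inherited from previous line
            name = last_name
        else:
            name = fields.pop(0)
            last_name = name
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                              # optional TTL and class
        if not fields or fields[0].upper() not in RECORD_TYPES:
            raise ValueError(f"unparseable zone line: {raw!r}")
        rtype = fields.pop(0).upper()
        records[(name, rtype, " ".join(fields))] += 1
    return records


def severity(name, rtype):
    """Rank a change by the traffic it can redirect: delegation > addresses > other."""
    if rtype in ("NS", "SOA"):
        return "CRITICAL"                              # re-delegates the whole zone
    if rtype in ("A", "AAAA", "MX", "CNAME"):
        return "HIGH"                                  # redirects web or mail traffic
    if rtype == "TXT" and name.startswith("_acme-challenge"):
        return "HIGH"                                  # CAs validate control via this label
    return "LOW"


def diff_zones(old_text, new_text):
    """Return (removed, added) record lists; Counter arithmetic keeps duplicates honest."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    return list((old - new).elements()), list((new - old).elements())


def audit(old_text, new_text):
    """Return findings as (severity, message) tuples, highest risk first."""
    removed, added = diff_zones(old_text, new_text)
    findings = []
    for verb, recs in (("removed", removed), ("added", added)):
        for name, rtype, rdata in recs:
            findings.append((severity(name, rtype), f"{verb} {rtype} {name} -> {rdata}"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1]))
    return findings


def zone_at_revision(path, rev="HEAD~1"):
    """Fetch an earlier committed version of a git-tracked zone file (hypothetical helper)."""
    proc = subprocess.run(["git", "show", f"{rev}:{path}"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


# Constructed sample: the committed zone and a proposed change that re-delegates a
# nameserver, re-points www and adds a certificate-validation record.
OLD_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. 2019070101 7200 900 1209600 3600
@        IN NS    ns1.example.com.
@        IN NS    ns2.example.com.
@        IN A     192.0.2.10
www      IN A     192.0.2.10   ; public website
@        IN MX 10 mail.example.com.
mail     IN A     192.0.2.20
"""

NEW_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. 2019070101 7200 900 1209600 3600
@        IN NS    ns1.example.com.
@        IN NS    ns2.example.net.
@        IN A     192.0.2.10
www      IN A     198.51.100.7
@        IN MX 10 mail.example.com.
mail     IN A     192.0.2.20
_acme-challenge IN TXT "constructed-token"
"""

if __name__ == "__main__":
    for sev, msg in audit(OLD_ZONE, NEW_ZONE):
        print(f"[{sev}] {msg}")
```

Run against the two embedded versions the script prints the nameserver re-delegation first, then the `www` address change and the `_acme-challenge` record; in a real pipeline the old text would come from `zone_at_revision` (or the version control system of choice) and a CRITICAL or HIGH finding would block the change until the organisational approval the NCSC describes has been recorded.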