
NCSC Warns Over DNS Hijacking, As Frequency and Cost of Attacks Soar

"Consider robust change control processes"

By CBR Staff Writer

The UK government’s cybersecurity centre, the NCSC, has issued a stark warning to organisations that they need to put extra security in place or face the consequences, amid a rise in DNS hijacking attacks.

The NCSC warned this week that it has “observed various attacks which exploit the DNS system at different levels. Since the NCSC’s alert in January further activity has been observed, with victims of DNS hijacking identified across multiple regions and sectors.”

The NCSC’s warning follows attacks in May (described by Cisco’s Talos as “highly capable and brazen”) that compromised a wide range of top-level country code domains, effectively intercepting the traffic of every domain in multiple countries to target national security and energy organisations.

DNS is a hierarchical delegated infrastructure that the internet uses as an address book. DNS is responsible for pointing each web browser towards the correct IP address when a user wishes to access a web domain.

Tampering with DNS in a malicious manner is known as DNS hijacking. Manipulating DNS can allow a threat actor to create malicious DNS records that can be used to set up phishing websites within an organisation’s familiar domain. DNS records can also be used to obtain SSL certificates, or an attacker can simply set up a connection where all traffic to a site is redirected to their own IP address.

The most commonly encountered DNS attacks include payment or phishing exhibitions where a threat actor has installed a rogue DNS in front of a website and simulated the web page in order to steal money or credentials. In the IDC’s 2019 Global DNS Threat Report, the research house found that all industries are susceptible to a DNS attack.

Cybersecurity firm Avast recently noticed a Netflix-styled attack that copied the login page for the site.

“The source code is very short and shows that the footer links are just for show, and are just a formatted list of items that behave like links when a mouse scrolls over them. The action form contains a PHP script named “get_pay.php”, typical for phishing websites,” Avast notes.

NCSC DNS Warning Attack Mitigation

One of the most common DNS hijacking occurrences is when a hacker gains access to a registrant’s account. These accounts are generally taken over using the tried and trusted attack methods of credential stuffing, phishing and social engineering.

To avoid these types of attacks the NCSC is advising that organisations use Multi-Factor Authentication and regular audits with regards to account access.

It is also warning against the risk of insider attacks, saying: “It is not advisable to use individuals’ email addresses for any of the domain contacts, as this gives effective control to an individual who may leave or be absent.” Specific role accounts, such as hostmaster@, should be created to mitigate this risk.

Some registers offer a domain or registry locking service which can, for a fee, act as an extra layer of security. These services, once engaged, prevent domain registrant and nameservers from being changed.

The NCSC warns that it is up to companies to secure their own infrastructure: “If operating your own DNS infrastructure, consider robust change control processes to manage any changes to your zone file. Ideally you should use a DNS zone file that is managed through a version control system, such as git. This will provide a backup of your DNS records, allow change-auditing and easy rollback. Enforce levels of organisational approval which is monitored before changes are made.”
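
A sketch of the change-auditing step the NCSC describes, as an added example (not code from the NCSC or this publication): it compares two revisions of a zone file, as a version control system would hold them, and marks the record changes that should wait for approval. The zone contents, the `HIGH_RISK` set and the function names are constructed for illustration, and the parser assumes one record per line with an explicit TTL.

```python
import re

# Record types whose change moves delegation or redirects web or mail traffic.
HIGH_RISK = {"NS", "A", "AAAA", "MX", "CNAME"}

# Constructed sample revisions (documentation address ranges only).
OLD_ZONE = """\
$ORIGIN example.org.
@     3600 IN NS    ns1.example.org.
@     3600 IN MX    10 mail.example.org.
www   300  IN A     192.0.2.10
mail  300  IN A     192.0.2.25
"""

NEW_ZONE = """\
$ORIGIN example.org.
@     3600 IN NS    ns1.example.org.
@     3600 IN MX    10 mail.example.org.
www   300  IN A     198.51.100.7   ; changed
mail  300  IN A     192.0.2.25
login 300  IN A     198.51.100.7
"""

RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")

def parse_zone(text):
    """Return a set of (name, type, rdata) tuples; TTL-only edits are ignored."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments (simplified)
        if not line or line.startswith("$"):   # skip blanks and directives
            continue
        m = RECORD.match(line)
        if m:
            name, _ttl, rtype, rdata = m.groups()
            records.add((name, rtype, " ".join(rdata.split())))
    return records

def review_changes(old_text, new_text):
    """Return sorted (action, name, type, rdata, needs_approval) tuples."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    changes = [("removed", *r) for r in old - new]
    changes += [("added", *r) for r in new - old]
    return sorted(c + (c[2] in HIGH_RISK,) for c in changes)

if __name__ == "__main__":
    for action, name, rtype, rdata, flag in review_changes(OLD_ZONE, NEW_ZONE):
        label = "APPROVAL" if flag else "info"
        print(f"{label:8} {action:7} {name} {rtype} {rdata}")
```
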
