Hackers are targeting Domain Name System (DNS) infrastructure with a global hijacking campaign across all sectors, according to a new alert from the Department of Homeland Security National Cybersecurity and Communications Integration Center.
The cybercriminals are using compromised credentials to modify the location where the victim organization’s domain name resources resolve. This allows the hacker to redirect user traffic to an attacker-controlled infrastructure and obtain valid encryption certificates for the victim organization’s domain names.
This results in Man-in-the-Middle (MITM) attacks, in which the hacker secretly relays and potentially alters communications. Researchers also found that, during these attacks, the hackers accessed some of the victims’ infrastructure, and that the hackers had been involved in past cyber-espionage attacks.
The alert is based on a new report from FireEye researchers who first discovered the campaign. The “wave of DNS hijacking” has impacted government, telecommunications, sensitive commercial, and internet infrastructure companies. The researchers noted the scope and impact of this attack is massive.
Rather than relying only on spear-phishing campaigns to obtain email login credentials, the hackers use DNS attacks to redirect the organization’s internet traffic and steal the desired data.
The researchers said this is accomplished through three complex methods: changing the DNS records for the victim’s mail server so that they point to the hacker’s server, modifying legitimate DNS records, and a third method that combines the other two with the addition of an “attacker operations box.”
“While the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim's domain registrar account,” the researchers wrote.
“This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success,” the researchers wrote. The researchers have tracked the activity for months, mapping the attack’s tactics, while working closely with victims, law enforcement and other security firms.
“Attribution analysis for this activity is ongoing,” the researchers added. “While the DNS record manipulations described in this post are noteworthy and sophisticated, they may not be exclusive to a single threat actor as the activity spans disparate timeframes, infrastructure, and service providers.”
In fact, the activity has been ongoing for the last two years, and there are multiple, nonoverlapping groups of actor-controlled domains and IPs involved in it. The researchers also noted that the range of victims is wide.
The hackers are suspected to be from Iran. The Department of Justice recently indicted two Iranian hackers, who were behind the notorious SamSam ransomware attacks that pummeled the healthcare sector throughout 2018.
DHS said it recommends organizations review FireEye’s analysis to gain technical insight into the threat. Further, IT leaders should implement multifactor authentication on domain registrar accounts or on other systems used to modify DNS records.
Organizations should also verify that their DNS infrastructure resolves to the correct Internet Protocol addresses or hostnames, search for encryption certificates issued for their domains, and revoke any fraudulently requested certificates.
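The two verification steps just listed (confirm that DNS answers still match what the organization intended, and look for certificates issued for its names that it never requested) lend themselves to a routine check. The script below is an added example, not code from the DHS alert or from FireEye: it parses `dig`-style answer lines, compares them against an operator-maintained baseline kept outside the registrar account, and filters a list of certificate-transparency entries for issuers the organization does not use. All domain names, addresses, issuer names and the sample answers are constructed placeholders (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges); a real deployment would feed it live resolver output and a CT log search result in the same shape.

```python
"""Detect DNS record drift against an approved baseline and flag certificate
issuances the organization did not request. Added example, not from the DHS
alert or the FireEye report; every value below is a constructed placeholder."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Hypothetical approved records for the zone, kept under change control and
# outside the registrar/DNS-provider account so a stolen credential cannot
# also rewrite the reference copy.
BASELINE = {
    ("example.org.", "A"): {"198.51.100.10"},
    ("example.org.", "MX"): {"10 mail.example.org."},
    ("example.org.", "NS"): {"ns1.example.org.", "ns2.example.org."},
    ("mail.example.org.", "A"): {"198.51.100.25"},
}

# Constructed answer lines in `dig` format, as an external resolver currently
# returns them. The mail host's A record has been repointed to a stand-in for
# attacker-controlled infrastructure (the redirection scenario in the alert).
OBSERVED_ANSWERS = """\
example.org.        300 IN A  198.51.100.10
example.org.        300 IN MX 10 mail.example.org.
example.org.        300 IN NS ns1.example.org.
example.org.        300 IN NS ns2.example.org.
mail.example.org.   300 IN A  203.0.113.7
"""

# Constructed certificate-transparency entries in the shape of a CT search
# result. Only the CA the organization actually uses is approved.
APPROVED_ISSUERS = {"C=US, O=Example Trust CA (placeholder)"}
CT_ENTRIES = [
    {"issuer": "C=US, O=Example Trust CA (placeholder)", "not_before": "2018-06-01",
     "names": ["example.org", "www.example.org"]},
    {"issuer": "C=XX, O=Unapproved Issuer (placeholder)", "not_before": "2019-01-10",
     "names": ["mail.example.org"]},
]


@dataclass(frozen=True)
class Deviation:
    name: str
    rtype: str
    unexpected: frozenset  # answers observed but absent from the baseline
    missing: frozenset     # baseline answers that no longer appear


def parse_answers(text):
    """Parse 'name ttl IN type rdata' lines into {(name, type): {rdata, ...}}."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank line, comment, or not a resource record
        name, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        records[(name, rtype)].add(rdata)
    return dict(records)


def compare_records(baseline, observed):
    """One Deviation per (name, type) whose observed answer set differs from the
    baseline; a baseline record that is entirely absent is reported as missing."""
    deviations = []
    for key, expected in sorted(baseline.items()):
        seen = observed.get(key, set())
        if seen != expected:
            deviations.append(Deviation(key[0], key[1],
                                        frozenset(seen - expected),
                                        frozenset(expected - seen)))
    return deviations


def unexpected_certificates(entries, approved_issuers, since_iso):
    """Certificates for our names issued by a non-approved CA on or after
    `since_iso` (YYYY-MM-DD); these are candidates for revocation."""
    since = date.fromisoformat(since_iso)
    return [e for e in entries
            if e["issuer"] not in approved_issuers
            and date.fromisoformat(e["not_before"]) >= since]


if __name__ == "__main__":
    for d in compare_records(BASELINE, parse_answers(OBSERVED_ANSWERS)):
        print(f"DRIFT {d.name} {d.rtype}: unexpected={sorted(d.unexpected)} "
              f"missing={sorted(d.missing)}")
    for c in unexpected_certificates(CT_ENTRIES, APPROVED_ISSUERS, "2018-01-01"):
        print(f"REVIEW certificate for {c['names']} issued by {c['issuer']} "
              f"on {c['not_before']}")
```

Querying from several external resolvers rather than the organization's own is the useful habit here: the alert's attacks change what the world sees at the registrar or authoritative server, so an internal view can look perfectly healthy while external clients are already being redirected.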