CERT mailing list archives

AA19-024A: DNS Infrastructure Hijacking Campaign


From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Thu, 24 Jan 2019 15:31:50 -0600

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:



AA19-024A: DNS Infrastructure Hijacking Campaign [ https://www.us-cert.gov/ncas/alerts/AA19-024A ] 01/24/2019 03:01 PM EST
Original release date: January 24, 2019

Summary

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure 
Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using 
compromised credentials, an attacker can modify the location to which an organization's domain name resources resolve. 
This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption 
certificates for an organization's domain names, enabling man-in-the-middle attacks.

See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in 
the References section below:


  * IOCs (.csv) [ https://www.us-cert.gov/sites/default/files/publications/AA19-024_IOCs.csv ] 
  * IOCs (.stix) [ https://www.us-cert.gov/sites/default/files/publications/AA19-024_IOCs.stix.xml ] 

These files will be updated as information becomes available.

Technical Details

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for 
other networked services.


  * The attacker begins by compromising, or obtaining through alternate means, the credentials of a user account that 
can make changes to DNS records. 
  * Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, 
replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user 
traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, 
should they choose. This creates a risk that persists beyond the period of traffic redirection. 
  * Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an 
organization's domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since 
the certificate is valid for the domain, end users receive no error warnings. 

Mitigations

NCCIC recommends the following best practices to help safeguard networks against this threat:


  * Update the passwords for all accounts that can change the organization's DNS records. 
  * Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records. 
  * Audit public DNS records to verify they are resolving to the intended location. 
  * Search for encryption certificates related to domains and revoke any fraudulently requested certificates. 
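The two audit steps above (verify that public DNS records resolve to the intended location, and look for certificates that the organization did not request) can be turned into a repeatable check. The following is an added example written for this alert; it is not US-CERT tooling, and every hostname, address, serial number and certificate entry in it is constructed sample data. It assumes an expected baseline kept under change control, resolver answers in the form `dig +short` prints them, and certificate-log entries shaped like the JSON that crt.sh returns (`name_value`, `issuer_name`, `not_before`, `serial_number`), which is an assumption about that service's output format.

```python
"""Audit public DNS answers against an expected baseline and flag certificate
log entries the organization has no record of requesting.

Added example for alert AA19-024A; not US-CERT code. All hosts, addresses,
serials and log entries below are constructed sample data.
"""

# Expected baseline: what each record set SHOULD contain. In practice this is
# taken from change-controlled configuration, never from a live lookup.
EXPECTED = {
    ("example.com", "A"): {"192.0.2.10"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("example.com", "NS"): {"ns1.example.com.", "ns2.example.com."},
}

# Constructed resolver output, in the text form `dig +short <name> <type>`
# prints. The MX answer carries an extra, unrecognised relay, which is the
# kind of change this campaign made.
DIG_OUTPUT = {
    ("example.com", "A"): "192.0.2.10\n",
    ("example.com", "MX"): "10 mail.example.com.\n5 mx.unverified-host.example.net.\n",
    ("example.com", "NS"): "ns2.example.com.\nns1.example.com.\n",
}

# Serial numbers of certificates the organization itself requested (constructed).
KNOWN_SERIALS = {"0a1b2c3d", "0a1b2c3e"}

# Constructed certificate-log entries using crt.sh-style field names (assumed).
CT_ENTRIES = [
    {"name_value": "www.example.com", "issuer_name": "C=US, O=Example CA",
     "not_before": "2018-12-01T00:00:00", "serial_number": "0a1b2c3d"},
    {"name_value": "mail.example.com", "issuer_name": "C=US, O=Example CA",
     "not_before": "2018-12-15T00:00:00", "serial_number": "0a1b2c3e"},
    {"name_value": "mail.example.com", "issuer_name": "C=US, O=Other CA",
     "not_before": "2019-01-10T00:00:00", "serial_number": "ffee0099"},
]


def parse_dig_short(output):
    """Turn `dig +short` text into a set of answer strings (one per line)."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def audit_records(expected, observed):
    """Compare observed answer sets to the baseline.

    Returns a list of (name, type, problem, detail) tuples; an empty list
    means every record set matches exactly.
    """
    findings = []
    for (name, rtype), want in expected.items():
        got = observed.get((name, rtype))
        if got is None:
            findings.append((name, rtype, "missing", []))
            continue
        unexpected = got - want   # values pointing somewhere we did not intend
        absent = want - got       # legitimate values that have been removed
        if unexpected:
            findings.append((name, rtype, "unexpected", sorted(unexpected)))
        if absent:
            findings.append((name, rtype, "absent", sorted(absent)))
    return findings


def suspicious_certificates(entries, known_serials):
    """Return log entries whose serial the organization has no record of.

    Such certificates are candidates for revocation once confirmed fraudulent.
    """
    return [e for e in entries if e["serial_number"] not in known_serials]


def run_audit():
    """Parse the constructed resolver output and run both checks."""
    observed = {key: parse_dig_short(text) for key, text in DIG_OUTPUT.items()}
    return audit_records(EXPECTED, observed), suspicious_certificates(CT_ENTRIES, KNOWN_SERIALS)


if __name__ == "__main__":
    dns_findings, cert_findings = run_audit()
    for name, rtype, problem, detail in dns_findings:
        print(f"DNS {name} {rtype}: {problem} {detail}")
    for entry in cert_findings:
        print(f"CERT {entry['name_value']} serial {entry['serial_number']} "
              f"issued by {entry['issuer_name']} on {entry['not_before']}: not in issuance records")
```

To use this against real zones, replace `DIG_OUTPUT` with the text of `dig +short` queries run from outside the organization's network (so the answers reflect what the public sees), and feed `suspicious_certificates` the JSON list returned by the certificate-log service for the domain. Comparing as sets makes answer order irrelevant, so the NS records above match even though the resolver returned them in a different order.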

References

  * Cisco Talos: DNSpionage Campaign Targets Middle East [ https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html ] 
  * CERT-OPMD: [DNSPIONAGE] Focus on internal actions [ https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/ ] 
  * FireEye: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale [ https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html ] 

Revisions

  * January 24, 2019: Initial version 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.


A copy of this publication is available at www.us-cert.gov [ https://www.us-cert.gov ]. If you need help or have 
questions, please send an email to info () us-cert gov. Do not reply to this message since this email was sent from a 
notification-only address that is not monitored. To ensure you receive future US-CERT products, please add US-CERT () 
ncas us-cert gov to your address book. 
