Following recent reports about mass-scale attacks aimed at modifying Domain Name System records, the UK’s National Cyber Security Centre (NCSC) released an advisory with mitigation options for organizations to defend against this type of threat.
The Domain Name System (DNS) is the service responsible for pointing the web browser to the right IP address when we navigate to a web domain.
DNS hijacking, altering DNS settings for malicious purposes, paves the way to a host of grim possibilities. From a user’s perspective, chief among them are phishing and traffic interception, while organizations can suffer a much harder blow that could translate into losing control over a domain.
Thousands of victims
There have been several reports of DNS-hijacking attacks targeting consumers for financial rewards, or various organizations for cyber-espionage.
A report this week with telemetry data from Avast reveals that between February and June at least 180,000 users in Brazil had their routers compromised and the DNS settings altered.
And by the end of March, the antivirus had blocked more than 4.6 million cross-site request forgery (CSRF) attempts that would have changed the DNS settings on the routers.
Researchers at Ixia have also been tracking DNS-hijacking campaigns targeting consumer-grade routers. They noticed a wave in early April that aimed at redirecting victims to fake pages for services such as Gmail, PayPal, Uber, and Netflix, among others from financial institutions and web hosting providers.
Last week, Cisco Talos published an analysis on renewed activity from Sea Turtle, a threat actor that uses DNS hijacking for cyber-espionage purposes; the end result was to redirect victims to attacker-controlled servers.
In a campaign lasting for at least two years, Sea Turtle targeted organizations mainly in the Middle East and North Africa by compromising the third-party entities (telcos, ISPs, IT companies, domain registrar) responsible for DNS services used by its victims.
Fighting the DNS-hijacking risk
The UK’s NCSC published a document on Friday outlining the risks that come with DNS hijacking attempts and offering organizations advice to protect themselves from this sort of danger.
Registrant accounts at domain registrar services are high-value targets that can be taken over through common techniques like credential stuffing, phishing, or other forms of social engineering.
As such, the NCSC recommends protection against phishing, using unique, strong passwords, and enabling multi-factor authentication when the option is available.
Regularly checking the details linked to the account and ensuring that they are up to date and point to the organization rather than an individual are good ways to prevent successful account takeover (ATO) attempts.
Restricting access to the account to only the company personnel charged with making changes reduces the risk of an intruder taking control of it.
Extra protection comes from the “registrar lock” service, available with many domain name registration services. It requires additional authentication before modifying the contact details and nameservers, or to authorize a domain transfer.
For organizations that run their own DNS infrastructure, the NCSC recommends implementing access and change control systems that provide backup and restore functions for DNS records and enforce strict access to the machines managing DNS services.
SSL monitoring and implementing Domain Name System Security Extensions (DNSSEC) specifications are also on NCSC’s list of recommendations.
While SSL monitoring helps keep an eye on the SSL certificates for a company’s domain names, DNSSEC makes sure that DNS records on the server come with cryptographic signatures.
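As an added example, not code from the NCSC advisory or the article, this is the kind of baseline check a team running its own DNS could script to back the change-control recommendation above: a trusted snapshot of the zone is compared against what is currently published, and each changed record set is rated by how much of the zone it hands over. The record sets for example.com and the hijacker nameservers are constructed sample data.

```python
from dataclasses import dataclass

# Severity by record type: an NS change hands the whole zone to whoever runs the
# new nameservers, a vanished DS record switches off DNSSEC validation, A/AAAA/MX redirect traffic.
SEVERITY = {"NS": "critical", "DS": "critical", "A": "high", "AAAA": "high", "MX": "high"}

@dataclass(frozen=True)
class Finding:
    name: str            # owner name, e.g. "www.example.com"
    rtype: str           # record type, e.g. "A"
    severity: str
    expected: frozenset  # values in the trusted baseline
    observed: frozenset  # values published now

def compare_snapshots(baseline: dict, observed: dict) -> list:
    """Return one Finding per record set that differs from the baseline.

    Both arguments map (owner_name, rtype) -> iterable of record values. Sets
    are compared, so order is irrelevant, and a record set present on only one
    side is reported too; that is how a stripped DS record shows up.
    """
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected = frozenset(baseline.get(key, ()))
        current = frozenset(observed.get(key, ()))
        if expected != current:
            name, rtype = key
            findings.append(Finding(name, rtype, SEVERITY.get(rtype, "medium"), expected, current))
    return findings

def worst_severity(findings: list) -> str:
    """Collapse the findings into a single alert level."""
    rank = {"critical": 3, "high": 2, "medium": 1}
    return max((f.severity for f in findings), key=rank.get, default="ok")

# Constructed sample data, not real records: a trusted snapshot taken when the
# zone was set up, and a later observation after a registrar-account takeover.
# Nameservers swapped, DS removed, www redirected, MX untouched.
BASELINE = {
    ("example.com", "NS"): {"ns1.example.com.", "ns2.example.com."},
    ("example.com", "DS"): {"12345 13 2 DIGEST-PLACEHOLDER"},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("www.example.com", "A"): {"192.0.2.10"},
}
OBSERVED = {
    ("example.com", "NS"): {"ns1.hijacker.invalid.", "ns2.hijacker.invalid."},
    ("example.com", "MX"): {"10 mail.example.com."},
    ("www.example.com", "A"): {"203.0.113.7"},
}
```

Feeding a fresh snapshot from the authoritative servers into `compare_snapshots` on a schedule, and paging on "critical", turns the advisory's backup-and-restore advice into a detection: the baseline is also the data needed to restore the zone.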
Such mitigations do not apply to consumers, though, who have a much smaller set of options. Keeping their devices updated with the latest firmware, checking that websites have valid certificates and verifying the DNS settings are good ways to lower the risk of falling victim to DNS hijacking.
Some network-level security solutions destined for consumer use may also block exploit attempts that could lead to unauthorized modification of DNS settings and other types of malicious activity.