The manipulation game

UPDATED A large-scale internet infrastructure hijacking campaign that uses several techniques to manipulate the DNS records of organisations worldwide has been exposed.

The DNS records of government, telco, and internet infrastructure organizations are all being hijacked in the multi-pronged campaign. Three different techniques – one of which relies (in part) on illegitimately obtained, but technically valid, SSL/TLS certificates – are at play.

Organizations across the Middle East, North Africa, Europe, and North America have all been targeted as part of the offensive, which is said to have been running for two years, since January 2017.

The attacks are geared towards harvesting sys admin credentials. Access to compromised credentials allows the unidentified hackers behind the attack to modify the addresses to which an organization’s domain names resolve. This, in turn, enables the attacker to redirect user traffic to attacker-controlled infrastructure and to obtain valid encryption certificates for the organization’s domain names, enabling man-in-the-middle attacks.

The techniques involve altering DNS A records, altering DNS NS records, or using a DNS redirector. The DNS redirector technique is used in conjunction with either of the other two approaches to carry out the hijack.
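As an added illustration of how the three techniques above show up to a defender (this is example code, not from the article or from FireEye’s report), the following Python script compares observed DNS records for an organization’s domains against a known-good baseline. It flags an A record repointed outside the organization’s own address space (technique 1), a delegation to an unexpected name server (technique 2), and answers that differ depending on the path the query takes, which is the tell-tale of a redirector sitting between the public delegation and the legitimate authoritative servers (technique 3). All domain names, IP addresses, name servers and the "observation" snapshot are constructed for illustration; in practice the snapshot would be filled from real queries to a public resolver and directly to your own authoritative servers.

```python
"""Added example: DNS hijack detector run over a constructed snapshot.
Nothing here is the article's or FireEye's own code; names, addresses and
vantage-point labels are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed baseline for a hypothetical organisation: documentation IP
# ranges (RFC 5737) and example.org names.
BASELINE = {
    "mail.example.org": {
        "A": {"203.0.113.10"},
        "NS": {"ns1.example.org.", "ns2.example.org."},
    },
    "vpn.example.org": {
        "A": {"203.0.113.20"},
        "NS": {"ns1.example.org.", "ns2.example.org."},
    },
}
# Address space the organisation actually owns (hypothetical).
OWNED_PREFIXES = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Finding:
    domain: str
    rtype: str
    detail: str


def _owned(addr: str) -> bool:
    return any(ip_address(addr) in net for net in OWNED_PREFIXES)


def check_a(domain: str, observed: set, expected: set) -> list:
    """Technique 1: an A record repointed to attacker-controlled infrastructure."""
    out = []
    for addr in sorted(observed - expected):
        where = "inside" if _owned(addr) else "outside"
        out.append(Finding(domain, "A", f"unexpected {addr} ({where} owned space)"))
    for addr in sorted(expected - observed):
        out.append(Finding(domain, "A", f"expected {addr} missing"))
    return out


def check_ns(domain: str, observed: set, expected: set) -> list:
    """Technique 2: delegation (NS) changed, typically via the registrar account."""
    return [Finding(domain, "NS", f"delegated to unexpected {ns}")
            for ns in sorted(observed - expected)]


def check_views(domain: str, views: dict) -> list:
    """Technique 3: a redirector answers differently depending on the query
    path, so compare answers gathered from several vantage points (e.g. via
    the public delegation vs. straight to your own authoritative servers)."""
    distinct = {frozenset(v) for v in views.values()}
    if len(distinct) <= 1:
        return []
    desc = "; ".join(f"{k}={sorted(v)}" for k, v in sorted(views.items()))
    return [Finding(domain, "A", f"vantage points disagree: {desc}")]


def audit(observed: dict) -> list:
    """observed[domain] = {"A": {...}, "NS": {...}, "views": {vantage: {...}}}"""
    findings = []
    for domain, exp in BASELINE.items():
        obs = observed.get(domain)
        if obs is None:
            findings.append(Finding(domain, "-", "no observation"))
            continue
        findings += check_a(domain, set(obs.get("A", ())), exp["A"])
        findings += check_ns(domain, set(obs.get("NS", ())), exp["NS"])
        findings += check_views(domain, obs.get("views", {}))
    return findings


# Constructed snapshot: mail.example.org's A record has been changed in the
# zone itself (every vantage point sees the attacker IP), while
# vpn.example.org's delegation now includes a rogue name server, so the
# public view and the legitimate authoritative servers disagree.
SAMPLE_OBSERVATION = {
    "mail.example.org": {
        "A": {"198.51.100.77"},
        "NS": {"ns1.example.org.", "ns2.example.org."},
        "views": {"public_resolver": {"198.51.100.77"},
                  "direct_authoritative": {"198.51.100.77"}},
    },
    "vpn.example.org": {
        "A": {"198.51.100.78"},
        "NS": {"ns1.example.org.", "ns-rogue.example.net."},
        "views": {"public_resolver": {"198.51.100.78"},
                  "direct_authoritative": {"203.0.113.20"}},
    },
}

if __name__ == "__main__":
    for f in audit(SAMPLE_OBSERVATION):
        print(f"{f.domain:20} {f.rtype:3} {f.detail}")
```

Run against the constructed snapshot, `audit` reports six findings: two A record anomalies for each domain, the rogue NS delegation for vpn.example.org, and the vantage-point disagreement that only the NS/redirector case produces. A clean snapshot matching the baseline yields none.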

The initial vector of the attacks has yet to be confirmed, but it’s likely to involve some form of phishing, according to a detailed technical write-up by threat intel firm FireEye.

It is difficult to identify a single intrusion vector for each record change, and it is possible that the actor, or actors, are using multiple techniques to gain an initial foothold into each of the targets described above.

FireEye intelligence customers have received previous reports describing sophisticated phishing attacks used by one actor that also conducts DNS record manipulation.

Additionally, while the precise mechanism by which the DNS records were changed is unknown, the company said it believes that at least some records were changed by compromising a victim’s domain registrar account.

“This is a widespread campaign and notable because the attacker can get access to sensitive information without ever getting inside your network perimeter,” according to Ben Read, senior manager, cyber-espionage analysis at FireEye iSIGHT Intel, one of the main security researchers behind the report.

“We’re still researching, but so far have found dozens of manipulated domains. Most are in the Middle East and North Africa, but we’ve found them in Europe and North America as well.”

“Preliminary evidence points to Iranian sponsorship, but we can’t tie to a tracked group yet,” he added.

Defending against these attacks ought to involve securing the domain registrar and DNS provider administration portals with two-factor authentication (2FA), a sensible general precaution against this type of malfeasance.

DNS hijacking attacks are a well understood threat, at least among the enterprise security savvy. It’s the scale of the latest campaign that has caused security experts particular concern.

“A very effective, and relatively simple, technique used by an attack group (possibly multiple) to compromise entities at scale. Organizations who are not actively hunting for this will probably miss it,” warned FireEye Mandiant security consultant Hussein Khalifa.

Cricket Liu, the chief DNS architect at Infoblox, told The Daily Swig: “Based on the analysis by FireEye, the techniques used to change DNS data aren’t really new: Their [hacker] techniques involve [either] using compromised credentials to change DNS data on a victim’s authoritative DNS servers or in delegation information.”

DNS – historically compared to a phone book – is the distributed naming service for the internet. It maps the domain names that users type into a browser to IP addresses. The same system is also used (via MX records) to route email.


This article has been updated to feature comments from Cricket Liu.
