The Morphus Labs warns this week about another major threat. Renato Marinho and Victor Pasknel treated a domain hijacking incident, a threat that can completely subvert your information security strategy. They give details in this article how the incident was handled and how we can prevent similar scenarios.
It’s Saturday morning and you, the CSO of a huge company, start to receive messages from various sources, including press, informing that all of your organization Internet addresses are getting visitors to fake websites offering malicious content in form of fake security modules and/or updates.
What appeared to be a website defacement attack, turned out to be something much worse. In examining more closely, you realize that cybercriminals did, in fact, the kidnapping of the entire organization domain and directed all addresses to fake websites aiming to steal information from your customers and spreading malicious code. The worst thing is that there was no action that depended exclusively on you to solve the problem immediately.
In this article, we describe the incident response to the scenario described above and how this threat, being capable to subvert your entire strategy and security investment, can be mitigated with very simple actions.
To better understanding what happened, it’s important to understand some basic DNS concepts. If you are familiar with this subject, just jump to section 3.
DNS stands for Domain Name System and works as a foundation for the Internet . All addresses names we use daily to reach Websites and other Internet services have to be translated to IP (Internet Protocol); the translation or resolution process between an internet address name and IP address is the main role of DNS Servers.
DNS Servers work as a hierarchy of sorts, where the resolution requests are passed through it to the right server that is in charge of resolving the names for a certain domain, is reached. The root of this hierarchy, that is the invisible domain dot (“.”) in the end of any Internet address, is controlled by a group of DNS Servers distributed in different places around the world. Those root DNS Servers have to know the IP address of the DNS Servers that are in charge of all Top Level Domains (TLD), like the “.com”. The “.com” DNS servers in turn, have to know the IP address of the DNS Servers that are in charge of your company’s domain name, like “yourdomain.com” and so on.
For example, when someone asks for “www.yourdomain.com.”, the request reaches the root servers (“.”) that in turn, reaches the “.com” servers, that in turn, reach your company’s DNS servers, that finally resolves the address “www” and return the correct IP address.
The TLDs are controlled and managed by registry operators, also called Network Information Center (NIC). The registry operators manage the registration of domain names within the domains for which they are responsible. So, the “.com” registry operator is the organization that will hold the configuration of the DNS Servers IP addresses that are in charge of resolving the IP address of a domain like “yourcompany.com”.
For you to register or manage a domain in any registry operator, you have to previously create an account (basically, username and password) on their web portal. This account will be used to manage the IP addresses of the DNS Servers that will point to the IP addresses of your website or e-mail servers.
Note that the access credentials to the portal operator are extremely sensitive information. Someone malicious in possession of such information would be able to change any configuration of your domains, including IP addresses of the DNS servers. In short, could hijack the Internet Domain of your company and target websites and emails to any address he wanted.
In the incident we treated at Morphus Labs, that’s exactly what happened. The bad actors stole the registry operator’s credentials and changed the primary and secondary DNS servers configuration pointing them to the criminals’ ones. After that, all the company’s customers were directed to a fake company website to download malicious content they were suggested by the fake content. We can imagine what the criminals’ strategy was had they had success spreading their malware.
Needless to say, the crooks changed the password after gaining access to the portal. In other words, they hijacked the domain and made the recovery dependable of the registry operator. “Manual” account recover is usually not easy nor fast.
Unlike the majority of cyber incidents, you have almost nothing to do in your infrastructure itself to revert the situation, like recovering backup or configurations. Like what happened in this incident, all servers were intact.
And works as the foundation of the internet “ou” and works as a foundation for the internet.
Please, revise if the meaning was kept.
Bad actors? Is this expression clear to the reader?
About the Author:
Edited by Pierluigi Paganini
(Security Affairs – Domain Hijacking, cybercrime)