What is the threat?
Organized cyber attackers have hijacked many Domain Name System (DNS) servers and manipulated them in ways that allow them to redirect traffic to and from a victim network and harvest usernames, passwords, and domain credentials for the organizations they have targeted. Attackers can accomplish this by using compromised account credentials. They can also obtain valid encryption certificates for an organization’s domain names, which exposes the organization to man-in-the-middle attacks.
Why is this noteworthy?
DNS records and certificate authorities are trusted resources and the backbone of the internet. They are owned and operated by third-party organizations. Cyber attackers can manipulate the behavior of these trusted resources and set up sophisticated attacks against unsuspecting victim organizations. This is important because it is very difficult for organizations to detect this activity, since the manipulations are carried out on infrastructure that they do not own or control.
What is the exposure or risk?
Credential leakage is the main risk of this attack, and it can happen without the organization having any indication that its credentials are being stolen.
What are the recommendations?
While it can be challenging to defend against DNS hijacking attacks, SKOUT has the following recommendations:
- Enable multi-factor authentication on your domain’s administrative portal as well as on any systems used to modify DNS records.
- SSL certificates should only be accepted if they match the domain the user is attempting to visit in the web browser. This should come through user education: users should not simply trust the “green lock” symbol in the browser’s address bar, which only shows that the connection is encrypted. If the browser displays a warning page about an unexpected SSL certificate, users should read it and should NOT proceed to the webpage.
- Revoke any fraudulent encryption certificates issued for your domains.
- Ensure that any changes to your domains’ A records and NS records are validated.
- Source IPs in OWA/Exchange logs should be validated.
- Review internally to ensure that there hasn’t been any unauthorized access to your environment.
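One way to validate A and NS records, as recommended above, is to keep a known-good baseline and compare it against what resolvers currently return, so that a swapped A record (traffic redirection) or NS record (delegation takeover) surfaces as a finding. The following is an added example written for this page, not code from SKOUT; the domain names and addresses are constructed sample values, the `BASELINE` layout is an assumption, and the live NS lookup relies on the third-party dnspython library (`dns.resolver.resolve`), which is optional here.

```python
"""Baseline check for a domain's A and NS records.

Added example, not code from the SKOUT advisory. It compares the records a
resolver currently returns with a known-good baseline the defender maintains
and reports every addition or removal. All names and addresses below are
constructed sample values.
"""
import socket
from typing import Dict, List, Set

try:
    import dns.resolver  # dnspython, optional: needed only for live NS lookups
except ImportError:
    dns = None

# name -> record type -> set of expected values
Records = Dict[str, Dict[str, Set[str]]]

# Constructed baseline: what the organisation expects its records to contain.
BASELINE: Records = {
    "mail.example.com.": {
        "A": {"203.0.113.10"},
        "NS": {"ns1.example.com.", "ns2.example.com."},
    },
}


def diff_records(baseline: Records, observed: Records) -> List[str]:
    """Return one finding per way `observed` departs from `baseline`.

    An empty list means every baselined record was seen exactly as expected.
    Values seen but not baselined are reported (possible hijack), and so are
    baselined values that were not seen (record removed or answer tampered).
    """
    findings: List[str] = []
    for name, expected in baseline.items():
        seen = observed.get(name, {})
        for rtype, want in expected.items():
            got = set(seen.get(rtype, set()))
            for value in sorted(got - want):
                findings.append(f"{name} {rtype}: unexpected value {value}")
            for value in sorted(want - got):
                findings.append(f"{name} {rtype}: expected value {value} missing")
    return findings


def resolve_a(name: str) -> Set[str]:
    """Live A-record lookup using only the standard library."""
    try:
        _, _, addresses = socket.gethostbyname_ex(name.rstrip("."))
    except socket.gaierror:
        return set()
    return set(addresses)


def resolve_ns(name: str) -> Set[str]:
    """Live NS-record lookup; requires dnspython."""
    if dns is None:
        raise RuntimeError("install dnspython to query NS records")
    try:
        answer = dns.resolver.resolve(name, "NS")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return set()
    return {str(rdata.target) for rdata in answer}


def observe(baseline: Records) -> Records:
    """Query the live resolver for every name/type present in the baseline.

    Query from more than one vantage point in practice: a hijack of the
    authoritative zone is visible everywhere, but a poisoned local cache is not.
    """
    observed: Records = {}
    for name, expected in baseline.items():
        observed[name] = {}
        if "A" in expected:
            observed[name]["A"] = resolve_a(name)
        if "NS" in expected:
            observed[name]["NS"] = resolve_ns(name)
    return observed


if __name__ == "__main__":
    for finding in diff_records(BASELINE, observe(BASELINE)) or ["no drift detected"]:
        print(finding)
```

Run it on a schedule and alert on any non-empty result; because the comparison is against a baseline rather than against yesterday's answer, a change that persists across runs keeps firing instead of silently becoming the new normal.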
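For the recommendation to validate source IPs in OWA/Exchange logs, the check below compares the address on each successful login against the ranges the organisation expects logins to come from. This is an added example for this page, not SKOUT's code: the log layout is a constructed, simplified W3C-style format (date, time, client IP, username, URI, status) chosen only to illustrate the logic, the convention that status 200 on `/owa/auth.owa` marks a successful login is part of that constructed format, and all addresses, usernames and ranges are sample values. `parse_line()` would need to be adapted to the fields your actual IIS/Exchange logs contain.

```python
"""Flag OWA logins from source addresses outside the organisation's known ranges.

Added example, not code from the SKOUT advisory. Log format, addresses and
usernames are constructed for illustration.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed allow-list of networks logins are expected from (office egress,
# VPN pool). A successful login from anywhere else deserves a second look.
EXPECTED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample lines: two normal logins, one success from an unexpected
# address, one failed attempt from outside, and one malformed line.
SAMPLE_LOG = """\
2019-01-10 08:12:01 203.0.113.45 CORP\\alice /owa/auth.owa 200
2019-01-10 08:13:17 192.0.2.77 CORP\\bob /owa/auth.owa 200
2019-01-10 08:14:02 198.51.100.9 CORP\\carol /owa/ 302
2019-01-10 08:15:44 192.0.2.78 CORP\\alice /owa/auth.owa 401
this line is garbage and must not crash the parser
"""

LOGIN_URI = "/owa/auth.owa"  # constructed: the request that carries credentials


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one line of the constructed format; return None if it does not fit."""
    fields = line.split()
    if len(fields) != 6:
        return None
    date, time, c_ip, user, uri, status = fields
    try:
        ip = ipaddress.ip_address(c_ip)
        code = int(status)
    except ValueError:  # unparseable address or status code
        return None
    return {"when": f"{date} {time}", "ip": ip, "user": user, "uri": uri, "status": code}


def is_expected(ip: ipaddress._BaseAddress, ranges=EXPECTED_RANGES) -> bool:
    """True when the address falls inside any of the expected networks."""
    return any(ip in net for net in ranges)


def unexpected_logins(log_text: str, ranges=EXPECTED_RANGES) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, ip) for successful logins from outside `ranges`."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["uri"] != LOGIN_URI or rec["status"] != 200:
            continue
        if not is_expected(rec["ip"], ranges):
            findings.append((rec["when"], rec["user"], str(rec["ip"])))
    return findings


def failed_attempts_by_ip(log_text: str, ranges=EXPECTED_RANGES) -> Dict[str, int]:
    """Count failed login attempts (401) per outside address; useful for spotting
    credential guessing that accompanies a hijack."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["uri"] != LOGIN_URI or rec["status"] != 401:
            continue
        if not is_expected(rec["ip"], ranges):
            counts[str(rec["ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for when, user, ip in unexpected_logins(SAMPLE_LOG):
        print(f"{when}: {user} logged in from unexpected address {ip}")
    print("failed attempts from outside:", failed_attempts_by_ip(SAMPLE_LOG))
```

Review the flagged logins against the user's normal locations and, for any the user cannot explain, treat the credentials as compromised, as the advisory's credential-leakage risk implies.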
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Secure Intelligence Center.