Thursday, January 24, 2019

AA19-024A: DNS Infrastructure Hijacking Campaign

 

U.S. Department of Homeland Security US-CERT

National Cyber Awareness System:

 

01/24/2019 03:01 PM EST

 

Original release date: January 24, 2019

Summary

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

See the following links for downloadable copies of open-source indicators of compromise (IOCs) from the sources listed in the References section below:

These files will be updated as information becomes available.

Technical Details

Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.

  1. The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
  2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
  3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.

Mitigations

NCCIC recommends the following best practices to help safeguard networks against this threat:

  • Update the passwords for all accounts that can change organizations’ DNS records.
  • Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
  • Audit public DNS records to verify they are resolving to the intended location.
  • Search for encryption certificates related to domains and revoke any fraudulently requested certificates.

References

Revisions

  • January 24, 2019: Initial version

This product is provided subject to this Notification and this Privacy & Use policy.

This email was sent to drenner@summitsol.com using GovDelivery Communications Cloud on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (888) 282-0870

GovDelivery logo

 

IMPORTANT NOTICE
This e-mail, including attachments, is covered by the Electronic Communications Privacy Act, 18 U.S.C. §§ 2510-2521, may include confidential, proprietary, and legally privileged information (including, without limitation, attorney-client privilege), and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any use, dissemination, distribution, printing, or copying of this e-mail is strictly prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.

 

at

7 comments:

  1. JohnHarrisMarch 15, 2019 at 4:44 AM

    My recommendations for the top tools for preparing for your ace4sure.comcertification exam. Remember that the exam is designed to be entry level to ensure patient safety, so don’t get too anxious and don’t over think it. Throughout your nursing education, you have passed many tests, and this is just one more test. You can pass this, too!

    ReplyDelete
  2. jaqulinMay 23, 2019 at 11:02 AM

    This comment has been removed by the author.

    ReplyDelete
  3. jaqulinMay 23, 2019 at 11:03 AM

    People may not like to receive calls for business purpose. It is said that almost 80% of consumers prefer to be contacted by a business via text than a call. You might want to take Text My Main Number's services in that case.

    ReplyDelete
  4. davidsmithJuly 5, 2019 at 3:37 AM

    Dumpsaway.com provides authentic IT Certification exams preparation material guaranteed to make you pass in the first attempt. Download instant free demo & begin preparation.
    Real Exam Braindumps

    ReplyDelete
  5. CertificationexamsAugust 16, 2019 at 2:55 AM

    Microsoft 365 certification is very important in the 365 filed.  The scope of the Microsoft MS-900 certification is increasing rapidly. CertificationGenie offers best Microsoft 365 Fundamentals exam preparation material and latest Microsoft MS-900 dumps. We also provide MS-900 exam questions in pdf format and Microsoft exam practice software. We assure you that by using our MS-900 study material you can pass Microsoft 365 Fundamentals in the first attempt with high marks.

    ReplyDelete
  6. UnknownSeptember 28, 2020 at 3:28 AM

    ExamsTrainer is a well-known name for real Microsoft MS-900 exam questions. You can rely on our Microsoft MS-900 dumps for more powerful and effective Microsoft 365 Fundamentals exam preparation in a very short time of period. Good Luck for your upcoming Microsoft 365 certificate test.

    ReplyDelete
  7. carisSeptember 10, 2021 at 10:03 PM

    https://buzztum.com/bl0-100-nokia-bell-labs-5g-foundation/

    ReplyDelete