In recent years, a new kind of cyber attack has emerged: DNS hijacking. Also known as redirection, DNS hijacking operates by sending users to malicious websites against their will as part of sophisticated, information-stealing campaigns. As malicious tools and knowledge are spread across the dark web, these types of attacks are on the rise.
Fortunately, organizations are able to mitigate the threat of hijacking attacks by investing in the monitoring of DNS records and traffic. Advanced, automated analytics tools provide an additional layer of threat detection, avoiding major financial losses and damage to company reputation.
What is DNS hijacking?
The DNS is often described as the ‘phone book of the internet’: it converts the domain name a user enters to reach a website or an app into the IP address of that site. Computing systems require these IP addresses to connect with one another. Without the DNS, the most basic web browsing tasks would be painfully slow and difficult. This ‘digital phonebook’ is in fact a giant database dispersed across thousands of servers, organized as a hierarchy of domains. There are four main types of DNS server: recursive resolvers, root nameservers, TLD nameservers, and authoritative nameservers. All four work in tandem to return the IP address to the user.
Because of its globally dispersed nature, the DNS inevitably has a large attack surface. This is made worse by the fact that the DNS was designed decades ago, when the cyber security world was far less evolved, meaning that without the right protection the DNS layer can be easily exploited. DNS hijacking occurs when the resolution traffic passing between user and nameserver is intercepted, or the records it relies on are altered, so that the user is redirected to an identical-looking malicious site.
Attacks on the rise
Most of the attacks we’ve seen in the past few years have been a result of rogue DNS server tactics: attackers compromise a DNS server, changing the information held in cached records and causing legitimate DNS requests to be unexpectedly redirected to malicious sites. This technique is becoming increasingly popular within the criminal fraternity, leading to a number of high-profile cases in the past few years, including two, likely state-sponsored, campaigns known as DNSpionage and Sea Turtle, which have been ongoing since 2017.
- The DNSpionage attack compromised DNS infrastructure for over 50 Middle Eastern companies and government agencies, in countries including Albania, Cyprus, Egypt, Iraq, Jordan, Kuwait, Lebanon, Libya, Saudi Arabia and the United Arab Emirates. Blamed on state actors in Iran, the attackers compromised login credentials for DNS servers run by registrars and others, then altered DNS A records and nameserver (NS) records. This redirected users to identical-looking malicious sites where their email login details were harvested.
- Sea Turtle, a state-sponsored campaign, saw hackers targeting DNS infrastructure firms such as registrars, telcos and ISPs in order to reach their prime targets: national security agencies, ministries of foreign affairs and prominent energy organizations. Login details for DNS infrastructure were obtained via spear-phishing and vulnerability exploitation, after which DNS records were altered to point users to malicious man-in-the-middle phishing sites, allowing the hackers to log in as the victims.
By intercepting the data that passes between user and nameserver, cyber criminals can redirect users to identical-looking but malicious sites. These are often websites where users are asked to input sensitive data, allowing attackers to steal this information. A serious DNS hijack resulting in a data breach can lead to lost customers, brand damage, a decline in share price, legal costs and loss of competitive advantage. In the wake of the DNSpionage and Sea Turtle hijacking campaigns, both the US and UK governments have issued alerts for the public and private sector.
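The two tampering patterns described above (A and NS records altered at the registrar, and a rogue or poisoned resolver answering differently from the zone's own nameservers) are exactly what record monitoring is meant to catch. The following is an added example, not Nominet's or NTX's code: it diffs the current authoritative answers against a known-good baseline and compares a recursive resolver's answers with the authoritative ones. All domain names, nameservers and addresses are constructed; in practice the two snapshots would be filled from live DNS queries.

```python
from dataclasses import dataclass

# Known-good A/NS records captured when the zone was last verified (constructed).
BASELINE = {
    ("example.com.", "A"): {"192.0.2.10"},
    ("example.com.", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
}
# Today's answers from the zone's own nameservers and from a public recursive
# resolver (constructed; ns9.rogue-dns.example and 198.51.100.7 are the tampering).
OBSERVED = {
    "authoritative": {
        ("example.com.", "A"): {"192.0.2.10"},
        ("example.com.", "NS"): {"ns1.example-dns.net.", "ns9.rogue-dns.example."},
    },
    "recursive": {
        ("example.com.", "A"): {"198.51.100.7"},
        ("example.com.", "NS"): {"ns1.example-dns.net.", "ns9.rogue-dns.example."},
    },
}

@dataclass(frozen=True)
class Finding:
    severity: str   # "critical" for delegation (NS) changes, "high" otherwise
    name: str
    rtype: str
    detail: str

def drift_findings(baseline, authoritative):
    """Authoritative answers that no longer match the baseline: records altered
    at the registrar or DNS provider, as in DNSpionage and Sea Turtle."""
    out = []
    for (name, rtype), expected in baseline.items():
        got = authoritative.get((name, rtype), set())
        if got != expected:
            out.append(Finding("critical" if rtype == "NS" else "high", name, rtype,
                               f"added={sorted(got - expected)} removed={sorted(expected - got)}"))
    return out

def divergence_findings(authoritative, recursive):
    """Resolver cache disagrees with the authoritative answer: the resolver
    itself may be poisoned or rogue, even though the zone looks intact."""
    return [Finding("high", name, rtype, f"resolver={sorted(rec)} authoritative={sorted(auth)}")
            for (name, rtype), auth in authoritative.items()
            if (rec := recursive.get((name, rtype), set())) != auth]

def audit(baseline=BASELINE, observed=OBSERVED):
    """Run both checks; each Finding is one change alert a monitor would raise."""
    return drift_findings(baseline, observed["authoritative"]) + \
        divergence_findings(observed["authoritative"], observed["recursive"])
```

On the constructed data, `audit()` raises a critical alert for the changed NS delegation and a high alert for the resolver returning an A record the authoritative servers never published.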
How Nominet can help
Nominet’s NTX platform reduces risk on your network by detecting and eliminating threats before they cause harm. NTX analyzes DNS records and traffic for both known and unknown threats, providing change alerts, contextual information and third-party threat intelligence for more comprehensive evidence of any unauthorized behavior that may lead to a DNS hijack.