DNSpionage hacks: Time for DNSSEC?

News by Mark Mayne

Warnings about a series of high-profile private company and public body domain hijacks have been analysed by a veteran researcher with surprising results.

A huge number of DNS attacks have targeted private companies and public bodies alike, and in a concerning analysis from security researcher Brian Krebs, the scale of the threat even to well-prepared enterprises was found to be significant.

The vast wave of attacks has resulted in the attackers slurping up huge numbers of login credentials, in essence by faking DNS records, so that a legitimate domain points to an IP address controlled by the attacker, rather than the domain’s rightful owner.

Although this process of DNS hijacking has been common knowledge for some years, this campaign – dubbed DNSpionage – has refined DNS hijacking into a potent tool. One aspect has been a focus on compromising core services that provide domain lookups for company and government sites and email servers, while other modifications have been made to avoid detection.

In the last few months alone, those behind the DNSpionage campaign have compromised vital components of DNS infrastructure for more than 50 Middle Eastern companies and government agencies.

The attackers have also successfully taken over domains belonging to the Netnod Internet Exchange in Sweden and the Packet Clearing House (PCH) in Northern California. These two western companies were compromised so the hackers could generate valid TLS certificates, in turn enabling them to launch man-in-the-middle attacks. Netnod operates one of the 13 root name servers that are critical to the functioning of the Internet.

Netnod learned of its role in the attack on 2 January, according to a statement on the company site: "As a participant in an international security co-operation, Netnod became aware on 2 January 2019 that we had been caught up in this wave and that we had experienced a MITM (man-in-the-middle) attack," the statement reads. "Netnod was not the ultimate goal of the attack. The goal is considered to have been the capture of login details for Internet services in countries outside of Sweden."

Meanwhile, PCH was compromised with a phishing attack that yielded registrar credentials, which the hackers used to send Extensible Provisioning Protocol (EPP) messages – a specific protocol designed to enable registrars to notify regional registries about domain record changes.

Krebs followed the trail, emailing Netnod’s security director Patrik Fältström, who replied: "The attack was from my perspective clearly an early version of a serious EPP attack," he wrote. "That is, the goal was to get the right EPP commands sent to the registries. I am extremely nervous personally over extrapolations towards the future. Should registries allow any EPP command to come from the registrars? We will always have some weak registrars, right?"

Concerningly, although both Netnod and PCH are advocates and adopters of DNSSEC (DNS Security Extensions), a technology designed expressly to prevent these types of attack, the attackers were able to circumvent the protections. This was mainly possible because of spotty implementation of DNSSEC globally, with only about 20 percent of the world’s major networks being compliant. The attackers initially targeted Netnod infrastructure that was not compliant, and once in were able to disable DNSSEC long enough to request new SSL certificates before re-enabling it.

"PCH’s infrastructure was targeted by DNSpionage attackers in four distinct attacks between December 13, 2018 and January 2, 2019. With each attack, the hackers would turn on their password-slurping tools for roughly one hour, and then switch them off before returning the network to its original state after each run," noted Krebs, highlighting that even alert enterprises that monitor their DNS infrastructure for unauthorised changes might not spot such short-term changes.

PCH relied on no fewer than three commercial DNS monitoring services, said Krebs, none of which spotted the attacks.
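The two weaknesses the article describes, a DS record being withdrawn long enough to obtain certificates and record changes that last about an hour before being reverted, are both visible to a monitor that polls frequently and compares every observation against a known-good baseline rather than only alerting on the current state. The script below is an added illustration of that detection logic and is not code from Krebs, Netnod or PCH; the snapshot line format, the domain `example.test`, the IP addresses and the 15-minute polling cadence are all constructed for the example.

```python
"""Flag short-lived deviations of DNS records from a known-good baseline.

Added example: the snapshot format and every value below are constructed
for illustration and do not come from the incidents described in the article.
Each line is one poll of a zone: timestamp, name, apex A record, and whether
a DS record (the DNSSEC chain of trust) was published at the parent.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: a hijack that lasts two polls (30 min) and is then reverted.
SAMPLE_SNAPSHOTS = [
    "2019-01-02T00:00Z example.test A=192.0.2.10 DS=yes",
    "2019-01-02T00:15Z example.test A=192.0.2.10 DS=yes",
    "2019-01-02T00:30Z example.test A=198.51.100.7 DS=no",
    "2019-01-02T00:45Z example.test A=198.51.100.7 DS=no",
    "2019-01-02T01:00Z example.test A=192.0.2.10 DS=yes",
    "2019-01-02T01:15Z example.test A=192.0.2.10 DS=yes",
]


@dataclass(frozen=True)
class Snapshot:
    ts: datetime
    name: str
    a: str     # apex A record as observed at poll time
    ds: bool   # True if a DS record was present at the parent zone


def parse_snapshot(line: str) -> Snapshot:
    """Parse one constructed snapshot line into a Snapshot."""
    ts, name, a, ds = line.split()
    return Snapshot(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%MZ"),
        name=name,
        a=a.split("=", 1)[1],
        ds=ds.split("=", 1)[1] == "yes",
    )


def deviations(snap: Snapshot, base: Snapshot) -> List[str]:
    """Return human-readable reasons why snap differs from the baseline."""
    reasons = []
    if snap.a != base.a:
        reasons.append(f"A record {base.a} -> {snap.a}")
    if base.ds and not snap.ds:
        # Withdrawing DS is what lets an attacker serve unsigned, forged answers
        # without validating resolvers rejecting them.
        reasons.append("DS record withdrawn (DNSSEC validation disabled)")
    return reasons


def detect_transient_changes(
    lines: List[str], baselines: Optional[Dict[str, Snapshot]] = None
) -> List[dict]:
    """Group consecutive deviating polls into incidents with start, end and duration.

    If no baseline is supplied for a name, its first observation is used; a
    real deployment should supply baselines from change-controlled records so
    that a zone already hijacked at first poll is still flagged.
    """
    snaps = sorted((parse_snapshot(l) for l in lines), key=lambda s: (s.name, s.ts))
    baselines = dict(baselines or {})
    open_incidents: Dict[str, dict] = {}
    incidents: List[dict] = []
    for s in snaps:
        base = baselines.setdefault(s.name, s)
        reasons = deviations(s, base)
        cur = open_incidents.get(s.name)
        if reasons and cur is None:
            open_incidents[s.name] = {"name": s.name, "start": s.ts, "end": None,
                                      "reasons": list(reasons)}
        elif reasons and cur is not None:
            for r in reasons:
                if r not in cur["reasons"]:
                    cur["reasons"].append(r)
        elif not reasons and cur is not None:
            # Records returned to baseline: close the incident and record how
            # long it was visible, which is the figure a poll interval must beat.
            cur["end"] = s.ts
            cur["duration_min"] = int((s.ts - cur["start"]).total_seconds() // 60)
            incidents.append(open_incidents.pop(s.name))
    for cur in open_incidents.values():   # still deviating at end of data
        cur["duration_min"] = None
        incidents.append(cur)
    return incidents


if __name__ == "__main__":
    for inc in detect_transient_changes(SAMPLE_SNAPSHOTS):
        print(f"{inc['name']}: {inc['start']} -> {inc['end']} "
              f"({inc['duration_min']} min): {'; '.join(inc['reasons'])}")
```

On the constructed data this reports a single 30-minute incident in which both the A record and the DS record changed and then reverted. The point for a monitoring design is the `duration_min` figure: a poller whose interval is longer than the reversal window can miss the whole event, which is consistent with Krebs’ observation that three commercial monitoring services saw nothing.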

Matt Walmsley, EMEA director at Vectra, told SC Media UK: "When DNS was designed decades ago it was utility, not security, that was front of mind. DNS’s security limitations have been widely understood for some time, yet subsequent security extensions such as DNSSEC, whilst growing in use, are yet to become the norm. For the affected DNS registrars, more administration controls and authentication layers would certainly have made the attacks much harder to execute. DNS providers are a fundamental element of the internet’s own digital supply chain; their resilience and security are critical.

"These transitory DNS attacks likely form an element of wider reconnaissance where the threat actor is seeking to penetrate and establish a persistent point of presence inside the target organisations, particularly government ones. This could be part of state-sponsored cyber-espionage or the precursor to political interference, either of which could have a much longer-lasting and wider impact."
