Alex - Fotolia

UK cyber security agency investigates DNS hijacking

NCSC is probing the large-scale DNS hijacking campaign that has reportedly affected government and commercial organisations worldwide, and has issued defence advice

The National Cyber Security Centre (NCSC) has announced in an alert that it is investigating an international campaign of domain name system (DNS) infrastructure tampering attacks.

The announcement comes just days after the US Department of Homeland Security (DHS) issued an emergency directive to government departments in an effort to block further attacks.

The US authorities warned that attackers could use compromised credentials to modify the location to which an organisation’s domain name resources resolve to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organisation’s domain names, enabling man-in-the-middle attacks.

The UK and US government alerts follow reports by researchers at Cisco’s Talos and FireEye’s Mandiant  intelligence teams that a wave of DNS hijacking, apparently coming out of Iran, was affecting dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.

US authorities said they were tracking “a series of incidents” involving DNS infrastructure tampering, were aware of “multiple executive branch agency domains” that were impacted, and although the NCSC said it was not currently aware of any compromised entities in the UK, the agency warned that the techniques exhibited could “feasibly be deployed” against UK targets.

Detailing the DNS address record and DNS name server record hijacking techniques used in the campaign, the NCSC said the initial infection vector used to compromise the credentials is not yet known, but it is plausible that multiple techniques are being exploited to gain a foothold.

Read more about DNS security

The NCSC alert lists a number of indicators of compromise (IoC) that have been reported and advises organisation to monitor for these IoCs on their networks.

The NCSC said it is working with industry partners and international government counterparts to understand the attack campaign’s impact and identify defensive measures.

In the meantime, the NCSC has recommended that organisations responsible for registering domains take mitigating steps in three areas:

Steps to take with your registry/registrar

  • Ensure two-factor authentication is enabled in all registrar or registry accounts, and that the passwords are not easily guessed, are stored securely, and not reused across services.
  • Attackers may attempt to use account recovery processes to gain access to domain management, so ensure that contact details are accurate and up to date.
  • Many registrars and registries offer “lock” services to require additional security enhancing steps before changes can be made. Understand any “lock” services available to you, and consider applying them, particularly to high-value domains.
  • Ensure any available logging is enabled, so that you can review changes that have been made.

Steps to take with your DNS hosting

  • Ensure two-factor authentication is enabled in all DNS hosting accounts, and the passwords are not easily guessed, and not re-used across services.
  • Ensure you have backups of your critical DNS zones to allow you to recover in the event of a breach.
  • Consider use of configuration-as-code approaches to manage changes to your DNS zones.
  • Ensure any available logging is enabled, so that you can review changes that have been made.
  • Monitor critical DNS records for unexpected changes, such as name server records, the address records associated with name server records, MX records and the DNS records associated with critical services that would be high-value targets. DNS monitoring services are widely available.
  • Monitor certificate transparency logs for TLS certificates being issued for your domains. Unexpected certificates may be an indication that an attacker has control of DNS associated with the domain.

Steps to take in DNS management

  • Ensure that individuals involved in DNS management have an awareness of the importance of DNS accounts, and the threat of these accounts being targeted.
  • A domain name may be hijacked if its registration is not renewed and it expires. Ensure that contact and billing details are correct with your registrar to avoid this.
  • Subdomains may be delegated to different teams, or to third parties, for example through NS or CNAME records. Ensure that these parties meet your security needs and ensure that you promptly withdraw such delegations when no longer in use.
  • Consider formalising a “registry function” in your organisation to oversee domain name management. This is most relevant where multiple teams have registered and operate domains.

Read more on Hackers and cybercrime prevention

Data Center
Data Management