New DNS hijacking campaign

The UK’s National Cyber Security Centre (NCSC) is warning of an ongoing DNS hijacking campaign.

This warning follows an alert the NCSC issued in January about similar hijacking of the Domain Name System (DNS). In the latest advisory, the NCSC says it has “observed further activity, with victims of DNS hijacking identified across multiple regions and sectors.”

DNS hijacking threat

DNS hijacking is the unauthorized alteration of DNS entries in a zone file on an authoritative DNS server. An attacker can also modify the domain’s configuration at the registrar, such as its delegated nameservers or contact details. Either way, the attacker can use these modifications to redirect traffic intended for the victim’s domain and capture sensitive information from it.

The NCSC also highlights several risks that follow from DNS hijacking:

  • Malicious DNS records – created to support phishing campaigns against customers or employees.
  • Valid SSL/TLS certificates – with control of the DNS records an attacker can pass a certificate authority’s domain validation (for example a DNS-based challenge) and obtain a certificate for the domain, which makes phishing sites look legitimate. Newly issued certificates appear in Certificate Transparency logs, so those logs are worth watching for your own domains.
  • Transparent proxy – an attacker alters zone entries (such as “A” or “CNAME” records) so that traffic goes to an IP address the attacker controls, where it can be inspected and relayed on to the real server so that users notice nothing.
  • Domain hijack – an attacker takes complete control and ownership of the domain, which makes recovery much harder.

DNS hijacking mitigations

To better prepare against these threats, the NCSC provides some good safeguards for organizations.

For example, always use multi-factor authentication (MFA) on the accounts used to log in to the domain registrar, to guard against account takeover. MFA is one of the easiest and strongest controls for preventing unauthorized access and unauthorized registrar changes. The NCSC has also published best-practice guidance on password security and anti-phishing.

In addition, organizations should implement the following best practices:

  • Regularly audit who has access to the domain registrar account and what changes have been made through it.
  • Don’t use individual email addresses for domain contacts; use role accounts instead (such as hostmaster@), so that registrar notices are not missed when someone leaves.
  • Be wary of phishing attacks and protect the email accounts tied to the domain at all times, since a compromised contact mailbox can be used to reset registrar credentials.
  • Implement a “registrar lock” – this prevents the domain from being transferred to a new owner without the lock first being removed. In WHOIS this shows up as EPP status codes such as clientTransferProhibited, which is a quick way to check that the lock is actually set. Where the registry offers a “registry lock”, which requires out-of-band verification before any change, it is the stronger option for high-value domains.
  • Domain management monitoring – watch for domain transfers, WHOIS data changes and nameserver changes, and alert on any that were not planned.
  • Keep extensive records of the domain’s expected configuration and of every authorized change, so that an unexpected change can be recognized and reverted quickly.
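One way to put the monitoring items above into practice, and to catch the record changes described under the threats (a redirected “A” record, a new validation record ahead of certificate issuance, nameserver or contact changes, a dropped registrar lock), is to diff each fresh observation of the domain against a trusted baseline. The Python below is an added example written for this article, not code from the NCSC advisory. The domain, IP addresses, nameservers, WHOIS fields and the dig output are all constructed; in practice the observed snapshot would be built from `dig +noall +answer` output and a WHOIS/RDAP lookup run on a schedule.

```python
"""Diff a fresh DNS/registrar observation against a trusted baseline and
raise alerts for the changes a DNS hijack typically produces.

Added example for this article, not from the NCSC advisory. All inputs are
constructed; the observed snapshot would normally come from live
`dig +noall +answer` output plus a WHOIS/RDAP lookup."""
from dataclasses import dataclass

# EPP status codes set by a registrar lock. These are real codes, but which of
# them a given registrar sets varies, so verify against your own WHOIS output.
CLIENT_LOCKS = frozenset({"clientTransferProhibited",
                          "clientUpdateProhibited",
                          "clientDeleteProhibited"})


@dataclass(frozen=True)
class DomainSnapshot:
    nameservers: frozenset     # NS hostnames delegated at the registry
    records: dict              # {(owner, rtype): frozenset(rdata)} from the zone
    epp_statuses: frozenset    # status codes from WHOIS/RDAP
    registrant_email: str      # domain contact from WHOIS/RDAP


def parse_dig_answer(text):
    """Turn `dig +noall +answer` lines into {(owner, rtype): frozenset(rdata)}."""
    records = {}
    for line in text.strip().splitlines():
        parts = line.split(None, 4)          # owner ttl class type rdata
        if len(parts) != 5 or parts[2] != "IN":
            continue                         # skip blank or comment lines
        owner, _ttl, _cls, rtype, rdata = parts
        records.setdefault((owner.lower(), rtype), set()).add(rdata.strip())
    return {key: frozenset(vals) for key, vals in records.items()}


def diff_snapshots(baseline, observed):
    """Return a list of (alert_kind, detail) for every deviation from baseline.
    An empty list means nothing changed and the registrar lock is still on."""
    alerts = []

    if observed.nameservers != baseline.nameservers:
        alerts.append(("NS_CHANGE", {
            "removed": sorted(baseline.nameservers - observed.nameservers),
            "added": sorted(observed.nameservers - baseline.nameservers)}))

    # Zone changes: a rewritten A/CNAME is the transparent-proxy case; a new
    # TXT or CNAME under _acme-challenge points at certificate issuance.
    for key in sorted(baseline.records.keys() | observed.records.keys()):
        before, after = baseline.records.get(key), observed.records.get(key)
        if before is None:
            alerts.append(("NEW_RECORD", {"record": key, "rdata": sorted(after)}))
        elif after is None:
            alerts.append(("RECORD_REMOVED", {"record": key, "rdata": sorted(before)}))
        elif before != after:
            alerts.append(("RECORD_CHANGE", {"record": key,
                                             "before": sorted(before),
                                             "after": sorted(after)}))

    if observed.registrant_email != baseline.registrant_email:
        alerts.append(("CONTACT_CHANGE", {"before": baseline.registrant_email,
                                          "after": observed.registrant_email}))

    lost_locks = (baseline.epp_statuses & CLIENT_LOCKS) - observed.epp_statuses
    if lost_locks:
        alerts.append(("LOCK_REMOVED", {"statuses": sorted(lost_locks)}))
    elif not (observed.epp_statuses & CLIENT_LOCKS):
        alerts.append(("LOCK_MISSING", {"expected_any_of": sorted(CLIENT_LOCKS)}))

    return alerts


# Constructed sample data: the trusted baseline for example.com ...
BASELINE_DIG = """
example.com.            3600  IN  NS   ns1.example-dns.net.
example.com.            3600  IN  NS   ns2.example-dns.net.
example.com.            3600  IN  MX   10 mail.example.com.
www.example.com.        300   IN  A    192.0.2.10
"""

# ... and a later observation after a hypothetical hijack: the web A record
# now points at an attacker host, an ACME validation record has appeared,
# the delegation and contact were changed, and the registrar lock was dropped.
OBSERVED_DIG = """
example.com.            3600  IN  NS   ns1.attacker-dns.example.
example.com.            3600  IN  NS   ns2.attacker-dns.example.
example.com.            3600  IN  MX   10 mail.example.com.
www.example.com.        300   IN  A    198.51.100.7
_acme-challenge.example.com. 60 IN TXT  "constructed-validation-token"
"""


def sample_baseline():
    return DomainSnapshot(
        nameservers=frozenset({"ns1.example-dns.net.", "ns2.example-dns.net."}),
        records=parse_dig_answer(BASELINE_DIG),
        epp_statuses=frozenset({"clientTransferProhibited", "clientUpdateProhibited"}),
        registrant_email="hostmaster@example.com")


def sample_observed():
    return DomainSnapshot(
        nameservers=frozenset({"ns1.attacker-dns.example.", "ns2.attacker-dns.example."}),
        records=parse_dig_answer(OBSERVED_DIG),
        epp_statuses=frozenset({"ok"}),
        registrant_email="someone@webmail.example")


if __name__ == "__main__":
    for kind, detail in diff_snapshots(sample_baseline(), sample_observed()):
        print(f"{kind:15} {detail}")
```

Run on the constructed data this reports six alerts: the changed delegation, the rewritten `www` A record, the new `_acme-challenge` TXT record, the changed NS records in the zone, the new registrant contact, and the two lock statuses that disappeared. The baseline is the “extensive records” item from the list above in machine-readable form; it should be updated only through the same change-control process that authorizes a registrar or zone change, so that a real alert is not silenced by accident.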

Finally, the NCSC adds good advice on nameserver and web application security. The guidance covers change control, access control and SSL/TLS certificate monitoring, among other topics.

Read the full NCSC DNS hijacking advisory here (with PDF download).
