NCSC issues guidance for combatting global DNS hijacking campaign

Middle East-based attacks expected to spread to consumers and businesses across Europe

Internet concept

The UK's National Cyber Security Centre has published guidance to governments, organisations and individuals who may be affected by a large-scale global DNS hijacking campaign.

The report stipulates most of the attacks have been isolated to the Middle East, but some impactful cases have been reported in both the UK and the US too. The techniques the attackers are using could also "feasibly be deployed against UK targets".

A Domain Name System (DNS) is like a telephone directory for the internet, routing Web traffic to the correct IP address - hijacking it can allow third-parties to potentially snoop on the traffic flowing to governments, businesses and consumers.

"In the campaign, attackers are believed to have compromised credentials that have given them the ability to manipulate DNS records, giving them the ability to redirect traffic to attacker-owned infrastructure," read the report.

If an attacker successfully hijacks a DNS, they could intercept traffic, placing confidential business information or credentials at risk of theft or exploitation through subsequent phishing attacks.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Two main techniques are being used in the hijacking campaign, the first of which relates to a DNS A (address) record - an entity responsible for mapping a domain name to the IP of the computer hosting that domain.

Attackers are altering these A records to reroute the target domain to the attackers IP address instead, allowing them to create a proxy that mirrors the intended recipient. A new TLS certificate is created when this happens which bypasses browser security warnings.

The second technique being used is similar to the first; attackers alter DNS Name Server records to achieve the same effect. Name Server records specify the servers which provide DNS services for the domain - a new TLS certificate is also created here, bypassing browser security.

What to do

Firstly, the NCSC recommends using two-factor authentication (2FA) on all domain registrar or registry accounts and use strong, unique passwords.

"Attackers may attempt to use account recovery processes to gain access to domain management, so ensure that contact details are accurate and up-to-date," read the report. "This is particularly relevant for DNS, as it's common for domains to be registered before corporate email accounts are available."

Advertisement - Article continues below

As for the DNS, users should enable any and all types of logging so changes can be reviewed. Backups of critical DNS zones are also recommended in case a recovery is necessary after a breach.

If you want to be ahead of the attackers, there are a few ways to pre-empt any malicious activity should they get a foothold on your system. Critical DNS record should be monitored regularly (monitoring software is widely available) for unexpected changes to Name Server records and the DNS A records associated with them.

You can also monitor Certificate Transparency logs for TLS certificates being issued for your domains - unexpected certificates could indicate a possible breach.

ISPs fight encrypted DNS

As it stands, internet service providers (ISPs) are fighting for their right to monitor web traffic as a new encrypted DNS system is being adopted to increase security.

There's a debate around whether these changes need to be made, some experts believe DNS is fundamentally weak and the changes are long overdue, while others claim it could scupper the Internet Watch Foundation's child abuse blacklist.

"DNS is fundamentally insecure," said Neil Brown, a network expert lawyer and founder of law firm Decoded Legal. "DNS is used - or abused - to do a number of things like content controls for court order site blocking. If you ask for the Pirate Bay, the number you get back isn't for the Pirate Bay."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

23 Dec 2019
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
Visit/policy-legislation/general-data-protection-regulation-gdpr/354577/data-protection-fines-hit-ps100m
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020