2019/04/08

Attack on the domain name system: the priority is to protect your access

Last weekend, the media reported widely on the consequences of an unprecedented attack that targeted domain names.

Indeed, during the night of 22-23 February, ICANN reported large-scale attacks on domain names: DNS hijacking. These attacks consist in “replacing the authorized servers addresses with addresses of machines controlled by the attackers”, as the organization explained, allowing the attackers to examine the data in order to find passwords, email addresses, etc., or even to capture the traffic entirely and send it to their servers.

A wave of attacks that began in November 2018

In fact, this is not a single attack but a wave of attacks that the domain name system has endured for several weeks now.

Since the end of November 2018, an attack has targeted Lebanon and the United Arab Emirates and affected .GOV domain names. In this attack, the cybercriminals used DNS hijacking.

At the beginning of January 2019, the company FireEye reported in an article a wave of DNS hijacking that affected domain names belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.

Although the attackers had not been identified at that point, initial research suggested the attacks could have been conducted by persons based in Iran.

An important fact about the attack of February 22: this time it struck, sometimes successfully, important actors of the Internet.

These attacks are not new; it is their magnitude and their targets that led ICANN to react and issue a reminder of the risks to the DNS.

What are these attacks?

The method used is DNS hijacking deployed on a large scale. This is a malicious attack, also called DNS redirection. Its aim is to overwrite the TCP/IP parameters of a computer in order to redirect it to a fraudulent DNS server instead of the configured official DNS server. To do this, the attacker takes control of the targeted machine through various techniques and alters its DNS configuration.

The American government, among others, recently warned about this series of highly sophisticated attacks, whose aim would be to siphon off a large volume of passwords. These attacks would more specifically target governments and private companies.

Between DNS hijacking and cyber espionage

According to an article published by Talos in November 2018, the attackers behind these attacks reportedly collected emails and connection information (login credentials – passwords) by hijacking the DNS, so that the email and VPN (Virtual Private Network) traffic of the targeted institutions was redirected to a server controlled by the cybercriminals.

Once this connection information has been collected, other attacks can be launched for espionage purposes, such as man-in-the-middle attacks.

So how can you protect yourself effectively?

You must be aware that although these attacks essentially target the domain name system, it cannot be said often enough: the first entry point into your domain name portfolio for an attacker is your access to the management platform.

Mandatory recommendation: protect your access to the technical management platform for your domains

Security measures for the domain management portal (IP filtering, ACL, HTTPS) exist and must be applied. Ideally, two-factor authentication should be applied, along with an SSO system.

If these complementary solutions are not yet implemented, we strongly recommend implementing them, in particular two-factor authentication, in order to fight password theft.

However, this is not enough to protect the company’s strategic domains. Other mechanisms exist and deserve to be activated:

Protect your domain names with a registry lock

Implementing a registry lock on your strategic names, notably those with associated services such as email, websites, etc., will prevent fraudulent modification of them. The registry lock “blocks” the domain’s information at the registry level and prevents any fraudulent modification of the registrant, admin contact or DNS servers.

Implement the DNSSEC protocol

DNSSEC guarantees the authenticity and integrity of DNS resolution; in other words, it offers protection against two kinds of attack targeting the DNS: DNS spoofing and DNS cache poisoning, attacks that aim to modify the response sent by the DNS and to redirect users to fraudulent and undetectable websites. DNSSEC should be adopted massively by the market in the upcoming years.

Rely on an anycast DNS network

The DNS is frequently the target of targeted attacks, such as DDoS, whose consequence is to prevent proper DNS resolution. An anycast DNS network relies on several points of presence for better resilience.

These four complementary mechanisms are part of ANSSI’s recommendations on DNS resilience and are strongly advised.

Although no perfect solution exists today to fully protect infrastructures from cyberattacks, it is the combination of several preventive measures that will reduce the vulnerabilities so easily exploited by attackers.
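The following check is an added example, not part of the original article: it audits one domain's registry record for the signs discussed above (name servers that differ from the expected ones, missing registry lock, unsigned DNSSEC delegation). It assumes the record is an RDAP domain object (RFC 9083) with status values spelled as in RFC 8056, and that a registry lock appears as the three server-side prohibitions; the function name audit_domain and the sample records are constructed for illustration.

```python
import json

# Statuses a registry usually sets when a registry lock is active
# (RDAP spelling, RFC 8056); assumed here to be the expected lock set.
LOCK_STATUSES = {"server update prohibited", "server delete prohibited",
                 "server transfer prohibited"}

def audit_domain(rdap_json, expected_ns):
    """Compare one RDAP domain record with the name servers you expect."""
    record = json.loads(rdap_json)
    findings = []

    # Name-server drift: the delegation no longer matches the baseline.
    seen = {ns["ldhName"].lower().rstrip(".") for ns in record.get("nameservers", [])}
    wanted = {ns.lower().rstrip(".") for ns in expected_ns}
    for ns in sorted(seen - wanted):
        findings.append(f"unexpected name server: {ns}")
    for ns in sorted(wanted - seen):
        findings.append(f"expected name server missing: {ns}")

    # Registry lock: every server-side prohibition should be present.
    statuses = {s.lower() for s in record.get("status", [])}
    for status in sorted(LOCK_STATUSES - statuses):
        findings.append(f"registry lock status absent: {status}")

    # DNSSEC: the parent zone must publish a DS record for the chain to hold.
    if not record.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("delegation is not DNSSEC-signed")
    return findings

# Constructed sample records for example.com (not real registry data).
LOCKED = json.dumps({
    "ldhName": "example.com",
    "status": ["server update prohibited", "server delete prohibited",
               "server transfer prohibited"],
    "nameservers": [{"ldhName": "ns1.example.net"}, {"ldhName": "ns2.example.net"}],
    "secureDNS": {"delegationSigned": True},
})
HIJACKED = json.dumps({
    "ldhName": "example.com",
    "status": ["client transfer prohibited"],
    "nameservers": [{"ldhName": "ns1.example.net"}, {"ldhName": "ns1.rogue.example"}],
    "secureDNS": {"delegationSigned": False},
})
BASELINE = ["ns1.example.net", "ns2.example.net"]

if __name__ == "__main__":
    for name, doc in (("locked", LOCKED), ("hijacked", HIJACKED)):
        print(name, audit_domain(doc, BASELINE))
```

Run on a schedule against each strategic domain, an empty result means the record still matches the baseline; any finding deserves a look before users are affected.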

Lucie Loos