Last weekend, the media has widely communicated on the consequences of an unprecedented attack that targeted the domain names.
Indeed, during the night of 22-23 February ICANN reported the large-scale attacks on the domain names: it is DNS hijacking. These attacks consist in “replacing the authorized servers addresses” with “addresses of machines controlled by the attackers”, as explained by the organization, allowing the attackers to examine the data in order to find passwords, email addresses etc., even to completely capture the traffic towards their servers.
A wave of attacks that began in November 2018
Actually, this is not an attack but a wave of attacks that the domain names system has endured for several weeks now.
Since the end of November 2018, an attack has targeted Lebanon and the United Arab Emirates and affected .GOV domain names. In this attack, the cybercriminals have proceeded with DNS hijacking.
At the beginning of January 2019, the company FireEye reported in an article, a wave of DNS hijacking that has affected domain names belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.
If the attackers were then not identified, the initial research suggested the attacks could be conducted by persons based in Iran.
Important fact regarding the attack of February 22: this time, it struck, sometimes successfully, important actors of the Internet.
What are these attacks?
The method used is the DNS hijacking deployed on a large scale. This is a malicious attack, also called DNS redirection. Its aim: overwrite the TCP/IP parameters of a computer in order to redirect it towards a fraudulent DNS server instead of the configured official DNS server. To do this, the attacker takes control of the targeted machine through different techniques to alter the DNS configurations.
The American government, among others, recently warned about these series of highly sophisticated attacks of which the aim would be to siphon a large volume of passwords. These attacks would target more specifically governments and private companies.
Between DNS hijacking and cyber espionage
According to Talos’ article of November 2018, the attackers behind these attacks would have collected emails and connection information (login credentials – passwords) by hijacking the DNS, so that the traffic of the emails and the VPN (Virtual Private Networking) of the targeted institutions would be redirected to a server controlled by the cybercriminals.
Once the connectors collected, other attacks can be launched for espionage purposes, like the Man-In-The-Middle.
Then how to effectively protect yourself?
You must be aware that if these attacks essentially aim the domain names system, we can never say it enough, the first entry point of your domain names portfolio for an attacker is your access to the management platform.
The first and utmost recommendation is to protect your access
For many years, Nameshield has developed securing measures for the access to the domain names management platform (IP filter, ACL, HTTPS) and in addition proposes the 2 factors authentication and the SSO.
If these complementary solutions are still not implemented, Nameshield strongly recommends to implement them, in particular the 2 factors authentication in order to fight against passwords thefts.
To implement the DNSSEC protocol
The implementation of DNSSEC, if it was more widely deployed, would prevent or at least lessen the impact of these attacks by limiting their consequences.
It’s becoming increasingly urgent that DNSSEC is adopted on a massive scale, for both resolvers and authoritative servers.
To protect your domain names
The implementation of a registry lock on your strategic names will prevent their fraudulent modifications.
Although no perfect solution exists today to fully protect the infrastructures from cyberattacks, it is the implementation of several preventive measures combined that will allow to reduce the vulnerabilities (so) easily exploited by the pirates.