HP Security Research Threat Intelligence Briefing - Episode 7

To view the full report, please open the attached pdf “Companion to HPSR Threat Intelligence Podcast Episode 7 final.pdf”. The report contains the information posted in this blog.

 

Thank you for subscribing to Episode 7 of the HP Security Research Threat Intelligence Briefing. In this briefing we discuss domain hijacking attacks that abuse the Domain Name System (DNS), and the severity of those attacks. DNS is a vital component of the Internet. Some consider DNS to be the equivalent of a phone book, but it is much more than that: DNS is the most critical service on a network because almost every connection begins with a name lookup. When DNS is compromised, malicious actors can control the communications of very large groups of people and applications. With domain hijacking, the attacker can take over an organization’s domain without ever touching the organization’s own systems.

  

Domain Name System (DNS) Attacks

Many people are aware of the attack surface DNS provides, but think only in terms of DNS cache poisoning, open resolvers, DNS amplification in DDoS attacks, and direct attacks against BIND or other DNS server software. This overlooks a large attack vector: domain hijacking. DNS and search engines together steer almost all communications on the Internet. If you control a DNS resolver, you control all traffic from the clients that use that resolver. If you control a domain’s authoritative DNS, you control all traffic destined for that domain. If you own the domain of a search engine (e.g. Google or Bing), you can control the communications of every user and application that uses that search engine. DNS is the “key to the kingdom”, and attackers are leveraging it to hijack users’ traffic on a massive scale.

 

Examples of this activity include:

  • Attacking third-party providers with social engineering to take over a specific domain (as the Syrian Electronic Army did against SocialFlow and OutBrain)
  • Targeting a TLD registrar’s web management portal with SQL injection (SQLi) to gain complete control of all domains under that TLD (see the Turkmenistan TLD hack on page 17 of the attached report)
  • Targeting a TLD registrar with social engineering to gain complete control of all domains under that TLD through its web management portal (see the Uzbekistan TLD hack on page 26 of the attached report)
  • Targeting specific domain admins to gain control of a domain that admin manages (see the ShareThis.com takeover by the SEA on page 30 of the attached report)

The motivations behind this activity include:

  • Defacement to spread a message (e.g. google.ps, page 35 of the attached report)
  • Defacement to gain notoriety, gamification (treating hacking activity as a game, scoring more “points” with defacements in order to increase relative standings)
  • Defacement to harm a target
  • HTTP authentication token compromise
  • Man-in-the-middle attack on credentials
  • Spread malware / grow a botnet
  • Denial of Service
  • Retaliation

The impact of these attacks is being felt as they grow in popularity. Only a novice skill level is required to conduct them, which broadens the pool of actors involved significantly. It should be expected that domain hijacking will become a vector for financially motivated attacks. In this report we highlight over 20 examples of domain hijacking and the motivations and tactics of the threat actors involved.

 

Domain hijacking is an attack in which false information is inserted for a domain or subdomain so that its name resolves to hosts the attacker controls. The most common approaches for an attacker are to:

  • Compromise the authoritative name server directly and insert false records into the domain’s zone file
  • Compromise the domain’s record at the registrar or registry and replace the authoritative name servers with name servers the attacker controls

NOTE:

If an attacker controls the authoritative name server for a domain, they have complete control of that domain and all its users’ traffic.

 

Domain hijacking has been tracked by ICANN since 2005 making its initial appearance in the “Domain Name Hijacking: Incidents, Threats, Risk, and Remedial Actions” report released by ICANN July 12, 2005.

 

Globally, thousands of registrars manage over 233 million domains. The registries and registrars for the larger generic TLDs (gTLDs), such as .com, .edu, .gov and .mil, process millions of transactions per day and have a vast infrastructure to handle the volume. This infrastructure handles domain traffic for the largest companies on the Internet (such as Google, Facebook, Yahoo and Baidu). Because of the scale and the type of domains involved, the gTLDs hold high-value targets and have made great efforts to secure their infrastructure.

 

The registries and registrars of smaller country code TLDs (ccTLDs), such as .pk, .ke and .my, have a much smaller footprint and lack the scale and resources of the larger gTLDs. This is where many of today’s DNS attacks are occurring.

 

DNS Attack Motivations

Many of the DNS attacks tracked by HP Security Research are meant to increase the number of high-profile websites a hacker can “deface”, raising the hacker’s notoriety on sites like Zone-h. Figure 1 shows the leaderboard of the all-time most active “notifiers” at Zone-h.

 

Figure 1 Zone-h leaderboard of all-time most active notifiers


 

The Zone-h leaderboard, among others, provides a stack ranking of hackers. On this particular leaderboard, a hacker can raise their all-time standing by compromising many websites in a mass defacement, and the easiest way to do that is by owning many domains under a ccTLD. The scoring often gives more credit to defacements of websites belonging to major organizations; on Zone-h these are referred to as “Special Defacements.”

 

These actors will sometimes use their defacement to spread a message. These messages often relate to geo-political tensions in a particular region, as in the case with the ongoing attacks between groups from Pakistan and India.

 

If an organization’s domain is hijacked, the domain is commonly, in effect, taken off the Internet until the organization regains control of it. This creates a denial of service. It occurred on August 27, 2013, when the Syrian Electronic Army (SEA) took control of the New York Times domain NYTimes.com, along with others, and redirected users’ traffic to their own website. In this example too, the SEA used the attack to spread a message supporting Syrian President Assad, which is their primary motivation in all operations. In parallel with the NYTimes.com attack, the SEA also attacked Twitter. The SEA had previously threatened Twitter for disabling their accounts, and the attack was carried out in retaliation.

 

By diverting traffic destined for a website to a location of their choosing, the attacker has complete control of the users’ experience, and many malicious actions become possible. A cloned website could be set up so that users attempting to log in reveal their credentials to the attacker. HTTP authentication tokens could be collected. The alternate website could host malware that is delivered to users attempting to access the site, which could be used to grow a botnet controlled by the attacker.

 

By taking over an entire domain, the attacker also owns the MX records (Mail Exchange DNS records) that direct email to the organization’s mail servers. Most email transmitted over the Internet is clear-text and not encrypted in transit. Changing the MX records lets the attacker have all of the victim organization’s inbound email delivered to servers they control, which can provide a wealth of information.

 

Many organizations have separate sites for mobile platforms, such as mobile.twitter.com. Hijacking such a hostname lets an attacker target mobile devices with exploits specific to mobile platforms.

 

NOTE:

Combining malware distribution with domain hijacking creates an extremely severe threat. During a domain hijack, a massive amount of traffic could be redirected to a malware distribution site, which could lead to thousands of compromises in a very short time frame (minutes). It is because of this that HP Security Research considers domain hijacking to be one of the most severe threats on the Internet.

 

 

HP Security Research (HPSR) Recommendations

There are steps that can be taken to protect your domains from hijack attempts and to detect when unauthorized changes have been made. ICANN has provided a list of steps that should be taken in order to protect a domain registration from hijacking. Please take special note of item 4 in the list below: domain locking is one of the most effective techniques for mitigating DNS hijacking that results from social engineering. In addition, multi-factor authentication (as mentioned on page 15 of SAC040[1]), combined with a challenge response and physical call-back verification, is highly recommended.

 

"ICANN's Recommendations Registrants Can Take To Protect Against Domain Hijacking" is below:[2]

 

Measures all registrants should take to protect against domain hijacking or other domain name attacks include:

  1. Protect domain name account credentials. Most registrar account portals are password protected, so create strong passwords, and safeguard them. You may also want to shop for a registrar that offers multi-factor authentication (e.g., token).
  2. Use SSL (HTTPS) when you access your domain name registration account.
  3. Use ICANN accredited registrars. Ask about the reputation and service record of registrars. If you’re not entirely comfortable with a registrar, you can and should consider transferring your domain to a party you trust.
  4. Ask your registrar to apply registrar locks on your domain names. Locks (formally, status codes) prevent changes to your domain name registrations, and block attempts to transfer or delete your domain names (see SAC044, pp 22-23). A number of TLD registry operators offer registry lock to prevent unintended changes to registry accounts. This service is offered in addition to lock services offered by registrars, and often includes manual support (1, 2).
  5. Pay attention to “routine” registrar correspondence, as these may be phishing emails. In these email messages, phishers often use HTML to embed malicious links in seemingly innocuous or “safe” links. Don’t click on a hyperlink; instead, type the link in manually.
  6. Monitor your domain’s WHOIS and DNS information. Check both routinely to detect any unauthorized or suspicious changes (see SAC044, pp 20-22).
  7. Keep your domain name registrant account information private, secure, and recoverable.

 

We agree with these recommendations and recommend implementing these in order to better protect your domains.

 

Registry locks, as recommended in item 4, are an additional step that can prevent the recent domain hijacks that have made the news. Verisign acts as the registry for several gTLDs and provides registry lock services for the .com, .net, .tv, .cc and .name TLDs.[3] Unfortunately, not all TLDs offer registry locks today; many ccTLDs do not, and nor does .org. According to MarkMonitor™, of the over 200 TLDs only 21 offer registry locks: .AF, .AU, .BI, .CX, .CC, .CZ, .EU, .COM, .NAME, .NET, .GY, .KI, .MX, .ME, .NL, .NF, .PK, .PR, .GS, .TL and .TV.

 

Matt Serlin, Vice President of Domain Management, MarkMonitor Inc., told HPSR that over the past few years MarkMonitor™ has been actively working with registry operators to offer additional security measures. This has included adding IP restrictions and two-factor authentication to registrar accounts as well as offering registry lock on high profile domains. Registry lock is the highest security option on a domain and will require multiple authentication steps to update a domain. MarkMonitor™ recommends all companies implement registry lock on their mission critical domains to mitigate the threat posed in the current domain threat landscape.

 

To check whether your domains are locked at the registrar or at the registry, look at the status lines in the whois output for the domain.

 

 If the status lines look like this, the domain is locked at the registrar (the client* status codes are set by the registrar):

     Status: clientDeleteProhibited

     Status: clientTransferProhibited

     Status: clientUpdateProhibited

  

 If the status lines look like this, the domain is locked at the registry (the server* status codes are set by the registry):

     Status: serverDeleteProhibited

     Status: serverTransferProhibited

     Status: serverUpdateProhibited
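ICANN’s item 6 above (monitor your domain’s WHOIS and DNS information for unauthorized changes) and the status-code check just described can be automated. The following is an added example, not code from the HP report or from ICANN: it parses status lines out of raw whois output in both line formats registries commonly use, classifies the lock level from the client*/server* codes, and diffs the currently observed NS and MX records against a known-good baseline, so that a swapped delegation or redirected mail exchanger is reported as a finding. The whois excerpts, record sets and the attacker.example hosts are constructed for the example; in practice the observed sets would come from `whois` and `dig` (or a DNS library) rather than from literals.

```python
import re

# EPP status codes as they appear in WHOIS output. client* codes are set by the
# registrar (registrar lock); server* codes are set by the registry (registry lock).
REGISTRAR_LOCKS = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}
REGISTRY_LOCKS = {"serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited"}

# Matches both the older "Status: code" and the newer "Domain Status: code <url>" formats.
STATUS_RE = re.compile(r"^\s*(?:Domain )?Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def parse_status_codes(whois_text):
    """Return the set of EPP status codes found in raw WHOIS output."""
    return {m.group(1) for m in STATUS_RE.finditer(whois_text)}


def lock_level(codes):
    """Classify lock strength: 'registry' (all three server* locks), 'registrar'
    (all three client* locks), 'partial-...' if only some of a set are present,
    or 'none'. Registry lock is checked first because it is the stronger control
    and normally coexists with the registrar locks."""
    if REGISTRY_LOCKS <= codes:
        return "registry"
    if REGISTRAR_LOCKS <= codes:
        return "registrar"
    if codes & REGISTRY_LOCKS:
        return "partial-registry"
    if codes & REGISTRAR_LOCKS:
        return "partial-registrar"
    return "none"


def _normalize(records):
    """Lower-case and strip trailing dots so 'NS1.EXAMPLE.NET.' equals 'ns1.example.net'."""
    return {r.lower().rstrip(".") for r in records}


def dns_drift(baseline, observed):
    """Compare the expected NS and MX record sets with what resolvers currently
    return. A hijack that swaps the delegation or the mail exchangers shows up
    as records added and records removed; an empty list means no change."""
    findings = []
    for rtype in ("NS", "MX"):
        expected = _normalize(baseline.get(rtype, ()))
        seen = _normalize(observed.get(rtype, ()))
        added, removed = seen - expected, expected - seen
        if added or removed:
            findings.append("%s changed: added=%s removed=%s"
                            % (rtype, sorted(added), sorted(removed)))
    return findings


def audit_domain(name, whois_text, baseline_dns, observed_dns):
    """Combine the lock check and the drift check into one report for a domain."""
    codes = parse_status_codes(whois_text)
    level = lock_level(codes)
    findings = dns_drift(baseline_dns, observed_dns)
    if level != "registry":
        findings.append("lock level is %s: ask the registrar for the client*Prohibited locks "
                        "and, where the TLD offers it, a registry lock (server*Prohibited)" % level)
    return {"domain": name, "lock": level, "status_codes": sorted(codes), "findings": findings}


# --- Constructed sample input (hypothetical, not real registry or DNS data) ---
WHOIS_LOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: serverDeleteProhibited
Status: serverTransferProhibited
Status: serverUpdateProhibited
Name Server: NS1.EXAMPLE.COM
"""

WHOIS_UNLOCKED = """\
Domain Name: EXAMPLE.NET
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE.NET
"""

# Baselines recorded while the zones were known-good, plus an observed answer set
# in which example.net's delegation and mail exchangers now point at attacker hosts.
BASELINE_COM = {"NS": ["ns1.example.com.", "ns2.example.com."], "MX": ["10 mail.example.com."]}
BASELINE_NET = {"NS": ["ns1.example.net.", "ns2.example.net."], "MX": ["10 mail.example.net."]}
OBSERVED_NET_HIJACKED = {"NS": ["ns1.attacker.example", "ns2.attacker.example"],
                         "MX": ["10 mx.attacker.example"]}

if __name__ == "__main__":
    for name, text, base, seen in (("example.com", WHOIS_LOCKED, BASELINE_COM, BASELINE_COM),
                                   ("example.net", WHOIS_UNLOCKED, BASELINE_NET, OBSERVED_NET_HIJACKED)):
        report = audit_domain(name, text, base, seen)
        print(report["domain"], "lock:", report["lock"], "codes:", report["status_codes"])
        for finding in report["findings"]:
            print("  !", finding)
```

Run such a check on a schedule from a host that does not use the organization’s own resolvers, so that a change made at the registry is seen in the public delegation rather than masked by a locally cached zone, and treat any NS change as an incident until it is confirmed: an attacker who replaces the delegation can change every record beneath it.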

 

The targeting of ccTLDs by attackers has grown to be such a problem that Microsoft launched a program to offer free security assessments to these registries in order to assist them to better secure their systems.[4]

 

Domain hijacking has been around for many years in various forms. Here we highlight twenty-seven incidents involving hijacked domains, many of which compromised a TLD and gave the attacker access to thousands of domains. Figure 2 shows twenty-six incidents by various hacker groups since January 2012. Before then, these attacks were seen, but not on the same scale; this period stands out for its increase in attack frequency. The incidents are identified in the timeline by the country in which the targeted domains are registered.

 

 

Figure 2 Related domain hijacking incidents[5]

 
Summary

For over two years, attackers have been targeting domain registrars, domain registries and administrative users with various attacks in order to hijack domains. In recent weeks this activity has increased and escalated. The movement away from less destructive goals toward leveraging domain hijacking to spread malware is a turning point, and it should be expected that this activity will continue. The incidents discussed here are by no means all-inclusive, but they should help the reader understand the breadth of the situation.

 

Actors profiled in this report range from individuals and groups with low skill levels, to internationally known hackers, to the unknown. What the incidents have in common is a relatively low skill level required in order to hijack a domain for malicious purposes, often without even touching the affected organization. As always, the human element is the weakest link and attackers have targeted that element repeatedly with spear phishing in order to gather credentials for domain administration systems. In other cases, web site vulnerabilities have been targeted. Regardless of the tactic used, the outcome is serious.

 

In this report we showed how attackers were able to access not only domain administration systems but email as well. Nearly every conversation on the Internet relies on DNS. DNS provides the flexibility needed for high availability (HA), growth and other changes in Internet infrastructure over time. For a great many reasons, communicating purely by IP address in order to bypass DNS is simply not feasible in this day and age. Because of this, DNS is a crucial component of the Internet and of all communications.

 

If you control DNS, you control large volumes of traffic: all user traffic, all web traffic, all email traffic, everything related to the affected domains. Suppose that in the attack against the NYTimes the SEA had stood up a replica website that requested user credentials and then redirected the user’s browser back to the original site. That is a man-in-the-middle attack that most users would never notice. What if this happened to a system such as Skype, with its 2 billion minutes per day of voice and video?[6] DNS should be considered critical infrastructure and protected as such.

 

This companion report supports Episode 7 of the HP Security Research Threat Intelligence Briefing podcast available on the Web and iTunes. The regular podcasts and the associated companion reports are published through the HP Security Research blog at hp.com/go/hpsrblog.



 
