A latest report from Palo Alto Networks’s Unit 42 exposes the persistent and evolving risk of DNS hijacking, a stealthy tactic cybercriminals use to reroute web site visitors. By leveraging passive DNS evaluation, the cybersecurity firm additionally offered real-world examples of latest DNS hijacking assaults — highlighting the urgency of countering this hidden hazard.
What’s DNS hijacking?
DNS hijacking entails modifying the responses from focused DNS servers, redirecting customers to attacker-controlled servers as an alternative of the authentic ones they intend to succeed in.
DNS hijacking might be achieved in a number of methods:
- Gaining management of the area proprietor’s account, offering entry to DNS server settings: On this state of affairs, the attacker possesses legitimate consumer credentials with the authority to immediately change the DNS server configuration. The attacker might even have legitimate credentials for the area registrar or DNS service supplier and alter the configuration.
- DNS cache poisoning: The attacker impersonates a DNS nameserver and forges a reply, resulting in attacker-controlled content material as an alternative of the authentic one.
- Man-in-the-Center assault: The attacker intercepts the consumer’s DNS queries and offers outcomes that redirect the sufferer to the attacker-controlled content material. This solely works if the attacker is in command of a system implicated within the DNS question/reply course of.
- Modifying DNS-related system information, such because the host file in Microsoft Home windows programs. If the attacker has entry to that native file, it’s attainable to redirect the consumer to attacker-controlled content material.
Attackers typically use DNS hijacking to redirect customers to phishing web sites that look just like the supposed web sites or to contaminate the customers with malware.
Detecting DNS hijacking with passive DNS
The Unit 42 report described a technique to detect DNS hijacking through passive DNS evaluation.
What’s passive DNS?
Passive DNS describes terabytes of historic DNS queries. Along with the area title and the DNS document kind, passive DNS data typically comprise a “first seen” and a “final seen” timestamp. These data enable customers to hint the IP addresses a website has directed customers to over time.
For an entry to look in passive DNS, it have to be queried by a system whose DNS queries are recorded by passive DNS programs. That is why essentially the most complete passive DNS data typically comes from suppliers with excessive question volumes, comparable to ISPs or firms with in depth buyer bases. Subscribing to a passive DNS supplier is commonly advisable, as they gather extra DNS queries than the common firm, providing a extra full view than native DNS queries alone.
SEE: Every little thing You Have to Know in regards to the Malvertising Cybersecurity Risk (TechRepublic Premium)
Detecting DNS hijacking
Palo Alto Community’s methodology for detecting DNS hijacking begins by figuring out never-seen-before DNS data, as attackers usually create new data to redirect customers. By no means-seen-before domains are excluded from detection as a result of they lack adequate historic data. Invalid data are additionally eliminated at this step.
The DNS data are then analyzed utilizing passive DNS and geolocation information primarily based on 74 options. In response to the report, “some options examine the historic utilization of the brand new IP tackle to the previous IP tackle of the area title within the new document.” The aim is to detect anomalies that would point out a DNS hijack operation. A machine-learning mannequin then offers a chance rating primarily based on the evaluation.
WHOIS data are additionally checked to forestall a website from being re-registered, which typically leads to a whole IP tackle change that may very well be detected as DNS hijack.
Lastly, energetic navigations are carried out on the domains’ IP addresses and HTTPS certificates. Equivalent outcomes point out false positives and might due to this fact be excluded from DNS hijacking operations.
DNS hijack statistics
From March 27 to Sept. 21 2024, researchers processed 29 billion new data, 6,729 of which had been flagged as DNS hijacking. This resulted in a mean of 38 DNS hijack data per day.
Unit 42 signifies that cybercriminals have hijacked domains to host phishing content material, deface web sites, or unfold illicit content material.
DNS hijacking: Actual-world examples
Unit 42 has seen a number of DNS hijack circumstances within the wild, largely for cybercrime functions. But it’s also attainable to make use of DNS hijacking for cyberespionage.
Hungarian political social gathering results in phishing
One of many largest political opposition teams to the Hungarian authorities, the Democratic Coalition (DK), has been hosted on the identical subnet of IP addresses in Slovakia since 2017. In January 2024, researchers detected a change within the DK’s web site, which abruptly resolved to a brand new German IP tackle, resulting in a Microsoft login web page as an alternative of the political social gathering’s regular information web page.
US firm defaced
In Could 2024, two domains of a number one U.S. utility administration firm had been hijacked. The FTP service, which has led to the identical IP tackle since 2014, abruptly modified. The DNS nameserver was hijacked utilizing the attacker-controlled ns1.csit-host.com.
In response to the analysis, the attackers additionally used the identical nameservers to hijack different web sites in 2017 and 2023. The aim of the operation was to point out a defaced web page from an activist group.
How firms can shield themselves from this risk
To guard from these threats, the report steered that organizations:
- Deploy multi-factor authentication to entry their DNS registrar accounts. Establishing a whitelist of IP addresses allowed to entry DNS settings can be a good suggestion.
- Leverage a DNS registrar that helps DNSSEC. This protocol provides a layer of safety by digitally signing DNS communications, making it tougher to intercept and spoof information for risk actors.
- Use networking instruments that examine DNS queries outcomes from third-party DNS servers — comparable to these from ISPs — to the DNS queries outcomes obtained when utilizing the corporate’s regular DNS server. A mismatch might point out a change in DNS settings, which is likely to be a DNS hijacking assault.
As well as, all {hardware}, comparable to routers, should have up-to-date firmware, and all software program have to be up-to-date and patched to keep away from being compromised by frequent vulnerabilities.
Disclosure: I work for Pattern Micro, however the views expressed on this article are mine.
