A recent report from Palo Alto Networks' Unit 42 exposes the persistent and evolving risk of DNS hijacking, a stealthy tactic cybercriminals use to reroute website visitors. Using passive DNS analysis, the cybersecurity firm also provided real-world examples of recent DNS hijacking attacks, highlighting the urgency of countering this hidden threat.
What is DNS hijacking?
DNS hijacking involves modifying the responses from targeted DNS servers, redirecting users to attacker-controlled servers instead of the legitimate ones they intend to reach.
DNS hijacking can be carried out in several ways:
- Gaining control of the domain owner's account, which provides access to DNS server settings: In this scenario, the attacker possesses valid user credentials with the authority to directly change the DNS server configuration. The attacker might also have valid credentials for the domain registrar or DNS service provider and change the configuration there.
- DNS cache poisoning: The attacker impersonates a DNS nameserver and forges a reply, leading to attacker-controlled content instead of the legitimate one.
- Man-in-the-middle attack: The attacker intercepts the user's DNS queries and provides results that redirect the victim to attacker-controlled content. This only works if the attacker controls a system involved in the DNS query/reply process.
- Modifying DNS-related system files, such as the hosts file on Microsoft Windows systems. If the attacker has access to that local file, it is possible to redirect the user to attacker-controlled content.
Attackers often use DNS hijacking to redirect users to phishing websites that look like the intended websites, or to infect users with malware.
Detecting DNS hijacking with passive DNS
The Unit 42 report described a method to detect DNS hijacking through passive DNS analysis.
What is passive DNS?
Passive DNS describes terabytes of historical DNS queries. In addition to the domain name and the DNS record type, passive DNS records typically contain a "first seen" and a "last seen" timestamp. These records allow users to trace the IP addresses a domain has directed users to over time.
For an entry to appear in passive DNS, it must be queried by a system whose DNS queries are recorded by passive DNS systems. This is why the most comprehensive passive DNS information typically comes from providers with high query volumes, such as ISPs or companies with extensive customer bases. Subscribing to a passive DNS provider is often advisable, as they collect more DNS queries than the average company, offering a more complete view than local DNS queries alone.
Detecting DNS hijacking
Palo Alto Networks' method for detecting DNS hijacking begins by identifying never-seen-before DNS records, as attackers typically create new records to redirect users. Never-seen-before domains are excluded from detection because they lack sufficient historical information. Invalid records are also removed at this step.
The DNS records are then analyzed using passive DNS and geolocation data based on 74 features. According to the report, "some features compare the historical usage of the new IP address to the old IP address of the domain name in the new record." The goal is to detect anomalies that could indicate a DNS hijack operation. A machine-learning model then provides a probability score based on the analysis.
WHOIS records are also checked to account for domains that have been re-registered, which typically results in a complete IP address change that could otherwise be mistaken for a DNS hijack.
Finally, active navigations are performed on the domains' IP addresses and HTTPS certificates. Identical results indicate false positives and can therefore be excluded from DNS hijacking operations.
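The pipeline described above (new record with history, passive DNS and geolocation features, WHOIS re-registration check, certificate comparison from active probing) as an added, simplified example; this is not Unit 42's code. The three hand-weighted features and the weights stand in for the report's 74 features and ML model, and all domains, addresses, dates, ASNs and fingerprints are constructed.

```python
from datetime import date

# Constructed passive DNS history: domain -> [(ip, first_seen, last_seen)]
PASSIVE_DNS = {
    "news.example-party.hu": [("192.0.2.10", date(2017, 3, 1), date(2024, 1, 14))],
    "ftp.example-utility.com": [("203.0.113.7", date(2014, 6, 2), date(2024, 5, 20))],
    "shop.example.net": [("203.0.113.40", date(2019, 2, 2), date(2023, 1, 1))],
}
# Constructed geolocation data: ip -> (country, ASN)
GEO = {"192.0.2.10": ("SK", 64500), "198.51.100.23": ("DE", 64501),
       "203.0.113.7": ("US", 64502), "203.0.113.9": ("US", 64502),
       "203.0.113.40": ("US", 64503), "198.51.100.77": ("FR", 64504)}
# Constructed WHOIS creation dates and TLS certificate fingerprints from active probing
WHOIS_CREATED = {"news.example-party.hu": date(2016, 11, 5),
                 "ftp.example-utility.com": date(2013, 9, 9),
                 "shop.example.net": date(2023, 6, 1)}  # re-registered after last_seen
CERT_SHA256 = {"203.0.113.7": "aa11", "203.0.113.9": "aa11", "198.51.100.23": "bb22"}

def score_new_record(domain, new_ip):
    """Score a never-seen-before A record. None means excluded from detection."""
    history = PASSIVE_DNS.get(domain)
    if not history:
        return None  # never-seen-before domain: no history to compare against
    if any(ip == new_ip for ip, _, _ in history):
        return None  # the record already exists in passive DNS, nothing new
    old_ip, old_first, old_last = max(history, key=lambda r: r[2])
    if WHOIS_CREATED.get(domain, date.min) > old_last:
        return None  # domain was re-registered: a full IP change is expected
    # Active check: the same certificate on old and new IP points to a legitimate move
    if CERT_SHA256.get(old_ip) and CERT_SHA256.get(old_ip) == CERT_SHA256.get(new_ip):
        return {"score": 0.0, "reason": "identical TLS certificate on old and new IP"}
    features = {
        "country_changed": GEO[new_ip][0] != GEO[old_ip][0],
        "asn_changed": GEO[new_ip][1] != GEO[old_ip][1],
        "old_record_age_years": min((old_last - old_first).days // 365, 5),
    }
    # Hand-weighted stand-in for the report's ML model: a long-stable record that
    # suddenly jumps to another country or network is the most suspicious case
    score = (0.3 * features["country_changed"] + 0.2 * features["asn_changed"]
             + 0.1 * features["old_record_age_years"])
    return {"score": round(score, 2), "features": features}
```

The first constructed case mirrors the Slovakia-to-Germany move in the Hungarian example, the second a same-certificate change that the active check discards.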
DNS hijack statistics
From March 27 to Sept. 21, 2024, researchers processed 29 billion new records, 6,729 of which were flagged as DNS hijacking. This resulted in an average of 38 DNS hijack records per day.
Unit 42 indicates that cybercriminals have hijacked domains to host phishing content, deface websites, or spread illicit content.
DNS hijacking: Real-world examples
Unit 42 has seen several DNS hijack cases in the wild, mostly for cybercrime purposes. But it is also possible to use DNS hijacking for cyberespionage.
Hungarian political party leads to phishing
One of the largest political opposition groups to the Hungarian government, the Democratic Coalition (DK), has been hosted on the same subnet of IP addresses in Slovakia since 2017. In January 2024, researchers detected a change in DK's website, which suddenly resolved to a new German IP address, leading to a Microsoft login page instead of the political party's usual news page.
US company defaced
In May 2024, two domains of a leading U.S. utility management company were hijacked. The FTP service, which had pointed to the same IP address since 2014, suddenly changed. The DNS nameserver was hijacked using the attacker-controlled ns1.csit-host.com.
According to the research, the attackers also used the same nameservers to hijack other websites in 2017 and 2023. The goal of the operation was to show a defaced page from an activist group.
How companies can protect themselves from this threat
To protect against these threats, the report suggested that organizations:
- Deploy multi-factor authentication for access to their DNS registrar accounts. Establishing a whitelist of IP addresses allowed to access DNS settings is also a good idea.
- Use a DNS registrar that supports DNSSEC. This protocol adds a layer of security by digitally signing DNS records, making it harder for threat actors to intercept and spoof data.
- Use networking tools that compare DNS query results from third-party DNS servers, such as those from ISPs, to the DNS query results obtained when using the company's usual DNS server. A mismatch could indicate a change in DNS settings, which might be a DNS hijacking attack.
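The resolver comparison from the last recommendation as an added example (not from the report or any product): answers collected from the company's resolver and from third-party resolvers are clustered by overlap, so CDN-style address rotation does not raise a false alarm, and the outlier tells you whether the divergence sits on the company's own resolver path or at one outside resolver. Resolver names and addresses are constructed.

```python
def group_by_overlap(answers):
    """Cluster resolvers whose A-record answer sets share at least one address."""
    groups = []
    for name, ips in answers.items():
        for group in groups:
            if any(ips & answers[member] for member in group):
                group.append(name)
                break
        else:
            groups.append([name])
    return groups

def classify_resolver_answers(answers, internal="corp-resolver"):
    """answers: {resolver_name: set(ip)} for one queried name.
    Returns (verdict, outlier_resolvers)."""
    groups = group_by_overlap(answers)
    if len(groups) == 1:
        return "consistent", []
    majority = max(groups, key=len)
    outliers = [name for group in groups if group is not majority for name in group]
    if internal in outliers:
        # the company's own resolver disagrees with the outside world: its
        # settings, upstream path or cache may have been altered
        return "internal-resolver-diverges", outliers
    # a single outside resolver disagrees: its cache may be poisoned
    return "third-party-resolver-diverges", outliers

# Constructed answers for one hostname; CDN-style rotation gives overlapping sets
CONSISTENT = {"corp-resolver": {"203.0.113.7", "203.0.113.8"},
              "isp-a": {"203.0.113.8"}, "isp-b": {"203.0.113.7"}}
LOCAL_HIJACK = {"corp-resolver": {"198.51.100.23"},
                "isp-a": {"203.0.113.7", "203.0.113.8"}, "isp-b": {"203.0.113.8"}}
POISONED_ISP = {"corp-resolver": {"203.0.113.7"},
                "isp-a": {"203.0.113.7"}, "isp-b": {"198.51.100.23"}}
```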
In addition, all hardware, such as routers, must have up-to-date firmware, and all software must be up to date and patched to avoid being compromised by common vulnerabilities.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.