A recent report from Palo Alto Networks' Unit 42 exposes the persistent and evolving risk of DNS hijacking, a stealthy tactic cybercriminals use to reroute users' web traffic. Using passive DNS analysis, the security firm also provided real-world examples of recent DNS hijacking attacks, highlighting the urgency of countering this hidden threat.
What is DNS hijacking?
DNS hijacking involves modifying the responses from targeted DNS servers, redirecting users to attacker-controlled servers instead of the legitimate ones they intend to reach.
DNS hijacking can be accomplished in several ways:
- Gaining control of the domain owner's account, which provides access to the DNS server settings: In this scenario, the attacker possesses valid user credentials with the authority to change the DNS server configuration directly. The attacker might also hold valid credentials for the domain registrar or DNS service provider and alter the configuration there.
- DNS cache poisoning: The attacker impersonates a DNS nameserver and forges a reply, so that users are served attacker-controlled content instead of the legitimate content.
- Man-in-the-middle attack: The attacker intercepts the user's DNS queries and returns results that redirect the victim to attacker-controlled content. This only works if the attacker controls a system involved in the DNS query/reply path.
- Modifying DNS-related system files, such as the hosts file on Microsoft Windows systems. If the attacker has access to that local file, the user can be redirected to attacker-controlled content.
Attackers often use DNS hijacking to redirect users to phishing websites that look similar to the intended websites, or to infect users with malware.
Detecting DNS hijacking with passive DNS
The Unit 42 report described a method to detect DNS hijacking through passive DNS analysis.
What is passive DNS?
Passive DNS describes terabytes of historical DNS query data. In addition to the domain name and the DNS record type, passive DNS records usually carry a "first seen" and a "last seen" timestamp. These records allow analysts to trace the IP addresses a domain has directed users to over time.
For an entry to appear in passive DNS, it must have been queried by a system whose DNS queries are recorded by a passive DNS collector. This is why the most comprehensive passive DNS data usually comes from providers with high query volumes, such as ISPs or companies with large customer bases. Subscribing to a passive DNS provider is generally recommended, as such providers collect far more DNS queries than the average company, offering a more complete view than local DNS logs alone.
Detecting DNS hijacking
Palo Alto Networks' method for detecting DNS hijacking begins by identifying never-seen-before DNS records, since attackers typically create new records to redirect users. Never-seen-before domains are excluded from detection because they lack sufficient historical data. Invalid records are also removed at this step.
The remaining DNS records are then analyzed using passive DNS and geolocation data across 74 features. According to the report, "some features compare the historical usage of the new IP address to the old IP address of the domain name in the new record." The goal is to detect anomalies that could indicate a DNS hijack operation. A machine-learning model then produces a probability score based on this analysis.
WHOIS records are also checked to rule out domains that have simply been re-registered, since re-registration usually results in a complete IP address change that could otherwise be mistaken for a DNS hijack.
Finally, active navigation is performed against the domains' IP addresses, and their HTTPS certificates are compared. Identical results indicate false positives, which are then excluded from the set of DNS hijacking operations.
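As an added illustration (not code from the report or from Unit 42), the following Python sketches the first stages of that pipeline over a constructed passive DNS feed: it selects A records first seen on a given day, drops never-seen-before domains, and scores each new record by comparing the new IP's country, ASN and historical usage against the domain's previous IPs. The GEO table, the weights and every domain and IP are constructed; the three hand-weighted checks stand in for the report's 74-feature machine-learning model.

```python
from collections import defaultdict

# Constructed passive DNS feed: (domain, A-record rdata, first_seen, last_seen).
# Dates are ISO strings, so plain string comparison orders them correctly.
PDNS = [
    ("party.example",      "192.0.2.10",   "2017-03-01", "2024-01-14"),
    ("news.party.example", "192.0.2.11",   "2019-06-01", "2024-01-14"),
    ("ftp.util.example",   "198.51.100.5", "2014-05-02", "2024-05-10"),
    ("www.util.example",   "198.51.100.5", "2014-05-02", "2024-05-11"),
    ("shop.example",       "203.0.113.7",  "2023-11-01", "2024-01-10"),
    # records first observed on the days under analysis
    ("party.example",      "203.0.113.7",  "2024-01-15", "2024-01-15"),
    ("brandnew.example",   "203.0.113.8",  "2024-01-15", "2024-01-15"),
    ("ftp.util.example",   "203.0.113.9",  "2024-05-11", "2024-05-11"),
    ("www.util.example",   "198.51.100.6", "2024-05-11", "2024-05-11"),
]
# Constructed geolocation: ip -> (country, ASN). Real pipelines use a GeoIP/ASN database.
GEO = {"192.0.2.10": ("SK", 64500), "192.0.2.11": ("SK", 64500),
       "198.51.100.5": ("US", 64501), "198.51.100.6": ("US", 64501),
       "203.0.113.7": ("DE", 64502), "203.0.113.8": ("DE", 64502),
       "203.0.113.9": ("RU", 64503)}


def score_new_records(records, day, geo):
    """Score A records first seen on `day` for domains that have prior history.

    Returns {(domain, ip): (score, reasons)}; a higher score is more suspicious.
    The three hand-weighted checks stand in for the report's 74-feature ML model.
    """
    history = defaultdict(set)     # domain -> IPs it resolved to before `day`
    ip_domains = defaultdict(set)  # ip -> every domain that ever pointed at it
    for dom, ip, first, _last in records:
        ip_domains[ip].add(dom)
        if first < day:
            history[dom].add(ip)
    results = {}
    for dom, ip, first, _last in records:
        if first != day or not history[dom]:
            continue  # not a never-seen-before record, or a never-seen-before domain
        old_cc, old_asn = zip(*(geo[o] for o in history[dom]))
        new_cc, new_asn = geo[ip]
        apex = ".".join(dom.split(".")[-2:])  # crude apex; use the PSL in practice
        checks = [
            (new_asn not in old_asn, 2, "new IP is in a different ASN"),
            (new_cc not in old_cc, 2, "new IP is in a different country"),
            (any(not d.endswith(apex) for d in ip_domains[ip]), 1,
             "new IP has served domains outside this apex"),
        ]
        results[(dom, ip)] = (sum(w for hit, w, _ in checks if hit),
                              [r for hit, _, r in checks if hit])
    return results
```

Running it for 2024-01-15 flags only party.example (brandnew.example has no history and is skipped); for 2024-05-11 the FTP host moving to a new country and ASN scores high while www.util.example moving within the same ASN scores zero.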
DNS hijack statistics
From March 27 to Sept. 21, 2024, the researchers processed 29 billion new records, 6,729 of which were flagged as DNS hijacking. That works out to an average of 38 DNS hijack records per day.
Unit 42 indicates that cybercriminals have hijacked domains to host phishing content, deface websites, or spread illicit content.
DNS hijacking: Real-world examples
Unit 42 has seen several DNS hijack cases in the wild, mostly for cybercrime purposes. But it is also possible to use DNS hijacking for cyberespionage.
Hungarian political party leads to phishing
One of the largest political opposition groups to the Hungarian government, the Democratic Coalition (DK), has been hosted on the same subnet of IP addresses in Slovakia since 2017. In January 2024, researchers detected a change in the DK's website, which suddenly resolved to a new German IP address, leading to a Microsoft login page instead of the political party's usual news page.
US company defaced
In May 2024, two domains of a leading U.S. utility management company were hijacked. The FTP service, which had pointed to the same IP address since 2014, suddenly changed. The DNS nameserver was hijacked using the attacker-controlled ns1.csit-host.com.
According to the research, the attackers also used the same nameservers to hijack other websites in 2017 and 2023. The goal of the operation was to display a defaced page from an activist group.
How companies can protect themselves from this threat
To protect against these threats, the report recommended that organizations:
- Deploy multi-factor authentication for access to their DNS registrar accounts. Setting up an allowlist of IP addresses permitted to access DNS settings is also a good idea.
- Use a DNS registrar that supports DNSSEC. This protocol adds a layer of security by digitally signing DNS records, which makes it harder for threat actors to intercept and spoof DNS data undetected.
- Use networking tools that compare DNS query results from third-party DNS servers, such as those of ISPs, with the results obtained from the company's standard DNS server. A mismatch could indicate a change in DNS settings, which might be a DNS hijacking attack.
In addition, all hardware, such as routers, must have up-to-date firmware, and all software must be up to date and patched to avoid being compromised through common vulnerabilities.
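As an added example of that last cross-check (not code from the report or from any tool it names), this Python uses only the standard library: it builds a minimal RFC 1035 A query, parses the IPv4 answers from each resolver's reply, and reports every third-party resolver whose answer set differs from the corporate resolver's. The resolver labels and addresses passed to check_domain are assumed placeholders; parse_a_records and compare_answers also work offline on a captured response.

```python
import random, socket, struct

def build_query(name, qid):
    """Minimal RFC 1035 query for an A/IN record with recursion desired."""
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(msg, qid):
    """Return the set of IPv4 answers in a DNS response; raise on bad id/RCODE."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != qid or flags & 0x000F:
        raise ValueError("transaction id mismatch or non-zero RCODE")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def resolve_a(name, resolver_ip, timeout=3.0):
    """Ask one resolver over UDP/53 for the A records of `name`."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)

def compare_answers(answers):
    """answers: {label: set of IPs}; return resolvers that disagree with 'corporate'."""
    baseline = answers["corporate"]
    return {label: ips for label, ips in answers.items() if ips != baseline}

def check_domain(name, corporate_ip, third_party):
    # third_party: {label: resolver_ip}; a non-empty result warrants a closer look
    answers = {"corporate": resolve_a(name, corporate_ip)}
    answers.update((lbl, resolve_a(name, ip)) for lbl, ip in third_party.items())
    return compare_answers(answers)
```

Note that CDNs and split-horizon DNS legitimately return different addresses to different resolvers, so a mismatch is a signal to investigate rather than proof of a hijack.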
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.