DNS hijacking has been making headlines in recent weeks with several high profile attacks coming to light. From router takeovers to mass mobile hijacking to the “Sea Turtle” campaign, hijacking is an often overlooked threat vector that baffles some security personnel due to there being few apparent avenues of defense. However, with the right preparation, mitigating the risks of DNS hijacks becomes a much simpler exercise.
What is DNS Hijacking?
DNS hijacking is an attack vector in which threat actors alter a victim’s DNS settings in order to driver the victim’s internet traffic to a predetermined destination controlled by the threat actor. This can several forms, the most common of which are manually altering DNS settings in the router itself and compromising ISP infrastructure.
The DNS hijacking attack vector has been in the news recently with the observance and reporting of several high profile campaigns. The first involved attackers using common exploits against D-Link routers to manually alter the router’s DNS settings, driving infected users to specific phishing and malvertising sites.
A second campaign targeted mobile users with malware which changed the infected device’s DNS settings in order to drive the victims to specific malvertisement sites.
The third campaign, known as “Sea Turtle”, involved a state-sponsored threat actor infiltrating ISPs and altering DNS setting for specific ISP customers, primarily government institutions, in order to establish man-in-the-middle attacks as a form of espionage.
Indeed, several malware strains include DNS hijacking settings to drive infected internet traffic to specific destinations. This is especially common when targeting iOS and Mac OS devices as DNS settings are some of the few settings that are relatively insecure against malicious software infections on those devices.
An Oldie and A Goldie
DNS hijacking and its myriad variations are not new. These techniques have been in use for at least a decade, as the very nature of DNS makes it exceedingly difficult to defend. As noted before in this blog, the Domain Name System (DNS) serves as the phonebook of the internet, directing traffic by converting URLs into numeric values (IPs) and routing traffic to the proper destination.
Every computer connected to the internet has a root DNS server to which it automatically begins DNS searches, and these servers can also be specified at the router level. For example, many US-sold personal computers default to Google’s DNS server, but the computer’s owner can manually change these settings if they so desire, such as to a VPN’s server, or set a global LAN DNS server via their router.
However, if a threat actor has established his own DNS server, and he manages to change someone’s DNS settings, then all traffic internet traffic originating from that someone’s machine will route to the threat actor’s DNS server first, giving the threat actor full control over “the phonebook” and all of its lookup and routing potential.
Identifying When Adversaries Establish Attack Infrastructure
Defending against DNS hijacks is much the same as many other preventative cyber defenses – understanding the organization’s digital footprint and the ways in which a threat actor may seek to exploit that infrastructure in order to be prepared for the possibility. Obviously an organization has little control over attacks against its ISP, but situational awareness can assist in identifying how a threat actor may launch such attacks.
Understanding this footprint is much the same as defending against typosquatting, except that, instead of only looking at the organization’s footprint, security teams must also consider outside organizations with which there are regular business interactions.
DNS monitoring tools in conjunction with an SSL/TLS certificate monitoring tools provide an organization with valuable insight into not only its own digital footprint, but the footprints of major third-party vendors.
In these types of attacks, threat actors will establish fake websites with URLs that are highly similar to the real site’s URL. For example, a recent phishing campaign targeting Verizon mobile customers saw more than 30 variations of Verizon used in conjunction with other keywords for the threat actor’s phishing domains. In terms of the MITRE PRE-ATT&CK framework, this process falls in the range of T1326-T1334.
In addition, anonymously purchasing valid SSL certificates is easier than ever. A valid certificate proves the malicious site’s trustworthiness to the browser. If a green padlock is present in the address bar of the browser, that means that the SSL certificate is valid and trusted.
Threat actors will use these typosquats and valid SSL certificates to portray their malicious sites like a real site in order to harvest credentials with fake login screens, deliver malicious payloads to the victim’s computer, launch cyptomining scripts, or serve malicious advertisements, among other actions. When a threat actor can reasonably portray a common website with which an organization has regular business interaction, they rely on their victims to blindly click on links and log in to websites.
Therefore, an organization must develop a robust list of common tokens of not only its own names and brands, but the names and brands of trusted partners and third-party vendors. With this list, the organization can monitor for new infrastructure, as either domain names or SSL certificates, and request takedowns and further investigations if illegitimate entries appear. Should such entities appear, security personnel can then check to see if anyone inside the organization has visited that page and immediately take steps to reset passwords or quarantine that user’s machine if malware is present.
Beyond this monitoring for tampering outside of the organization’s domain space, organizations should strictly adhere to DNS Security Extension (DNSSEC) specifications and ensure that access to admin accounts is limited with strong passwords. Performing regular audits of the organization’s DNS space, along with audits of other partners will assist in verifying that traffic between the two entities remains between them and away from prying eyes.