Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.
Initial research suggests the actor or actors responsible have a nexus to Iran. This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success.
Commenting on the news are the following security researchers:
Craig Young, computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT):
“From what I know of this wave of attacks, most of the hijackings have involved compromised credentials being used to directly manipulate DNS records. This is very easy to guard against by limiting access to DNS server management portals and using FIDO-based multi-factor authentication.
Organizations should also be taking advantage of certificate transparency logs to actively recognize if an illegitimate HTTPS certificate has been issued. Certificate transparency logging is required for all certification authorities in the CA/Browser Forum. For added security, organizations can even use HSTS preloading with certificate pinning to make sure browsers will not trust a certificate created through DNS hijacking.
In general, it is very important to closely monitor DNS configuration and promptly remove any stale records. This is especially true when stopping a cloud campaign, where the service required DNS records pointing to the cloud provider’s network. Frans Rosén with Detectify Labs has demonstrated repeatedly that this situation can be used to take control of many high-value domains.
Compromised domains can be used to distribute malware, harvest credentials, and even spy on email.”
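The two controls Young describes, watching the zone for unexpected changes and pruning stale records that still point at a cloud provider, can be turned into a routine check. The script below is an added example and is not code from the article, from Tripwire, or from Detectify; the zone records, the baseline, the addresses and the `RESOLVABLE` set are all constructed for the illustration (in production the CNAME targets would be resolved with a live DNS lookup instead of a fixed set):

```python
"""Added example, not code from the article or any quoted researcher.

Audits a DNS zone snapshot against an approved baseline: every added or
removed record is reported (the way a hijacker's NS or A changes would
surface), and CNAMEs whose targets no longer resolve are flagged as stale
records that a third party could claim.

Assumptions: record lists come from your DNS provider's export; the
RESOLVABLE set stands in for a live lookup of each CNAME target. All
names and addresses below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Record:
    name: str    # owner name, fully qualified
    rtype: str   # A, NS, MX, CNAME, ...
    value: str   # RDATA as text


# Constructed baseline: the last reviewed and approved zone.
BASELINE = frozenset({
    Record("example.org.", "A", "203.0.113.10"),
    Record("example.org.", "NS", "ns1.example.org."),
    Record("example.org.", "MX", "10 mx1.example.org."),
    Record("app.example.org.", "CNAME", "app-prod.cloud-provider.example."),
    Record("old-campaign.example.org.", "CNAME", "campaign-2017.cloud-provider.example."),
})

# Constructed current snapshot: the NS record now points somewhere new and
# an extra A record appeared, the pattern the article describes.
CURRENT = frozenset(
    (BASELINE - {Record("example.org.", "NS", "ns1.example.org.")})
    | {
        Record("example.org.", "NS", "ns1.unexpected.example."),
        Record("login.example.org.", "A", "198.51.100.7"),
    }
)

# Constructed stand-in for "which CNAME targets still resolve".
# The old campaign host has been torn down, so it is absent here.
RESOLVABLE = frozenset({"app-prod.cloud-provider.example."})

# Record types whose change is most consequential in a hijack.
HIGH_IMPACT = {"NS", "MX", "SOA"}


def diff_zone(baseline, current):
    """Return (added, removed) record lists, sorted for stable output."""
    return sorted(current - baseline), sorted(baseline - current)


def dangling_cnames(records, resolvable):
    """CNAMEs whose target does not resolve: stale records to remove."""
    return sorted(r for r in records
                  if r.rtype == "CNAME" and r.value not in resolvable)


def audit(baseline, current, resolvable):
    """Produce one finding string per problem; an empty list means clean."""
    findings = []
    added, removed = diff_zone(baseline, current)
    for r in removed:
        sev = "HIGH" if r.rtype in HIGH_IMPACT else "MEDIUM"
        findings.append(f"{sev} removed {r.rtype} {r.name} -> {r.value}")
    for r in added:
        sev = "HIGH" if r.rtype in HIGH_IMPACT else "MEDIUM"
        findings.append(f"{sev} added {r.rtype} {r.name} -> {r.value}")
    for r in dangling_cnames(current, resolvable):
        findings.append(
            f"HIGH dangling CNAME {r.name} -> {r.value} (remove or reclaim)")
    return findings


if __name__ == "__main__":
    for line in audit(BASELINE, CURRENT, RESOLVABLE):
        print(line)
```

Run on a schedule against a fresh export, the diff catches the record manipulation that follows a portal-credential compromise, and the dangling-CNAME pass catches the leftover campaign records Young warns about; both checks are only as good as the baseline, so update it through the same change-review process that gates DNS edits.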
Chris Doman, security researcher at AlienVault:
“This is continuing activity that was earlier reported on by Cisco back in November. The main intention behind these attacks seems to be able to bypass the encryption on traffic to certain websites, by issuing attacker-controlled security certificates.
It’s interesting that attackers in Iran are pointed to as a possible source of these attacks. Attackers in Iran were linked to somewhat similar attacks back in 2011 that involved compromising a certificate authority to issue their own certificates. US-CERT has provided some advice on how to respond to these attacks, with the primary recommendation being to ensure you have two-factor authentication enabled on your domain name setting panels.”