3 Strategies For Protecting Your Network Against DNS Hijacking

By ISBuzz Team, September 6, 2019 (updated July 4, 2024)
Cybercriminals are increasingly targeting the domain name system, more than any other piece of digital communications infrastructure. The DNS, often described as the phone directory of the internet, is vulnerable to hijacking, a serious and growing threat. A variation known as Sea Turtle is especially dangerous because it threatens not only organizations, their customers and their users, but the DNS infrastructure itself.

Researchers from Cisco Talos reported a dangerous example of DNS compromise in late 2018 and early 2019. Dubbed DNSpionage, this apparently state-sponsored campaign hijacked DNS records so that users were silently redirected to attacker-controlled servers. It was serious enough that the U.S. Department of Homeland Security issued Emergency Directive 19-01, ordering federal civilian agencies to audit their DNS records, change the passwords on their DNS administration accounts, add multifactor authentication to those accounts and monitor Certificate Transparency logs for certificates they had not requested, alongside a public alert warning governments and commercial organizations of the risk.

More worrisome, however, is a variation on domain hijacking that threatens both organizations and the service-provider infrastructure of the DNS itself.

Breaching the Foundations of Trust

When hackers compromise the integrity of the DNS, they attack the very foundation of the internet. Every digital destination an organization owns has a domain name and a DNS configuration that resolves that name to the IP address browsers such as Chrome and Safari connect to, for each and every endpoint. Domains and DNS records are the basic underpinning of the internet, and they sit at the root of the chain of trust: certificate authorities prove control of a domain through its DNS, mail is delivered to wherever the MX records point, and users take a familiar hostname as evidence that the site behind it is legitimate.

A DNS attack is therefore a profound breach of the chain of trust that underpins communication in the digital age. Given the volume and sensitivity of the data now exchanged online, the potential harm to organizations and their customers is severe: whoever controls a domain's DNS controls where its web, mail and API traffic goes.

Beginning in 2017, the Sea Turtle attacks first affected government organizations in the Middle East and Europe. Unlike DNS hijacking that targets the domain-owning organization, Sea Turtle also breached domain registrars, managed DNS services and certain top-level domain registries. Effectively, Sea Turtle acquires control of the DNS service layer that its targets depend on.

Using the very DNS infrastructure that companies and their customers rely on to protect their online activities, the perpetrators can sit in the middle of an online conversation and harvest any sensitive data and credentials the parties exchange. It is just as bad as it sounds. Imagine logging into your online bank account only to learn later that a malicious third party had proxied the whole session: your credentials have been stolen and the thieves now have access to your bank account.

Domain hijacking gives criminals control over an organization's domains and every endpoint behind them, such as web pages, applications and devices, allowing them to redirect traffic intended for legitimate destinations to servers they operate. This is a man-in-the-middle attack. Its effect is compounded by the attacker's ability to obtain valid TLS (SSL) certificates for the hijacked names. A certificate binds a hostname to a key and is what produces the padlock in the browser window, but a domain-validated certificate is issued to whoever can answer the certificate authority's validation challenge over HTTP or DNS, and an attacker who controls the DNS can answer it. With a freshly issued certificate, the attacker's proxy presents the real hostname, a valid certificate and a padlock, and the session is hijacked under the guise of security. Note that the attackers do not issue certificates themselves: they obtain them from public CAs, which is why such certificates are recorded in Certificate Transparency logs.

Identifying Vulnerabilities

The most basic organizational weakness attackers exploit is access to systems through compromised credentials. DNS hijackers use carefully tailored emails to trick IT personnel or domain registrar employees into revealing administrative credentials. This spear-phishing tactic has repeatedly granted unauthorized access to DNS systems, and it is difficult to defend against with awareness alone, which is why the credentials themselves need multifactor protection.

The second weakness is a lack of owner control over the DNS. Armed with a stolen password, hackers can change critical DNS settings, such as name servers, A records and MX records, with the domain-owning organization none the wiser.

With DNS served by a mix of domain registrars, managed DNS service providers and the organization's own self-administered servers, visibility and change control are hard to maintain. Large organizations often rely on multiple, sometimes dozens of, active DNS services. Effective management and monitoring in this common scenario is close to impossible without an audit trail that records who changed what, and when.

A third weakness is TLS certificate administration. A DNS hijack does not change the URL the user typed; the hostname in the address bar is the real one, so the redirection itself is invisible to the user. The only signal the browser could give is a certificate warning, and clever domain hijackers remove it by ordering a basic domain-validated certificate for the victim's hostname, which the CA will issue because the attacker now controls the DNS the validation depends on. Few, if any, organizations reconcile their certificate inventory against the public Certificate Transparency logs where every such certificate is recorded, so bogus certificates go unnoticed.
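The reconciliation described above, as an added example that is not part of the original article: it compares Certificate Transparency entries for the organization's domains against the certificates the organization knows it ordered, and flags anything issued by a CA the organization has no account with. The domain, the approved CA, the inventory and the log entries are constructed sample data standing in for the JSON that crt.sh returns.

```python
"""Added example (not from the article): reconcile Certificate Transparency
entries against the organisation's own certificate inventory.

CT_ENTRIES is constructed sample data shaped like the JSON that crt.sh
returns (id, issuer_name, name_value, not_before). A real monitor would
fetch https://crt.sh/?q=%25.example.com&output=json on a schedule, or
subscribe to a CT monitoring service. The domain, the approved CA and the
inventory are assumptions made for this example.
"""

MONITORED_DOMAINS = {"example.com"}  # hypothetical organisation domain

DIGICERT = "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1"
LETSENCRYPT = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"

# CAs the organisation actually holds accounts with (assumed).
APPROVED_ISSUERS = {DIGICERT}

# Certificates the organisation knows it ordered: (issuer, sorted SAN tuple).
KNOWN_INVENTORY = {
    (DIGICERT, ("example.com", "www.example.com")),
}

CT_ENTRIES = [  # constructed sample log entries
    {"id": 1001, "issuer_name": DIGICERT,
     "name_value": "example.com\nwww.example.com", "not_before": "2019-03-01T00:00:00"},
    # A DV certificate for a login host from a CA the organisation never used:
    # the pattern left behind when an attacker who controls DNS passes validation.
    {"id": 1002, "issuer_name": LETSENCRYPT,
     "name_value": "login.example.com", "not_before": "2019-04-12T03:15:00"},
    # Approved CA, but a wildcard nobody in the organisation ordered.
    {"id": 1003, "issuer_name": DIGICERT,
     "name_value": "*.example.com", "not_before": "2019-04-13T09:00:00"},
    # Somebody else's domain; substring searches return these too.
    {"id": 1004, "issuer_name": LETSENCRYPT,
     "name_value": "example.community", "not_before": "2019-04-14T00:00:00"},
]


def name_in_scope(name, domains=MONITORED_DOMAINS):
    """True if a SAN (possibly a wildcard) is a monitored domain or under it."""
    host = name.strip().lower().lstrip("*.")  # drop a leading wildcard label
    return any(host == d or host.endswith("." + d) for d in domains)


def audit_ct_entries(entries, inventory=KNOWN_INVENTORY, approved=APPROVED_ISSUERS):
    """Return the entries for our domains that we cannot account for."""
    findings = []
    for entry in entries:
        sans = tuple(sorted(n.strip().lower() for n in entry["name_value"].split("\n")))
        if not any(name_in_scope(n) for n in sans):
            continue  # not one of our domains
        if (entry["issuer_name"], sans) in inventory:
            continue  # we ordered this one
        if entry["issuer_name"] not in approved:
            reason = "issued by a CA the organisation has no account with"
        else:
            reason = "approved CA, but no matching order in the certificate inventory"
        findings.append({"id": entry["id"], "issuer": entry["issuer_name"], "sans": sans,
                         "not_before": entry["not_before"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_ct_entries(CT_ENTRIES):
        print(f"[{f['id']}] {f['reason']}: {', '.join(f['sans'])} "
              f"({f['issuer']}, {f['not_before']})")
```

A finding like entry 1002, a certificate for a login hostname from a CA the organization never dealt with, is precisely the signal a DNS hijack leaves in public view; the inventory match on the full SAN set rather than on the issuer alone is what catches entry 1003.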

These three weaknesses are exacerbated by the absence of standard DNS security settings: Domain Name System Security Extensions (DNSSEC), which let resolvers verify that the answers they receive were signed by the zone owner; Domain-based Message Authentication, Reporting & Conformance (DMARC); and Sender Policy Framework (SPF) records, which together tell receiving mail servers which hosts may send mail for the domain and what to do with mail that fails the check. In their absence, DNS is highly vulnerable. One caveat for DNSSEC: it protects answers in transit and in caches, but it does nothing against an attacker who holds the registrar or DNS-provider account, because that attacker can replace or remove the DS record along with everything else.
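A linter for those three record types, added here as an example and not taken from the article. It evaluates SPF against the RFC 7208 rules that matter most in practice (one record, at most ten lookup mechanisms, a strict terminal `all`), checks the DMARC policy and reporting tags, and reports whether a DS record is published at the parent. The two zones and their records are constructed sample data standing in for what a resolver would return.

```python
"""Added example (not from the article): lint SPF, DMARC and DNSSEC presence.

ZONES is constructed sample data standing in for resolver output: TXT records
at the zone apex, TXT at _dmarc.<zone>, and DS records at the parent. The zone
names and values are assumptions made for this example.
"""

ZONES = {  # constructed
    "example.com": {
        "TXT": ["v=spf1 include:_spf.mail.example.com -all",
                "google-site-verification=abc123"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
        "DS": ["12345 13 2 " + "ab" * 32],  # constructed digest
    },
    "weak.example": {
        "TXT": ["v=spf1 a mx ptr include:a.example include:b.example include:c.example "
                "include:d.example include:e.example include:f.example include:g.example "
                "include:h.example +all"],
        "_dmarc": ["v=DMARC1; p=none"],
        "DS": [],
    },
}

# RFC 7208 section 4.6.4: each of these costs a DNS lookup, ten is the limit.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism(term):
    """Mechanism name with qualifier, argument and CIDR length stripped."""
    bare = term.lstrip("+-~?").lower()
    return bare.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]


def lint_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    terms = spf[0].split()[1:]
    mechs = [_mechanism(t) for t in terms]
    issues = []
    lookups = sum(m in LOOKUP_MECHANISMS for m in mechs)
    if lookups > 10:
        issues.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    if "ptr" in mechs:
        issues.append("'ptr' is deprecated by RFC 7208 and should not be used")
    if "redirect" in mechs:
        return issues  # the policy continues in the redirected record
    if not terms or _mechanism(terms[-1]) != "all":
        issues.append("no terminal 'all': unmatched senders get an implicit neutral result")
    else:
        qualifier = terms[-1][0] if terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("'+all': any host on the internet may send as this domain")
        elif qualifier == "?":
            issues.append("'?all' is neutral and offers no protection")
    return issues


def lint_dmarc(txt_records):
    recs = [r for r in txt_records if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record at _dmarc"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    issues = []
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        issues.append(f"invalid or missing p= tag ({policy!r})")
    elif policy == "none":
        issues.append("p=none is monitor-only; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address: without aggregate reports abuse goes unseen")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    return issues


def lint_dnssec(ds_records):
    # A DS record at the parent is what anchors the zone into the chain of trust.
    # Caveat: it only defends answers in transit; an attacker holding the registrar
    # account can replace the DS record along with the name servers.
    if not ds_records:
        return ["no DS record at the parent: zone unsigned or chain of trust not published"]
    return []


def lint_zone(records):
    return {"spf": lint_spf(records.get("TXT", [])),
            "dmarc": lint_dmarc(records.get("_dmarc", [])),
            "dnssec": lint_dnssec(records.get("DS", []))}


def has_issues(report):
    return any(report.values())


if __name__ == "__main__":
    for zone, records in ZONES.items():
        report = lint_zone(records)
        print(zone, "OK" if not has_issues(report) else report)
```

Run against live data, the TXT and DS inputs come from queries against the zone's authoritative servers and the parent zone respectively; the linter itself is deliberately offline so it can be dropped into a scheduled audit job.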

Building Your Defenses

Domain and DNS hijacking in various forms have been around for decades, but such attacks are growing in scale and complexity, and the evidence shows they are becoming more frequent despite all attempts to mitigate them. To protect themselves from DNS hijacking, organizations are advised to implement credential controls such as multifactor authentication on every registrar and DNS-provider account, and to institute a registry lock on all domains so that name server changes require out-of-band confirmation.

While these are good practices, they are not sufficient on their own. Organizations that want to protect themselves effectively need to modernize their approach to process control. They can get started with these three strategies:

  1. Consolidate DNS network services

All DNS-related vendors, meaning domain registrars, DNS services and TLS certificate authorities, should be consolidated to a single enterprise-class provider that offers a unified point of control and a single source of truth. A centralized control point shrinks the set of accounts, credentials and interfaces that have to be monitored and defended. The trade-off is that this one provider account becomes the crown jewel, so it must carry the strongest authentication and the tightest access controls the organization has.

  2. Implement change management control

Integrated, end-to-end change management under a single system is essential to protecting an organization's DNS. The system should include strong authentication (including two-factor authentication); role-based, permissioned user functions; and automated workflow that links domains, DNS and TLS certificate management together. System-enforced DNS security settings are more effective than manual compliance rules, which are subject to human error and omission.

  3. Conduct regular system-based audits

Tamper-evident change history and change alerts further strengthen a consolidated, unified and integrated DNS management system. Fragmented or siloed, manually managed DNS is an ideal playground for hackers because they can wreak havoc undetected. System-based management closes these gaps, and change alerts help detect unauthorized changes. The audit should compare the live records, including the delegation published by the parent zone, against the approved baseline, because a hijack at the registrar changes the delegation without touching the zone on your own name servers. Occasional, sporadic manual audits are no substitute for a fully integrated change management and control system.
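The audit step described above, written out as an added example rather than code from the article: it diffs the records a resolver returned against the approved baseline and, separately, compares the NS set the parent zone delegates to against the NS set the zone publishes about itself, since a mismatch there is the fingerprint of a registrar-level hijack. The baseline, the observed answers and the delegation sets are constructed sample data; in practice they would come from dig or dnspython queries against the authoritative servers and the parent.

```python
"""Added example (not from the article): detect DNS drift against a baseline.

BASELINE is the approved state from the change-management system; OBSERVED is
what a resolver returned on the next audit run; PARENT_NS is the delegation the
parent zone publishes. All three are constructed sample data, and the names and
addresses are assumptions made for this example.
"""

# (owner name, record type) -> set of record data, as approved.
BASELINE = {
    ("example.com.", "NS"): {"ns1.dnsprovider.example.", "ns2.dnsprovider.example."},
    ("example.com.", "A"): {"203.0.113.10"},
    ("www.example.com.", "A"): {"203.0.113.10"},
    ("mail.example.com.", "A"): {"203.0.113.25"},
    ("example.com.", "MX"): {"10 mail.example.com."},
}

# What the audit observed. Two entries differ from the baseline.
OBSERVED = {
    ("example.com.", "NS"): {"ns1.dnsprovider.example.", "ns2.dnsprovider.example."},
    ("example.com.", "A"): {"203.0.113.10"},
    ("www.example.com.", "A"): {"203.0.113.10"},
    ("mail.example.com.", "A"): {"198.51.100.7"},   # mail host now points elsewhere
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("vpn.example.com.", "A"): {"198.51.100.8"},    # a record nobody approved
}

# NS set as delegated by the parent (registry) vs. as published in the zone itself.
# The zone on our own servers looks untouched; the extra name server only shows
# up when you ask the parent, which is why both views must be checked.
PARENT_NS = {"ns1.dnsprovider.example.", "ns2.dnsprovider.example.",
             "ns1.attacker-dns.example."}  # constructed
ZONE_NS = OBSERVED[("example.com.", "NS")]


def detect_drift(baseline, observed):
    """List every (name, type) whose record set differs from the approved baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(key, set()), observed.get(key, set())
        if before == after:
            continue
        name, rtype = key
        if not before:
            findings.append(f"ADDED   {name} {rtype} {sorted(after)}")
        elif not after:
            findings.append(f"REMOVED {name} {rtype} {sorted(before)}")
        else:
            findings.append(f"CHANGED {name} {rtype} {sorted(before)} -> {sorted(after)}")
    return findings


def check_delegation(parent_ns, zone_ns):
    """Flag name servers present in the parent's delegation but not the zone, or vice versa."""
    findings = []
    extra = parent_ns - zone_ns
    missing = zone_ns - parent_ns
    if extra:
        findings.append(f"DELEGATION parent delegates to NS not in zone: {sorted(extra)}")
    if missing:
        findings.append(f"DELEGATION zone lists NS the parent does not delegate to: {sorted(missing)}")
    return findings


def audit(baseline, observed, parent_ns, zone_ns):
    """Combined report; empty list means the live DNS matches the approved state."""
    return detect_drift(baseline, observed) + check_delegation(parent_ns, zone_ns)


if __name__ == "__main__":
    report = audit(BASELINE, OBSERVED, PARENT_NS, ZONE_NS)
    print("\n".join(report) if report else "no drift")
```

Every line this produces should map to a ticket in the change-management system; a line with no ticket is the unauthorized change the article warns about, and the DELEGATION line in particular should be treated as an incident until the registrar confirms who made it.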

With these controls in place, companies can be far more confident that their DNS is secure and compliant, and that any unauthorized change will be seen quickly. Fragmented, manually managed approaches cannot effectively mitigate today's global risks to organizations' DNS.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
