Date: January 24, 2019
TLP – WHITE
Event: Weaknesses in Managed DNS Providers' Processes Allow for Domain Hijacking
Summary: Earlier this month, the US-CERT issued a bulletin with information on a large DNS infrastructure hijacking campaign. Ars Technica has also recently published an article that includes more detail on a weakness attackers targeted in order to hijack domains, and a link to a list of vulnerable domains. The TIC has chosen to issue this bulletin, as there is a potential for H-ISAC member domains to be affected.
Relevance: It is likely that H-ISAC members own domains that may be affected.
· Implement multi-factor authentication on domain registrar accounts, or on other systems used to modify DNS records. [1]
· Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames. [1]
· Search for encryption certificates related to domains and revoke any fraudulently requested certificates. [1]
· Consider checking the following linked list to determine whether any URLs owned by your organization are included, and take action as appropriate: hxxps://pastebin[.]com/raw/wgCWLz8K
· Validate A, NS, MX record changes. [3]
· Validate the source IPs in OWA/Exchange logs. [3]
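One way to carry out the record-verification steps above (checking that A, NS and MX records still match an approved baseline) is shown in the added example below; it is not part of this bulletin or of any cited source. It assumes answers in the format printed by `dig +noall +answer`, and the domain names and RFC 5737 addresses in it are constructed for illustration.

```python
"""Compare observed A/NS/MX records against an approved baseline (added example)."""
from collections import defaultdict

def parse_dig_answers(text):
    """Parse `dig +noall +answer` style lines into {name: {type: set(rdata)}}."""
    records = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank, comment or malformed lines
        name, rtype, rdata = parts[0].rstrip(".").lower(), parts[3], parts[4:]
        if rtype == "MX":
            rdata = rdata[1:]  # drop the preference; compare the exchange host only
        records[name][rtype].add(" ".join(rdata).rstrip(".").lower())
    return records

def diff_against_baseline(baseline, observed, rtypes=("A", "NS", "MX")):
    """Return one finding per (name, type) whose observed set differs from the baseline."""
    findings = []
    for name, expected in baseline.items():
        seen = observed.get(name, {})
        for rtype in rtypes:
            want = {v.lower() for v in expected.get(rtype, set())}
            got = set(seen.get(rtype, set()))
            if got != want:
                findings.append({"name": name, "type": rtype,
                                 "unexpected": sorted(got - want),
                                 "missing": sorted(want - got)})
    return findings

# Approved baseline: what the records are supposed to be (constructed values).
BASELINE = {
    "example.com": {"A": {"203.0.113.10"},
                    "NS": {"ns1.example.net", "ns2.example.net"},
                    "MX": {"mail.example.com"}},
}

# Constructed observed answers: an extra, lower-preference MX host has appeared,
# which is the kind of change the bulletin asks members to validate.
OBSERVED_DIG = """\
example.com.  300  IN A  203.0.113.10
example.com.  3600 IN NS ns1.example.net.
example.com.  3600 IN NS ns2.example.net.
example.com.  300  IN MX 10 mail.example.com.
example.com.  300  IN MX 5 mx.rogue-example.invalid.
"""

def run_check(baseline=BASELINE, dig_output=OBSERVED_DIG):
    return diff_against_baseline(baseline, parse_dig_answers(dig_output))

if __name__ == "__main__":
    for f in run_check():
        print(f"{f['name']} {f['type']}: unexpected={f['unexpected']} missing={f['missing']}")
```

In practice, feed `run_check` the real `dig` output for each owned domain and keep the baseline under change control, so every deviation is either an approved change or an incident.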