Date: January 24, 2019

TLP – WHITE

Event: Weaknesses in Managed DNS Providers' Processes Allow for Domain Hijacking

Summary: Earlier this month, the US-CERT issued a bulletin with information on a large DNS infrastructure hijacking campaign. Ars Technica has also recently published an article that includes more detail on a weakness attackers targeted in order to hijack domains, and a link to a list of vulnerable domains. The TIC has chosen to issue this bulletin, as there is a potential for H-ISAC member domains to be affected.

Relevance: It is likely that H-ISAC members own domains that may be affected.

Potential Actions:

· Implement multi-factor authentication on domain registrar accounts, or on other systems used to modify DNS records. [1]

· Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames. [1]

· Search for encryption certificates related to domains and revoke any fraudulently requested certificates. [1]

· Consider checking the following linked list to determine whether any URLs owned by your organization are included, and take action as appropriate: hxxps://pastebin[.]com/raw/wgCWLz8K

· Validate A, NS, and MX record changes. [3]

· Validate the source IPs in OWA/Exchange logs. [3]
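As an added example (not part of this bulletin or its references), the following Python check supports the record-validation actions above: it parses dig-style answer lines for A, NS and MX records and diffs them against a known-good baseline captured from the registrar or DNS console. The zone name, addresses and answer lines are constructed sample values, not real infrastructure.

```python
"""Baseline check for DNS hijacking: diff observed A/NS/MX answers against known-good values."""
from typing import Dict, List, Set, Tuple

RRSet = Dict[Tuple[str, str], Set[str]]   # (owner name, record type) -> set of rdata strings

# Constructed baseline for a hypothetical zone (example.org is a reserved documentation name).
# Capture yours from the registrar/DNS console at a time the zone is known to be clean.
BASELINE: RRSet = {
    ("example.org.", "NS"): {"ns1.example.org.", "ns2.example.org."},
    ("example.org.", "A"): {"203.0.113.10"},
    ("example.org.", "MX"): {"10 mail.example.org."},
    ("mail.example.org.", "A"): {"203.0.113.25"},
}

# Constructed `dig +noall +answer` style output (RFC 1035 presentation format).
# The A record of the MX host has been changed; everything else matches the baseline.
OBSERVED_ANSWERS = """\
example.org.        3600  IN  NS  ns1.example.org.
example.org.        3600  IN  NS  ns2.example.org.
example.org.        300   IN  A   203.0.113.10
example.org.        3600  IN  MX  10 mail.example.org.
mail.example.org.   300   IN  A   198.51.100.7
"""

def parse_answers(text: str) -> RRSet:
    """Group presentation-format answer lines into (name, type) -> {rdata}."""
    rrsets: RRSet = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue                      # skip blanks, comments and non-IN classes
        name, rtype, rdata = parts[0].lower(), parts[3].upper(), " ".join(parts[4:])
        rrsets.setdefault((name, rtype), set()).add(rdata)
    return rrsets

def find_deviations(baseline: RRSet, observed: RRSet) -> List[dict]:
    """Return one finding per RRset whose observed values differ from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        expected, seen = baseline.get(key, set()), observed.get(key, set())
        if expected == seen:
            continue
        findings.append({
            "name": key[0], "type": key[1],
            "missing": sorted(expected - seen), "unexpected": sorted(seen - expected),
            # A changed NS delegation hands the whole zone to the new servers' operator.
            "severity": "critical" if key[1] == "NS" else "high",
        })
    return findings
```

Feed the output of your resolver or registrar API into `parse_answers` on a schedule and alert on any non-empty result from `find_deviations`.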

References:

1. hxxps://www.us-cert[.]gov/ncas/current-activity/2019/01/10/DNS-Infrastructure-Hijacking-Campaign

2. hxxps://arstechnica[.]com/information-technology/2019/01/godaddy-weakness-let-bomb-threat-scammers-hijack-thousands-of-big-name-domains/

3. hxxps://www.fireeye[.]com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html

4. hxxps://blog.talosintelligence[.]com/2018/11/dnspionage-campaign-targets-middle-east.html