You must protect your organization from DNS hijacking

What is DNS Hijacking?

“DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer’s TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behavior of a trusted DNS server so that it does not comply with internet standards.”

Definition Source: Wikipedia

These modifications may be made for malicious purposes such as phishing; for self-serving purposes by Internet service providers (ISPs), the Great Firewall of China, and public or router-based online DNS providers, who direct users’ web traffic to the ISP’s own web servers so that advertisements can be served, statistics collected, or other purposes of the ISP pursued; and by DNS service providers to block access to selected domains as a form of censorship.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), alerted the public last year of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

| INDICATOR_VALUE | TYPE | ROLE | ATTACK_PHASE | OBSERVED_DATE | DESCRIPTION |
|---|---|---|---|---|---|
| hxxp://hr-suncor[.]com/Suncor_employment_form[.]doc | URL | URL WATCHLIST | DELIVERY | 11/27/2018 | According to open-source analysis, the URL is a spear phishing link that leads to a file containing a malicious macro; the file is designed to look like a legitimate file available on the Suncor Energy website. At the time of analysis, the URL led to file “stat.php” [MD5: ca783981d8cff646eececb652f636a3b]. File is clean according to antivirus engines. |
| hxxp://hr-wipro[.]com/Wipro_Working_Conditions[.]doc | URL | URL WATCHLIST | DELIVERY | 1/10/2019 | According to open-source analysis, the URL is a spear phishing link that leads to a malicious file. At the time of analysis, research into the URL did not result in any file information. |
| hr-wipro[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 11/27/2018 | According to open-source analysis, this is a malicious domain masquerading as a legitimate website that hosts job listings. At the time of analysis, the domain resolved to IP “185.161.211.79”, which is geolocated in the Netherlands. |
| hr-suncor[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 11/27/2018 | According to open-source analysis, this is a malicious domain masquerading as a legitimate website that hosts job listings. At the time of analysis, the domain resolved to IP “185.161.211.79”, which is geolocated in the Netherlands. |
| 0ffice36o[.]com | FQDN | DOMAIN WATCHLIST | C2 | 11/27/2018 | According to open-source analysis, this is a C2 server domain for a remote administration tool (RAT) malware and communicates with the malware over HTTP and DNS. At the time of analysis, the domain resolved to IP “185.20.187.8”, which is geolocated in the Netherlands. |
| cloudipnameserver[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 1/11/2019 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP “209.99.40.222”, which is geolocated in the USA. |
| cloudnamedns[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 1/11/2019 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP “209.99.40.223”, which is geolocated in the USA. |
| lcjcomputing[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 1/11/2019 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP “198.54.117.210”, which is geolocated in the USA. |
| mmfasi[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 1/11/2019 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP “192.64.147.142”, which is geolocated in the USA. |
| Interaland[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 1/11/2019 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP “52.58.78.16”, which is geolocated in Germany. |
| 128[.]199[.]50[.]175 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 139[.]162[.]144[.]139 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
| 139[.]59[.]134[.]216 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
| 142[.]54[.]179[.]69 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the USA. |
| 146[.]185[.]143[.]158 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 178[.]62[.]218[.]244 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 185[.]15[.]247[.]140 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
| 185[.]161[.]209[.]147 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 185[.]161[.]211[.]72 | IPV4ADDR | IP_WATCHLIST | C2 | 11/27/2018 | According to open-source analysis, this IP supported C2 operations for remote administration tool (RAT) malware. The IP is geolocated in the Netherlands. |
| 185[.]161[.]211[.]79 | IPV4ADDR | IP_WATCHLIST | C2 | 1/14/2019 | According to open-source analysis, this IP, at some point, resolved to domains “hr-suncor.com” and “hr-wipro.com”. Both domains are considered to be malicious domains masquerading as legitimate websites that host job listings. The IP is geolocated in the Netherlands and, at the time of analysis, resolved to domain “files-sender.com”. |
| 185[.]174[.]101[.]168 | IPV4ADDR | IP_WATCHLIST | C2 | 1/14/2019 | According to open-source analysis, this IP, at some point, resolved to domains “hr-suncor.com” and “hr-wipro.com”. Both domains are considered to be malicious domains masquerading as legitimate websites that host job listings. The IP is geolocated in the USA. |
| 185[.]20[.]184[.]138 | IPV4ADDR | IP_WATCHLIST | C2 | 11/27/2018 | According to open-source analysis, this IP supported C2 operations for remote administration tool (RAT) malware. The IP is geolocated in the Netherlands. |
| 185[.]20[.]187[.]8 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. At the time of analysis, the IP resolved to domain “0ffice36o.com”. The IP is geolocated in the Netherlands. |
| 185[.]236[.]78[.]63 | IPV4ADDR | IP_WATCHLIST | C2 | 1/14/2019 | According to open-source analysis, this IP was used for establishing a remote desktop protocol (RDP) session over an SSH tunnel. The IP is geolocated in the Netherlands. |
| 188[.]166[.]119[.]57 | IPV4ADDR | IP_WATCHLIST | C2 | 10/10/2018 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 199[.]247[.]3[.]191 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
| 206[.]221[.]184[.]133 | IPV4ADDR | IP_WATCHLIST | C2 | 11/20/2018 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the USA. |
| 37[.]139[.]11[.]155 | IPV4ADDR | IP_WATCHLIST | C2 | 11/2/2018 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. At the time of analysis, the IP resolved to newly registered domain “anexamination.info” (1/2/2019). |
| 89[.]163[.]206[.]26 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
| 82[.]196[.]11[.]127 | IPV4ADDR | IP_WATCHLIST | C2 | 12/1/2018 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 82[.]196[.]8[.]43 | IPV4ADDR | IP_WATCHLIST | C2 | 10/1/2018 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
| 9c8507a1fd7d2579777723b53fee1f3e | MD5 | FILE HASH WATCHLIST | INSTALLATION | 11/27/2018 | According to open-source analysis, this file is a sample of remote administration tool (RAT) malware. The malware supports communication over HTTP(S) and DNS with a command and control (C2) server. |
| 807482efce3397ece64a1ded3d436139 | MD5 | FILE HASH WATCHLIST | INSTALLATION | 11/27/2018 | According to open-source analysis, this file contains malicious macros that lead to the delivery of remote administration tool (RAT) malware. |
| C00C9F6EBF2979292D524ACFF19DD306 | MD5 | FILE HASH WATCHLIST | INSTALLATION | 11/27/2018 | According to open-source analysis, this file is a sample of remote administration tool (RAT) malware. The malware supports communication over HTTP(S) and DNS with a command and control (C2) server. |
| D2052CB9016DAB6592C532D5EA47CB7E | MD5 | FILE HASH WATCHLIST | INSTALLATION | 11/27/2018 | According to open-source analysis, this file is a sample of remote administration tool (RAT) malware. The malware supports communication over HTTP(S) and DNS with a command and control (C2) server. |

Technical Details

Using the following techniques, attackers have redirected and intercepted web and mail traffic and could do so for other networked services.

  1. The attacker begins by compromising the credentials of an account that can make changes to DNS records, or by obtaining them through alternate means.
  2. Next, the attacker alters DNS records, like Address (A), Mail Exchanger (MX), or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
  3. Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end-users receive no error warnings.

Mitigations

NCCIC recommends the following best practices to help safeguard networks against this threat:

  • Update the passwords for all accounts that can change organizations’ DNS records.
  • Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
  • Audit public DNS records to verify they are resolving to the intended location.
  • Search for encryption certificates related to domains and revoke any fraudulently requested certificates.
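The third mitigation, auditing public DNS records against the location they are supposed to resolve to, is the check that catches step 2 of the technique above (an A, MX, or NS record silently swapped for actor-controlled infrastructure). The script below is an added example written for this page, not NCCIC/CISA tooling: it compares an observed snapshot of an organization's records against an expected baseline, and raises the severity of any drift whose new value matches an indicator from the watchlist table. The domain `example.com`, the baseline values and the "observed" snapshot are constructed for illustration; the watchlist entries are a subset of the indicators published above, refanged from their `[.]` form. A real run would populate the observed dictionary from resolver queries (for example via `dnspython`), which is left out so the example runs offline.

```python
"""Audit public DNS records against a baseline and an indicator watchlist.

Added example for this page (not CISA/NCCIC code). Record data below is
constructed; watchlist values come from the indicator table on this page.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

RecordKey = Tuple[str, str]  # (owner name, record type)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as hxxp://x[.]com back into its live form."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def normalize(value: str) -> str:
    """Canonical form for comparing DNS answers: lowercase, no trailing dot."""
    return value.strip().lower().rstrip(".")


# Subset of the page's indicator table, kept defanged and refanged at load time.
WATCHLIST_IPS: Set[str] = {refang(x) for x in (
    "128[.]199[.]50[.]175", "185[.]20[.]187[.]8",
    "185[.]161[.]211[.]79", "37[.]139[.]11[.]155",
)}
WATCHLIST_DOMAINS: Set[str] = {refang(x) for x in (
    "cloudipnameserver[.]com", "cloudnamedns[.]com",
    "lcjcomputing[.]com", "mmfasi[.]com", "0ffice36o[.]com",
)}

# Constructed baseline: what the organization intends its records to be.
# MX values are shown as exchange names only; priorities are omitted here.
EXPECTED: Dict[RecordKey, Set[str]] = {
    ("example.com", "A"): {"192.0.2.10"},
    ("example.com", "MX"): {"mail.example.com"},
    ("example.com", "NS"): {"ns1.example.net", "ns2.example.net"},
}

# Constructed snapshot of what public resolvers currently return. It models
# step 2 of the technique: the A record and one NS record have been replaced.
OBSERVED: Dict[RecordKey, Set[str]] = {
    ("example.com", "A"): {"185.20.187.8"},
    ("example.com", "MX"): {"mail.example.com."},
    ("example.com", "NS"): {"ns1.example.net.", "cloudnamedns.com."},
}


def is_watchlisted(value: str) -> bool:
    """True if an answer is a watchlisted IP, or a watchlisted domain or subdomain of one."""
    v = normalize(value)
    try:
        return str(ipaddress.ip_address(v)) in WATCHLIST_IPS
    except ValueError:
        pass  # not an IP literal; treat as a host name
    return any(v == d or v.endswith("." + d) for d in WATCHLIST_DOMAINS)


def audit(expected: Dict[RecordKey, Set[str]],
          observed: Dict[RecordKey, Set[str]]) -> List[dict]:
    """Return one finding per record set that differs from the baseline.

    Drift is a warning; drift onto a watchlisted value is critical. Record
    sets present in only one side are reported too, so a newly appeared
    record type is not missed.
    """
    findings: List[dict] = []
    for key in sorted(set(expected) | set(observed)):
        want = {normalize(v) for v in expected.get(key, set())}
        got = {normalize(v) for v in observed.get(key, set())}
        added, removed = got - want, want - got
        if not added and not removed:
            continue
        hits = sorted(v for v in added if is_watchlisted(v))
        findings.append({
            "name": key[0], "rtype": key[1],
            "severity": "critical" if hits else "warning",
            "added": sorted(added), "removed": sorted(removed),
            "watchlist_hits": hits,
        })
    return findings


if __name__ == "__main__":
    for f in audit(EXPECTED, OBSERVED):
        print(f"[{f['severity'].upper()}] {f['name']} {f['rtype']}: "
              f"added={f['added']} removed={f['removed']} "
              f"watchlist={f['watchlist_hits']}")
```

Run on the constructed data, the MX record produces no finding (the trailing dot is normalized away), while the A and NS changes are both reported as critical because the new values match indicators from the table. Scheduling this comparison against every public-facing zone gives the early warning the alert asks for, and the `removed` field documents what to restore once the registrar account has been secured.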

How is your state of IT? Call Us: (855) 551-7760 with any questions.