DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer’s TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.
These modifications may be made for malicious purposes such as phishing; for self-serving purposes by Internet service providers (ISPs), by the Great Firewall of China, and by public or router-based DNS providers, to direct users’ web traffic to the ISP’s own web servers so that advertisements can be served, statistics collected, or other ends of the ISP pursued; and by DNS service providers to block access to selected domains as a form of censorship.
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), alerted the public last year to a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and to obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.
For more detail, see the following source:
Technical Details
Using the following techniques, attackers have redirected and intercepted web and mail traffic, and could do so for other networked services.
- The attacker begins by compromising, or otherwise obtaining, the credentials of an account that can make changes to DNS records.
- Next, the attacker alters DNS records, such as Address (A), Mail Exchanger (MX) or Name Server (NS) records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a risk that persists beyond the period of traffic redirection.
- Because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.
Mitigations
NCCIC recommends the following best practices to help safeguard networks against this threat:
- Update the passwords for all accounts that can change organizations’ DNS records.
- Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
- Audit public DNS records to verify they are resolving to the intended location.
- Search for encryption certificates related to domains and revoke any fraudulently requested certificates.
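Added example (not code from the alert or this article) implementing the record audit in the third recommendation above, which also catches the A, MX and NS changes described under Technical Details: answers captured in `dig +noall +answer` format are compared with an approved baseline and each deviation is rated. All names and addresses are constructed placeholders, and the dig output is assumed to have been captured beforehand.

```python
"""Audit public DNS answers against an approved baseline. Added example, not code
from the CISA alert; every name/address is a constructed placeholder (example.com,
RFC 5737 ranges), not a real indicator."""
from collections import defaultdict

# Approved state: (owner name, record type) -> set of expected rdata strings.
BASELINE = {
    ("example.com.", "A"): {"192.0.2.10"},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("example.com.", "NS"): {"ns1.example.com.", "ns2.example.com."},
    ("www.example.com.", "A"): {"192.0.2.10", "192.0.2.11"},
}

# Constructed `dig +noall +answer` output, as a public resolver might return
# it; the NS delegation and one MX have been changed, and one www A is gone.
DIG_OUTPUT = """\
example.com.      300 IN A  192.0.2.10
example.com.      300 IN MX 10 mail.example.com.
example.com.      300 IN MX 5 mx.hosting-placeholder.test.
example.com.      300 IN NS ns1.hosting-placeholder.test.
example.com.      300 IN NS ns2.hosting-placeholder.test.
www.example.com.  300 IN A  192.0.2.10
"""

def parse_answers(text):
    """Parse dig answer-section lines into {(name, type): {rdata, ...}}."""
    observed = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank lines, comments, anything that is not a record
        name, _ttl, _cls, rtype, *rdata = parts
        observed[(name.lower(), rtype.upper())].add(" ".join(rdata).lower())
    return observed

def audit(baseline, observed):
    """Return sorted (severity, name, type, detail) tuples for every deviation."""
    findings = []
    for (name, rtype), expected in baseline.items():
        seen = observed.get((name, rtype), set())
        extra, missing = sorted(seen - expected), sorted(expected - seen)
        if not extra and not missing:
            continue
        sev = ("critical" if rtype == "NS"  # delegation moved: whole zone rewritable
               else "high" if extra         # an address we never published answers
               else "medium")               # records vanished: outage or tampering
        findings.append((sev, name, rtype, f"unexpected={extra} missing={missing}"))
    for name, rtype in observed.keys() - baseline.keys():
        findings.append(("high", name, rtype, "record name/type not in baseline"))
    return sorted(findings)
```

Run it against the output of `dig +noall +answer <name> <type>` for each baseline entry from several public resolvers, since a hijack at the registrar shows up everywhere while a poisoned cache shows up only on one.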