By replacing the the legitimate IP address for a domain such as example.com with a booby-trapped address, attackers can cause example.com to carry out a variety of malicious activities, including harvesting user’s login credentials. The techniques detected by FireEye are particularly effective, because they allow attackers to obtain valid TLS certificates that prevent browsers from detecting the hijacking.
“A large number of organizations has been affected by this pattern of DNS record manipulation and fraudulent SSL certificates,” FireEye researchers Muks Hirani, Sarah Jones, Ben Read wrote in a report published Thursday. “They include telecoms and ISP[s], government and sensitive commercial entities.” The campaign, they added, is occurring around the globe at “an almost unprecedented scale, with a high degree of success.”
One DNS hijacking technique involves changing what’s known as the DNS A record. It works when the attackers have somehow previously compromised the login credentials for the administration panel of the target’s DNS provider. The attackers then change the IP address of the targeted domain to one they control. With control over the domain, the attackers then use the automated Let’s Encrypt service to generate a valid TLS certificate for it. Cisco’s Talos team previously described this method.
With that in place, people who visit the targeted domain don’t access its legitimate server. Instead, they access an attacker-controlled server that connects back to the legitimate server to give visitors the impression nothing is amiss. The attackers then collect usernames and passwords. End users receive no warnings and won’t notice any differences in the site they’re accessing except, possibly, for a longer-than-normal delay.
A second technique is similar except that it exploits a previously compromised domain registrar or ccTLD to change name server records.
The third technique uses a DNS redirector in tandem with one of the above two methods.
FireEye said attackers are using the techniques to hijack dozens of domains belonging to entities in North America, Europe, the Middle East, and North Africa. The company advised administrators to take a variety of measures, including:
The researchers assessed with moderate confidence that the attackers had a link to Iran, based on IP addresses they’re using.
“This DNS hijacking, and the scale at which it has been exploited, showcases the continuing evolution in tactics from Iran-based actors,” Thursday’s report concluded. “This is an overview of one set of [tactics, techniques, and procedures] that we recently observed affecting multiple entities. We are highlighting it now so that potential targets can take appropriate defensive action.”
The National Cybersecurity and Communications Integration Center issued a statement that encouraged administrators to read the FireEye report.