Security researchers from FireEye have identified a wave of DNS hijacking attacks on domains owned by government, telecom and internet infrastructure organizations around the globe. The analysis suggests the bad actors behind the cyber attacks are of Iranian origin or sponsorship.
“This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success,” FireEye noted in the report.
Organizations in the Middle East and North Africa, Europe and North America have been affected.
Attackers are known to use compromised credentials to modify DNS records (that the organization’s domain normally resolves to) and then redirect user traffic to attacker-controlled infrastructure.
The bad actors can further obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.
FireEye has been tracking the activity for the past several months and have provided details on the attacker’s tactics, techniques and procedures (or TTPs).
Three different methods have been used in the widespread attacks, one that was previously identified by Cisco’s Talos security team last November. In each case, DNS records were manipulated to enable the compromise of its victims.
The three ways of DNS hijacking as noted in the FireEye report include:
- Alter DNS A records
- Alter DNS NS records
- Use a DNS Redirector in conjuntion with either of the first two methods.
“A large number of organizations have been affected by this pattern of DNS record manipulation and fraudulent SSL certificates,” FireEye added.
FireEye emphasized these types of attacks are difficult to defend against. However, organizations can defend against these types of attacks by implementing these controls:
- Implement multi-factor authentication (MFA) on your organization’s domain admin portal.
- Validate A and NS record changes.
- Search for SSL certificates related to your domain and revoke any malicious certificates.
- Validate the source IPs in OWA/Exchange logs.
- Conduct an internal investigation to assess whether attackers have gained access to your environment.
Google also released new security enhancements to its public Domain Name Service (DNS) recursive resolver service by adding DNS-over-TLS.
In conclusion, these types of large-scale DNS hijacking illustrate the ongoing evolution of Iran-based actors.