A new hacking campaign has been discovered that uses various techniques to manipulate the DNS records of several organisations worldwide. FireEye researchers have written about the campaign. The records of governments, telecom companies and internet infrastructure organisations are being manipulated.

The campaign uses three different techniques, one of which is partly dependent on fraudulent SSL certificates. Organisations in the Middle East, North Africa, Europe and North America are the target of the campaign, which has been running since January 2017.

The purpose of the attacks is to collect sysadmins’ login data, to intercept a website’s traffic and to serve up malware. The techniques include altering DNS A records, altering DNS NS records, or using a DNS redirector. The DNS redirection technique is used together with one of the two other approaches to perform an attack.


It is not yet clear exactly how the attacks take place. However, FireEye states that this is probably a form of phishing. It is also possible that the attackers use multiple techniques to get into the targets. It is also unclear which mechanism is used to adjust the DNS records. FireEye thinks that at least some records were changed by compromising the registrar account of a victim’s domain.

“This is a major attack and it stands out because the attacker can access sensitive information without ever entering your network perimeter,” said Ben Read, senior manager of cyber-espionage analysis at FireEye iSIGHT Intel. “We’re still doing research, but so far we’ve found dozens of manipulated domains. The first evidence points to an Iranian sponsor, but we can’t link it to a group yet.”

Companies can protect themselves against the attacks by setting up two-step verification for the administration portal of a domain.
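
The A and NS record changes described above can be detected by comparing the records a domain actually serves with an approved baseline. The following is an added example, not code from FireEye or the original article; the baseline format, function names, domain names and addresses are all constructed for illustration.

```python
# Added example: detect unexpected changes to A and NS records by comparing
# observed answers with an approved baseline. All names and addresses below
# are constructed (reserved documentation domains and address ranges).

MONITORED_TYPES = ("A", "NS")


def normalize(value):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return value.strip().rstrip(".").lower()


def diff_records(baseline, observed):
    """Return a sorted list of findings: (name, rtype, kind, value).

    kind is "unexpected" for a served value that is not in the baseline and
    "missing" for a baseline value that is no longer served.
    """
    findings = []
    for name, types in baseline.items():
        seen_types = observed.get(name, {})
        for rtype in MONITORED_TYPES:
            approved = {normalize(v) for v in types.get(rtype, [])}
            seen = {normalize(v) for v in seen_types.get(rtype, [])}
            findings += [(name, rtype, "unexpected", v) for v in seen - approved]
            findings += [(name, rtype, "missing", v) for v in approved - seen]
    return sorted(findings)


# Constructed baseline: the records the domain owner has approved.
BASELINE = {
    "mail.example.org": {"A": ["192.0.2.10"]},
    "example.org": {"NS": ["ns1.example.org.", "ns2.example.org."]},
}

# Constructed observation: the A record is repointed and one name server
# is swapped; the other differs from the baseline only in case and dot.
OBSERVED = {
    "mail.example.org": {"A": ["198.51.100.77"]},
    "example.org": {"NS": ["NS1.example.org", "ns1.example.net."]},
}

if __name__ == "__main__":
    for name, rtype, kind, value in diff_records(BASELINE, OBSERVED):
        print(f"{name} {rtype} {kind}: {value}")
```

In practice the observed records would be collected from several independent resolvers and from the registrar's delegation data, since a change made at the registrar does not appear in the zone the owner manages.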
