Situation: a new wave of attacks with the interception of DNS queries - we analyze the basic methods of protection
Information security specialists have registered an increase in the number of DNS attacks hijacking the websites of private and government companies. We tell who suffered and how to defend.
/ Flickr / F Delventhal / CC BY / Photo changed
The information security organization FireEye published a report last month that reported on a massive wave of attacks on private companies and government organizations. Attackers used the technique of DNS interception, or DNS hijacking. They blocked TCP / IP configurations on the victim’s computer and transferred all requests to a fake DNS server. This allowed them to direct user traffic to their own web servers and use them to steal personal data.
According to FireEye, the growth in the number of such attacks began to grow in January 2017. Hackers target domains from Europe, North America, the Middle East and North Africa. At least six domains of the US federal agencies and sites of the governments of the Middle East countries have suffered.
FireEye experts in their report point out three DNS substitution patterns used by hackers. The first of these was described by Cisco security divisions — Talos. The attackers hacked the DNS service providers (for the time being it is not known for certain), and then changed the DNS A record , associating the real domain with the IP belonging to the hackers.
As a result, the victims fell on a similar original site. To achieve maximum similarity, even a cryptographic certificate, Let's Encrypt , was made for a fake website. At the same time, requests from a fake resource were redirected to the original one. The fake page returned true answers, and the substitution could be noticed only by longer loading pages.
This attack scheme was used to hack into the websites of the UAE government, the Lebanese Ministry of Finance, and Middle East Airlines. Hackers intercepted all traffic and redirected it to the IP address 185.20.187.8. According to Talos experts, attackers stole passwords from the mailboxes of employees of organizations and data for accessing VPN services.
The second scheme of the malefactors is connected with the change in the register of DNS addresses of the NS record of the domain. It is responsible not for one page of a specific domain (for example: mail.victim.com), but for all links of the form x.victim.com. The rest of the method is similar to the first one: hackers created a copy of the original site and redirected users to it, and then stole the data.
The third method was often used in conjunction with the first two. Website visitors were not immediately sent to a fake page. First, they switched to an additional service - DNS Redirector. He recognized where the user is sending the DNS request. If a visitor entered a page from the victim’s network, he was redirected to a fake copy of the site. To other users, the Redirector returned the real IP address, and the person got to the original resource.
Experts can not yet assess the exact damage from hacking, as the new victims of hackers become known after the publication of the report. Therefore, even the US Department of Homeland Security (DHS) has drawn attention to the problem. Specialists of the organization published a directive in which they formed a list of mandatory requirements for other federal agencies. For example, DHS requires government departments to update the passwords for administrator accounts, enable multi-factor authentication in DNS accounts, and inspect all DNS records.
/ Wikimedia / ANIL KUMAR BOSE / CC BY-SA
Recommendations from the directive must be implemented by all agencies within ten working days. According to the publication of CyberScoop, this period is quite rare in the documents of the Ministry. This indicates the “emergency” status of the directive.
A remarkable series of hacks was also called by representatives of providers of DNS servers. According to NS1 DNS hosting CEO Chris Bivers (Kris Beevers), the most important conclusion from the recent attacks is that organizations do not use basic defenses. At its core, attacks are pretty simple, and many of them could be prevented.
In their report, FireEye experts provide several protection methods that will help organizations prevent DNS hijacking attacks:
Enable Multifactor Authentication (MFA). This is one of the requirements that the Department of Homeland Security presented to the state departments. Multifactor authentication complicates the task for attackers to connect to the control panel with the DNS settings.
For example, 2FA could prevent attackers from replacing the Linux.org site in early December last year. Fortunately, the attack was limited only to vandalism with switching to another server in DNS.
Check the logs of certificates. Security experts advise administrators to double-check certificates using the Certificate Transparency tool. This is an IETF standard and open source project that stores information about all certificates issued for a specific domain.
If it turns out that some of them were falsified, you can complain about the certificate and revoke it. Special tools, such as SSLMate , will help you to track changes in the Certificate Transparency logs.
Go to DNS-over-TLS. To prevent attacks with DNS interception, some companies also use DNS-over-TLS (DoT). It encrypts and checks user requests to the DNS server and does not allow attackers to change the data. For example, recently protocol support was implemented in Google Public DNS.
Attacks with DNS interception becomes more and more, and hackers are not always interested in user data. Recently, dozens of hacked domains, including those from Mozilla and Yelp, used to send fraudulent emails. In this case, the hackers used a different attack pattern - they took control of the domains that the companies stopped using, but did not remove the provider from the DNS records.
In most cases, hacking is to blame companies that did not bother with security issues. Cloud providers can help deal with this problem.
Often, the DNS servers of vendors, unlike the systems of companies, are protected by an additional protocol DNSSEC . It protects all DNS records with a digital signature that can only be created using a private key. Hackers cannot enter arbitrary data into such a system, so it becomes more difficult to replace the response from the server.
/ Flickr / F Delventhal / CC BY / Photo changed
What happened
The information security organization FireEye published a report last month that reported on a massive wave of attacks on private companies and government organizations. Attackers used the technique of DNS interception, or DNS hijacking. They blocked TCP / IP configurations on the victim’s computer and transferred all requests to a fake DNS server. This allowed them to direct user traffic to their own web servers and use them to steal personal data.
According to FireEye, the growth in the number of such attacks began to grow in January 2017. Hackers target domains from Europe, North America, the Middle East and North Africa. At least six domains of the US federal agencies and sites of the governments of the Middle East countries have suffered.
What methods do hackers use?
FireEye experts in their report point out three DNS substitution patterns used by hackers. The first of these was described by Cisco security divisions — Talos. The attackers hacked the DNS service providers (for the time being it is not known for certain), and then changed the DNS A record , associating the real domain with the IP belonging to the hackers.
As a result, the victims fell on a similar original site. To achieve maximum similarity, even a cryptographic certificate, Let's Encrypt , was made for a fake website. At the same time, requests from a fake resource were redirected to the original one. The fake page returned true answers, and the substitution could be noticed only by longer loading pages.
This attack scheme was used to hack into the websites of the UAE government, the Lebanese Ministry of Finance, and Middle East Airlines. Hackers intercepted all traffic and redirected it to the IP address 185.20.187.8. According to Talos experts, attackers stole passwords from the mailboxes of employees of organizations and data for accessing VPN services.
The second scheme of the malefactors is connected with the change in the register of DNS addresses of the NS record of the domain. It is responsible not for one page of a specific domain (for example: mail.victim.com), but for all links of the form x.victim.com. The rest of the method is similar to the first one: hackers created a copy of the original site and redirected users to it, and then stole the data.
The third method was often used in conjunction with the first two. Website visitors were not immediately sent to a fake page. First, they switched to an additional service - DNS Redirector. He recognized where the user is sending the DNS request. If a visitor entered a page from the victim’s network, he was redirected to a fake copy of the site. To other users, the Redirector returned the real IP address, and the person got to the original resource.
What do they think about attacks?
Experts can not yet assess the exact damage from hacking, as the new victims of hackers become known after the publication of the report. Therefore, even the US Department of Homeland Security (DHS) has drawn attention to the problem. Specialists of the organization published a directive in which they formed a list of mandatory requirements for other federal agencies. For example, DHS requires government departments to update the passwords for administrator accounts, enable multi-factor authentication in DNS accounts, and inspect all DNS records.
/ Wikimedia / ANIL KUMAR BOSE / CC BY-SA
Recommendations from the directive must be implemented by all agencies within ten working days. According to the publication of CyberScoop, this period is quite rare in the documents of the Ministry. This indicates the “emergency” status of the directive.
A remarkable series of hacks was also called by representatives of providers of DNS servers. According to NS1 DNS hosting CEO Chris Bivers (Kris Beevers), the most important conclusion from the recent attacks is that organizations do not use basic defenses. At its core, attacks are pretty simple, and many of them could be prevented.
How to protect
In their report, FireEye experts provide several protection methods that will help organizations prevent DNS hijacking attacks:
Enable Multifactor Authentication (MFA). This is one of the requirements that the Department of Homeland Security presented to the state departments. Multifactor authentication complicates the task for attackers to connect to the control panel with the DNS settings.
For example, 2FA could prevent attackers from replacing the Linux.org site in early December last year. Fortunately, the attack was limited only to vandalism with switching to another server in DNS.
“Two-factor authentication is a simple security measure that will help protect against attacks with substitution of the DNS server response,” commented Sergey Belkin, head of the IaaS provider development department at 1cloud.ru . - Cloud providers can help with protection. In particular, users of our free DNS hosting can quickly connect 2FA using the prepared instructions . Additionally, customers can track all changes to their DNS records in their profile to make sure they are valid. ”
Check the logs of certificates. Security experts advise administrators to double-check certificates using the Certificate Transparency tool. This is an IETF standard and open source project that stores information about all certificates issued for a specific domain.
If it turns out that some of them were falsified, you can complain about the certificate and revoke it. Special tools, such as SSLMate , will help you to track changes in the Certificate Transparency logs.
Go to DNS-over-TLS. To prevent attacks with DNS interception, some companies also use DNS-over-TLS (DoT). It encrypts and checks user requests to the DNS server and does not allow attackers to change the data. For example, recently protocol support was implemented in Google Public DNS.
Perspectives
Attacks with DNS interception becomes more and more, and hackers are not always interested in user data. Recently, dozens of hacked domains, including those from Mozilla and Yelp, used to send fraudulent emails. In this case, the hackers used a different attack pattern - they took control of the domains that the companies stopped using, but did not remove the provider from the DNS records.
In most cases, hacking is to blame companies that did not bother with security issues. Cloud providers can help deal with this problem.
Often, the DNS servers of vendors, unlike the systems of companies, are protected by an additional protocol DNSSEC . It protects all DNS records with a digital signature that can only be created using a private key. Hackers cannot enter arbitrary data into such a system, so it becomes more difficult to replace the response from the server.
Our posts from the corporate blog:
Source: https://habr.com/ru/post/439426/